Setting up Nextcloud instance - ATT > pfSense > HAProxy > ACME

This is probably a very common setup, but I’ve been banging my head trying to get this to work for a week. It’s probably firewall rules/NAT or something silly that I’m missing. I’ve been running ATT → pfSense → LAN with various VLANs and Pi-hole (using Unbound on the pfSense box) for years now, but opening up safely for an internal server isn’t working out.

I have an ATT gateway set to passthrough → pfSense. pfSense gets the public IP on WAN fine (the admin access is still on a private IP). I’ve been following the video about setting up HAProxy and ACME, but I can’t get a successful certificate issued. I use Namecheap for my domain, but can’t use the API key because it’s not available to me, so I’ve been trying the DNS-Manual setup. I’ve added the TXT record and waited overnight, tried several times, and it always fails.

I feel like I don’t have the basic things set up to link the public IP to the private IP of HAProxy and the Nextcloud server, and I’m not sure what to do.

Since it is DNS verification, I tried bypassing the Pi-hole and gave everything 1.1.1.1 and 1.0.0.1 for DNS, still no good.

So…I feel like there’s a missing link between the WAN and HAProxy/ACME. I should also mention that the Nextcloud server is the only thing being used on the domain so far.

I’m trying to set it up like in the video with subdomains: nextcloud.my-domain.com

Sorry for the long post. I wanted to give some detail. Thanks in advance for any help.

I have a few questions.

  1. Are you able to ping externally back to your pfSense box using the DNS record you created?

  2. What are your NAT rules when you set up HAProxy?

  3. Have you tried to run ACME in dry run to see what the error is?

  1. I’m unable to ping the domain externally, but I can’t ping the public IP either. There must be a ping block in the settings somewhere. I can ping both domain and IP internally.

  2. I tried a port forward from WAN → pfSense internal IP, but it didn’t make a difference. I also have a WAN firewall rule to allow port 443 from ANY → THIS FIREWALL. Doing an external port scan still says 443 is filtered on the public IP.

  3. Here’s the error I get when attempting a manual RENEW after placing the challenge TXT record:

Verify error:DNS problem: NXDOMAIN looking up TXT for _acme-challenge.moonfumes.com - check that a DNS record exists for this domain

HAProxy aside, this looks like an issue with me just getting the ACME cert. Could it be DNS settings? I’ve never worked with a domain before working on this project, so I could have something set wrong in the records. Here they are:

Otherwise, what else could be blocking ports 80 and 443? The only thing between pfSense and the internet is my ATT gateway, which is in passthrough mode, and its settings say everything is open.
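Added example, not code from the thread or from the pfSense ACME package: a small stdlib-only Python script that computes the TXT record a CA looks for in a DNS-01 challenge (RFC 8555 section 8.4, from the challenge token and the account key thumbprint the ACME client gives you) and then asks several public resolvers for it, distinguishing the NXDOMAIN in the error above (the name does not exist at that resolver, i.e. the record never reached public DNS) from a name that exists with no TXT, or with a stale value from an earlier attempt. The resolver list, the `build_txt_response` helper (a constructed reply used only for offline testing) and the command-line arguments are my assumptions.

```python
"""Check an ACME DNS-01 challenge record the way the CA sees it (added example).

Assumptions: Python 3 standard library only; the resolvers below are public
recursive resolvers chosen for illustration; token and thumbprint come from
the ACME client's output and are passed on the command line.
"""
from __future__ import annotations
import base64, hashlib, socket, struct, sys

PUBLIC_RESOLVERS = ["1.1.1.1", "8.8.8.8", "9.9.9.9"]  # assumed; any public resolver works


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dns01_record(domain: str, token: str, thumbprint: str) -> tuple[str, str]:
    """Owner name and TXT value the CA will query (RFC 8555 section 8.4).
    A wildcard name is validated at the base name, so a leading '*.' is dropped."""
    base = domain[2:] if domain.startswith("*.") else domain
    name = "_acme-challenge." + base.rstrip(".")
    key_authorization = f"{token}.{thumbprint}"
    return name, b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal DNS query: header with RD set, one question for TXT/IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 16, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def parse_txt_response(data: bytes) -> tuple[int, list[str]]:
    """Return (rcode, [TXT strings]) from a DNS reply; rcode 3 is NXDOMAIN."""
    _qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4            # skip QTYPE/QCLASS
    txts = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 16:                            # TXT: sequence of <len><chars>
            pos, parts = 0, []
            while pos < len(rdata):
                n = rdata[pos]
                parts.append(rdata[pos + 1:pos + 1 + n].decode("latin-1"))
                pos += 1 + n
            txts.append("".join(parts))
    return flags & 0x0F, txts


def build_txt_response(query: bytes, rcode: int, values: list[str]) -> bytes:
    """Constructed resolver reply for offline testing; not real DNS traffic."""
    header = query[:2] + struct.pack(">HHHHH", 0x8180 | rcode, 1, len(values), 0, 0)
    answers = b""
    for v in values:
        raw = v.encode("ascii")
        rdata = bytes([len(raw)]) + raw
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, 60, len(rdata)) + rdata
    return header + query[12:] + answers


def classify(rcode: int, txts: list[str], expected: str) -> str:
    """Map a reply to the situation a troubleshooter cares about."""
    if rcode == 3:
        return "nxdomain"        # name unknown here: not published or not propagated
    if rcode != 0:
        return "error"           # some other resolver-side failure (SERVFAIL, REFUSED, ...)
    if expected in txts:
        return "ok"
    return "stale" if txts else "nodata"   # old value left behind vs. name exists, no TXT


def query_txt(name: str, resolver: str, timeout: float = 3.0) -> tuple[int, list[str]]:
    """Live UDP lookup against one resolver (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_response(data)


if __name__ == "__main__":
    # usage: python dns01check.py nextcloud.example.com <token> <account-key-thumbprint>
    domain, token, thumb = sys.argv[1:4]
    name, expected = dns01_record(domain, token, thumb)
    print(f"expecting TXT {name} = {expected}")
    for r in PUBLIC_RESOLVERS:
        rcode, txts = query_txt(name, r)
        print(f"{r}: {classify(rcode, txts, expected)} {txts}")
```

Run it after publishing the record and before clicking renew: every public resolver should report `ok`. `nxdomain` from all of them means the record is not in the zone the public nameservers serve (wrong zone, wrong name such as a doubled domain suffix, or the registrar's DNS not yet updated); `ok` internally but `nxdomain` externally points at the local resolver (Pi-hole/Unbound) answering for the zone instead of the authoritative servers, which is why the in-LAN checks in this thread never reproduced the CA's view.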

I gave up on the DNS verification method and tried Standalone HTTP. That worked, so I’m moving on to HAProxy setup.

I was getting frustrated with how this was going, so I bought a new domain at Cloudflare. I used the API key for certificate verification and it worked first try. HAProxy is set up and working fine now. Moral of the story: Namecheap DNS apparently doesn’t work with verification…at least it didn’t for me.