Letsencrypt for the whole domain with LE

Hi@all,

++ Preface ++

Please excuse the long preface; I just wanted to describe the situation so far in detail. The actual question: see below.

So far I have installed Letsencrypt on my pfSense because it was very simple and elegant. The PF updates everything automatically, and HTTPS requests are received by the HA proxy and answered with a valid and trusted certificate.

At the ISP the corresponding subdomains are created which point to the WAN interface of the pfSense.

The external domain is: unseredomain.de, the local UCS network is: lan.unseredomain.de. The corresponding subdomains at the ISP are: [hostname].unseredomain.de.

HTTPS requests (from external) to: https://cloud.unseredomain.de are provided with a necessary certificate by the HA proxy and are routed to the internal host: https://cloud.lan.unseredomain.de.

To enable HTTPS access from the LAN, I configured a virtual network interface on the PF that listens on the LAN and is also integrated in the HA proxy. The HA proxy forwards HTTPS requests to https://cloud.unseredomain.de from the LAN to the internal host in the same way.

This is an elegant solution, but it has one major drawback. All HTTPS requests from the LAN go through the pfSense. All the traffic! In the case of groupware or web services this may be acceptable, but in the case of a streaming server (Jellyfin) this is a problem regarding bandwidth. Of course you could connect the internal clients directly to the internal hostname, but this also brings problems, because then no valid certificate is delivered and many applications have problems with self-signed certificates.

++ Question ++

Because of the above deficits I want to install Letsencrypt in the LAN. There is a corresponding app on the UCS systems. I wonder what the best concept is.

Besides various UCS systems there are other server VMs (Ubuntu). All these servers (VMs) need a valid certificate, and the renewal of the certificates should run automatically.

I have read that there are wildcard certificates. Would my project work with this? Is this supported by the UCS app? As far as I could find out in the forum there are still problems here.

If someone could give me some helpful words along the way I would be very grateful.

with best
sven

Hi Sven.

I have approached the topic from the other side, first trying to set up all certificates on the UCS machines directly. For any simple setup this works really well, but for more complex situations (like the ucs-sso certificate being needed on multiple machines) I have switched to what you have (pfSense, ACME, HAProxy and distributing from there).

For streaming, maybe consider setting the streaming up on a separate domain name or a separate port, so that you can set up HAproxy as needed for this, without interfering with other settings.

Regards, Martin

I’ve solved it, at least I think so, quite elegantly.

The HA proxy on the pfSense stays as it is. This is necessary anyway because several servers should be accessible externally using the subdomain via HTTPS.

For testing, I did all this with the Jellyfin server to test how it works. The pfSense still takes care of the certificates and copies them to the internal host when they are renewed. However, an NGINX with these LE certificates was still required on the Jellyfin server.

The HA proxy on the internal (virtual) NIC now has nothing to do with this. The performance, especially with parallel streams, is significantly better.

I think it is a good solution. If everything runs reliably, I will look into bringing the LE certificates automatically to the UCS systems in this way. However, this is not a priority because it does not bother me that it is a self-signed certificate when accessing the UCS admin via browser.

with best
sven

I have now automated the process. If pfSense renews a certificate, it copies it to the associated host (UCS) via scp.

These must be entered in:

/etc/apache2/sites-available/000-default.conf

So that this is not reset by an update, I have the appropriate template:

/etc/univention/templates/files/etc/apache2/sites-available/ssl.d/000-default.conf

Is this the correct way?
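A deploy step of the kind described in this thread, written as an added example (not Sven's script, not pfSense's or UCS's own code): before the renewed certificate is copied over scp and Apache is reloaded, it checks that certificate and key actually belong together and that the certificate is not about to expire, so a broken renewal never replaces a working certificate on the target host. The remote directory, the file names and the root@host login are assumptions.

```sh
#!/bin/sh
# Assumed layout (not from the thread): pfSense hands this script the host,
# the renewed certificate chain and the private key as its three arguments.
set -eu

# Remote directory referenced by SSLCertificateFile / SSLCertificateKeyFile
# in 000-default.conf on the UCS host (assumed path, adjust to taste).
REMOTE_DIR=/etc/ssl/letsencrypt

# Return 0 if the public key inside the certificate $1 matches the private
# key $2; works for RSA and EC keys because both are compared as SPKI PEM.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if certificate $1 stays valid for at least $2 more seconds.
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Validate, stage the files under temporary names, then swap them into place
# atomically and reload Apache only if its config test still passes.
deploy_cert() {
  host=$1 cert=$2 key=$3
  cert_key_match "$cert" "$key" || { echo "cert/key mismatch, not deploying" >&2; return 1; }
  cert_valid_for "$cert" 86400 || { echo "cert expires within a day, not deploying" >&2; return 1; }
  scp -q "$cert" "root@$host:$REMOTE_DIR/fullchain.pem.new"
  scp -q "$key"  "root@$host:$REMOTE_DIR/privkey.pem.new"
  ssh "root@$host" "set -e
    chmod 600 '$REMOTE_DIR/privkey.pem.new'
    mv '$REMOTE_DIR/fullchain.pem.new' '$REMOTE_DIR/fullchain.pem'
    mv '$REMOTE_DIR/privkey.pem.new'   '$REMOTE_DIR/privkey.pem'
    apache2ctl configtest
    systemctl reload apache2"
}

# Usage: deploy-cert.sh <host> <fullchain.pem> <privkey.pem>
if [ "$#" -eq 3 ]; then
  deploy_cert "$1" "$2" "$3"
fi
```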