pfSense - Let's Encrypt guide. Get a proper SSL certificate for your WebUI.

Captions
Hello and welcome. Today I'm going to show you how to get a proper certificate from Let's Encrypt and how to apply it to your pfSense firewall web UI. But before I get into that, I wanted to say thank you to all of the people who are leaving comments and likes, who help with promoting the channel in other ways, and to the people who are donating to our PayPal and LBRY. These are the important things that help us make more content for you. If you find this video helpful and would like to support the channel, links to PayPal and LBRY are in the video description. Also, from now on I'll be going through the questions or comments attached to your donations at the end of each video, so if you'd like to hear my thoughts on any topic I've covered on the channel, just add a magic phrase into your message: "video answer please". We decided to do this because YouTube doesn't make it very straightforward for creators to read and reply to all of the comments; sometimes I'm not getting notifications about comments, and much more often they just don't show up in YouTube Studio.

If you have questions on why you'd need a proper SSL certificate, I've covered that in my similar video for OPNsense. If you're interested, go ahead and watch that first; I'll leave a link to it in the show notes. Otherwise, let's begin the tutorial.

First and foremost, we're going to have to change the default management ports on our system, because ACME will be using port 80, and port 80 is occupied by the web redirect rule at the moment. So let's do that first: go to System > Advanced, under the TCP port just choose a random port of your liking, and then disable the web UI redirect rule. Scroll down to the bottom of the page and hit Save. Now, we don't want to wait 20 seconds, so I'll just type in port 8000 over here. Accept the SSL certificate for the time being, because we don't have a proper one just yet.

Now it's time to install the ACME package. Go to System > Package Manager > Available Packages and install the ACME package, which is just first on the list in my case. Confirm, wait for the package to install, and now the installation was successful. Go back to the main screen. From the main screen go to Services > Acme Certificates (if you don't have Acme Certificates under Services, just refresh the page first). Go to Account Keys and create a new account key; in my case I'll just call it "web ui keys". Under ACME Server, switch from testing to Production v2. Enter the email address over here; keep in mind that you're going to have to use a legitimate email address here, and it's not for any marketing purposes whatsoever: Let's Encrypt will be sending you notifications if your certificate is about to expire and you forgot to renew it. Now just click Create new account key. So the key was created; let's register the key. Okay, the key was registered, and now hit Save. All right, everything looks good so far.

Now go to Certificates and add a new certificate. For the name I'm going to go with "web ui cert". I'll leave the description empty, because this is going to be my only Let's Encrypt certificate, but if your pfSense will be managing multiple certificates, type in the description; it's going to be easier for you in the future to determine which certificate is where. You can leave the private key at 2048, but I'll bump it up to 4096. By this point you should have your domain name ready, and in my case it's going to be youtubedemos.gateway-it.com. For the method, choose Standalone HTTP Server. Leave the port option empty; it's going to default to 80 anyway. Now under Action List we want to add a new action: just copy and paste this bit (it restarts the UI on this firewall) and leave the method as Shell Command. So now, whenever the certificate is renewed, nginx will be reloaded, and that will allow the new certificate to replace the old one. That's pretty much it for now; let's hit Save.

Now we need to open port 80 on the WAN side so that ACME can work automatically with our DNS name. Go to Firewall > Rules and add a rule on your WAN side: Action pass, choose the interface, address family, protocol TCP, source any, destination This Firewall, destination port range is going to be HTTP. I want to log the packets, and I want to leave a description of "acme". Click Save and Apply Changes.

Now that we opened port 80, ACME will work just fine, but some of the hackers out there will start telling me in the comments that this is not secure and you shouldn't be opening port 80 on your firewall. Let me prove to you that this has nothing to do with security. We have port 80 open on our firewall, but there is no service listening on it at the moment, and for the attacker the port will look as if it was closed. Let me demonstrate. So let's telnet into our website: as you can see, it was successfully connected, and if I quit, I get a legitimate response from my nginx server. But if I do the same to youtubedemos, I cannot connect at all. Now let's scan for the open ports with nmap. Again, if I scan my website, it found the service with open port 80 and it found that it's running nginx, but if I do the same to youtubedemos, nmap says that the port is filtered. So again, even though the port is open, no service is listening on it at the moment, so there is very little chance that someone will attack you in this kind of scenario.

Now that the port is open, let's go back to Acme Certificates and let's issue our certificate. And there you go, we received a response from ACME and it says that our certificate was registered successfully. If you see a failure somewhere here, don't be scared; you're just going to need to troubleshoot some issues on your firewall. If you can't come up with the fix, just drop a comment below and I'll try to give you advice on what needs to be done.

Now that we have a certificate, go to System > Advanced, and under SSL/TLS Certificate for the web UI just choose the web UI certificate and click Save. It will reload nginx, so you might give it a few moments. Refresh the page, accept the new certificate, and under these circumstances you will still see that the certificate is not valid, because you are connecting to the firewall by the IP address and not the DNS name. Let's connect with the DNS name. So I purposely left this in the video, and this is to show you what happens if you don't add your DNS name to the known DNS names list under System > Advanced > Alternate Hostnames. So just add your hostname here, hit Save, go back to the page with your DNS name, refresh it, and there you go: the system is up and running with the new certificate. Now let's just log in and check if everything is okay, and in fact it is.

The last thing you need to do is go back to Acme Certificates > Global Settings and enable the automatic renewal for your new certificate. Just hit Save and you are good to go.

That's it for this video. Like, share, subscribe and all that good stuff. If you have any questions, just post them in the comments below or send us a small donation with a question; I'll review all of them at the end of the next video. But for now, thank you very much for watching, and I'll see you in the next one.
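The two things that go wrong after this procedure are the ones the video runs into: the browser is pointed at a name (or IP) the certificate does not cover, and a certificate that silently ages out because the renewal cron job never ran. The script below is an added example, not code from the video or from the pfSense ACME package. It pulls the certificate the WebUI presents with `openssl s_client`, checks that the subjectAltName lists the DNS name you browse to (browsers ignore the CN), prints the issuer so a leftover pfSense self-signed certificate is easy to spot, and warns when fewer than a chosen number of days of validity remain. The hostname `youtubedemos.gateway-it.com`, the WebGUI port (8000 if you moved it as in the video, 443 otherwise), the 30-day warning threshold and the `make_demo_cert` helper that builds a 90-day self-signed certificate so the checks can be exercised offline are all assumptions for illustration.

```shell
#!/bin/sh
# check_webui_cert.sh - added example (not from the video or the pfSense ACME
# package). Fetch the certificate the pfSense WebUI serves, confirm its SAN
# covers the DNS name you browse to, and warn before the renewal window closes.
#
# Usage: sh check_webui_cert.sh youtubedemos.gateway-it.com 8000
# Hostname, port and the 30-day threshold are assumptions for illustration.

RENEW_WARN_DAYS=30   # assumed threshold; Let's Encrypt certificates last 90 days

# Fetch the leaf certificate served on host:port into a PEM file (network).
fetch_cert() {
    host="$1"; port="$2"; out="$3"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Succeed when the certificate's SAN lists $2 exactly (browsers ignore the CN).
cert_covers_name() {
    cert_dns_names "$1" | grep -qFx "$2"
}

# Succeed when the certificate expires within $2 days
# (openssl -checkend exits 0 when the cert will still be valid, so invert it).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Print the issuer DN, so a leftover pfSense self-signed cert is easy to spot.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# Constructed 90-day self-signed certificate for $2 written to $1, so the
# checks above can be exercised offline; stands in for a Let's Encrypt cert.
make_demo_cert() {
    dir="$1"; host="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Full check against a live host: returns 0 when the name matches and the
# certificate is outside the warning window, 1 otherwise.
check_live() {
    host="$1"; port="${2:-443}"
    tmp=$(mktemp -d); pem="$tmp/live.pem"; rc=0
    fetch_cert "$host" "$port" "$pem"
    echo "issuer: $(cert_issuer "$pem")"
    if cert_covers_name "$pem" "$host"; then
        echo "ok: SAN covers $host"
    else
        echo "FAIL: SAN does not cover $host (got: $(cert_dns_names "$pem" | tr '\n' ' '))"
        rc=1
    fi
    if cert_expires_within "$pem" "$RENEW_WARN_DAYS"; then
        echo "WARN: expires within $RENEW_WARN_DAYS days; check the ACME cron job"
        rc=1
    else
        echo "ok: more than $RENEW_WARN_DAYS days of validity left"
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Only run the live check when a hostname was given on the command line.
if [ $# -gt 0 ]; then
    check_live "$1" "$2"
fi
```

Run it from a workstation that can reach the WebUI, not from the firewall itself, so it sees exactly what your browser sees. It checks the name and the validity period only; chain trust is left to the browser, and if you want the script to fail on an untrusted chain add `-verify_return_error` (and `-CAfile` where needed) to the `s_client` call. A non-zero exit from cron is a cheap early warning that the renewal action did not fire or that nginx was not reloaded after it did.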
Info
Channel: Gateway IT Tutorials
Views: 11,471
Id: 1qVAapgr3hI
Length: 9min 33sec (573 seconds)
Published: Mon Oct 19 2020