Replacing the Self Signed Certificate in OPNsense with Let's Encrypt

You may have noticed when you first log into OPNsense that it says the certificate is not valid and asks whether you want to continue. A lot of self-hosted web applications show this warning, and you've probably seen it before, because by default they usually generate a self-signed certificate. The warning is given because it's easy for a malicious actor to spoof a self-signed certificate: there's no authority signing off on the certificate to say it's a valid certificate. In OPNsense you can actually create your own certificates using Let's Encrypt by using the ACME plugin, so in this video I'm going to show you how to use the ACME plugin to set up your own Let's Encrypt certificate. The great thing about this process is that you don't have to expose your OPNsense web interface to the internet to get a certificate, because I'm going to show you the DNS challenge, which is my favorite validation method for Let's Encrypt: you can use it for any internal service on your network without needing to open up access from the internet to validate your certificates. I think it's really great for home labs and home networks if you want to get rid of those warning messages and have a valid, real certificate. So that's our goal in this video today.

Before getting started with setting up the ACME plugin in OPNsense, you will need to set up an API key with your domain name registrar. I'm using Cloudflare as an example because that's what I currently use, I know a lot of people use Cloudflare as well, and it's easiest for me to do an example with a service I already have, but there are other domain providers you can use. The first thing we're going to do is open up Cloudflare. To minimize having to blur out a bunch of stuff, I already have it signed in to my account. If you go to the upper right-hand corner you'll be able to click on your profile, and then you can click on the API Tokens section over on the
side here. Then you'll see the API tokens you have already created; by default you should have a Global API Key. For example, I already have an Edit Zone DNS token in here, and this is what we're going to create. I'm going to show creating one: this is my real account and I already have one, but I'll create a new one just to show you the process, so I don't have to delete my old one or do anything like that, because I don't want to mess with my account. So we'll click Create Token, and of course the first option is Edit Zone DNS. This is probably one of the most commonly used API tokens, which is probably why they put it first, because it can be used for dynamic DNS updates as well as for creating certificates. I actually use it for both purposes; I use it for dynamic DNS as well. If you click Use Template, you'll see that you have Zone, DNS and Edit already set by default; the default options are pretty good. You'll notice that if I go down here and click Continue to Summary, it actually wants you to pick a specific zone. I don't know if it asked me to pick because I have multiple domain names, or if it asks even when you have one domain name. You can say All Zones, or you can say a specific zone, which would be a specific domain name. I'm just going to say All Zones, because you can use the same token for all of your domain names. If you want to create one token for each domain name, to give out fewer permissions, you can do that, but it's easier just to say All Zones. Then make sure you don't put a date in there, so this token won't expire and you don't have to worry about renewing the token, because your renewals will fail eventually once the token expires. Click Continue to Summary and then Create Token, and you'll see an API key is generated that you can copy and paste. I won't blur this out, because this is not going to be a
token I'm going to be using, so I don't care if you see this token. I'm not going to copy and paste this token into my example, because I want to use a real API token that I already have created; when I copy and paste that one, I'll blur it out. But here you'll see there's a token; you want to copy this token and make sure you save it. When you go to View All API Tokens, you'll see I have a new token in here below my other token, so I have to make sure I delete the right one when I'm done with this tutorial. As you can see, it's very easy to create a token.

Now we're going to go back to OPNsense, and we're going to be using that token when we create the ACME client. As you can see on my dashboard, this is the name of my system. I just made up a fake name for this demo called router-test (router hyphen test); keep note of this name. You need to make sure this is your real domain name (this is my real domain name that I own), and you want to make a hostname for it. That is under the System > Settings > General page, and you can put it here: router-test.home. You've got to make sure this matches what you put on your certificate, or the validation for your certificate will not match and it probably won't end up being a valid certificate. That's the part of the process where you need to be careful, because this becomes part of the common name on your certificate, so you want to make sure it matches.

Next we're going to go to System > Firmware > Plugins and wait for the plugin list to load; if it has to refresh, it takes a second. It's actually the first option here, the ACME client, so you can click Install. Okay, now it's done. Now we'll go down to Services. I'm just going to click on a random page here, because I have to refresh the page, and you'll see ACME Client appears. As you can see on the Settings page, this plugin is not enabled by default. We'll come back to this
but I just want you to see this page. Auto Renewal is checked by default; these are your default settings right here. We're going to set up everything first, and then enable the plugin once we're done, to make sure we have everything set up properly.

So we're going to go to Accounts and click add. Enter a name; I'm just going to make up my name here, you can use whatever name you want. Make sure you use a valid email address. This will be the account you use for your Let's Encrypt certificates; they will email you whenever your certificate is about to expire, so you'll know. Then just click Save; that's all you really need to add on that page.

Then we go to Challenge Types. We're just going down through the menu options and configuring everything, because there are a couple of different steps. The challenge type defaults to DNS, which is what we want, which is great. We'll just say "DNS challenge" as the name; the name is not very important, you can call it whatever you want. If you click on the DNS Service box you can see Cloudflare when you scroll up. After selecting Cloudflare as the DNS service, you'll see it opened up the Cloudflare options down here. You can enter your Global API Key, but I don't recommend doing that, because it's less secure than using the token we just created, which has more restrictive permissions. So ideally you would just fill in the section down below: your Cloudflare account ID, your API token and your zone ID. The zone ID is technically optional; if you only have one domain name you're managing per key, or you only own one domain name, you might not really need the zone ID, but since I said All Zones I want to put the zone ID in there so it knows which domain name I'm actually going to be modifying. So I'm going to put that information here and I'll blur it out, because this is the
most sensitive part of the installation. If you're not sure where your Cloudflare account ID and zone ID are located, go to your domain name in Cloudflare and scroll to the right-hand corner of the Overview page; you'll see the zone ID and the account ID there. Then you just paste the key you copied earlier. Remember, you only get to copy that once; I forgot to mention that before, but you only get to copy it once, so if you forgot what it was, delete it and recreate it so you can get your token. Okay, now that we have this information entered we can click Save, and as you can see the challenge type is saved.

Now we're down to the last two options, which are Certificates and Automations. I recommend creating the automation real quick before you create a certificate, because that way you can just go ahead and select the automation as you're creating the certificate. So let's go to Automations first, and I'll show you why we're doing this one first. Click Add on Automations, and we're going to select "Restart OPNsense Web UI"; it's actually the first thing there. We could just give it a name; I'll call it "restart OPNsense web UI", the same thing. It doesn't really matter what we call it. We just click Save, and it's enabled by default.

Okay, now we're going to go to Certificates and click on the plus button. Then the common name: this is the name of your router that I showed you earlier, and mine is called router-test.home. We've got to make sure this matches, because this is your common name and it has to match your certificate. Then we already have our ACME account in here, and the challenge type is already selected by default, because if there's only one of each type it just picks it. You can leave auto renewal on and the renewal interval the same, which means it's going to renew every 60 days. Okay, the only other
thing left to configure is the automations. This is the automation we just created, so click on "restart OPNsense web UI". The reason I had you create the automation first is so you can just pick it here and you don't have to come back and edit this. This automation is helpful because whenever you get a new certificate it refreshes the web interface, just to make sure the new certificate gets applied, so that the next time you log in after the certificate gets renewed the web interface is actually using that new certificate. Then we just click Save.

All right, at this point we have all the information we need to issue a certificate. You can either click the button that says "Issue or renew certificate" if you just want to pick out that one certificate (if you have multiple certificates), or you can click the button that says "Issue/renew all certificates". You may not want to do this if you have multiple certificates, but since we only have one certificate it doesn't hurt to click this button. After refreshing the browser a minute or so later, you should see that the last ACME status is OK; otherwise you'll get some other error message here if it didn't work. Then you'll see the renewal date and last run. Since we got a renewal date and time here, we actually got a valid certificate. When I actually copied and pasted this for my example, because I'm using it through a TinyPilot, I'm not sure if I copied the right thing out of my password manager, so it actually said "validation failed" here; I went and fixed that real quick and redid it. If you see "validation failed", that probably means there's something wrong with the API key, or there's a typo somewhere, because this should still work.

The nice thing about these certificates, which I didn't mention earlier, is that you don't actually have to create a DNS entry for router-test. I don't actually have a DNS entry for that; you only need a DNS entry for router-test if you
want external access to that hostname from outside your network. Since I don't need that, I can skip it; you can actually create certificates for any hostname on any device in your internal network using a real domain name.

Now that we've created this certificate and we know that it works, we can go to the Settings page, click Enable Plugin, and click Apply. This will cause your certificate to renew every 60 days (or whatever interval you set), so you want to make sure you enable it once you've got everything working. If you want to change the time when your certificate is updated, click on Update Schedule; by default it's set to midnight. You can change the minutes or hours, and if you're familiar with cron jobs you can change the timing of when this actually occurs, so it can be in the middle of the night when you're not awake and your certificates always stay renewed. If you hit Cancel or Save it takes you back here.

Now that I've created a certificate and have it auto-renewing, let's go to the System > Trust > Certificates page, so you can see that the new certificate we generated is right here. One last thing we need to do is go to the System > Settings > Administration page, and you'll see the default certificate right here under SSL Certificate. The default certificate is "Web GUI TLS certificate"; that's the self-signed one that OPNsense creates when you install it. So what we need to do now is select the one we've generated with our ACME client. As you can see, we have the router-test certificate, so we just select that and click Save down at the bottom. Now it's reloading the web GUI; you may have to refresh the page if it doesn't refresh automatically. As you can see, I'm using the IP address to access my OPNsense box, and you'll see I'm still getting a warning here, but notice that instead of saying "self-signed certificate", the warning down here says the certificate is only valid for router-test. So what we need
to do now that we've got a new certificate is actually just use the domain name. So we'll just use router-test, and as you can see, when we use the hostname and domain name we don't get any warnings; it shows that the connection is secure and that it's a valid Let's Encrypt certificate. That's what we want, and that gets rid of your warnings for OPNsense. I hope you found this guide helpful for getting rid of the warning message when you try to access your router. Until next time, see you later.
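The last step of the guide shows the difference between reaching the web GUI by IP address (warning: certificate only valid for router-test) and by hostname (no warning). The following shell script, added here as an example and not taken from the video or from the OPNsense project, turns those post-deployment observations into repeatable openssl checks: does the name typed into the browser appear in the certificate's CN/SAN, is the certificate still the stock self-signed one, will it stay valid past the plugin's renewal window, and what is its fingerprint (to compare against System > Trust > Certificates after the "restart web UI" automation has run). So that it runs offline, it builds a constructed throwaway self-signed certificate for router-test.home as a stand-in for the stock "Web GUI TLS certificate"; `fetch_server_cert` is the only part that talks to a live host and needs network access. It assumes the openssl CLI, version 1.1.1 or newer (for `-addext`).

```shell
#!/bin/sh
# Post-deployment certificate checks for an OPNsense web GUI (added example,
# not from the video). Assumes the openssl CLI, 1.1.1+ (for -addext).
# The fixture is a constructed self-signed cert for router-test.home that
# stands in for the stock "Web GUI TLS certificate".

# Grab the PEM certificate a TLS endpoint presents (needs network; the
# offline fixture does not use it). $1 = hostname as typed in the browser
# (also sent as SNI), $2 = port (default 443).
fetch_server_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Is the name typed into the browser covered by the cert's CN/SAN?
# Delegates to openssl's RFC 6125 matching instead of grepping the subject.
# $1 = PEM file, $2 = hostname.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# Same for an IP address: only an iPAddress SAN satisfies this, which is why
# https://192.168.1.1 keeps warning after the Let's Encrypt cert is installed.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null | grep -q "does match"
}

# A self-signed certificate has issuer == subject; a Let's Encrypt cert does
# not. (Heuristic only; real chain validation is `openssl verify`.)
cert_is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject)
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=/subject=/')
    [ "$subject" = "$issuer" ]
}

# Will the certificate still be valid $2 days from now? Exit 0 = yes.
# A simple renewal monitor to sit beside the plugin's 60-day auto renewal.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# SHA-256 fingerprint, to compare what the GUI serves with the certificate
# listed under System > Trust > Certificates after the restart automation ran.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed fixture: throwaway self-signed cert, 90 days, SAN router-test.home.
# Prints the path of the PEM file.
make_fixture_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=router-test.home" \
        -addext "subjectAltName=DNS:router-test.home" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Human-readable summary for one certificate and the name used to reach it.
cert_report() {
    cert=$1; name=$2
    if cert_matches_host "$cert" "$name" || cert_matches_ip "$cert" "$name"; then
        echo "name:        $name is covered by the certificate"
    else
        echo "name:        $name is NOT in CN/SAN (browser will warn)"
    fi
    if cert_is_self_signed "$cert"; then
        echo "issuer:      self-signed (still the stock certificate?)"
    else
        echo "issuer:      $(openssl x509 -in "$cert" -noout -issuer)"
    fi
    if cert_valid_for_days "$cert" 30; then
        echo "expiry:      more than 30 days left"
    else
        echo "expiry:      expires within 30 days, check the ACME client log"
    fi
    echo "fingerprint: $(cert_fingerprint "$cert")"
}

# Demo against the offline fixture. For a live host use:
#   fetch_server_cert router-test.home > live.pem && cert_report live.pem router-test.home
FIXTURE=$(make_fixture_cert)
cert_report "$FIXTURE" router-test.home
cert_report "$FIXTURE" 192.168.1.1
```

The fixture report shows the exact situation from the end of the guide: router-test.home is covered, 192.168.1.1 is not, and the certificate is flagged as self-signed. Running `cert_report` on the output of `fetch_server_cert` against your own OPNsense hostname after switching the SSL certificate should instead show a Let's Encrypt issuer and a fingerprint matching the entry in System > Trust > Certificates.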
