Let’s Encrypt with NGINX and pfSense
I’ve been using self-signed certificates for a few of the applications and services I run at home on the local network for a year now and with Firefox it’s not an issue as you accept the risk the very first time and never get asked again. However in the kitchen, the Splunk dashboard runs using the Chrome browser because it’s a little more stable running 24/7 on the tablet. Chrome treats self-signed certificates in a different manner to Firefox – every week it pops up the same boring warning screen and you have to press Advanced then proceed to carry on to the site…
So to fix the issue with the annoying warning screen, I need to get hold of a non-self-signed certificate.
To get a non-self signed certificate, I need to use a domain that I own or can prove I have control over so that rules out the local network fake domain set in pfSense which is “.home”. I have a few other domains but don’t want to mix those up with internal addresses, so I purchased a new domain from HOST-IT.co.uk.
Next up, trying out Let’s Encrypt – I’d read about Let’s Encrypt about two years ago and wanted to use it in a project at work for test environments but since we have a paid for wildcard certificate, we used that for all the test environments instead. This little project at home gives me a the perfect opportunity to try out Let’s Encrypt and get a non-self-signed certificate for free 🙂
I started with the docker image certbot/certbot but since I’ve never used certbot before, I decided after a few attempts to install certbot on my server instead and at least that way it prompts you to complete the certificate registration. For those interested, the command I used can be found below.
certbot certonly \ --config-dir config/ \ --work-dir work/ \ --logs-dir logs/ \ --manual \ --preferred-challenges dns \ --email firstname.lastname@example.org \ --agree-tos \ -d test.example.co.uk
To request a wildcard certificiate instead of a specific host certificate, use:
Once you run the above, you’ll get prompted to agree to your IP address being logged – entering No will cancel your certificate request! After you’ve agreed to your IP being logged, it will display a DNS TXT record that you need to place on your domain.
Take the challenge code and put a DNS TXT file on your domain, e.g.
I’d highly recommend testing whether the TXT file can be found at this point before pressing enter on the certbot window. I found that the TTL on my hosting account was set to a day by default and had to change it to 1 minute. To test the DNS TXT can be seen, run something similar to:
dig -t TXT _acme-challenge.example.co.uk
Once you’ve got your certificate, there’s a whole bunch more commands that may come in useful like:
certbot --config-dir config/ --work-dir work/ --logs-dir logs/ certificates
For listing all the certificates you own.
certbot --config-dir config/ --work-dir work/ --logs-dir logs/ renew
For renewing all the certificates you own.
certbot --config-dir config/ --work-dir work/ --logs-dir logs/ --help
For a list of all the other commands available.
Next up, I’m keeping my home network domain as “.home” because I have too many services to change over now, so I need to override any requests in pfSense that go to specific hosts on the new domain name. To do this, go to the DNS Forwarder -> Host Override section and add a new entry, e.g. if a request to splunk.example.co.uk is received, use IP address 10.0.0.22 locally.
And finally, the NGINX config needs to be updated to use the new certificates. Temporarily while I’ve been testing out these new certificates, I’ve left in the server_name configuration that I previously used “splunk.home” but in addition added the new domain so either could work.
And the result is that the Chrome browser on the tablet no longer objects to the certificate. Cool 🙂
p.s. for those trying to use this guide, some of the images show an example whereas others are based off my real splunk setup – sorry! So the first set of certbot images I’ve asked for test.example.co.uk and therefore if you wanted to put a corresponding record into pfSense, you’d need to put host=test, domain=example.co.uk and in the nginx config it would say server_name test.example.co.uk.