Let’s Encrypt with NGINX and pfSense

I’ve been using self-signed certificates for a few of the applications and services I run at home on the local network for a year now and with Firefox it’s not an issue as you accept the risk the very first time and never get asked again. However in the kitchen, the Splunk dashboard runs using the Chrome browser because it’s a little more stable running 24/7 on the tablet. Chrome treats self-signed certificates in a different manner to Firefox – every week it pops up the same boring warning screen and you have to press Advanced then proceed to carry on to the site…

Chrome self signed certificate warning

So to fix the issue with the annoying warning screen, I need to get hold of a non-self-signed certificate.

To get a non-self signed certificate, I need to use a domain that I own or can prove I have control over so that rules out the local network fake domain set in pfSense which is “.home”. I have a few other domains but don’t want to mix those up with internal addresses, so I purchased a new domain from HOST-IT.co.uk.

Next up, trying out Let’s Encrypt – I’d read about Let’s Encrypt about two years ago and wanted to use it in a project at work for test environments but since we have a paid for wildcard certificate, we used that for all the test environments instead. This little project at home gives me a the perfect opportunity to try out Let’s Encrypt and get a non-self-signed certificate for free 🙂

I started with the docker image certbot/certbot but since I’ve never used certbot before, I decided after a few attempts to install certbot on my server instead and at least that way it prompts you to complete the certificate registration. For those interested, the command I used can be found below.

certbot certonly --config-dir config/ --work-dir work/ --logs-dir logs/ --manual --preferred-challenges dns --email email@address.com --agree-tos -d test.example.co.uk

To request a wildcard certificiate instead of a specific host certificate, use: -d *.example.co.uk

Once you run the above, you’ll get prompted to agree to your IP address being logged – entering No will cancel your certificate request! After you’ve agreed to your IP being logged, it will display a DNS TXT record that you need to place on your domain.

certbot request certificate dns challenge

Take the challenge code and put a DNS TXT file on your domain, e.g.

acme challenge text example

I’d highly recommend testing whether the TXT file can be found at this point before pressing enter on the certbot window. I found that the TTL on my hosting account was set to a day by default and had to change it to 1 minute. To test the DNS TXT can be seen, run something similar to:

dig -t TXT _acme-challenge.example.co.uk
dig text check

Once you’ve got your certificate, there’s a whole bunch more commands that may come in useful like:

certbot --config-dir config/ --work-dir work/ --logs-dir logs/ certificates

For listing all the certificates you own.

certbot list certificates
certbot --config-dir config/ --work-dir work/ --logs-dir logs/ renew

For renewing all the certificates you own.

certbot renew certificates
certbot --config-dir config/ --work-dir work/ --logs-dir logs/ --help

For a list of all the other commands available.

Next up, I’m keeping my home network domain as “.home” because I have too many services to change over now, so I need to override any requests in pfSense that go to specific hosts on the new domain name. To do this, go to the DNS Forwarder -> Host Override section and add a new entry, e.g. if a request to splunk.example.co.uk is received, use IP address 10.0.0.22 locally.

pfSense host override

And finally, the NGINX config needs to be updated to use the new certificates. Temporarily while I’ve been testing out these new certificates, I’ve left in the server_name configuration that I previously used “splunk.home” but in addition added the new domain so either could work.

nginx config

And the result is that the Chrome browser on the tablet no longer objects to the certificate. Cool 🙂

Splunk dashboard with new certificate

p.s. for those trying to use this guide, some of the images show an example whereas others are based off my real splunk setup – sorry! So the first set of certbot images I’ve asked for test.example.co.uk and therefore if you wanted to put a corresponding record into pfSense, you’d need to put host=test, domain=example.co.uk and in the nginx config it would say server_name test.example.co.uk.

Load Balancing WAN Connections

I’ve previously posted about how slow my ADSL connection is (5Mbps max!) and that I bought a 4G router just over a year ago (http://blog.v-s-f.co.uk/2014/10/fed-up-of-waiting-for-superfast-broadband/). Before I bought the 4G router, I decided to look at how to load balance the connections. There were two reasons for doing so. One was that I planned to buy another ADSL connection to get a stunning combined* max of 10Mbps!!! And the other reason is that the 4G connection has a few quirks that mean I prefer to send and receive certain traffic down the ADSL connection.

I did a lot of research and bought a Netgear FVS336G v2 off Ebay. At the time I bought it, I only had the ADSL connection, but the device only lasted a month. The device wouldn’t work on the newest firmware, would work for a few days and then grind to a halt and also my tablet couldn’t access the internet! Needless to say, it went back on Ebay…

After more research I then found pfSense. At the time I had a spare media centre pc lying around which had become redundant, but ran at 80 watts idle. I repurposed it for the task of determining if pfSense would be suitable.

pfSense is brilliant and free! As a router it does everything I could possibly want (Port forwarding, OpenVPN, Firewall and Load Balancing to name but a few). The administration portal never crashes or decides not to load a page – it simply works.

I started off again with just the ADSL connection and then bought the 4G router. Setting up the load balancing took a bit of time along with determining what firewalls to put in place.

I’ve recently upgraded the hardware to use a low power cpu on board motherboard and the entire system now runs at a max of 20 watts.

Even when the 4G conection was running at 50Mbps for over 10 minutes, the cpu never went above 5%.

pfsense-windows10-download

(Example of the firewall rules for sending traffic down ADSL for banking and email)

firewall-rules

* Load balancing WAN connections does not mean you will achieve A+B – you would need to bond the connections to get close to achieving A+B speeds. For example in the screen shot above where 50Mbps is being transfered, it’s all across the 4G connection as the connections are not bonded. Load balancing however in my situation is great as a family member can watch iPlayer and I can still browse the internet without affecting the video stream as the data will normally be distributed across the connections available according to load.