
I have a pfSense box that is able to issue/renew ACME certificates, with HAProxy installed, that has two backend servers that use the generated ACME certificate, which works fine (email and Nextcloud servers).

From outside my local network, going to nextcloud.site.com or email.site.com works perfectly, it has the secure ssl certificate through haproxy and it correctly either takes you to the mail site or the nextcloud site

However, on my local network which is behind pfsense, I cannot seem to get dns resolver to give a proper ssl connection to either. This is a problem because when using the nextcloud app on my phone, it'll work fine outside the network but inside it complains that the ssl certificate is incorrect (because only http works inside the network)

I have dns resolver set to forward the same exact nextcloud address (nextcloud.site.com) to the internal ip address, which works but isn't using the ssl certificate. I have the same certificate selected under dns resolver > ssl/TLS certificate

Is this even possible with dns resolver or is there another solution??

JCTechie
  • I'm confused - which service is TLS enabled? Mail/Website or DNS? So you are using DNS over TLS? – fuero Apr 06 '20 at 08:20
  • I am not using DNS over TLS. I'm not sure what you mean by which service TLS is enabled for, I'm still quite new to SSL/TLS, but under pfSense > DNS Resolver > General Settings I have "Enable SSL/TLS Service" enabled, and under "SSL/TLS Certificate" I have the same certificate selected that HAProxy uses – JCTechie Apr 06 '20 at 08:27
  • Sorry, but your question makes no sense in the current form. Please detail what exactly your not-working devices show and where they are connecting on which port. Whose IP are you serving in your internal network? – fuero Apr 06 '20 at 08:38
  • Alright I'll add some details and pictures tomorrow, sorry it didn't make sense probably not the best idea for me to try and ask it late at night – JCTechie Apr 06 '20 at 08:47
  • I tried guessing a little - perhaps my answer fits :-) – fuero Apr 06 '20 at 08:50

1 Answer


So I'm assuming this:

  • pfSense runs HAProxy, externally your clients/peers/whatever connect to the pfSense's WAN IP.
  • The Nextcloud box is a host in your LAN or DMZ
  • pfSense's DNS is available only LAN-facing and redirects nextcloud.site.com to the Nextcloud box's LAN/DMZ IP.
  • pfSense's HAProxy serves TLS (HTTPS by HAProxy) and has the HSTS header set.
  • pfSense's HAProxy proxies nextcloud.site.com to the box in LAN/DMZ to serve external clients

In that case, you have these options:

  • Remove your DNS override and set up NAT hairpinning/reflection
  • Reconfigure your Nextcloud Host to serve its content via HTTPS
  • Remove the HSTS header from HAProxy
fuero
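A LAN-side check for the split-DNS situation the answer describes, added here as an example and not part of the original post. It assumes a Linux client with `getent`, `openssl` and `curl`, and the placeholder hostname nextcloud.site.com from the question; the three checks map to the three options above (override active, no valid TLS on the internal host, HSTS pinned by HAProxy).

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Usage: ./check.sh nextcloud.site.com

# True when the address is RFC 1918 private space, i.e. a DNS override
# (or NAT reflection) sends the client to a LAN/DMZ host, not the WAN IP.
is_private_ip() {
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# True when a block of HTTP response headers carries an HSTS header. A browser
# that cached HSTS from an earlier visit through HAProxy will refuse the
# plain-HTTP site the override now points it to.
has_hsts() {
  printf '%s\n' "$1" | grep -qi '^strict-transport-security:'
}

# True when the certificate presented on $1:443 (with SNI) is valid for $1.
cert_matches_name() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -checkhost "$1" 2>/dev/null | grep -q 'does match'
}

diagnose() {
  local host="$1" ip hdrs
  ip=$(getent ahostsv4 "$host" | awk 'NR==1 {print $1}')
  echo "$host resolves to $ip"
  if is_private_ip "$ip"; then
    echo "-> DNS override is active: client bypasses HAProxy on the WAN"
  fi
  if cert_matches_name "$host"; then
    echo "-> TLS on $ip presents a certificate valid for $host"
  else
    echo "-> no valid TLS for $host on $ip: serve HTTPS there or use NAT reflection"
  fi
  hdrs=$(curl -sI --max-time 5 "https://$host/" 2>/dev/null || true)
  if has_hsts "$hdrs"; then
    echo "-> HSTS is set; clients will not fall back to http://"
  fi
}

if [ $# -eq 1 ]; then
  diagnose "$1"
fi
```

Run it once from a LAN client and once from outside; the outside run should report a public IP and a matching certificate, and any difference in the inside run points at which of the three options applies.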