Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Chunkers]

I was wondering if anyone could give me some advice on Self Certified Certificates and whether it is worth it / possible to use Lets Encrypt or something similar to prevent a browser always alerting "your connection is not private". Are self signed certificates much of a risk for a home OPNsense user?

I was reading this guys website on the subject.

Is a registered domain a necessity?  I do currently have one, but the service I use doesn't appear to allow me to generate the necessary tokens

Just curious really, and also a bit annoyed that every time I access my OPNsense webUI I have to 'Proceed unsafely'

C

[Alex Atkin UK]

I continue to use http to avoid this hassle, also as I have custom cgi scripts my server probes on pfSense to monitor router activity.

I just don't see how SSL improves security in any way on a private home network.

[Chunkers]

I continue to use http to avoid this hassle, also as I have custom cgi scripts my server probes on pfSense to monitor router activity.

I just don't see how SSL improves security in any way on a private home network.

thanks, thats helpful, and give me pause for thought

[Alex Atkin UK]

I mean sure if you have malware on the network it can snoop your login password without SSL.  But then if you have malware on your network it could also be a keylogger on the PC or just brute-force the login.  So SSL seems kinda redundant at that point.

[kitz]

I think I'd tend to agree wondering if it is worth it.   
I get errors if working on the website with the pages held on my PC.   There's also the warning padlock if you visit your modem/router.  However the effort involved in sorting it if it is just you on your LAN can be a pita. Youre not trying to prove to customers that youre keeping any financial transactions or customer data secure and establishing a secure encrypted connection between your webserver and their browser.

Yes, you do need a registered domain as you need to set a CNAME & set up the DNS server also iirc the max time for letsencrypt certs are 3month, so you'd need to remember to redo every 3mth. Setting up SSL may be a piece of cake for some, but I was more than happy to let my webhosts sort it all for the main site.

[Chrysalis]

I have my own CA in trusted store for LAN devices.

I like the convenience of saved password to login (which browsers block now on http or if untrusted https).

[Alex Atkin UK]

I never even realised, there's the ACME package on pfSense and OPNsense that supports letsencrypt and Cloudflare DNS.

Of course, it doesn't want to work for me and frankly given what I already said it doesn't seem worth it.

[Chunkers]

Really appreciate the thoughts shared here, I have checked and can't get certificates for my registered domain without upgrading my package significantly, the cost of which has put me off.

Its really just the feeling that browsers are shouting 'unsafe' at me every time, as some point I'll probably stop using SSL as I agree its probably unnecessary

Cheers!

[Chrysalis]

I dont know who you have your domain with, but that is potentially predatory pricing mechanisms you dealing with there.

Now days if you want free certificates for internet usage, you can use lets encrypt.

But for LAN devices, you dont need an internet certificate at all, I generate my LAN certificates in the pfSense certificate manager, and just link it to the LAN IP for the device, the CA is the same for all these certificates and is trusted in my local certificate store.

I just checked opnsense and that also has a certificate manager. System -> Trust on menu.

I also use my private certificates for internet services that are accessed via IP such as remote opnsense/pfpsense.

Maybe you already decided to leave it, but if you are still interested thats where you can find it on opnsense.