Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Author Topic: Self-Signed Certificates on OPNSense  (Read 4749 times)

Chunkers

  • Reg Member
  • ***
  • Posts: 531
  • Brick Wall head-banger
Self-Signed Certificates on OPNSense
« on: May 18, 2024, 01:10:29 PM »

I was wondering if anyone could give me some advice on Self Certified Certificates and whether it is worth it / possible to use Lets Encrypt or something similar to prevent a browser always alerting "your connection is not private". Are self signed certificates much of a risk for a home OPNsense user?

I was reading this guys website on the subject.

Is a registered domain a necessity?  I do currently have one, but the service I use doesn't appear to allow me to generate the necessary tokens

Just curious really, and also a bit annoyed that every time I access my OPNsense webUI I have to 'Proceed unsafely'

C
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5480
    • Thinkbroadband Quality Monitors
Re: Self-Signed Certificates on OPNSense
« Reply #1 on: May 18, 2024, 07:08:35 PM »

I continue to use http to avoid this hassle, also as I have custom cgi scripts my server probes on pfSense to monitor router activity.

I just don't see how SSL improves security in any way on a private home network.
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + GL.iNet GL-X3000/ Spitz AX WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Chunkers

  • Reg Member
  • ***
  • Posts: 531
  • Brick Wall head-banger
Re: Self-Signed Certificates on OPNSense
« Reply #2 on: May 19, 2024, 07:02:27 PM »

I continue to use http to avoid this hassle, also as I have custom cgi scripts my server probes on pfSense to monitor router activity.

I just don't see how SSL improves security in any way on a private home network.

thanks, thats helpful, and give me pause for thought :)
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5480
    • Thinkbroadband Quality Monitors
Re: Self-Signed Certificates on OPNSense
« Reply #3 on: May 19, 2024, 08:37:04 PM »

I mean sure if you have malware on the network it can snoop your login password without SSL.  But then if you have malware on your network it could also be a keylogger on the PC or just brute-force the login.  So SSL seems kinda redundant at that point.
« Last Edit: May 19, 2024, 08:40:09 PM by Alex Atkin UK »
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + GL.iNet GL-X3000/ Spitz AX WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 34034
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Self-Signed Certificates on OPNSense
« Reply #4 on: May 20, 2024, 01:13:50 PM »

I think I'd tend to agree wondering if it is worth it.   
I get errors if working on the website with the pages held on my PC.   There's also the warning padlock if you visit your modem/router.  However the effort involved in sorting it if it is just you on your LAN can be a pita. Youre not trying to prove to customers that youre keeping any financial transactions or customer data secure and establishing a secure encrypted connection between your webserver and their browser.

Yes, you do need a registered domain as you need to set a CNAME & set up the DNS server also iirc the max time for letsencrypt certs are 3month, so you'd need to remember to redo every 3mth. Setting up SSL may be a piece of cake for some, but I was more than happy to let my webhosts sort it all for the main site.

Logged
Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7508
  • AAISP CF
Re: Self-Signed Certificates on OPNSense
« Reply #5 on: May 20, 2024, 11:50:35 PM »

I have my own CA in trusted store for LAN devices.

I like the convenience of saved password to login (which browsers block now on http or if untrusted https).
Logged

Alex Atkin UK

  • Addicted Kitizen
  • *****
  • Posts: 5480
    • Thinkbroadband Quality Monitors
Re: Self-Signed Certificates on OPNSense
« Reply #6 on: May 21, 2024, 08:43:24 AM »

I never even realised, there's the ACME package on pfSense and OPNsense that supports letsencrypt and Cloudflare DNS.

Of course, it doesn't want to work for me and frankly given what I already said it doesn't seem worth it.
Logged
Broadband: Zen Full Fibre 900 + Three 5G Routers: pfSense (Intel N100) + GL.iNet GL-X3000/ Spitz AX WiFi: Zyxel NWA210AX
Switches: Netgear MS510TXUP, Netgear MS510TXPP, Netgear GS110EMX My Broadband History & Ping Monitors

Chunkers

  • Reg Member
  • ***
  • Posts: 531
  • Brick Wall head-banger
Re: Self-Signed Certificates on OPNSense
« Reply #7 on: May 25, 2024, 08:44:47 AM »

Really appreciate the thoughts shared here, I have checked and can't get certificates for my registered domain without upgrading my package significantly, the cost of which has put me off.

Its really just the feeling that browsers are shouting 'unsafe' at me every time, as some point I'll probably stop using SSL as I agree its probably unnecessary

Cheers!
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7508
  • AAISP CF
Re: Self-Signed Certificates on OPNSense
« Reply #8 on: May 25, 2024, 12:15:17 PM »

I dont know who you have your domain with, but that is potentially predatory pricing mechanisms you dealing with there.

Now days if you want free certificates for internet usage, you can use lets encrypt.

But for LAN devices, you dont need an internet certificate at all, I generate my LAN certificates in the pfSense certificate manager, and just link it to the LAN IP for the device, the CA is the same for all these certificates and is trusted in my local certificate store.

I just checked opnsense and that also has a certificate manager. System -> Trust on menu.

I also use my private certificates for internet services that are accessed via IP such as remote opnsense/pfpsense.

Maybe you already decided to leave it, but if you are still interested thats where you can find it on opnsense.
« Last Edit: May 25, 2024, 12:19:06 PM by Chrysalis »
Logged