Hi everyone, I use NethServer with a private name, e.g. mynethserver.local.lan, and a mynethserver.ddns.net alias. On my pfSense firewall I have the DNAT of port 443 on the NethServer and the server has a Let's Encrypt certificate. I just finished installing another server and would like to install a Let's Encrypt certificate as on the first server, but port 443 is already busy. How can I
AFAIK three options.
Convince Let's Encrypt to accept another port
Change the device that has access to 443
Have more than one IP on the ISP connection.
Hi, another IP is not possible. What do you mean by getting Let's Encrypt to accept another port? Technically I do a DNAT from port 4443 to 443, but is that correct? Moreover, when it is time for renewal, the problem arises, at least I think, with port 80 for the exchange of the new certificate. Thanks
Convince Let's Encrypt to verify your challenge to get the certificate on another port
Which, as far as I know, is not possible.
Therefore…
Ok, so only one address with DNAT to one server …
AFAIK the set of ports is one per IP address.
Sorry but I don’t really understand what you mean. Google translator gives me an incomprehensible translation
I'll try in Italian, Francesco: there is only one set of TCP/IP ports per IP address. You can't have two port 443s on the same address, as far as I know.
If you can't have additional IP addresses on that connection and you can't get the other tool that uses port 443 on pfSense out of the way, I'd say you can't have Let's Encrypt. But that's only my opinion…
First of all thanks for the translation. I know the basics of TCP well; I had thought of a reverse proxy, but not only which URL … Well, who knows, maybe I will find a workaround or something similar.
There IS another option: DNS-based Let's Encrypt…
@danb35 is our expert on this…
My 2 cents
Andy
The fourth, which Andy mentioned, is DNS validation, for which I’ll put some links below. A fifth would be using a reverse proxy on the pfSense device (it supports HAProxy), directing traffic (including the Let’s Encrypt validation queries) for the one host to the one, and the other to the other. A sixth would be to get the certs on the pfSense box, and then deploy them from there to the respective Nethserver boxes. Doubtless there are others as well.
For DNS validation, here's the relatively simple way, but it requires a supported DNS host:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_for_internal_servers
Here’s a less-simple way, but it can work with any DNS host:
https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns
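To make option 5 concrete, here is an added example (not from this thread or the NethServer project) of an HAProxy configuration on pfSense that routes port 443 by TLS SNI in TCP mode, so each NethServer keeps its own Let's Encrypt certificate and private key and pfSense never decrypts the traffic; port 80 is split by Host header so each box answers its own HTTP-01 challenge. The second hostname and the RFC 5737 internal addresses are assumed placeholders.

```haproxy
# Added example: SNI passthrough for two NethServers behind one public IP.
# mynethserver.ddns.net is from the thread; second.ddns.net and the
# 192.0.2.x addresses are placeholders to replace with your own.

frontend https_in
    bind :443
    mode tcp
    option tcplog
    # Hold the connection until the TLS ClientHello arrives so req.ssl_sni is set.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend ns1_https if { req.ssl_sni -i mynethserver.ddns.net }
    use_backend ns2_https if { req.ssl_sni -i second.ddns.net }
    # Unknown or missing SNI: drop rather than leak one host's certificate.
    tcp-request content reject

backend ns1_https
    mode tcp
    server ns1 192.0.2.10:443 check

backend ns2_https
    mode tcp
    server ns2 192.0.2.11:443 check

# HTTP-01 validation comes in over port 80; route by Host so each server
# serves its own /.well-known/acme-challenge/ token.
frontend http_in
    bind :80
    mode http
    option httplog
    acl acme path_beg /.well-known/acme-challenge/
    acl host_ns1 hdr(host) -i mynethserver.ddns.net
    acl host_ns2 hdr(host) -i second.ddns.net
    use_backend ns1_http if host_ns1
    use_backend ns2_http if host_ns2
    # Anything else on port 80 is not an ACME challenge we recognise.
    http-request deny unless acme

backend ns1_http
    mode http
    server ns1 192.0.2.10:80

backend ns2_http
    mode http
    server ns2 192.0.2.11:80
```

With SNI passthrough both servers run their own certificate renewal exactly as a single server would; the firewall only needs its existing 443 and 80 rules pointed at HAProxy instead of directly at the first NethServer.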
Every example here is great. For reference I use methods 5 & 6 @danb35 has recommended, along with some help from @Andy_Wismer on how to automate some of the importing of certs from pfSense into NS.
This is where I learned how to do reverse proxy with pfSense: https://m.youtube.com/watch?v=gVOEdt-BHDY&t=10s
Hello and thanks. I would find it interesting to be able to distribute certificates via pfSense, but at the moment I find it difficult to understand how to do it. If you have an example to post, could you do it? Otherwise thanks anyway.