NethServer Version: 7.9
I would like to connect my OPNsense Firewall to the Nethserver Samba AD.
What are the right credentials?
Hi
The problem is that the AD in NethServer uses its own, self-created SSL certs, even if your NethServer is using Let's Encrypt SSL certs. But not your AD!
See here for solution:
My 2 cents
Andy
Thank you for the hint. For a quick test I just disabled strong auth but this is not a solution for production…
Hi
OPNsense is a “pro” firewall - it won’t accept “anything” you throw at it, especially not where certs are concerned… It’s quite fussy - but on the other hand, that’s quite good!
There are 2 solutions: let OPNsense do all LE certs, or NethServer. Then transfer the certs over.
Better still would be DNS API enabled, but my DNS hoster has no API for LE…
My 2 cents
Andy
PS: I gave Elliani the hint in a long session - long ago…
That’s what acme-dns is for.
Agreed, but I also need time for that, and end of year, a new year / budget for clients - is always a busy time.
Add in preps for FOSDEM and my little Zabbix Demo next week…
But it will come… Rome wasn’t built in a day…
Also setting up a hosted NethServer for myself (VPS).
I’m also thinking of one at Contabo…
My 2 cents
Andy
@fausp I am with you 100% on having problems with some other items needing a valid cert for authentication and honestly it is very easy & arbitrary to do. So much so I made a feature request here you should bump up to let them know you have an active interest in a 1 click cert import for AD.
@mrmarkuz helped me understand the logic of some of the scripts posted around the forum and it comes down to four basic steps:
Copy the valid LE cert to the NS AD container
cp -f /etc/letsencrypt/live/nsdc-demo.ad.example.com/privkey.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
cp -f /etc/letsencrypt/live/nsdc-demo.ad.example.com/fullchain.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
Change permissions of newly copied LE cert
chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem
Restart NS AD container
systemctl -M nsdc restart samba
Now you can automate all of this to your heart's delight like @Andy_Wismer suggested, but it is dependent on how you want to renew & hook in your LE cert. I verified that this above solution worked for my Guacamole AD users because I just can’t think disabling strong authentication in 2021 is gonna be a sustainable thing. This took me literally 10 minutes to do manually but would be horrible to keep track of for 3 month renewals or scale out.
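The three manual steps from the post above, as an added example script that is not from the thread or from NethServer: it checks that the key and full chain actually belong together before copying, sets the file modes atomically with install(1) instead of cp followed by chmod, and restarts Samba in the container. The paths default to the ones quoted in the post and are assumptions; override them with the LE_DIR and NSDC_TLS environment variables or call the script from a certbot deploy hook.

```shell
#!/bin/sh
# Deploy a Let's Encrypt certificate into the NethServer Samba AD (nsdc) container.
# Assumed default paths (taken from the forum post above); override via environment.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt/live/nsdc-demo.ad.example.com}"
NSDC_TLS="${NSDC_TLS:-/var/lib/machines/nsdc/var/lib/samba/private/tls}"

# Return 0 only if the private key and the certificate carry the same public key.
# Guards against copying a renewed chain next to a stale key (Samba would fail TLS).
cert_key_match() {
    key="$1"; cert="$2"
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1)
    c=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Copy key and full chain into the container TLS directory with the modes the
# post uses (600 for the key, 644 for the cert). install(1) creates the file
# with the final mode, so the key is never briefly world-readable.
install_ad_cert() {
    src="$1"; dst="$2"
    if ! cert_key_match "$src/privkey.pem" "$src/fullchain.pem"; then
        echo "privkey.pem and fullchain.pem in $src do not match" >&2
        return 1
    fi
    mkdir -p "$dst"
    install -m 600 "$src/privkey.pem"   "$dst/key.pem"
    install -m 644 "$src/fullchain.pem" "$dst/cert.pem"
}

# Restart Samba inside the nsdc container so it reloads key.pem / cert.pem.
restart_ad_samba() {
    systemctl -M nsdc restart samba
}

# Run with the argument "deploy" (e.g. from a certbot --deploy-hook) to apply.
if [ "${1:-}" = "deploy" ]; then
    install_ad_cert "$LE_DIR" "$NSDC_TLS"
    restart_ad_samba
fi
```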
‘pyOpenSSL’ module missing required functionality. Try upgrading to v0.14 or newer
Do you have some custom install using pip?
Hi
It seems your No-IP address is not resolving correctly…
Or the Firewall is not configured correctly, in any case, there’s no website responding…
None of the names tried respond…
Mostly not found, if entering IP, nothing appears.
My 2 cents
Andy
I finally got LetsEncrypt certs for my Nethservers and even the OPNsense. (Thank you all for your Help!)
The problem is that the browser (Firefox) doesn't accept it because the internal server name (srv1.mydomain.lan) and the DynDNS domain name (myname.zapto.org) don't match…
How did you solve this issue?
Does creating a hostname alias for your server solve your problem?
In the server manager: Dashboard > Hostname / Alias
Yep, this works but I have more than one server… Do I need a public domain for each server?
With the default NS Let's Encrypt HTTP challenge: yes.
Tip: search the forum for "Let's Encrypt DNS challenge" and you'll find a ton of information.
OK, thank you!