Connect OPNsense to Nethserver AD?

NethServer Version: 7.9

I would like to connect my OPNsense Firewall to the Nethserver Samba AD.
What are the right credentials?

I tried it on the CLI with ldap:

And with ldaps:

@fausp

Hi

The problem is that the AD in NethServer uses its own, self-created SSL certs, even if your NethServer is using Let's Encrypt SSL certs. But not your AD!

See here for solution:

My 2 cents
Andy

1 Like

Thank you for the hint. For a quick test I just disabled strong auth but this is not a solution for production…

@fausp

Hi

OPNsense is a “pro” firewall - it won’t accept “anything” you throw at it, especially not where certs are concerned… It’s quite fussy - but on the other hand, that’s quite good! :slight_smile:

There are 2 solutions: let OPNsense do all LE certs, or NethServer. Then transfer the certs over.
Better still would be DNS API enabled, but my DNS hoster has no API for LE… :frowning:

My 2 cents
Andy

PS: I gave Elliani the hint in a long session - long ago… :slight_smile:

2 Likes

That’s what acme-dns is for.

@danb35

Agreed, but I also need time for that, and end of year, a new year / budget for clients - is always a busy time.

Add in preps for FOSDEM and my little Zabbix Demo next week…

But it will come… Rome wasn’t built in a day…

Also setting up a hosted NethServer for myself (VPS).
I’m also thinking of one at Contabo…

My 2 cents
Andy

@fausp I am with you 100% on having problems with some other items needing a valid cert for authentication and honestly it is very easy & arbitrary to do. So much so I made a feature request here you should bump up to let them know you have an active interest in a 1 click cert import for AD.

@mrmarkuz helped me understand the logic of some of the scripts posted around the forum and it comes down to four basic steps:

  1. Copy the valid LE cert to the NS AD container

    cp -f /etc/letsencrypt/live/nsdc-demo.ad.example.com/privkey.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
    cp -f /etc/letsencrypt/live/nsdc-demo.ad.example.com/fullchain.pem /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem

  2. Change permissions of the newly copied LE cert

    chmod 600 /var/lib/machines/nsdc/var/lib/samba/private/tls/key.pem
    chmod 644 /var/lib/machines/nsdc/var/lib/samba/private/tls/cert.pem

  3. Restart NS AD container

    systemctl -M nsdc restart samba

Now you can automate all of this to your heart’s delight like @Andy_Wismer suggested, but it is dependent on how you want to renew & hook in your LE cert. I verified that this above solution worked for my Guacamole AD users because I just can’t think disabling strong authentication in 2021 is gonna be a sustainable thing. This took me literally 10 minutes to do manually but would be horrible to keep track of for 3 month renewals or scale out.

3 Likes
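The three manual steps from the post above, put into one POSIX shell script so they can be run from a renewal hook instead of by hand. This is an added example, not a script from the thread or from NethServer; the container name `nsdc`, the Samba TLS path and the `key.pem`/`cert.pem` names come from the post, while the function names, the `ALLOW_RESTART` switch and the temp-file-then-rename approach are this example's own choices. It adds the checks a renewal hook should have: refuse to run when the new files are missing or empty (so a failed renewal cannot wipe a working cert), never leave a half-written key in place, and confirm that `cert.pem` actually belongs to `key.pem` before Samba is restarted.

```shell
#!/bin/sh
# Added example (not from the thread): push a Let's Encrypt cert into the
# NethServer AD container. Paths/container name follow the post above;
# function names and ALLOW_RESTART are assumptions of this example.
set -eu

# Step 1 + 2: copy privkey.pem/fullchain.pem from a LE "live" directory into
# the Samba TLS directory and set the permissions Samba expects.
# Returns 1 on a missing or empty input so a broken renewal never replaces
# a working cert.
deploy_ad_cert() {
    src="$1"   # e.g. /etc/letsencrypt/live/nsdc-demo.ad.example.com
    dst="$2"   # e.g. /var/lib/machines/nsdc/var/lib/samba/private/tls

    for f in privkey.pem fullchain.pem; do
        if [ ! -s "$src/$f" ]; then
            echo "missing or empty: $src/$f" >&2
            return 1
        fi
    done
    mkdir -p "$dst"
    # Write to temporary names first, then rename: Samba never sees a
    # half-written key if the copy is interrupted.
    cp -f "$src/privkey.pem"   "$dst/key.pem.tmp"
    cp -f "$src/fullchain.pem" "$dst/cert.pem.tmp"
    chmod 600 "$dst/key.pem.tmp"
    chmod 644 "$dst/cert.pem.tmp"
    mv -f "$dst/key.pem.tmp"  "$dst/key.pem"
    mv -f "$dst/cert.pem.tmp" "$dst/cert.pem"
    return 0
}

# Sanity check (needs openssl): the public key inside cert.pem must match
# key.pem, otherwise Samba fails every TLS handshake after the restart.
# Skipped with a warning when openssl is not installed.
cert_matches_key() {
    dst="$1"
    command -v openssl >/dev/null 2>&1 || {
        echo "openssl not found, skipping cert/key match check" >&2
        return 0
    }
    c=$(openssl x509 -noout -pubkey -in "$dst/cert.pem")
    k=$(openssl pkey -pubout -in "$dst/key.pem")
    [ "$c" = "$k" ]
}

# Step 3: restart Samba inside the nsdc container. Only done when
# ALLOW_RESTART=1, so the script can be dry-run on a workstation.
restart_ad_samba() {
    if [ "${ALLOW_RESTART:-0}" = "1" ]; then
        systemctl -M nsdc restart samba
    else
        echo "ALLOW_RESTART not set; skipping 'systemctl -M nsdc restart samba'" >&2
    fi
}

# Usage, e.g. as a certbot deploy hook (certbot exports RENEWED_LINEAGE):
#   ALLOW_RESTART=1 sh deploy-ad-cert.sh "$RENEWED_LINEAGE" \
#       /var/lib/machines/nsdc/var/lib/samba/private/tls
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    deploy_ad_cert "$1" "$2" && cert_matches_key "$2" && restart_ad_samba
fi
```

Run it once by hand with `ALLOW_RESTART` unset to see the copy and the match check succeed, then wire it into whatever renews the cert on the host; the restart is deliberately the last step so a mismatched or missing file stops the script before Samba is touched.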

Tried to get a LE cert and got this error msg:

‘pyOpenSSL’ module missing required functionality. Try upgrading to v0.14 or newer

Do you have some custom install using pip?

1 Like

I think it was necessary to be able to install/run ansible…

I tried:

But I still get the error…

Ports 80 and 443 are open and the .zapto.org name points to my IP…

@fausp

Hi

It seems your No-IP address is not resolving correctly…
Or the Firewall is not configured correctly, in any case, there’s no website responding…

None of the names tried respond…
Mostly not found, if entering IP, nothing appears.

My 2 cents
Andy

I finally got LetsEncrypt certs for my Nethservers and even the OPNsense. (Thank you all for your Help!)

The problem is that the browser (Firefox) doesn’t accept it because the internal server name (srv1.mydomain.lan) and the DynDNS domain name (myname.zapto.org) don’t match…

How did you solve this issue?

Does creating a hostname alias for your server solve your problem?

In the server manager: Dashboard > Hostname / Alias

Yep, this works but I have more than one server… Do I need a public domain for each server?

With the default NS Let’s Encrypt HTTP challenge: yes.

Tip: search the forum on Let's Encrypt dns challenge and you find a ton of information. :wink:

OK, thank you!