[solved] Enable certificate renewal-hook in nethserver

Validated by a trusted CA:

1 Like

Yes, I understand that thanks :slight_smile:

I wanted to just point out, that theoretically the router just wants to only do encrypted queries, and if a “valid” certificate is installed on it, then it should do the trick. But I get your point, so I probably will just modify the script that is fired every time the letsencrypt certificate is renewed and copies and installs the certificate to the router to additionally copy it to nsdc. :slight_smile:

But I’ll have to do my homework first, and find out how to modify routing as prerequisite to accomplish the above.

Thanks again. Really appreciate your help :+1:

2 Likes

I have a final follow-up question. I want to use the same script, which copies my certificates to opnsense, to copy them also to nsdc on the dc nethserver. Can any of you please assist me? As Giacomo had described, the letsencrypt files are /etc/letsencrypt/live//{fullchain.pem,privkey.pem}, right?

The nsdc container uses /var/lib/machines/nsdc/var/lib/samba/private/tls/{key.pem,cert.pem}, is that correct?

So can I just copy privkey.pem -> key.pem and fullchain.pem -> cert.pem? And finally I’ll have to systemctl -M nsdc restart samba for a samba restart on nsdc. Will that do it? Or am I missing something?

Yes, that should do it.
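The copy-and-restart procedure confirmed above, written as a certbot deploy hook (an added example, not code from the thread or from NethServer). It assumes the paths quoted in the thread, that certbot exports the live directory in RENEWED_LINEAGE, and that it runs as root on the NethServer host:

```shell
#!/bin/sh
# Added example (not from the thread or NethServer): certbot deploy hook that copies
# the renewed Let's Encrypt files into the nsdc container and restarts Samba there.
# Paths are the ones quoted in the thread; RENEWED_LINEAGE is the live directory
# certbot exports to deploy hooks. Assumed to run as root on the NethServer host.
set -eu

NSDC_TLS_DIR="/var/lib/machines/nsdc/var/lib/samba/private/tls"

# Copy privkey.pem -> key.pem and fullchain.pem -> cert.pem from live dir $1 into
# tls dir $2. Writes temp names first and renames, so Samba never reads a
# half-written file; the private key stays root-only (0600).
install_nsdc_cert() {
    live_dir="$1"
    tls_dir="$2"
    [ -r "$live_dir/privkey.pem" ] && [ -r "$live_dir/fullchain.pem" ] || return 1
    mkdir -p "$tls_dir"
    umask 077
    cp "$live_dir/privkey.pem" "$tls_dir/key.pem.tmp"
    cp "$live_dir/fullchain.pem" "$tls_dir/cert.pem.tmp"
    chmod 0600 "$tls_dir/key.pem.tmp"
    chmod 0644 "$tls_dir/cert.pem.tmp"
    mv "$tls_dir/key.pem.tmp" "$tls_dir/key.pem"
    mv "$tls_dir/cert.pem.tmp" "$tls_dir/cert.pem"
}

# Refuse to restart Samba with a key that does not belong to the certificate
# (compares public keys, so it works for RSA and ECDSA). Returns 2 without openssl.
cert_matches_key() {
    tls_dir="$1"
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$tls_dir/cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$tls_dir/key.pem" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# When certbot calls this hook RENEWED_LINEAGE is e.g. /etc/letsencrypt/live/<domain>;
# without it the functions are only defined and nothing is copied.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_nsdc_cert "$RENEWED_LINEAGE" "$NSDC_TLS_DIR"
    if cert_matches_key "$NSDC_TLS_DIR"; then
        systemctl -M nsdc restart samba
    else
        echo "could not verify that key.pem matches cert.pem in $NSDC_TLS_DIR; not restarting samba" >&2
        exit 1
    fi
fi
```

Install it as /etc/letsencrypt/renewal-hooks/deploy/nsdc-cert.sh (executable) so certbot runs it only after a successful renewal.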

Hi,
I have the same problem with OPNsense and NethServer AD. Did you find a solution?
Regards

Yes, it works here. My findings were the following:
I was not able to do it with a self-signed certificate, thus the nethserver ad nsdc container needs to be configured with a valid certificate with ad.yourdomain.com in it. So I use a letsencrypt certificate. OPNsense needs to be able to ping ad.yourdomain.com. The OPNsense query needs to be encrypted (port 636). And the base dn must be configured accordingly. For copying the certificate to OPNsense I found a script. See the comments of Giacomo on how to implement it. I basically have made a certificate for sshing from nethserver (holding the letsencrypt certificate) to OPNsense without password, then configured that the certificates and this php script are copied (scp) to OPNsense, then invoked the php script (also via ssh), and then deleted the script and the copied certificates from OPNsense. Every time there is a new certificate, the above happens automatically. To trigger a copy every time the certificate is renewed, see Giacomo's post in this thread. Once the certificate is in place in OPNsense and also in the nsdc ad container, the only remaining thing is to get userdn, bind credentials and base-dn right depending on your domain setup. I had trouble understanding cn and ou. Once I got them right, everything worked as expected. For example, when you edit your domain with rsat tools from within a windows client and you create an ou MyUsers, that's ou=, but the standard container Users is cn=. The same goes for MyComputers (ou=), but the standard container Computers is cn=.

In my case, I always got the error message "wrong credentials" or "unknown user" in OPNsense, in the log located here in OPNsense (sorry, but I have it in german): System/Protokolldateien/Allgemein, until I figured out that while my normal domain users were transferred to ou=MyUsers, the user which I created for LDAP queries remained in the standard “container” Users.
Thus the correct User DN in my case is:
cn=ldapusername,cn=Users (and not ou=MyUsers),dc=ad,dc=yourdomain,dc=com

I hope that helps.

4 Likes

Hi Elleni,

Nicely explained findings.

Michel-André

Today I realized our OPNsense server stopped authenticating our roadwarrior users. The reason is Let’s Encrypt changing its root CA certificate while our OPNsense router was not updated for a while. Manually executing the php script which updates the certificate, as described in this thread, revealed that the script refused to update the certificate on the OPNsense router with the message:
The certificate issuer does not match the certificate.
O=Let’s Encrypt, CN=R3, C=US,

I thought the solution would be updating the OPNsense router but it wasn’t :slight_smile:

I had to modify the script and change CN=Let’s Encrypt Authority X3 to CN=R3; then the script works fine again. But I discovered that I could not renew the letsencrypt cert on nethserver, so I opened a separate thread after discovering that I cannot renew our letsencrypt certificate on our nethserver.