  1. #1
    Untangler
    Join Date
    Dec 2017
    Posts
    85

    HTTPS Certificates

    Something that's bothered me about Untangle for years is my inability to get the HTTPS certificates done properly. I feel like I need a little help with setting it up properly. I would like to avoid the "not secure" warning all the time on the web GUI. I know it's dumb, but I feel like it's a failure on my end to properly learn to set it up. So is it possible I could get a little help on it from someone a bit more knowledgeable? I'm not sure if I need to do something through Let's Encrypt or use a certificate authority.

    Thanks!

  2. #2
    Untangler
    Join Date
    Nov 2018
    Posts
    51


    Are you trying to access your Untangle box over the internet? I wouldn't recommend this option from a security point of view. For this you could use Command Center or a VPN. So the question is: are you trying to access Untangle over the internet (and why), or from your local network?

  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,813


    Solving HTTPS errors in administration simply means having the correct certificate.

    But here's the rub... what is the correct certificate? To access from all angles without errors you need a certificate that's named for your public DNS name, your private DNS name, and all IP addresses on Untangle. Every time an IP changes, you need a new certificate.

    Now, if you limit yourself to just the public name operating without error, this becomes fairly trivial. But if you pop your IP into the address bar... BAM browser complaint.

    This is why I just don't care about the certificates on my networking gear, SSL isn't a great security mechanism for this stuff.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Untangler
    Join Date
    Dec 2017
    Posts
    85


    It's over my local network, not the public IP. It's just more that I feel like I've failed by having the error. It's like having the check engine light on because the gas cap wasn't tight.

  5. #5
    Untangler
    Join Date
    Nov 2018
    Posts
    51


    I've created my own for local access and it works fine, no errors. Go to Config > Administration > Certificates, click on Generate Server Certificate (bottom left) and fill in all the data. For example, CN is filled in automatically if you have a hostname and domain name for the local network. Under Subject Alternative Names you just leave the local domain name which resolves to Untangle's IP on the local network, or the IP address of Untangle (e.g. 192.168.1.1). I excluded the WAN's IP because I would never access it over the internet, unless it's a safe VPN.
    Be sure to check HTTPS, save everything and click on Download Root Certificate Authority. Import that cert into the trusted root certificates in your browser and there you go. Hope it works for you, otherwise ask here.

  6. #6
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,758


    1. Get a real, public domain name. Even a free name from someone like no-ip.com can work (though these are technically host names... but you can use them). An internal domain name (.local, etc.) will not.

    2. Choose a hostname within that domain for the Untangle server. For example, if you own "example.com" you might choose "untangle.example.com". If you use a name from a free domain service like no-ip.com, this name probably is the host name.

    3. Make sure public DNS for this FQDN name points at your Untangle server's public IP. If you are certain you will NEVER need to reach the untangle server from the outside, you can skip this... but if you want to use Untangle's VPN support, for example, you probably want this. One way to accomplish it is via the "Dynamic DNS Service Configuration" section in Config=>Network=>Hostname.

    4. Set up split DNS, so internal clients looking up the FQDN name will pick up the internal IP. This sounds complicated, but all it really means is adding a static A record for your FQDN hostname in your local DNS server to point at the Untangle internal IP.

    5. Put the desired host and domain in Untangle's Config=>Network=>Hostname section, and then check the "Use Hostname" radio button a little lower. Save. Make sure you've done this after step 4, even though you were on the same config page for step 3, or you may break your ability to reach some pages. Also remember: most DNS entries are cached, so make sure you've flushed your cache before testing or assuming things are broken.

    6. Now you can log into Untangle via the terminal and set up Let's Encrypt... though this is tricky, because it's not supported and likely to be overwritten at update time (it'd be really nice to have support for this built in). The alternative is purchasing a certificate, but a one-year basic cert from DigiCert is $218, which is more than 3x what you pay for a home subscription over the same period. There are cut-rate services that charge much less, but they're commonly not trusted by browser and OS vendors, and the whole point here is getting a cert from someone they do trust.

    7. Whatever you do, once you have a certificate you have to tell Untangle to use it. This is done via Config=>Administration=>Certificates. Look for the "Upload Server Certificate" button conveniently hiding at the bottom of the page where you'll never see it. The trick here is there's usually also an intermediate certificate. You need to make sure this intermediate is bundled in the same file when you upload.

    8. Now look in Config=>Network=>Access rules, and make sure HTTPS is not blocked.

    That's it, though I did a lot of hand-waving in step 6 about where to get your cert. At one point, I thought there was also an option to always redirect HTTP block and admin pages to HTTPS, but I didn't see it reviewing things for this post. And yes, I know "FQDN name" is redundant, but this makes it easier to follow if you don't know the FQDN acronym.

    [Optional 9.] Set up a port forward rule to redirect outbound traffic for port 53 back to the internal DNS server used with step 4. (Don't forget to bypass that server's DNS traffic).
    Last edited by jcoehoorn; 07-19-2020 at 02:14 PM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 15.1.0 to protect 500Mbits for ~450 residential college students and associated staff and faculty
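An added example, not from any poster in this thread and not Untangle's own tooling, that works through the two certificate points raised here with plain openssl: the server certificate's Subject Alternative Names must cover the hostname and the LAN address (#3, #5), and the intermediate must be bundled with the server certificate before upload (step 7). It builds a throwaway root, intermediate and server certificate in a temp directory; the FQDN and IP are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root CA, an intermediate CA and
# a server certificate whose SANs name the public FQDN and the LAN IP (the coverage
# posts #3 and #5 describe), then show why the intermediate must travel with the
# server cert (step 7 above). The hostname and IP are constructed placeholders.
set -e
FQDN="untangle.example.com"   # assumption: the public name from step 2
LAN_IP="192.168.1.1"          # assumption: Untangle's internal address
WORK=$(mktemp -d)
cd "$WORK"

# Issue root -> intermediate -> leaf. Key generation chatter goes to /dev/null.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Demo Root CA" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Demo Intermediate CA" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >inter.ext
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out inter.crt -days 2 -extfile inter.ext 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=$FQDN" 2>/dev/null
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$FQDN" "$LAN_IP" >leaf.ext
  openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -out leaf.crt -days 2 -extfile leaf.ext 2>/dev/null
  cat leaf.crt inter.crt >bundle.pem   # the file to upload: leaf first, then intermediate
}

# Print the SAN line of the server cert so both the hostname and the IP can be checked.
leaf_sans() {
  openssl x509 -in leaf.crt -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | sed 's/^ *//'
}

# Exit 0 only if leaf.crt chains to the root using just the certs given as arguments.
chain_ok() {
  # $1 = file with the intermediate(s), or empty to simulate forgetting them
  if [ -n "$1" ]; then
    openssl verify -CAfile root.crt -untrusted "$1" leaf.crt >/dev/null 2>&1
  else
    openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
  fi
}

make_chain
echo "SANs: $(leaf_sans)"
chain_ok ""        && echo "leaf alone: OK" || echo "leaf alone: FAILS (intermediate missing)"
chain_ok inter.crt && echo "leaf+intermediate: OK" || echo "leaf+intermediate: FAILS"
```

The same `openssl verify` check, run against a vendor-issued bundle with the vendor's root as `-CAfile`, tells you before uploading whether the intermediate is actually in the file.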

  7. #7
    Newbie
    Join Date
    Jul 2020
    Posts
    3


    Will Let's Encrypt be implemented in a future release?

    I think there's no need to spend $218 for DigiCert.... for home use, PositiveSSL via Namecheap will be good enough.... less than $20 for 5 years.... of course you can't do wildcard domains like Let's Encrypt. For home use, living with port numbers is fine. Just bookmark the site.

  8. #8
    Untangle Ninja
    Join Date
    May 2008
    Posts
    1,209


    Quote Originally Posted by DrAnarchy:
    Will Let's Encrypt be implemented in a future release?
    Vote for this feature request: https://untanglengfirewall.featureup...0/lets-encrypt Not sure how many more than 847 votes it will take, but maybe you can break the camel's back.

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,813


    Let's Encrypt doesn't solve the problem though... that's the issue.

    You need a certificate that works for the public name, the private name, and all the IP addresses on Untangle to eliminate all those errors, and even then you don't get rid of the errors generated on the block pages. Also you cannot get SSL certificates for private names or IP addresses anymore.

    This is a cosmetic change with no actual substance. I'd much rather Untangle enhance the admin UI with MFA support than muck about with this.

    Though even as I say all this, I must also admit there's something off in the optics of Untangle, as an open source project doing what it does, enabling self-signed certificates over the use of Let's Encrypt. Functionally none of this is important, but it feels wrong anyway. So I figured at some point this would be added, but I wouldn't expect it to be so until after Untangle works out all the magic required for EFI support. After all... certificates don't matter much if we can't install Untangle anymore!
