[Help Wanted] Unable to create ACME cert behind opnsense and proxmox

[Dvalin21]

Describe the bug I've tried installing this on proxmox, behind opnsense. For some reason, even after verifying both ports 80 and 443 were open, it wouldn't allow me to create letsencrypt certificates. Also under "certs wiki" where you can verify that your ports are open, it would fail each time. I've other ports opened the same way with no issues. Is it possibly because I have it installed on Proxmox?

To Reproduce Steps to reproduce the behavior:

1. Go to '...' TLS Certificats
2. Click on '....' Click on Open ACME Tool
3. Scroll down to '....' Click on create ACME (keeps saying probably firewall)
4. Click on "Wiki" at the bottom
5. Click on check on open ports (I may have the terminology wrong)
6. It would say unable to connect, Verify if your behind a NAT that its connected correctly.

In opnsense, here is how I had the port forwarding setup Under Nat Port Forwarding

Interface: WAN
TCP/IP Version: IPV4
Protocol: TCP
Source: Any
Source Port Range: Any
Destination: WAN Address
Destination Port Range: Alias Zoraxy ( for ports 80, 443)
Redirect Target IP: Ip address for Zoraxy
Redirect Target Port: Alias Zoraxy ( for ports 80, 443)

Then clicked saved. Restart Zoraxy and router....got the same result.

**Expected behavior**
I expected it to be able to see the port forwards and assign certs

**Browser (if it is a bug appears on the UI section of the system):**
 - OS: [e.g. iOS]  Proxmox/Lxc/Debian 12
 - Browser [e.g. chrome, safari] Chrome
 - Version [e.g. 22] 2.6.7

**Host Environment (please complete the following information):**
-  Arch: [e.g. arm64] amd64
 - Device: [e.g. Bananapi R2 PRO] Custom PC
 - OS: [e.g. Armbian] Proxmox
 - Version [e.g.  23.02 Bullseye ] Debian (Proxmox based on Debian)

I used the following script to install it to proxmox bash -c "$(wget -qLO - https://github.com/tteck/Proxmox/raw/main/ct/zoraxy.sh)"

This came from https://tteck.github.io/Proxmox/

Additional Information

For the time being had to switch back to Nginx, which once I restored Nginx from backup, it immediately started running. All certs were renewed with no issues. I would rather switch over however with all that Zoraxy offers. Thanks

[tobychui]

I am not sure about opnsense and running inside proxmox, but there are users who run their Zoraxy inside proxmox and ACME tools is usable when Zoraxy is directly exposed to the internet. This seems like a "Help Wanted" issue to me than a bug that caused by Zoraxy.

With such complex infrastructure in place, you should keep using Nginx which provide more flexible configuration than Zoraxy. Again, Zoraxy is design for noobs with simple network infrastructure and it is not design to handle complex infra like yours. Not to mention running in Chinese hardware like the Bananapi which, in my experience, might contains weird issues within the kernel they supplied. In your use cases, Nginx seems a better fit for you.

I will update the label and keep this here in case anyone out there figure out a solution to your problem.

[Dvalin21]

Thanks Toby for the reply. I did go back to Nginx for the time being. There are many who I know or on forums that I'm on that are noobs. Ill make sure to reference this app to them. However, I think I may have been doing something wrong after looking a little closer. I think my issue was the root proxy port and the proxied port on the status page. If someone was just doing a common reverse proxy function with Zoraxy, what should go in the set root proxy and what should go in the proxied port on the status page? Will use this for future reference when referring this app.

On Fri, Nov 24, 2023 at 4:02 AM Toby Chui @.***> wrote:

I am not sure about opnsense and running inside proxmox, but there are users who run their Zoraxy inside proxmox and ACME tools is usable when Zoraxy is directly exposed to the internet. This seems like a "Help Wanted" issue to me than a bug that caused by Zoraxy.

With such complex infrastructure in place, you should keep using Nginx which provide more flexible configuration than Zoraxy. Again, Zoraxy is design for noobs with simple network infrastructure and it is not design to handle complex infra like yours. Not to mention running in Chinese hardware like the Bananapi which, in my experience, might contains weird issues within the kernel they supplied. In your use cases, Nginx seems a better fit for you.

I will update the label and keep this here in case anyone out there figure out a solution to your problem.

— Reply to this email directly, view it on GitHub https://github.com/tobychui/zoraxy/issues/83#issuecomment-1825425809, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABY7PVNJOTIIE3XG2SGYUMDYGBWEZAVCNFSM6AAAAAA7Y3HQX6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRVGQZDKOBQHE . You are receiving this because you authored the thread.Message ID: @.***>

[tobychui]

Hi @Dvalin21,

As Zoraxy is not Apache or Nginx that has their own static web server (at least not before 2.6.7), the proxy root is designed for you to forward default traffics to an external web server (like Apache or Nginx). Now with the 2.6.8 release, you can just tick "Use static web server as root" options and let Zoraxy's build in static web server handles the unknown traffics.

That aside, it is common that you might not be used to how Zoraxy name things if you are a long term Nginx (or NPM) user. For those options, here is how I set them

Status Page

Proxy Root Page

Where I have another Apache web server running on localhost:8080 (this can be any LAN address, public IP address or domain) and my zoraxy allow https access (i.e. port 443) from the internet (WAN).

[Dvalin21]

@tobychui Thank you so much for taking the time to explain this. I will be referring other users to this app and will share this to help them understand the setup.

[tobychui]

Closing this due to inactive and outdated.

[freedbygrace]

I just ran into this issue after migrating to Zoraxy. It is not Zoraxy that is the issue. It is DNS and the way that the ACME protocol works/has been implemented. It is implemented within the Zoraxy in the best way, but OPNSense unbound DNS is intercepting the dns response for some ridiculous reason. Because the certificate is requested using SOA dns, it is expecting a specific response, but because Unbound intercepts it, it appears tampered and Zoraxy can only respond and say, you did not get the certificate. The problem is happening upstream. I just spent two days this.

nslookup -type SOA yourrecord.yourdomain.com

Note: I have the exact same setup. Proxmox, Virtual OPNSense, Linux VM, Docker Container running Zoraxy in host network mode on the container.

In the end, I switched my internal DNS server to Technitium, but there are DNS alternatives in OPNSense that could possibly be used also.