BigFix Server SSL Certificate on the cheap

I have a test BigFix server at home and I got really tired of the self-signed certificates for https tripping me up, so I went on a journey to resolve it “on the cheap”.

  1. I got a domain from GoDaddy for about $15/year
  2. Got my public IP from my home router (it’s dynamic, but only changes like once every 2 years) and pointed my GoDaddy domain at my public IP on my router.
  3. I played around with my home router and found the “host in DMZ” setting. I used this to put my BigFix server into my DMZ temporarily.

So now I could get to my BigFix server REST API, Web Reports and WebUI from external to my house.
I run them all on a single test server (again - on the cheap), but with the typical Self Signed Certificate issues in the browsers, so the journey continued.

  1. I tried a few free SSL cert services and found I liked Let’s Encrypt the best.
  2. I banged on certbot until I got a working set of certs from it and figured out where to put them and the BigFix settings to use them.

Now I had my browser issues resolved and that nice little green padlock indicating a safe SSL connection! Just a little bit to tidy up.

  1. I moved my BigFix server out of the DMZ and used Port Forwarding for 52311, 80, 443, 2443 (my webUI port) to allow those ports to pass my router and hit my BigFix server.

All working…

So I whipped up a little Fixlet that will do the Certbot stuff easily and set all the BigFix settings in one step.
https://bigfix.me/fixlet/details/26963

Working and secure SSL for my test BigFix server for $15/year in domain costs!

I would not use this for production work, but for your home test servers, it works a treat.
Once every 90 days or so you have to put your server back into the DMZ and run the certbot renew to refresh the certs. Since the Fixlet has all of the settings pointed at the Live folders, it updates them in place, making it super easy.

Hope this makes at least one person’s life a little easier.

Happy BigFixing

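The renewal routine from the post above (check how long the Let’s Encrypt cert in the live folder has left, run `certbot renew` only when it is actually close to expiry so port 80 is exposed as briefly as possible, confirm the renewed cert still matches the private key, then restart the services) as an added shell example. This is not the author’s Fixlet or any BigFix code: the certbot live path, the hostname bigfix.example.com, the Linux service names and the use of systemctl are all assumptions, and the BigFix settings the Fixlet writes (which simply point at the live folder) are not reproduced here.

```shell
#!/bin/sh
# Added example: Let's Encrypt renewal check for a home BigFix server.
# Assumptions (not from the post): certbot's default live folder, the hostname
# bigfix.example.com, and Linux service names restarted with systemctl.
CERT_DIR="${CERT_DIR:-/etc/letsencrypt/live/bigfix.example.com}"
RENEW_WITHIN_DAYS="${RENEW_WITHIN_DAYS:-30}"
# Assumed service names; the BigFix settings point at $CERT_DIR, so a restart is enough.
SERVICES="${SERVICES:-besserver beswebreports beswebui}"

# Returns 0 if the certificate expires within the given number of days, 1 otherwise.
# openssl's -checkend exits 0 when the cert is still valid at now+seconds, so invert it.
# A missing or unreadable cert counts as needing (re)issuance.
cert_expires_within() {  # cert_file days
  [ -r "$1" ] || return 0
  if openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Returns 0 if the private key belongs to the certificate (same public key), 1 otherwise.
# Catches a renewed cert.pem sitting next to a stale privkey.pem before services reload it.
cert_matches_key() {  # cert_file key_file
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null | openssl sha256)
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Prints subject, issuer and expiry so you can eyeball what the browser will see.
cert_summary() {  # cert_file
  openssl x509 -noout -subject -issuer -enddate -in "$1"
}

# Renew only when needed. certbot itself skips certs with more than 30 days left, but
# checking first means the DMZ / port-80 forward is only opened when there is work to do.
renew_if_needed() {
  cert="$CERT_DIR/cert.pem"; key="$CERT_DIR/privkey.pem"
  if ! cert_expires_within "$cert" "$RENEW_WITHIN_DAYS"; then
    echo "certificate valid for more than $RENEW_WITHIN_DAYS days, nothing to do"
    return 0
  fi
  # The renewal config certbot wrote at issuance remembers the standalone (HTTP-01)
  # authenticator, so port 80 must reach this host from the internet right now.
  certbot renew --non-interactive || return 1
  if ! cert_matches_key "$cert" "$key"; then
    echo "renewed cert.pem does not match privkey.pem; not restarting services" >&2
    return 1
  fi
  for svc in $SERVICES; do systemctl restart "$svc"; done
  cert_summary "$cert"
}

# Only act when asked explicitly, e.g. from cron: renew-cert.sh renew
case "${1:-}" in
  renew) renew_if_needed ;;
  check) cert_summary "$CERT_DIR/cert.pem" ;;
esac
```

Run it with `check` to see the current expiry, and with `renew` after the server is back in the DMZ (or port 80 is forwarded). The cert/key comparison is the check worth keeping even if you drop everything else: certbot writes new `cert.pem` and `privkey.pem` symlinks together, so a mismatch means something went wrong with the live folder and restarting the services would only produce TLS handshake failures.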

Nice work!

IIRC, Let’s Encrypt’s certs have a very short expiry timeframe, correct? Would the renewal process be to just rerun this every N-1 days?


Another option is domains.google which offers domain name registration starting (realistically) at $12/yr (does depend upon TLD chosen), doesn’t try to upsell you, includes basic DNS hosting services and WHOIS privacy as part of the cost, and access to manage everything via simple web interface.

I have a similar process to @brolly33 for my home lab however I leverage the DNS TXT record authentication method with Let’s Encrypt so I don’t need to expose any of my servers.

Note, regardless of domain registration provider, some TLDs (notably .app, .day, .dev, .page) are secure-only TLDs and only support SSL traffic. If you register one of these, keep that in mind, as everything you set up using these names must be using SSL 100% of the time (i.e. there is no HTTP traffic allowed, and it will be denied in all web browsers and modern HTTP libraries regardless of port used).


@atlauren with this setup, my “once every 90 days” process is to move my server back into DMZ and run certbot renew then move the server back out of DMZ. Because I have used the default location for the certbot certificates, I don’t have to copy or repoint anything. Just renew and be done.

If I was not using Port 80 and 443 for another reason, I could just port forward those to my BigFix server and I could skip the DMZ portions.

@Mike, thanks for the alternative. There are absolutely better ways to do it. I will teach myself those on another weekend :) For now I am just pleased to get all my SSL certs into a single, easy-to-renew place on my BigFix server.
