@robatwork:

@kpa:

If you happened to have a self-signed certificate that was created before the change linked below the newer browsers definitely didn't like it because they now require the FQDN of the system in the SubjectAltName field of the certificate.

Which is where we came in  :)

I don't think I will start any arguments about whether Chrome is an upstart baby browser or fully mature 9 year old browser which eclipses all other browsers by market share

I meant newer versions of the mainstream browsers, not any of the completely new browsers or new forks of the existing ones. Chrome did what they had to with the validation requirements, hence the issue.

With a cluster, the certificates are shared between both nodes. If you import a cert for the secondary directly on the secondary it will be overwritten by the certs from the primary during the next config sync.

You can do two things:

1. Use a single certificate to cover both nodes (SANs include hostnames for primary, secondary, and a hostname for the CARP VIP for other purposes, or perhaps a wildcard cert) and then select this for use as the GUI cert on both nodes. This is simple with ACME and the way we usually recommend doing it.

2. Import the primary and secondary GUI certs to the primary node, so they will be synchronized to both units. Then pick the certificate in the GUI settings after that.

Ok it seems nginx IS running and 'netstat -l -p tcp-a -n|grep 80' confirms this.
I had some mark values in my routing and tried ping's -m but that route is for tcp.
Ping -r for ignoring routing did not work.

Sincerely,
JC Magras

MY problem( just ahead of yours in list) shows nothing when 'ps ax|
grep nginx' !  Et tu?

Good. Just for illustration, you really can break this with anything; e.g. here I replaced the string "NTP" with "NTP Lets Break This" in /usr/local/www/status_logs_common.inc, resulting in:

That is dangerously incorrect. There is more to HTTPS than encryption when used properly.

Do a fresh install and stop messing with /etc/passwd.

A first simple override of the up/down for disabled interfaces:
https://github.com/pfsense/pfsense/pull/3820

but perhaps there is more that can be done underneath to actually find out the hardware state even when at the pfSense software level the interface is disabled.

It's not on anyone's radar or to-do list that I'm aware of.

Looking at the backend code of the page, and the GUI, it will accept either space or ; as a separator and they both work.

Be sure when using ; that you don't use both a space and a ;.

So either: "example.com movie.edu"
OR: "example.com;movie.edu"

PS: RRD graphs are a bit irritating now, that's absolutely correct. Since that's data from the past I can live with it.

That was a general problem due in many places in the UI to a js change.
It should be fixed in recent builds by:
https://github.com/pfsense/pfsense/commit/a7c47d85270fcf8c784e6af61ea2fd09f9d4f5ac
related issue https://redmine.pfsense.org/issues/7625

It was immediately after the eclipse did its thing.

@Derelict:

You might consider a different authentication source instead of the firewall local users.

Users probably shouldn't be enabled to make changes to a firewall's configuration.

It sounds like you have much greater design problems than admin being called admin.

?

They can only change their user accounts password, wouldn't really call that changes to a firewall.

Especially seeing how that is what Jimp, is highly recommending be done lol. In not only my other thread with similar questions, but a ton other on the forums.

A different Auth source is all fine and good, except now that is more hardware, to do something I can already do with the Local. Sure if I had 1000s of usernames needed, I would do that, for the 35 rooms, not even close to worth it lol. So what other options is there? To run the different auth server on the same box? Well now I have to Visualize the PFsense and Auth server, which is even more of a security issue.

Even then, adding a MYSQL server and using Radius, just adds more security vulnerabilities, More OSes means more issues.

I have concerns about them accessing the GUI as well, that was brought up in the other thread. Jimp is assuring me, its fine, no matter where I go with what there is going to be an issue, its just deciding on the lesser of the evils.

Thanks. The crap color was driving me crazy.

I have an N3150 with 1.6GHz speed, but a boost speed of 2.08GHz.  Does pfSense ever make use of the 2.08GHz speed?  I cannot tell from the dashboard, as the clock speed goes away above 1.44GHz or so.

Also, it would be nice if the speed was just always displayed, instead of the page jumping up and down as the speed display comes and goes.

@jimp:

@spiorf:

because if I can get a certificate for "pfsense.lan", anybody can, and so there is no point  in verifying certificates or using https at all.

Which is not true for the reasons I stated. Nobody else can get a certificate for my firewall hostnames, because they could not pass the required validation.

And LE may be complex at first, but it almost forces you to setup automation. Changing keys every 3 months is more secure and is already done by sites covering ~30% of TLS transactions.

You are right. Sorry, english is not my native language.  What i really meant was " if i COULD get…". I know you can't.

As i already said, I know how complex LE is, and i already use it from the beginning, setting up the required automation. And i love it!

But you know what certificate transparency logs are, do you? Because I want to keep my internal hostnames private. Even more in a company.

This is a good and private security model. And can secure also IP addresses. While LE cant.

Everyone can do it the way he wants, but right now, you can do it your way from the GUI, while I can't (without an ugly hack).