Netgate Discussion Forum
    Problem with webGUI certificate

      SamDond

      I have a fresh install of pfSense and added the squid and squidGuard packages. Everything works fine and squidGuard blocks things. However, when a website is blocked I do not get the normal "This website has been blocked" page, but instead an error message from Squid.

      (92) Protocol error (TLS code: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
      Self-signed SSL Certificate: /O=pfSense webConfigurator Self-Signed Certificate/CN=pfSense=3c3100c2b0dda

      From what I gather there is some problem with the certificate that the web gui uses. I've tried googling for a solution but there is little information about this, and what few things I found do not work. I tried renewing the webGUI certificate as it was expired straight away when I installed pfSense, then I tried changing the web GUI to use HTTP, then I tried changing the proxy settings in Squid to have "Bypass Proxy for Private Address Destination" enabled, as well as the IP for pfSense in "Bypass Proxy for These Destination IPs", but these all did nothing. Any help is appreciated. Thanks.

      For reference, my version of pfSense is 2.5.2-RELEASE, squid is 0.4.45_5, and squidGuard is 1.16.18_20.

        SamDond

        I've done a bit of digging for the error message here: https://www.openssl.org/docs/man1.1.0/man3/X509_STORE_CTX_set_current_cert.html

        I looked up the error message code and found this:

        X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
        the passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates.

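Added example (not part of the original posts): a shell reproduction of the X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT condition quoted above, using the openssl CLI. It creates a constructed throwaway self-signed certificate (the subject names are made up), shows verify error 18 while that certificate is not in the trusted list, and shows verification succeeding once the same certificate is supplied as trusted.

```shell
#!/bin/sh
# Added example: every name and certificate below is constructed for the demo.

# Create a throwaway self-signed certificate and key in directory $1.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Self-Signed Certificate/CN=gui.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Succeeds when subject and issuer are identical (a self-issued certificate).
is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Print the verify error number for the given `openssl verify` arguments:
# 0 on success, "unknown" if verification failed without a parsable number.
verify_code() {
    out=$(openssl verify "$@" 2>&1) && rc=0 || rc=$?
    code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    if [ -n "$code" ]; then
        echo "$code"
    elif [ "$rc" -eq 0 ]; then
        echo 0
    else
        echo unknown
    fi
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_selfsigned "$demo_dir"
cert="$demo_dir/cert.pem"

is_self_issued "$cert" && echo "certificate is self-issued"
# The constructed certificate is in no trust store, so this reports
# error 18 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT).
echo "untrusted: verify error $(verify_code "$cert")"
# Same certificate supplied as a trusted certificate: verification succeeds.
echo "trusted:   verify error $(verify_code -CAfile "$cert" "$cert")"
```
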
          SamDond

          Ok so I sorta fixed it with a slight workaround.

          Set pfSense's web gui to use http rather than https. Go to Services > SquidGuard Proxy Filter, and go to the Common ACL tab. Here change the Redirect Mode to ext url move (enter URL) and then in Redirect Info add: http://<my_pfsense_ip>/sgerror.php?url=403%20Error&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u (replace <my_pfsense_ip> with the actual value; by default it's 192.168.1.1).

          There is probably a better solution to this involving the web gui's certificate not clashing with squidguard out of the box, but I can't find any help on it anywhere.

            Gertjan @SamDond

            @samdond

            Browsers will always warn if a certificate is self-signed.
            When you access the pfSense GUI over https, pfSense will use a self-generated - thus self-signed - certificate. You can instruct your browser to make an exception.

            Or get a certificate from a trusted certificate authority, like Let's Encrypt and the acme.sh pfSense package.

            @samdond said in Problem with webGUI certificate:

            Set pfSense's web gui to use http rather than https.

            That's another solution.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.