WebGUI SSL cert for HA cluster
-
I have a HA setup of 2 pfsense nodes. I am trying to configure SSL server certificate for Web GUI specific for each node. I have disabled the sync option of Certificate Authorities, Certificates, and Certificate Revocation Lists from the Configuration Synchronization Settings (XMLRPC Sync). However, configured web GUI SSL certificate from the primary node is synching to the 2ndary node and removing the certificate set for 2ndary GUI. Pfsense version I am using is 2.5.2. Is it a bug? Or is there any other configuration do I need to check. Please, help me out with this issue.
Thanks
-
@jinat
What about a getting a wild card cert ?I'm just thinking out loud, I'm not using HA or inter router syncing.
-
@gertjan wild cart certs are no-no now a days. It includes lot more functions that is not expected in a highly secured environment.
-
If you sync OpenVPN that requires certificates to sync so it will still copy them if you have that on.
For HA you can do a couple different things:
Method 1: Include SANs for both nodes and the shared CARP VIP hostname in one certificate and have both use that (works great w/ACME, certs from other places may cost more)
Method 2: Import the cert for the primary and secondary nodes (plus any shared certs) to the primary so all certs exist on both nodes. Then pick the appropriate one for use in the GUI on both.
-
@jinat this is actually a very interesting question. I have no real play time with HA setup..
I see no real mention of this in the ha example setup. But do see setting different names for the nodes, firewall-a and firewall-b for example. So this would suggest for sure use of different certs.
And since the name doesn't get overwritten, you would assume that the cert used wouldn't get overwritten either.
You should still be able to sync CA, certs etc.. But the setting for which cert the node uses shouldn't get overwritten.
So should be able to have a cert for firewall-a and firewall-b on both nodes, where a uses the A cert and b uses the B cert..
I think I need to setup a HA to play with for just this question.. Because now my curiosity cat is meowing at me ;)
edit: I see jimp chimed in, method2 was how I was thinking it should work.. But I like method 1 as a better option to be honest.
-
@jimp Hi, thanks, that sounds good. I have applied method 1 already.
-
@johnpoz Hi, what is the reasoning behind to consider method 1 as a better option?
-
@jinat because you can access either or and the carp address with just 1 cert ;)
-
@johnpoz Here I am using Web GUI SSL cert for accessing GUI, following the configuration System->Advanced->AdminAccess->HTTPS->Certs. Not sure about the CARP VIP address you are talking about. How SSL cert can be used in CARP configuration? There should be a backend HTTPS configuration that I am aware of.
-
@jinat You have your carp vip right, pick a name - setup dns to resolve that name firewall-c.yourdomain.tld for example.. Since the cert has the san for firewall-c its valid.
This would just load the node that is primary and owns the vip at the time..
-
@johnpoz I am not using CARP VIP for pfsense nodes. But yes, what I have done is I have given the certificate a shared common name and the certificate includes SAN with fqdn of primary and 2ndary node.
-
@jinat said in WebGUI SSL cert for HA cluster:
I am not using CARP VIP for pfsense nodes.
Then they are not really in a HA setup.. The only way you could get client to move over to the other node would be manually. If there is no vip that the nodes pass shared that one ones and the other does not unless the primary fails.
How do your clients move to the other node.. You would manually have to change their gateway to point to the other node.
-
@johnpoz Hi yes as I am not using CARP VIP it is not fully redundant HA setup. Is there any way I can change the certificate with CLI? I have lost GUI access.
-
@jinat said in WebGUI SSL cert for HA cluster:
Is there any way I can change the certificate with CLI?
like pick which one? I do not believe so other than rolling back to another restore recent config.
You could use
pfSsh.php playback generateguicertTo generate a selfsigned and use that. or just revert to http for the gui, etc.
-
@johnpoz I recovered the GUI Acces with generating new web configurator cert. Thanks.
Now, I am having A communications error occurred while attempting to call XMLRPC method merge_installedpackages_section: @ 2021-12-14 08:52:20 and GUI access is not stable it is very often giving 504 gateway timeout error.
