SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE after successful cert renewal
-
I renewed the ACME certificate on pfSense yesterday. It is listed in the UI, under Services / Acme / Certificates as
Valid From: Sat, 25 Feb 2023 19:14:36 -0800 Valid Until: Fri, 26 May 2023 20:14:35 -0700
But when I access the FQDN or IP via Firefox, I get
Error code: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
Viewing the certificate shows
Validity Not Before Mon, 18 May 2020 23:19:44 GMT Not After Sun, 16 Aug 2020 23:19:44 GMT
The name on the certificate according to the browser is the same as in the UI's SAN list.
In the certificate options page, the actions list consists of
/etc/rc.restart_webgui
I have tried
- Issuing /etc/rc.restart_webgui via the UI Execute Shell Command facility
- Restarting pfSense
- Halting and booting pfSense
Also, on the computer running my browser I tried
sudo apt-get purge firefox
rm -r ~/.mozilla/* ; rmdir .mozilla
rm -r /etc/firefox/* ; rmdir /etc/firefox
rm /usr/lib/firefox-addons/* ; rmdir /usr/lib/firefox-addons
I am running pfSense 2.6.0-RELEASE (amd64) and acme package version 0.7.3.
It is a bit embarrassing but in case it is relevant, yesterday I upgraded from pfSense 2.4.5 to pfSense 2.6.0, following the Netgate Upgrade Guide. I removed the ACME package prior to the upgrade and installed afterward. Everything seemed to go smoothly.
Perhaps obviously I only dabble in this stuff, so please forgive me if I have missed something obvious. Also, it's Sunday here and the family needs some time, so I may not get back to this post until tomorrow. I'm not sure of the etiquette, perhaps I should have held off on my post?
-
@svengalh
The error message says that the issuer certificate (CA / intermediate CA) has expired. Display the certificate in the browser and check if it's even this one you've recently renewed.
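The check suggested above (is the browser being handed the certificate that was just renewed?) can be scripted by comparing SHA-256 fingerprints, which Firefox's certificate viewer also displays. This is an added example, not part of the thread or of pfSense; the function names are hypothetical, and the host and the path to the renewed certificate's PEM file are assumptions supplied by whoever runs it.

```python
import hashlib
import socket
import ssl
import sys
from email.utils import parsedate_to_datetime

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def pem_fingerprint(pem: str) -> str:
    """SHA-256 of the first certificate in PEM text (the leaf in a chain file)."""
    first = pem[pem.index(BEGIN): pem.index(END) + len(END)]
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(first)).hexdigest()


def served_fingerprint(host: str, port: int = 443) -> str:
    """SHA-256 of the leaf certificate the server presents.

    Validation is switched off only so that an expired certificate can still
    be fetched for inspection; nothing is trusted or sent over this session.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def diagnose(served_fp, renewed_fp, served_not_after, renewed_not_after) -> str:
    """Classify the result. Dates are the strings shown by the pfSense UI
    ("Valid Until") and by the browser ("Not After")."""
    if served_fp == renewed_fp:
        return "ok: server presents the renewed certificate"
    if parsedate_to_datetime(served_not_after) < parsedate_to_datetime(renewed_not_after):
        return "stale: server still presents an older certificate"
    return "other: server presents a different certificate"


if __name__ == "__main__":
    # Assumed arguments: host, path to renewed PEM, served Not After, renewed Valid Until
    host, pem_path, served_na, renewed_na = sys.argv[1:5]
    with open(pem_path) as fh:
        renewed = pem_fingerprint(fh.read())
    print(diagnose(served_fingerprint(host), renewed, served_na, renewed_na))
```

A "stale" result means the renewal succeeded but the service is still bound to an earlier certificate entry, which is the situation this thread ends up describing.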
-
Renewing a certificate is one thing.
Telling the software that it should take into account the new cert is another. Did you:
as this will restart the pfSense GUI upon successful renewal.
-
Just to tie this off for other dabblers (read: bunglers in my case) who have the same issue...
As per the documentation, the certificate used can be set in System / Advanced / Admin Access:
Changing to the recently renewed certificate fixes the issue discussed in my previous posts.
-
@svengalh said in SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE after successful cert renewal:
Changing to the recently renewed certificate
You only set this once, the day you start using the certificate:
From then on, the acme pfSense package will renew this cert. There is nothing more to do.
If you change the certificate's name/ID, then, yeah, you have to change to that new cert.
But why would you do that?