Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Add Upstream SSL Intercepting Proxy Certificate

    Scheduled Pinned Locked Moved General pfSense Questions
    4 Posts 2 Posters 657 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      mt_onsemi
      last edited by

      Problem Statement:
      pfSense unable to do package updates because an upstream https proxy is providing a certificate that pfSense is not accepting. This pfSense is running on a VM, under ESXi. Internet access is provided by organization's upstream transparent proxy, which does MITM packet inspections for http/https. As such all https requests receive the organization's certificate, and this appears to be where pfSense is failing.

      I've looked over various historic posts on the same topic and everyone seems to claim it was resolved but when I copy their approach I get nowhere. Older pfSense version that feels like it no longer applies to more recent versions of pfSense. more recent pfSense version appears to suggest upgrading to latest pfSense.

      What Has Been Tried:
      Obtained organization's SSL certificate by going to an internet site on another computer, in the same subnet as the pfSense host. Within Chrome you can inspect the SSL certificates used, and I just exported the certificate from there. Then went to pfSense System->Certificate->Authorities->Add, Method: Import Existing Certificate, and Trust Store: Yes. Certificates were correctly imported and certificate details can be looked at in pfSense. They appear to match what Chrome indicates, so assume everything correctly imported.

      However when I run 'pkg install open-vm-tools-nox11' (attempting to install vmware tools on VM), I get:
      Updating pfSense-core repository catalogue...
      Certificate verification failed for /O=ABC Semicon/CN=ABC Semicon RSA Root CA
      35077394432:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-RELENG_2_7_0/crypto/openssl/ssl/statem/statem_clnt.c:1921:

      This approach of using Chrome to get upstream MITM proxy's certificate seems to have worked on other Linux boxes, so naively thought it would work here too.

      1 Reply Last reply Reply Quote 0
      • M
        mt_onsemi
        last edited by

        Additional information. It appears I can succeed with:
        curl https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-core/meta.txz --output meta.txz
        OR WITH
        curl https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.txz --output packagesite.txz.
        File successfully downloads, so perhaps this is a pkg specific problem?

        1 Reply Last reply Reply Quote 0
        • M
          mt_onsemi
          last edited by

          Responding to my own post in case others come across this. I am not considering this a total solution, but rather a workaround until someone can point me towards a more robust solution.

          pfSense's pkg management tool does not appear to use the system's certificates, so manual intervention is needed.

          I was able to update packages, and install new ones by:

          1. going to command line
          2. setenv SSL_CA_CERT_PATH /etc/ssl/certs
          3. then pkg update or pkg install xxx
          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            There is a checkbox to add the CA to the system when you import it if required:
            Screenshot from 2023-12-31 18-31-58.png

            However in this situation I would add the proxy IP to pfSense specifically so it doesn't need to have that CA.
            https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#proxy-support

            Steve

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.