Using LetsEncrypt Certificate for Web Configurator Authentication
-
I have setup a Lets Encrypt certificate using ACME and Cloudflare. The certificate shows up in the system/certificate/authorities and system/certificate/certificates sections.
In System/advanced/Admin Access I select:
Protocol: Https
SSL/TLS Certificate: LetsEncryptCertificate
TCP Port: 443
Web Redirect: checked
Once changes are saved I log out of the pfSense system and type in the URL:
https://192.168.1.1:443
Using the latest version of Firefox I get the following message:
"we could not verify the certificate: reason = wrongHost"
What am I missing or doing wrong?
Regards.
-
@pslinn said in Using LetsEncrypt Certificate for Web Configurator Authentication:
Once changes are saved I log out of the pfsense system and type in the url:
https://192.168.1.1:443
Using the latest version of Firefox I get the following message:
"we could not verify the certificate: reason = wrongHost"
I don't believe that Let's Encrypt has signed a certificate for 192.168.1.1.
But this is what the browser is expecting to get when entering this host. Your LE certificate might be issued for a certain common name. Add a host override for it to your internal DNS and point it to 192.168.1.1.
BTW: It is not necessary to state the port 443, since it is default for https.
-
@viragomann Thanks for replying.
I have used your suggestion as follows:
- went to dns resolver
- under General Settings went to Host Overrides
- selected Add and typed in the requested contents including aliases.
I am getting the same error message when I log out and log back in.
I then added system/advanced/Admin Access/Alternate Hostnames and provided the various aliases.
In addition I have gone to:
- Services/DNS Resolver/General Settings/SSL/TLS Certificate and selected the LetsEncryptCertificate.
All this did not fix the issue.
I am clearly missing something. Any further suggestions?
Regards.
-
@pslinn I have found that Bitdefender was part of the issue. I have uninstalled Bitdefender temporarily to see if there are any other issues.
There are.
Both Firefox and Edge do not recognize the Let's Encrypt certificates as being valid, even after I imported the certificates to the browsers.
Any suggestions?
Regards.
-
@pslinn
I guess the Defender has just prohibited the browser from accepting the connection anyway. What does Firefox show now?
There should be an Advanced button to get further. FF should display an error then and should let you display the certificate.
What is the error?
Does it show the proper certificate?
-
@viragomann said in Using LetsEncrypt Certificate for Web Configurator Authentication:
I don't believe, that Lets Encrypt has signed a certificate for 192.168.1.1.
They expressly state in their User manual that they only use domain names, and NOT IP addresses.
@pslinn said in Using LetsEncrypt Certificate for Web Configurator Authentication:
Once changes are saved I log out of the pfsense system and type in the url:
https://192.168.1.1:443
You did all the work, and you missed the most important reason why you were asking for a certificate:
So you don't have to use http://192.168.1.1 anymore, but now you can use: https://pfSense.some-domain-name-that-you-rent.tld
and yes, "some-domain-name-that-you-rent.tld" is a domain name that you have to rent.
Letsencrypt does just one thing: they will test that you 'own' (= control) that domain name.
@pslinn said in Using LetsEncrypt Certificate for Web Configurator Authentication:
went to dns resolver
under General Settings went to Host Overrides
selected Add and typed in the requested contents including aliases.
You don't have to do this.
If you asked letsencrypt to create this cert for you :
pfSense.some-domain-name-that-you-rent.tld
and because pfSense already has "pfSense.some-domain-name-that-you-rent.tld" loaded into the DNS (point to 192.168.1.1)...
edit : do not believe me !!
Go check yourself, using your equipment:
nslookup pfSense.some-domain-name-that-you-rent.tld
the answer will be :
192.168.1.1
....
So your browser (PC) can resolve "pfSense.some-domain-name-that-you-rent.tld" as pfSense has the answer (and yes, 8.8.8.8 does not!! (of course))
So the browser can now connect to the resolved domain name = "192.168.1.1"
So the pfSense GUI, connected over https (using port 443), will hand over a certificate to the browser stating that this certificate belongs to "pfSense.some-domain-name-that-you-rent.tld"
And that is just great: the browser was initially using "pfSense.some-domain-name-that-you-rent.tld", got 192.168.1.1 as the address where the server can be found, got a cert back from this web server that it is "pfSense.some-domain-name-that-you-rent.tld" => this is what https is all about. Nothing more, nothing less.
Oh, yes, now everybody knows who is who, some random numbers can be exchanged securely so the entire traffic can also be encrypted and decrypted on both sides, so the traffic passes over the possibly hostile network in a secure way and cannot be altered while going over the wire.
Btw: if you ask for a wildcard certificate like
"some-domain-name-that-you-rent.tld"
"*.some-domain-name-that-you-rent.tld"
(this means: the top level domain name "some-domain-name-that-you-rent.tld"
and
all the sub domains "*.some-domain-name-that-you-rent.tld")
you can now use your certificate for
pfsense.some-domain-name-that-you-rent.tld
printer.some-domain-name-that-you-rent.tld
nas.some-domain-name-that-you-rent.tld
when you've installed the certificate on your printer, nas etc.
Now you can use "https" to access all these devices (if they support it).
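The two points made in this thread (the "wrongHost" error when the GUI is opened by IP, and what a wildcard certificate does and does not cover) come down to how a browser matches the URL host against the certificate's Subject Alternative Names. The script below is an added example, not code from the thread or from pfSense: it implements that matching rule for constructed SAN lists (`pfsense.example.tld` and `*.example.tld` are placeholder names), and includes an optional helper that pulls the real SAN list from a live GUI so you can check which names your Let's Encrypt certificate actually carries before changing DNS.

```python
"""Why https://192.168.1.1 gives "wrongHost" and what a wildcard SAN covers.

Added example for this thread; the SAN lists and host names below are
constructed placeholders, not real certificates or real domains.
"""
import ipaddress
import socket
import ssl
from typing import Iterable, List, Tuple

# Constructed SAN lists standing in for what a certificate would carry.
LE_CERT_SANS: List[Tuple[str, str]] = [("DNS", "pfsense.example.tld")]
WILDCARD_CERT_SANS: List[Tuple[str, str]] = [("DNS", "example.tld"), ("DNS", "*.example.tld")]


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Browser-style (RFC 6125) name match: case-insensitive; a wildcard is only
    accepted as the entire left-most label and matches exactly one label, so
    "*.example.tld" covers "printer.example.tld" but neither "example.tld"
    (the apex) nor "a.b.example.tld" (a deeper sub-domain)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:
        return False  # partial wildcards such as "pf*.example.tld" are rejected here
    h_first, _, h_rest = host.partition(".")
    return bool(h_first) and h_rest == rest


def check_host(sans: Iterable[Tuple[str, str]], requested_host: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the host typed into the URL bar.

    An IP literal is only ever matched against iPAddress SAN entries, never
    against dNSName entries, which is exactly why a Let's Encrypt certificate
    (DNS names only) fails with "wrongHost" when the GUI is opened by IP.
    """
    try:
        ip = ipaddress.ip_address(requested_host.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in sans:
            # Python's getpeercert() labels these entries "IP Address"; accept both spellings.
            if kind in ("IP", "IP Address") and ipaddress.ip_address(value) == ip:
                return True, "ok: iPAddress SAN matches %s" % requested_host
        return False, "wrongHost: certificate has no iPAddress SAN for %s" % requested_host
    for kind, value in sans:
        if kind == "DNS" and _dns_name_matches(value, requested_host):
            return True, "ok: matches dNSName %s" % value
    return False, "wrongHost: no dNSName SAN matches %s" % requested_host


def fetch_live_sans(ip: str, port: int = 443, timeout: float = 5.0) -> List[Tuple[str, str]]:
    """Connect to the GUI by IP, verify the chain against the system trust store
    (Let's Encrypt chains to ISRG Root X1) but skip only the host-name check, and
    return the SAN list the server actually presented. Needs network access; it is
    not exercised by the offline checks below."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we are connecting by IP on purpose
    ctx.verify_mode = ssl.CERT_REQUIRED  # still reject an untrusted / self-signed chain
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            return list(tls.getpeercert().get("subjectAltName", ()))


if __name__ == "__main__":
    for sans, host in [
        (LE_CERT_SANS, "192.168.1.1"),
        (LE_CERT_SANS, "pfsense.example.tld"),
        (WILDCARD_CERT_SANS, "printer.example.tld"),
        (WILDCARD_CERT_SANS, "example.tld"),
        (WILDCARD_CERT_SANS, "a.b.example.tld"),
    ]:
        ok, reason = check_host(sans, host)
        print("%-22s -> %s" % (host, reason))
```

Run it as-is for the offline demonstration; to inspect a real firewall, call `fetch_live_sans("192.168.1.1")` and feed the result to `check_host` with the name you intend to put in the host override. If the only entry is a dNSName, the fix is the one given above: resolve that name to 192.168.1.1 internally and browse to the name, not the IP.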