Authenticating Users with Google Cloud Identity
-
That's the Google CA cert they are using for your domain?
pfSense needs that to trust the LDAP server cert but it shouldn't need the key. You'd only need that to create certs from the CA. So only if you need to create a client cert perhaps.
-
I understand, but is the procedure with which I pasted the certificate file correct?
-
Yes, that's fine for importing a cert.
-
Hi @stephenw10 , Where can I see the cause of Stunnel not starting?
-
Well as I suggested I would try to start the service then check the logs.
-
@stephenw10 said in Authenticating Users with Google Cloud Identity:
Well as I suggested I would try to start the service then check the logs.
Reply
I find Stunnel only in System/General and it only affects the installation phase. Then I don't see it anywhere else
-
How do you have it configured? What happens when you try to start it?
-
-
both in Services/Stunnel and in Status/Services if I click on the arrow to start it after a while it returns again
-
@leonida368 said in Authenticating Users with Google Cloud Identity:
https://docs.netgate.com/pfsense/en/latest/recipes/auth-google-gsuite.html
Ok so reviewing that it is a cert and not a CA cert. So did you import it with the key as described there?
-
yes
-
Try setting logging to DEBUG, see if that generates something when it tries to start.
-
unfortunately nothing
-
Does it start correctly if you don't set a cert at all?
Otherwise check if you have something else listening on port 1636 already for some reason.
-
hi, the Certificate field cannot remain empty
-
Up until last year I used Packetfence to do this. Even if it is a different product (it is a nac not a firewall) for better or worse the authentication with Google Workspace worked, but this involved the simultaneous presence of Packetfence for authentication and PFSense as a firewall and furthermore Packetfence registers a device with the user who authenticates and then the captive portal no longer appears on that device. Instead I would have liked to do everything with PFsense but I find it hard....
-
@leonida368 said in Authenticating Users with Google Cloud Identity:
the Certificate field cannot remain empty
It throws an error when you try?
You have to have a client cert for Google Auth to accept it but Stunnel should start OK without a cert defined there. If it does then we know the problem is with the certificate.
-
Like:
-
it's a box where you have to choose something but if I choose Default I have a view like yours i.e. the Certificate field is empty. However, even in this way the service does not start
-
Ok so not a certificate issue.
Do you have other STunnel entries that might have misconfig?
Do you have some other service already listening on port 1636?
What happens if you just try to run the command at the CLI:
[24.03-RELEASE][admin@4200.stevew.lan]/root: stunnel [ ] Initializing inetd mode configuration [ ] Clients allowed=54725 [.] stunnel 5.71 on amd64-portbld-freebsd15.0 platform [.] Compiled/running with OpenSSL 3.0.13 24 Oct 2023 [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI [ ] errno: (* __error()) [ ] Initializing inetd mode configuration [.] Reading configuration from file /usr/local/etc/stunnel/stunnel.conf [.] UTF-8 byte order mark not detected [ ] Compression disabled [ ] No PRNG seeding was required [ ] Initializing service [Google Auth Test] [ ] Initializing context [Google Auth Test] [ ] stunnel default security level set: 2 [ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK [ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256 [ ] TLS options: 0x2100000 (+0x0, -0x0) [ ] Session resumption enabled [ ] Loading certificate from file: /usr/local/etc/stunnel/stunnel.pem [ ] Certificate loaded from file: /usr/local/etc/stunnel/stunnel.pem [ ] Loading private key from file: /usr/local/etc/stunnel/stunnel.pem [ ] Private key loaded from file: /usr/local/etc/stunnel/stunnel.pem [ ] Private key check succeeded [ ] No trusted certificates found [:] Service [Google Auth Test] needs authentication to prevent MITM attacks [ ] OCSP: Client OCSP stapling enabled [ ] DH initialization skipped: client section [ ] ECDH initialization [ ] ECDH initialized with curves X25519:P-256:X448:P-521:P-384 [.] Configuration successful [ ] Deallocating deployed section defaults [ ] Cleaning up context [stunnel] [ ] Binding service [Google Auth Test] [ ] Listening file descriptor created (FD=9) [ ] Setting accept socket options (FD=9) [ ] Option SO_REUSEADDR set on accept socket [.] Binding service [Google Auth Test] to 127.0.0.1:1636: Address already in use (48) [!] Binding service [Google Auth Test] failed [ ] Unbinding service [Google Auth Test] [ ] Service [Google Auth Test] closed [ ] Deallocating deployed section defaults [ ] Cleaning up context [stunnel] [ ] Deallocating section [Google Auth Test] [ ] Cleaning up context [Google Auth Test] [ ] Initializing inetd mode configurationThere you see it fails to start for me because it's already running.
