Netgate Discussion Forum

    Best way to stop the trust warnings for webGUI

    11 Posts 3 Posters 1.2k Views
    • wgstarksW
      wgstarks
      last edited by

      For a while I was able to tell Safari to always trust the self-signed cert for pfsense webGUI but that stopped working a while back and now I have to tell the browser to go to the site every time. It’s just 4 or 5 extra clicks but gets annoying after a while. Since the webGUI is only accessible from my private network would it be best to just use http (if that’s possible) or is there a better option?

      Box: SG-4200

      johnpozJ 1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @wgstarks
        last edited by johnpoz

        @wgstarks nothing wrong with using just http when you're local like you are.

        But if you want, just create a CA, have your browser trust it, sign a cert and no more warnings.

        cert.jpg

        And since it's not a public CA, you can set the cert to be good for 10 years if you want and your browser won't complain that it's valid for too long either.

        And now that your browser trusts this CA, you can use it for other certs for your other GUIs you might have, switches, printers, UniFi controller, NAS, etc..

        edit: here is a post I did many moons ago on how you can do it

        https://forum.netgate.com/post/831783

        One thing is your browser might complain about logging in with http.. while prob not as annoying - still a pain so this would kill 2 birds one stone.

        If I hit my NAS, for example, with just http, I get this annoying little window on my login

        http.jpg

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • wgstarksW
          wgstarks
          last edited by

          Thanks. I believe what you are describing is what I had set up before but it’s been a few years so I’ll need to dig into it a little deeper to verify. It is no longer working though. Maybe the CA has expired or something. I may try deleting my original setup and re-creating it using your post. It isn’t likely to work with my iPhone since I have no way to tell the mobile browser to “always trust” but the webUI isn’t really mobile friendly anyway. Hopefully if I can get it working I can figure out a way to use it for the self-hosted UniFi controller I run. Same problem there and Ubiquiti doesn’t allow http and I haven’t found a way to replace that certificate which has expired.

          Box: SG-4200

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @wgstarks
            last edited by

            @wgstarks said in Best way to stop the trust warnings for webGUI:

            It isn’t likely to work with my iPhone since I have no way to tell the mobile browser to “always trust”

            yeah there is!

            easu.jpg

            See, just using IP and it's trusted, because I have 192.168.9.253 in the SAN of the cert.

            1 Reply Last reply Reply Quote 0
            • wgstarksW
              wgstarks
              last edited by

              How did you create the profile?

              Box: SG-4200

              johnpozJ 1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @wgstarks
                last edited by johnpoz

                @wgstarks easy way is to just email the CA cert to yourself, then in your mail on your phone click on it, and it will install it.. You then have to go to your profiles and actually click install, etc..

                install.jpg

                I just removed it and put it back in so I could grab some screenshots

                1 Reply Last reply Reply Quote 0
                • wgstarksW
                  wgstarks
                  last edited by

                  Will it work the same in macOS?

                  Box: SG-4200

                  johnpozJ 1 Reply Last reply Reply Quote 0
                  • JonathanLeeJ
                    JonathanLee
                    last edited by

                    Just add the certificate to your mach trust store

                    Make sure to upvote

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @wgstarks
                      last edited by

                      @wgstarks yeah it should work on any OS.. now depending on the browser or OS you may need to add it to a specific store.. Maybe the browser has its own and doesn't use the OS store..

                      1 Reply Last reply Reply Quote 0
                      • wgstarksW
                        wgstarks
                        last edited by

                        I’m using Safari and as far as I know it uses the macOS keychain. IIRC I added the pfSense certificate to the keychain and that worked for several years. Not sure exactly when it stopped working but might have been after a Mac equipment upgrade. Maybe the certs don’t get imported in a restore. Might just need to manually add it again.

                        Box: SG-4200

                        johnpozJ 1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @wgstarks
                          last edited by

                          @wgstarks yeah I don't have Mac anything, only Apple I have is iPhone and iPad.. and not having any issues with those devices.

                          But yeah if you have a CA already and signed cert.. If it was installed the error would be that it's expired, not that you don't trust it.

                          1 Reply Last reply Reply Quote 0
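The three causes of a warning that come up in this thread (an expired cert or CA, a CA the client does not trust, and an address missing from the SAN) can be told apart from a shell before touching any browser. The script below is an added example, not code from any poster or from pfSense; it assumes OpenSSL 1.1.1 or later, and the function names, file names, CA subjects and `pfsense.home.arpa` are constructed for the demo (192.168.9.253 is the SAN address mentioned in the thread).

```bash
#!/usr/bin/env bash
# Added example. All names, subjects and files below are constructed for the demo.

# diagnose CA_PEM CERT_PEM HOST_OR_IP -> prints expired | untrusted | name-mismatch | ok
diagnose() {
  local ca="$1" cert="$2" name="$3" flag=-verify_hostname f
  # IP addresses are matched against iPAddress SAN entries, names against dNSName
  case $name in
    *:*) flag=-verify_ip ;;        # IPv6 literal
    *[!0-9.]*) ;;                  # contains a non-digit: treat as a host name
    *) flag=-verify_ip ;;          # dotted IPv4
  esac
  # 1. Expiry of the leaf and of the CA itself (-checkend 0 fails once notAfter has passed)
  for f in "$cert" "$ca"; do
    [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1 || { echo expired; return; }
  done
  # 2. Chain: was the cert signed by the CA this client trusts?
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo untrusted; return; }
  # 3. Name: does the SAN list the address typed into the browser?
  openssl verify -CAfile "$ca" "$flag" "$name" "$cert" >/dev/null 2>&1 \
    || { echo name-mismatch; return; }
  echo ok
}

# make_demo DIR: a private CA, a server cert with DNS and IP SANs, and an unrelated CA
make_demo() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Home Lab CA (constructed)" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=pfsense.home.arpa" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  printf 'subjectAltName=DNS:pfsense.home.arpa,IP:192.168.9.253\n' > "$d/san.ext"
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 3650 -extfile "$d/san.ext" -out "$d/srv.pem" 2>/dev/null
  # Stands in for a machine whose trust store never received the real CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Other CA (constructed)" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
make_demo "$tmp"
printf 'IP listed in SAN:     %s\n' "$(diagnose "$tmp/ca.pem" "$tmp/srv.pem" 192.168.9.253)"
printf 'IP not in SAN:        %s\n' "$(diagnose "$tmp/ca.pem" "$tmp/srv.pem" 192.168.9.1)"
printf 'CA was not imported:  %s\n' "$(diagnose "$tmp/other.pem" "$tmp/srv.pem" 192.168.9.253)"
```

To check a real setup, export the CA and the webGUI certificate as PEM files and call `diagnose` with those two paths and the exact address used in the browser.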
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.