Best way to stop the trust warnings for webGUI
-
For a while I was able to tell Safari to always trust the self-signed cert for pfsense webGUI but that stopped working a while back and now I have to tell the browser to go to the site every time. It’s just 4 or 5 extra clicks but gets annoying after a while. Since the webGUI is only accessible from my private network would it be best to just use http (if that’s possible) or is there a better option?
-
@wgstarks nothing wrong with using just http when you're local like you are.
But if you want just create a CA, have your browser trust it, sign a cert and no more warnings.
And since not a public CA, you can set the cert to be good for 10 years if you want and your browser won't complain that it's valid for too long either.
And now that your browser trusts this CA, you can use it for other certs for your other guis you might have, switches, printers, unifi controller, nas, etc..
edit: here is a post I did many moons ago on how you can do it
https://forum.netgate.com/post/831783
One thing is your browser might complain about logging in with http.. while prob not as annoying - still a pain so this would kill 2 birds one stone.
If I hit my nas for example with just http get this annoying little window on my login
-
Thanks. I believe what you are describing is what I had setup before but it’s been a few years so I’ll need to dig into it a little deeper to verify. It is no longer working though. Maybe the CA has expired or something. I may try deleting my original setup and re-creating it using your post. It isn’t likely to work with my iPhone since I have no way to tell the mobile browser to “always trust” but the webUI isn’t really mobile friendly anyway. Hopefully if I can get it working I can figure out a way to use it for the self hosted unifi controller I run. Same problem there and Ubiquiti doesn’t allow http and I haven’t found a way to replace that certificate which has expired.
-
@wgstarks said in Best way to stop the trust warnings for webGUI:
It isn’t likely to work with my iPhone since I have no way to tell the mobile browser to “always trust”
yeah there is!
See just using IP and its trusted, because I have 192.168.9.253 in the SAN of the cert.
-
How did you create the profile?
-
@wgstarks easy way is to just email the ca cert to yourself then in your mail on your phone click on it, and it will install it.. You then have to go to your profiles and actually click install, etc..
I just removed it and put it back in so I could grab some screenshots
-
Will it work the same in macOS?
-
Just add the certificate to your mach trust store
-
@wgstarks yeah it should work on any OS.. now depending on the browser or OS you may need to add it to a specific store.. Maybe the browser has its own and doesn't use the OS store..
-
I’m using safari and as far as I know it uses the macOS keychain. IIRC I added the pfsense certificate to the keychain and that worked for several years. Not sure exactly when it stopped working but might have been after a Mac equipment upgrade. Maybe the certs don’t get imported in a restore. Might just need to manually add it again.
-
@wgstarks yeah I don't have mac anything, only apple I have is iphone and ipad.. and not having any issues with those devices.
But yeah if you have a CA already and signed cert.. If it was installed the error would be that it's expired, not that you don't trust it.
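
The private-CA approach suggested in this thread, sketched with the OpenSSL command line as an added example (it is not part of any post here and is not the pfSense GUI procedure from the linked post). It builds a CA, signs a server certificate whose SAN carries both a name and the IP, then reports whether a failure is expiry, missing trust, or a SAN mismatch. `Home Lab CA` and `pfsense.home.arpa` are placeholder names, `192.168.9.253` is the address quoted above, and OpenSSL 1.1.1 or later is assumed.

```bash
#!/usr/bin/env bash
# Added example: private CA -> server cert with IP/DNS SANs -> trust diagnosis.
# "Home Lab CA" and pfsense.home.arpa are placeholder names; 192.168.9.253 is
# the address quoted in the thread. Assumes OpenSSL 1.1.1 or later.
set -eu

make_ca() {  # $1 = work dir; the CA itself can be long-lived (10 years here)
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {  # $1 = work dir, $2 = DNS name, $3 = IP address
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=$2" -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
  # Browsers match the URL against the SAN, so list every name and IP used.
  printf 'subjectAltName=DNS:%s,IP:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$2" "$3" > "$1/srv.ext"
  # 825 days: Apple platforms (iOS 13 / macOS 10.15 and later) reject TLS
  # server certificates with a longer validity, even from a user-trusted CA.
  openssl x509 -req -in "$1/srv.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 825 -extfile "$1/srv.ext" \
    -out "$1/srv.crt" 2>/dev/null
}

diagnose() {  # $1 = CA cert, $2 = server cert, $3 = IP typed in the browser
  for c in "$1" "$2"; do
    openssl x509 -checkend 0 -noout -in "$c" >/dev/null 2>&1 || { echo expired; return 0; }
  done
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo untrusted; return 0; }
  openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1 || { echo san-mismatch; return 0; }
  echo trusted
}

demo() {  # builds everything in a throwaway directory and prints the verdict
  d=$(mktemp -d); make_ca "$d"; issue_cert "$d" pfsense.home.arpa 192.168.9.253
  diagnose "$d/ca.crt" "$d/srv.crt" 192.168.9.253; rm -rf "$d"
}
demo
```

Only `ca.crt` is what gets installed on the phone or added to a keychain; `ca.key` stays on the machine that signs certificates.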