pfSense certificate
-
Every time I try to log in to my router (running pfSense) Firefox tells me "potential security risk ahead" and I have to click on Advanced and tell Firefox it's okay to go ahead.
I have no experience with certificates, but I am thinking the above problem is the result of an expired certificate.
How do I fix this problem?
-
If the cert is expired you will see an alert for it in the GUI and can renew the cert in the cert manager.
If it's just because it's a self-signed cert then the browser will normally allow you to accept it permanently.
-
Thank you for the reply.
There are no alerts within the pfSense GUI. If I check the available certificates there is a self-signed certificate valid until 5/24/25.
I don't see any option to make the exception permanent in Firefox. Perhaps this has become more of a Firefox question than pfSense?
-
Yup could be. I use Firefox here and only ever have to allow the cert exception once per device.
What actual error is shown?
-
hey there,
I don't think it is a question of expiring...rather it seems to me, it is a question of "does Firefox already know about your self-signed cert?"
I use certificate manager on pfsense to make my own CA and use that to issue my own ssl certificates (and user ones as well). So in my LAN I have https active, using self-signed certs for servers at home (and a self-signed webGUI cert for pfsense instead of the default one).
BUT: you need to make that issuing CA known to your browser. So: export your CA's cert, import that to Firefox (settings > security > certificates I think) and then...it should no longer give out warnings and you do not need exceptions any more (since your browser sees your self-signed certs and trusts your issuing CA).
At least that's what I suggest... :)
-
@the-other Thank you for the reply. I tried importing the certificate to Firefox, and Firefox said there was no need since it already had the certificate.
So perhaps this is not a certificate issue.
-
@hspindel It’s likely because you have set a validity span that is too long on your self-signed certificate. I think the limit is around 390 days right now - otherwise the browser will declare the certificate invalid. Those limits are expected to drop further in the future, I think.
-
Sure you imported the ca one? First export from pfsense...I did not mean the ssl server cert, just to be sure.
@keyser
I read about limited lifespan acceptance too. Still, my certs have 3650 days and still got accepted...
-
@the-other said in pfSense certificate:
Sure you imported the ca one? First export from pfsense...I did not mean the ssl server cert, just to be sure.
@keyser
I read about limited lifespan acceptance too. Still, my certs have 3650 days and still got accepted...
Yes, it will be accepted and installed, but it will throw you the certificate warning every once in a while anyways - haven’t quite figured out how that interval is determined
-
Was able to reproduce the issue. Actual Firefox message is:
Warning: Potential Security Risk Ahead
Firefox detected a potential security threat and did not continue to <local IP>.
Issue is most likely with the website and there is nothing you can do to resolve it.
-
Does it tell you what the issue is?
The usual warning from the self signed cert is:
But you can just accept that and it won't usually ask again.
-
@stephenw10 Yes, that is the exact same warning screen I see. Unfortunately it reappears no matter how many times I accept it.
-
Hmm, that has to be a security setting in Firefox.
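-
Added example, not part of the original thread and not pfSense's own tooling: the thread leaves open whether the file imported into Firefox was the issuing CA certificate or the server certificate, and whether anything has expired. This script checks both with `openssl` against a throwaway CA and server certificate it builds itself. The function names, the CA name and the hostname `fw.home.arpa` are all constructed for the demo.

```shell
#!/bin/sh
# Added example; every name, file and hostname here is constructed for the demo.

# cert_role FILE: print "ca" if FILE can act as an issuing CA, else "leaf".
cert_role() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
        echo ca
    else
        echo leaf
    fi
}

# is_expired FILE: succeed (status 0) when the certificate's notAfter has passed.
is_expired() {
    ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# chains_to CAFILE CERT: succeed when CERT verifies with CAFILE as trust anchor.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR: build a throwaway CA (ca.crt) and a server cert (srv.crt).
make_demo_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Home CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:fw.home.arpa\n' > "$d/srv.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fw.home.arpa" \
        -config "$d/ca.cnf" -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -extfile "$d/srv.ext" -out "$d/srv.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo"
for f in ca.crt srv.crt; do echo "$f: role=$(cert_role "$demo/$f")"; done
chains_to "$demo/ca.crt" "$demo/srv.crt" && echo "srv.crt chains to ca.crt"
rm -rf "$demo"
```

Run `cert_role` and `is_expired` on the file exported from the pfSense certificate manager before importing it: only a file reported as `ca` belongs in the browser's authorities list.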