Netgate Discussion Forum

    pfSense certificate

    General pfSense Questions
    13 Posts 4 Posters 995 Views
    • hspindel

      Every time I try to log in to my router (running pfSense) Firefox tells me "potential security risk ahead" and I have to click on Advanced and tell Firefox it's okay to go ahead.

      I have no experience with certificates, but I am thinking the above problem is the result of an expired certificate.

      How do I fix this problem?

      • stephenw10 Netgate Administrator

        If the cert is expired you will see an alert for it in the gui and can renew the cert in the cert manager.

        If it's just because it's a self-signed cert then the browser will normally allow you to accept it permanently.

        • hspindel @stephenw10

          @stephenw10

          Thank you for the reply.

          There are no alerts within the pfSense GUI. If I check the available certificates there is a self-signed certificate valid until 5/24/25.

          I don't see any option to make the exception permanent in Firefox. Perhaps this has become more of a Firefox question than pfSense?

          • stephenw10 Netgate Administrator

            Yup could be. I use Firefox here and only ever have to allow the cert exception once per device.

            What actual error is shown?

            • the other

              hey there,
              I don't think it is a question of expiring...rather it seems to me, it is a question of "does Firefox already know about your self-signed cert?"
              I use certificate manager on pfsense to make my own CA and use that to issue my own ssl certificates (and user ones as well). So in my LAN I have https active, using self-signed certs for servers at home (and a self-signed webGUI cert for pfsense instead of the default one).
              BUT: you need to make that issuing CA known to your browser.

              So: export your CA's cert, import that to Firefox (settings > security > certificates I think) and then...it should no longer give out warnings and you do not need exceptions any more (since your browser sees your self-signed certs and trusts your issuing CA).

              At least that's what I suggest... :)

              the other

              pure amateur home user, no business or professional background
              please excuse poor english skills and typpoz :)

              • hspindel @the other

                @the-other Thank you for the reply. I tried importing the certificate to Firefox, and Firefox said there was no need since it already had the certificate.

                So perhaps this is not a certificate issue.

                • keyser Rebel Alliance @hspindel

                  @hspindel It’s likely because you have set a validity span that is too long on your self-signed certificate. I think the limit is around 390 days right now - otherwise the browser will declare the certificate invalid. Those limits are expected to drop further in the future, I think.

                  Love the no fuss of using the official appliances :-)

                  • the other

                    Sure you imported the ca one? First export from pfsense...I did not mean the ssl server cert, just to be sure.
                    @keyser
                    I read about limited lifespan acceptance too. Still, my certs have 3650 days and still got accepted...

                    • keyser Rebel Alliance @the other

                      @the-other said in pfSense certificate:

                      Sure you imported the ca one? First export from pfsense...I did not mean the ssl server cert, just to be sure.
                      @keyser
                      I read about limited lifespan acceptance too. Still, my certs have 3650 days and still got accepted...

                      Yes, it will be accepted and installed, but it will throw you the certificate warning every once in a while anyways - haven’t quite figured out how that interval is determined

                      • hspindel @keyser

                        Was able to reproduce the issue. Actual Firefox message is:

                        Warning: Potential Security Risk Ahead

                        Firefox detected a potential security threat and did not continue to <local IP>.

                        Issue is most likely with the website and there is nothing you can do to resolve it.


                        • stephenw10 Netgate Administrator

                          Does it tell you what the issue is?

                          The usual warning from the self signed cert is:
                          Screenshot from 2025-02-05 10-30-58.png

                          But you can just accept that and it won't usually ask again.
                          Screenshot from 2025-02-05 10-32-16.png

                          • hspindel @stephenw10

                            @stephenw10 Yes, that is the exact same warning screen I see. Unfortunately it reappears no matter how many times I accept it.

                            • stephenw10 Netgate Administrator

                              Hmm, that has to be a security setting in Firefox.

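A way to check the three certificate properties debated in this thread (expired or not, length of the validity span, self-signed or issued by a separate CA), as an added example that is not from any of the posts above. The function names and the sample certificate are constructed for illustration; the check compares the issuer and subject names and does not verify the signature.

```python
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf):
    """Split a DER value into (tag, whole_element, value) tuples."""
    out, pos = [], 0
    while pos < len(buf):
        tag, start, end = _tlv(buf, pos)
        out.append((tag, buf[pos:end], buf[start:end]))
        pos = end
    return out

def _time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:                                    # UTCTime: YY < 50 means 20YY
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_cert(der, now):
    """Report the certificate properties the thread argues about."""
    tbs = _children(_children(der)[0][2])[0][2]        # Certificate -> tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                           # skip explicit [0] version
        fields = fields[1:]
    issuer, validity, subject = fields[2:5]
    (t1, _, v1), (t2, _, v2) = _children(validity[2])
    not_before, not_after = _time(t1, v1), _time(t2, v2)
    return {"self_issued": issuer[1] == subject[1],    # issuer DN == subject DN
            "validity_days": (not_after - not_before).days,
            "days_left": (not_after - now).days,
            "expired": now > not_after}

# Constructed sample: unsigned skeleton holding only the fields read above.
_s = lambda tag, *parts: bytes([tag, sum(map(len, parts))]) + b"".join(parts)
_name = _s(0x30, _s(0x31, _s(0x30, bytes.fromhex("0603550403"), _s(0x0C, b"pfSense-sample"))))
SAMPLE_DER = _s(0x30, _s(0x30, _s(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01",
                         bytes.fromhex("300d06092a864886f70d01010b0500"), _name,
                         _s(0x30, _s(0x17, b"240424000000Z"), _s(0x17, b"250524000000Z")), _name))
print(inspect_cert(SAMPLE_DER, datetime(2025, 2, 5, tzinfo=timezone.utc)))
```

To inspect the certificate a live web GUI presents, pass `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` as `der`, with `host` being the router's address.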
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.