Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Why is port 80 being blocked by pfSense?

    Scheduled Pinned Locked Moved Firewalling
    22 Posts 4 Posters 679 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator @NGUSER6947
      last edited by johnpoz

      @NGUSER6947 what cert? What is showing you some selfsigned cert most likely?

      Lets encrypt CAs are normally out of the box trusted.. Validate your using the right cert for your service - its prob just still using its selfsigned vs the one from lets encrypt your trying to use.

      Your browser should show you the details of the cert being presented.

      Here is a cert from lets encrypt I use for one of my services.

      cert.jpg

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      N 1 Reply Last reply Reply Quote 0
      • N
        NGUSER6947 @johnpoz
        last edited by NGUSER6947

        @johnpoz I think you are correct. This is what it shows:
        ac69129b-aab2-4fcd-a88f-8524a392b8a4-image.png

        Also, if I try to connect from my phone (using cellular data, not my home wifi) it reports the same thing for the certificate info.

        How do I get it to retrieve the certificate from my domain or switch it to use the LE certificate, do I need to upload the certificate to my DNS provider (DynaDot, who registered my domain) so that it serves up the certificate when clients connect to the domain, before they even get to the pfSense router? Or am I way off base with that idea?

        johnpozJ 1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator @NGUSER6947
          last edited by johnpoz

          @NGUSER6947 that is your pfsense gui cert - set it to use the cert you want.

          cert.jpg

          I use a cert I signed with pfsense CA, that my browser trust.. But you can have it use the lets encrypt cert.

          Just click the drop down and change it.

          Once you set the gui to use your acme cert - you prob going to want to add the cron that restarts the gui when cert has been updated in the acme client.

          gui.jpg

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          N 1 Reply Last reply Reply Quote 0
          • N
            NGUSER6947 @johnpoz
            last edited by NGUSER6947

            I only see the default certificate, there's nothing else.
            488f316d-e08b-4853-b7c2-01302c4ea14b-image.png

            Well but now, the certificate information I see in the web browser is showing that it is coming from my domain, but still insecure:
            6a683f96-8a32-4970-9bed-52d2e866e4f4-image.png

            johnpozJ N 2 Replies Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @NGUSER6947
              last edited by johnpoz

              @NGUSER6947 if there is nothing else - how are you now seeingg the neededomain.cc ?

              How would you get a cert for that from lets encrypt?

              Did you hide that - that is not a valid public domain.. acme doesn't work without a valid public domain name.

              If you are running the acme client on pfsense and got a cert it would be listed.

              Here are the 2 certs I use for other things via haproxy - they are listed in pfsense cert manager..

              twocerts.jpg

              If you want help you're going to need to provide a bit more info.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • N
                NGUSER6947 @NGUSER6947
                last edited by NGUSER6947

                @johnpoz I am not using the Acme package. I used Certbot to obtain the LE certificate. Didn't hide anything in the Advanced setup:
                1406de8f-89db-4b0a-be12-0bdb24618aa6-image.png

                So I see this when accessing the site from my phone currently. It says it is using the Let's Encrypt certificate:
                0d3d775a-e6b1-4c4b-952f-9fe6f89aeee6-image.png

                So it seems like it's almost there. Do I need to go into an apache config file and enter this domain into the trusted domain section maybe?

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @NGUSER6947
                  last edited by johnpoz

                  @NGUSER6947 Are you running haproxy? And letting it do the cert..

                  Oh my bad - typo.. That is a public domain. But its serving up apache - that is not the web gui

                  page.jpg

                  So your forwarding 80 through pfsense?

                  And on 443 its serving up owncload. And that is not browser complaining about the cert, that is owncload

                  owncloud.jpg

                  If your trying to get to that from inside your own network you would either need to do nat reflection, haproxy or just setup your local domain to resolve that to the local IP your serving it up on.

                  There is nothing wrong with the cert, your browser trusts it - that is some internal config you need to do on owncloud.

                  that config/config.php has nothing to do with pfsense.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  N 1 Reply Last reply Reply Quote 0
                  • N
                    NGUSER6947 @johnpoz
                    last edited by

                    @johnpoz I was going to remove the port forward for 80 once I got the certificate and 443 set up.

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @NGUSER6947
                      last edited by

                      @NGUSER6947 well configure owncloud then - says there is an example.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      N 1 Reply Last reply Reply Quote 0
                      • N
                        NGUSER6947 @johnpoz
                        last edited by

                        @johnpoz Got it, yes I know I was mixing up pfSense and OC setup things here. I had only gotten to the part where the phone would even show a valid connection about 20 minutes ago. Thanks for sticking with me.

                        Really appreciate the help.

                        johnpozJ 1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @NGUSER6947
                          last edited by

                          @NGUSER6947 I wouldn't use the port 80 way to validate to be honest.. Just use DNS to get your cert, then you never have to open up port 80 at all.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          1 Reply Last reply Reply Quote 0
                          • N
                            NOCling
                            last edited by

                            Do you switch away the pfSense GUI ports first.
                            There are 80/443 used per default.
                            At the moment you expose the pfSense GUI to the Internet, very bad Idea!

                            Netgate 6100 & Netgate 2100

                            N 1 Reply Last reply Reply Quote 0
                            • N
                              NGUSER6947 @NOCling
                              last edited by

                              @NOCling Yes, fixed. Thanks.

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.