WebGUI page - no response / unable to configure pfSense

newbieuser1

Thank you. Yes, version 2.7.2.

My screen is like your screenshot, except under Protocol it says: "No Certificates have been defined. A certificate is required before SSL/TSL can be enabled. Create or Import a Certificate".

patient0

@newbieuser1 said in WebGUI page - no response / unable to configure pfSense:

My screen is like your screenshot, except under Protocol it says: "No Certificates have been defined. A certificate is required before SSL/TSL can be enabled. Create or Import a Certificate".

Is there a certificate you can select in the 'SSL/TLS Certificate' drop-down list? If yes, select it and switch the protocol to HTTPS.

It's unlucky that the settings page accepts switching to https without having selected a certificate. I'll check tomorrow if that is still an issue on 2.8.0-BETA. And if yes if there is an existing bug report for it. It automatically selected the one available cert, GUI default. Is that true for you too?

Gertjan

You saw this ;

@newbieuser1 said in WebGUI page - no response / unable to configure pfSense:

My screen is like your screenshot, except under Protocol it says: "No Certificates have been defined. A certificate is required before SSL/TSL can be enabled. Create or Import a Certificate".

and I presume that you installed pfSense a couple of day ago :

@newbieuser1 said in WebGUI page - no response / unable to configure pfSense:

I got a Protectli Vault, on which I installed pfSense.

One of the things that happens when you install : a cert like :

is created so you can use it for the https access.
Its a self signed certificate, which means it isn't signed by the big "trusted" (by your browser) companies, so your browser should through a message on the screen that it can't trust the cert. Just tell it to go ahead and accept.

If there are no certificates listed here :

then that's a real issue / not normal.
Some one deleted something ^^
That said, you can create a new one with the click of a mouse button.

newbieuser1

I now had a chance to check.

There is a certificate in the dropdown list and it was already selected when I initially switched to HTTPS. I believe this is the self-generated default certificate.

I also see that same certificate in System - > Certificates. It is valid, and it also reads "CA: No" & "Server: Yes"

newbieuser1

@Gertjan The self-generated certificate is there (in "Certificates"). It says: "CA: No" & "Server: Yes" & "In Use: webConfigurator"

The same certificate is also in the dropdown menu in Systems->Advanced and the HTTPS box is selected. I am still not able to access the webGUI via https though...

Gertjan

@newbieuser1

Time to use the most important interface on your pfSense : the console.
This could be a serial connection, or if you have a VGA/HDMI interface, use that (and a usb keyboard)
You'll see the menu, selection 8)

Use this command :

ps aux | grep '\/nginx'

What did you see ?

sockstat -4 | grep 'nginx'

What did you see ?

newbieuser1

@Gertjan hey, thanks for following up and sorry for the delayed response. First typed the ps aux command and I see writings about two roots: "root 12345 Is ...." & "root 3456 v0 S+....."

Then I typed the sockstat -4 command but it did not bring up anything.

Please let me know what I should do next? Or if there is helpful read for me to do?

Gertjan

@newbieuser1 said in WebGUI page - no response / unable to configure pfSense:

ps aux command and I see writings about two roots: "root 12345 Is ...." & "root 3456 v0 S+....."

Like this :

[25.03-BETA][root@pfSense.bhf.tld]/root: ps aux | grep '\/nginx'
root    85586   0.0  0.3  32960  10756  -  Is   Mon03       0:00.00 nginx: master process /usr/local/sbin/nginx
root    86898   0.0  0.3  32960  10656  -  Is   Mon03       0:00.00 nginx: master process /usr/local/sbin/nginx
root    88506   0.0  0.3  43200  10828  -  Is   Mon03       0:00.00 nginx: master process /usr/local/sbin/nginx
root    83606   0.0  0.1  14076   2692  0  S+   07:54       0:00.00 grep \\/ngin

I've 3 nginx processes, as I'm also using the captive portal, which is also a web server serving a web page, the login page.
Default, the GUI of pfSense uses itself two nginx processes.
So, for me, that make 3. You should see two lines like this.

@newbieuser1 said in WebGUI page - no response / unable to configure pfSense:

Then I typed the sockstat -4 command but it did not bring up anythin

Impossible.
"sockstat -4 " by itself lists dozens of lines.
sockstat -4 | grep 'nginx' :

[25.03-BETA][root@pfSense.bhf.tld]/root: sockstat -4 | grep 'nginx'
.....
root     nginx      85884 5   tcp4   *:443                 *:*
root     nginx      85884 10  tcp4   *:80                  *:*
root     nginx      85586 5   tcp4   *:443                 *:*
root     nginx      85586 10  tcp4   *:80                  *:*

this shows the two pfSEnse GUI processes listing to the web server default ports, the very known "808" for http and 443 for https.
If these line don't show up : don't look any further : if the web server isn't using these ports, then it can do it's job : serve the GUI, which exactly matches your issue : "no reponse".

Why ? I can't tell. Give us the details, and we'll try to give the answers.

newbieuser1

@Gertjan thank you.

I went to the console again and this time I typed first the sockstat command, and this time it did bring up something. It looks exactly like your screenshot, except that I see 6 roots. Not sure if it makes a difference but my numbers are in the 6000s range, and instead of 5 and 10, I get 5 and 7. The tcp4 and the *443 and *80 are just like in your screenshot.

As to the ps aux command, I have only 2 nginx processes and what shows up is like in your screenshot, except I get for the for the first one (the - Is):

0:00.00 ngninx: master process /usr/local/sbin/nginx -c/var/etc/nginx-w

For the S+, the text is exactly like in your screenshot.

Gertjan

@newbieuser1 said in WebGUI page - no response / unable to configure pfSense:

I went to the console again and this time I typed first the sockstat command, and this time it did bring up something. It looks exactly like your screenshot, except that I see 6 roots. Not sure if it makes a difference but my numbers are in the 6000s range, and instead of 5 and 10, I get 5 and 7. The tcp4 and the *443 and *80 are just like in your screenshot.

The process ID numbers, also called PIDs are random, something between 2 and 65535. That's ok.

The good news is : the GUI web server is listeing on the http and http ports. So, that's not the issue.

Now, next question : what is/are the firewall rules on the LAN interface ?
When you install pfSense, there is one pas-all rule, so any device connected on LAN can access the pfSense GUI.

Use option 4 on the console menu, this will reset everything and the pfSense GUI access will work for sure.

@newbieuser1 said in WebGUI page - no response / unable to configure pfSense:

As to the ps aux command, I have only 2 nginx processes

I have use also the captive portal that needs a web server (nginx) process. That's why I have 3 of them.

newbieuser1

@Gertjan, thanks. Option 4 is a factory reset, right? Will that also reset absolutely everything, including the IP address for the WebGUI access I had to set up, admin access passwords etc? I have not played with any firewall rules and setting yet (only tried to set up Quad9 for the DNS settings).

My Protectli Vault is not connected to anything and I have not incorporated it my network yet (still struggling to put my router in Bridge Mode...and dealing with my ISP).

Gertjan

@newbieuser1 said in WebGUI page - no response / unable to configure pfSense:

Will that also reset absolutely everything, including the IP address for the WebGUI access

Not only the network "IP" assignment, but also the list with known NICs, which means that the initial setup has to be done using the 'serial' console access.
( Or USB keyboard and HDMI screen, if that's your boot option )

Normally, after assigning the interfaces 'WAN' and 'LAN', you should keep for WAN the dhcp (client) and assign a static IP for your LAN, which, in your case, can't be 192.168.1.1/24 as this one is already used by your upstream ISP router.
So, chose, for example 192.168.10.1/24
The LAN DHCP server has to set set up with a DHCP pool like 192.168.10.2 (start) to 192.168.10.50 (end) mask 24 or "255.255.255.0".
And done.

Btw : if possible, change your ISP's router LAN setup, and change it's LAN 192.168.1.1/24 and DHCP server seting, set it up to use, for example 192.168.50.1/24 and change the DHCP accordingly.
From that point on, you can keep pfSense 100 % with the default settings with only one exception :
The password.

** so it will always work.

newbieuser1

@Gertjan Is not there any other way/step to fix the https issue? It sounds like the factory reset will bring me to square one and it was already such a challenge to even set things up to this point....as you can probably tell, I am a complete beginner...

I could be wrong but if I try to create a new static LAN address and this time choose 'Yes' for https (instead of 'No' as I did initially), would that be an alternative? Or learn how to create and import a self-signed certificate?

Gertjan

@newbieuser1 said in WebGUI page - no response / unable to configure pfSense:

Is not there any other way/step to fix the https issue? It sounds like the factory reset will bring me to square one and it was already such a challenge to even set things up to this point....as you can probably tell, I am a complete beginner...

If the "http" access works, but not the "https" access, then there is a solution, its documented in the pfSense documentation.
There is a console menu option for that (afaik).

If, after a GUI setting change, the GUI becomes inaccessible : no panic, there is a console menu option that lets you pick the config file you had just before the GUI edit. This will undo what you did, and you have the GUI access back again.

And I know, all these options, you want to try and use the all. But there is a major 'but' : in case of emergency, when the drive fails, and you have to re install, and you 'forgot' to make a recent backup, you have to rebuld 'from scratch' anyway. That's why you should keep it simple (KIS).

Btw : Have a look here : /cf/conf/backup : you'll find the latest 100 config files.

Accessing pfSense over http isn't really an issue, as traffic flows over your own network, and doesn't contain private info, neither mail or credit card info ^^

newbieuser1

@Gertjan, thanks. Could you please point me to the right section in the documentation you are referring to?

I am assuming the static LAN address I was wondering about is not going to be a solution?

Gertjan

@newbieuser1

Troubleshooting GUI Connectivity

or

Troubleshooting Access when Locked Out of the Firewall

Gertjan

@newbieuser1

Can you show your :
LAN settings ?
DHCP server LAN settings ?
Your LAN firewall rules ?

After you tried to access the GUI using https, check the GUI web server log : Status > System Logs > System GUI Service - what did you see ?

edit : most networked devices have a GUI these days : Your ISP router, your printer, your NAS, the airco, fridge and even the fish tank.
Some, if not all of these devices offer both http and https access.
Can yo access any of your own 'LAN' devices with your browser ?

I'm asking this (test) so we know if your browser isn't just plain refusing self (auto) signed certificates.

newbieuser1

@Gertjan thanks for your continuous help! I ended up just restarting the GUI from the console (option 11) and this somehow fixed the issue....I am no longer getting the time out error and can use the https link.