Netgate Discussion Forum
    [SOLVED] Getting SEC_ERROR_EXPIRED_CERTIFICATE trying to log into my router

    17 Posts 4 Posters 3.2k Views
    • J
      jeffc
      last edited by

      Hi,

      I'm getting an error THAT I CAN'T BYPASS trying to log into my router.

      I see:

      The owner of router.XXXXX.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

      This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox may only connect to it securely. As a result, it is not possible to add an exception for this certificate.

      When I ask for details, I see:

      router.XXXXX.com uses an invalid security certificate.

      The certificate expired on March 12, 2018, 12:12 AM.
      The current time is March 14, 2018, 4:48 AM.

      Error code: SEC_ERROR_EXPIRED_CERTIFICATE

      I'm not entirely sure how to get into the router to fix this. I was using Acme (and it should have renewed the certificate, I'm not sure why it didn't).

      Any suggestions of how to log in?

      Thanks!

      /Jeff

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        Connect by IP address, it should let you make an exception for the certificate. There is usually another way around it as well. If that doesn't work, try chrome.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • J
          jeffc
          last edited by

          I tried Safari, Chrome, Firefox, all failed using the DNS name.

          Using the IP address, however, I did get in. Thanks so much for the suggestion!

          This generated a new question: What's wrong with Acme. It looks like the top-level cert is bad. I tried adding a new cert, and I don't think it was okay either, see attachment. The first certificate is the original one, the second two were added by me. All have an "X" (indicating bad?).

          Any thoughts on what is the problem with my Acme root certificate?

          ![Screen Shot 2018-03-14 at 6.57.07 AM.png](/public/imported_attachments/1/Screen Shot 2018-03-14 at 6.57.07 AM.png)

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            That X isn't bad. Those are external CAs, so it's normal for them to NOT say "internal".

            • J
              jeffc
              last edited by

              So what's the problem with connecting directly? I don't understand what's expired with Acme!

              Here's the cert itself. I thought of blanking out the domain, but I don't have proper software on this machine, and the router isn't externally reachable anyway.

              Any thoughts on what, exactly, is expired?

              ![Screen Shot 2018-03-14 at 7.10.08 AM.png](/public/imported_attachments/1/Screen Shot 2018-03-14 at 7.10.08 AM.png)

              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                Can't tell from there, it's just expired. First, go to System > Packages. Make sure you are on the latest version of the ACME package (0.2.4), then go to Services > ACME Certificates, certificates tab, and try to renew your certificate.

                If that fails, post the error.

                • KOMK
                  KOM
                  last edited by

                  Any thoughts on what, exactly, is expired?

                  Check your browser and see what it's specifically complaining about by using your browser's tools. The time/date on your box is correct?

                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    @KOM:

                    Any thoughts on what, exactly, is expired?

                    Check your browser and see what it's specifically complaining about by using your browser's tools. The time/date on your box is correct?

                    In the screenshot, his "router" cert expired on the 11th, so it's operating as expected in the browser. The problem now is figuring out why ACME didn't renew it in time.

                    • KOMK
                      KOM
                      last edited by

                      Right. I was looking at the CA screen and seeing a date of 2021.

                      • J
                        jeffc
                        last edited by

                        Wait, I'm sorry, I still don't understand.

                        My certificate renewed on February 10th, 2018, and is set to expire on May 11, 2018. Based on past observation, Acme will try to renew this one month prior to expiration (around April 11th). Today is March 14th.

                        How is the actual certificate expired? You guys said it expired on the 11th, but it expires on May 11th, not March 11th.

                        Please clarify so I can understand what went wrong, thanks!

                        /Jeff

                        • KOMK
                          KOM
                          last edited by

                          Now my previous advice comes in handy. Use your browser to see what it's squawking about since we don't know what's going on here.

                          • J
                            jeffc
                            last edited by

                            Hi KOM,

                            I did use my browser (see original post): SEC_ERROR_EXPIRED_CERTIFICATE.

                            But it sure isn't clear to me what it is that's expired. Let's Encrypt CA cert is fine, and mine is as well (expiring May 11th). Note that I tried to get in with three different browsers (Safari, Chrome, Firefox), and they all failed (although Safari gave lousy diagnostics of what was wrong).

                            I understand that Firefox/Chrome think my certificate is expired, but what exactly is expired? The browser doesn't seem to be giving me more data (unless there's some special screen to get further data, that's all I get even with the advanced button).

                            Thanks so much!

                            /Jeff

                            • jimpJ
                              jimp Rebel Alliance Developer Netgate
                              last edited by

                              Ah, yeah, I misread that as March.

                              Did your GUI restart to pick up the new certificate?

                              Do you have a defined action to restart the GUI on renew, like the example shows?

                              • GertjanG
                                Gertjan
                                last edited by

                                Having acme generate a new certificate in time is one thing. This has been done, I guess.
                                Having it used by the GUI is another. This part is ok, your GUI is still using an older certificate - a newer should be present (renewed).
                                The GUI should be restarted when a new certificate was generated 'renewed' : check that that has been set up by your instructions.

                                edit : jimp was much faster … or I'm getting slow ...

                                No "help me" PM's please. Use the forum, the community will thank you.
                                Edit : and where are the logs ??

                                • KOMK
                                  KOM
                                  last edited by

                                  I did use my browser (see original post): SEC_ERROR_EXPIRED_CERTIFICATE.

                                  Sorry, I should have been more clear. I meant, use your browser's tools to examine the cert it's complaining about and see what it says. Click the error icon in the URL bar. From Site Security, click More Information. From there, click View Certificate. Anything weird on the cert? Does it also say May 2018?

                                  • J
                                    jeffc
                                    last edited by

                                    Hi Jimp,

                                    That was it! I failed to restart the GUI after installation of the new cert. Thus, when the OLD cert expired, that was that. I modified the ACME rule to execute /etc/rc.restart_webgui after the new cert is updated.

                                    Interestingly enough, I noted that when I went and executed /etc/rc.restart_webgui from the "Execute Command" capability, it wouldn't seem to work. But when I did it from the console, I was able to connect normally again.

                                    I REALLY appreciate the help, thank you so much!!! You guys are awesome!

                                    One more question: I noticed something about a new Acme API that was rolled out. Is that something I should go do? Does that work on the existing version of pfSense (2.4.2-RELEASE-p1), or would I need to install some sort of update to get that?

                                    Thanks again guys.

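The condition jimp and Gertjan identified above (ACME wrote a renewed certificate to disk, but the web GUI kept serving the old one until it expired) is visible from outside the box, and can be caught before the outage rather than after it. The script below is an added example written for this thread; it is not code from the pfSense ACME package or from any of the posters. It assumes `openssl` is on the PATH and that the hostname and the path of the certificate file ACME wrote are passed on the command line (both are hypothetical placeholders, since the thread does not give the file location). It compares the expiry of the certificate the live service presents with the expiry of the certificate on disk and reports which of the thread's scenarios applies; the sample dates in `main()` are the ones from the original post, used here as constructed test input.

```python
"""Compare the certificate a TLS service is actually serving with the one
ACME wrote to disk, and say whether the service still needs a restart.

Added example for the Netgate thread above; not project code. Assumes the
`openssl` binary is available. The renewal window defaults to 30 days,
matching the "one month prior to expiration" behaviour described in the thread.
"""
import ssl
import subprocess
import sys
from datetime import datetime, timedelta, timezone


def parse_openssl_enddate(line):
    """Parse 'notAfter=Mar 12 00:12:00 2018 GMT' (the output format of
    `openssl x509 -noout -enddate`) into an aware UTC datetime."""
    value = line.strip().split("=", 1)[1]
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def served_not_after(host, port=443):
    """Expiry of the certificate the live service presents.
    get_server_certificate() does not validate the chain, so an already
    expired certificate (the situation in the thread) can still be read."""
    pem = ssl.get_server_certificate((host, port))
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"],
                         input=pem, capture_output=True, text=True,
                         check=True).stdout
    return parse_openssl_enddate(out)


def file_not_after(path):
    """Expiry of the certificate file ACME wrote (path is an assumption)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    return parse_openssl_enddate(out)


def diagnose(served, on_disk, now, renew_window=timedelta(days=30)):
    """Classify the (served expiry, on-disk expiry, current time) triple.

    Returns (status, advice). The four non-ok states map onto the thread:
    stale-* means renewal worked but the GUI never reloaded the new cert,
    renewal-missing means ACME itself did not renew.
    """
    if on_disk > served:
        # A newer certificate exists on disk but the service never loaded it.
        if served <= now:
            return ("stale-expired",
                    "served cert has expired; renewed cert is on disk but not "
                    "loaded - restart the web GUI (e.g. /etc/rc.restart_webgui)")
        return ("stale-unloaded",
                "renewed cert on disk is not being served yet; restart the "
                "web GUI before the old one expires on %s" % served.date())
    if served <= now:
        return ("renewal-missing",
                "served cert has expired and no newer cert is on disk; ACME "
                "renewal did not run - check the ACME package logs")
    if served - now <= renew_window:
        return ("expiring-soon",
                "inside the renewal window with no renewed cert on disk yet")
    return ("ok", "served cert matches the cert on disk and is not expiring soon")


def main(argv):
    if len(argv) == 3:
        host, cert_path = argv[1], argv[2]
        status, advice = diagnose(served_not_after(host), file_not_after(cert_path),
                                  datetime.now(timezone.utc))
    else:
        # Constructed input: the dates reported in the original post.
        served = parse_openssl_enddate("notAfter=Mar 12 00:12:00 2018 GMT")
        on_disk = parse_openssl_enddate("notAfter=May 11 00:00:00 2018 GMT")
        now = datetime(2018, 3, 14, 4, 48, tzinfo=timezone.utc)
        status, advice = diagnose(served, on_disk, now)
    print("%s: %s" % (status, advice))


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments it replays the thread's own dates and reports `stale-expired`; run as `python3 check_gui_cert.py router.example.com /path/to/acme/cert.pem` it fetches the live certificate and compares it with the file. The `stale-unloaded` state is the useful one for monitoring: it is the window between ACME's renewal and the old certificate's expiry in which a missing GUI restart is still harmless, and it is exactly what a cron job could alert on.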
                                    • GertjanG
                                      Gertjan
                                      last edited by

                                      @jeffc:

                                      One more question: I noticed something about a new Acme API that was rolled out. Is that something I should go do? Does that work on the existing version of pfSense (2.4.2-RELEASE-p1), or would I need to install some sort of update to get that?

                                      When a package update comes out, like 0.2.5 for acme yesterday, you should upgrade.

                                      This newer version includes the possibility to obtain wildcard certs from Let's Encrypt - if you need them. See ACMEv2 is live!


                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.