Netgate Discussion Forum

    Certificate

    General pfSense Questions
    • labratt104

      When I log in to pfSense, I get the following warning:

      You attempted to reach 192.xxx.xxx.xxx, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications.

      I have exported the firewall cert from pfSense. Windows and Chrome tell me they have successfully imported the certificate, yet I continue to get the message above.

      Any help with this would be greatly appreciated.

      • MindfulCoyote

        This sounds like a problem with your Chrome installation specifically. Can you test with another browser like Firefox or MSIE?

        Err

        –
        Erreu Gedmon

        Firewalls are hard...
        but the book makes it easier: https://portal.pfsense.org/book/

        • reggie14

          labratt104 - Did you ever fix your problem? I'm running into the same issue with my pfSense box.

          • doktornotor Banned

            You need to import the CA certificate to the Trusted Root CAs store. Not the WebGUI one…

            • reggie14

              @doktornotor:

              You need to import the CA certificate to the Trusted Root CAs store. Not the WebGUI one…

              Thanks.  I think I screwed up by accepting wherever Windows decided to automatically import the CA cert to.  It wasn't imported as a Trusted Root CA certificate.

              When I created the new server certificate Chrome originally still rejected it, saying the name didn't match.  After remembering something about the move away from CNs to subject alt names I regenerated the cert to include the domain name in the subject alt name field.  After that change Chrome and IE happily accept and trust the cert.

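An added example, not part of the original posts, that reproduces both fixes from this thread with the OpenSSL command line: the server certificate verifies only when the issuing CA certificate is the trust anchor, and only names and IP addresses listed in the subject alt name field match. OpenSSL's verifier stands in for the Windows/Chrome trust store here; the CA, the host name pfsense.home.arpa and the addresses are constructed sample values, and OpenSSL 1.1 or later is assumed.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA and server certificate in a temp directory.
# pfsense.home.arpa and the 192.168.x.1 addresses are sample values.
set -e
WORK=$(mktemp -d)

make_pki() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Stand-in for the internal CA created in the pfSense Cert Manager.
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # Server certificate: the SAN lists one DNS name and one IP address.
    openssl req -new -config "$WORK/ca.cnf" -subj "/CN=pfsense.home.arpa" \
        -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    echo 'subjectAltName=DNS:pfsense.home.arpa,IP:192.168.1.1' > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/san.ext" -out "$WORK/srv.crt" 2>/dev/null
}

# Succeeds only if the server certificate chains to a root in trust file $1.
chain_ok() {
    openssl verify -CAfile "$1" "$WORK/srv.crt" >/dev/null 2>&1
}

# $1 is "host" or "ip"; $2 is what would be typed in the address bar.
name_ok() {
    openssl x509 -in "$WORK/srv.crt" -noout "-check$1" "$2" 2>&1 | grep -q 'does match'
}

report() {  # print PASS/FAIL for a labelled check
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

make_pki
report "trust store holds the CA certificate"        chain_ok "$WORK/ca.crt"
report "trust store holds only the server cert"      chain_ok "$WORK/srv.crt"
report "https://pfsense.home.arpa (DNS name in SAN)" name_ok host pfsense.home.arpa
report "https://192.168.1.1 (IP in SAN)"             name_ok ip 192.168.1.1
report "https://192.168.2.1 (IP not in SAN)"         name_ok ip 192.168.2.1
```

Each name or address used to reach the WebGUI needs its own SAN entry, which is why 192.168.2.1 fails in this run while 192.168.1.1 passes.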
              • blacklabelskater2

                @reggie14:

                When I created the new server certificate Chrome originally still rejected it, saying the name didn't match.  After remembering something about the move away from CNs to subject alt names I regenerated the cert to include the domain name in the subject alt name field.  After that change Chrome and IE happily accept and trust the cert.

                Hello, I was wondering if you could go into more detail on this.  I am getting the "name didn't match" error.

                Here is what I have tried:
                In pfSense - certificates>Cert Manager, click on CAs, click add or import CA, create an internal certificate authority

                Then go to certificates>Cert Manager, click on certificates, create an internal certificate and then choose Certificate Authority from the drop down.
                I left all default values.
                For CN I left blank
                For Alternative Names - I put
                Type: DNS Value: Hostname of my PC
                Type: IP Value: IP address of my PC

                I do not know what to put in for the CN. I am not on a domain (Would I put in workgroup? or my hostname of the PC I am accessing from)?

                Also do you access the firewall by IP address in the web browser?  I have several IP addresses that I can access the firewall from, if I ping the firewall it replies back a different IP address network than what my host PC is on (Example: router is 192.168.1.1, wired PC is on 192.168.2.1, if I ping the router I get 192.168.3.1, which is my wireless network).

                I have HTTPS configured with a port number as well when logging into the router (Example https://192.168.2.1:9001/)

                Thanks,
                bskater

                • Gertjan

                  @blacklabelskater2:

                  Also do you access the firewall by IP address in the web browser?  I have several IP addresses that I can access the firewall from, if I ping the firewall it replies back a different IP address network than what my host PC is on (Example: router is 192.168.1.1, wired PC is on 192.168.2.1, if I ping the router I get 192.168.3.1, which is my wireless network).

                  That's messy.

                  Your AP contains a "router" setup … ?
                  Normally: pfSense [LAN]= 192.168.1.1
                  AP on LAN (example) IP : 192.168.1.2 (NAT Off, DHCP Off, gateway and DNS on AP is 192.168.1.1)
                  Your PC : any IP pfSense gave it (192.168.2.2 - .254)

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  • johnpoz LAYER 8 Global Moderator

                    Yeah this sounds like a mess

                    "router is 192.168.1.1, wired PC is on 192.168.2.1, if I ping the router I get 192.168.3.1, which is my wireless network)."

                    So you have multiple interfaces/vlan on pfsense.. ping the router I get 192.168.3.1 is your router?  Are you talking about pfsense interface on your wireless vlan or are you natting your wireless with a wifi router that is not in AP mode?

                    Why don't you access pfsense with name?  You can set up your rules to be able to hit the lan interface, let's call it 192.168.1.1, of pfsense for its web gui from any of your segments.  You could set up different names for your different segments and hit that interface via that name with cert for that name, etc.  For example pfsense.local.lan is 192.168.9.253 on my setup, and pfsense.wlan.local.lan is 192.168.2.253, this is the pfsense interface in my wireless segment, then a few more dmz, ps3, etc.

                    Personally I never access pfsense gui from anything other than the wired network.. Wifi shouldn't really be open to your firewall admin gui if you ask me ;)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.