Netgate Discussion Forum

    Webconfigurator Server Cert (IP and DN with alternative names) does not work

    2.2 Snapshot Feedback and Problems - RETIRED
    • anderl

      I create a CA and a certificate (with domain name and IP with alternative names),
      activate the SSL certificate in System -> Advanced,
      import the CA on my client.

      Now the DNS works and gets the correct green sign in my browser, but the IP gets an error.
      Aren't alternative names the correct way to get a certificate for domain name and IP?
      Thanks,
      mike

      • jimp Rebel Alliance Developer Netgate

        Could be due to this:
        https://redmine.pfsense.org/issues/3347

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • reggie14

          @anderl:

          I create a CA and a certificate (with domain name and IP with alternative names),
          activate the SSL certificate in System -> Advanced,
          import the CA on my client.

          Now the DNS works and gets the correct green sign in my browser, but the IP gets an error.
          Aren't alternative names the correct way to get a certificate for domain name and IP?
          Thanks,
          mike

          I know this isn't particularly helpful, but it works fine for me. I had to restart Chrome after loading the CA certificate, though. And make sure you import it as a Trusted Root CA certificate; it doesn't work if you accept the defaults in the certificate import wizard in Windows.

          • anderl

            @jimp:

            Could be due to this:
            https://redmine.pfsense.org/issues/3347

            Looks like it still doesn't work in 2.2.
            Thanks

            • reggie14

              @anderl:

              @jimp:

              Could be due to this:
              https://redmine.pfsense.org/issues/3347

              Looks like it still doesn't work in 2.2.
              Thanks

              Perhaps, but as I said in my post, SANs are working fine for me. I've tried IE and Chrome under Windows 7, and Chrome under Android. I've also verified that it works fine both for DNS names and IP addresses.

              Edit: Actually, I just noticed IP doesn't work on IE, although it does work on Chrome. The certificate looks fine, though. Has MS started rejecting SANs containing private IPs? Here's an old, random blog post that seems to confirm that Microsoft doesn't like the IP address. What browser are you using? Here's a more official statement from MS confirming the limitation. They suggest adding the IP address as a DNS name to the SAN list, rather than identifying it as an IP. That's a weird work-around. I'd also keep the IP address in as an IP entry; other browsers might need that.

              Can you post a screenshot of the certificate warning message, and of the certificate details, particularly what's under SAN?

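The SAN matching behaviour discussed in the post above, as an added example that is not part of the original thread: it checks whether a SAN list covers a hostname or IP literal under the RFC 2818 rule and under a model of the client limitation the post describes. The SAN tuples use the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the `ip_as_dns_only` switch, the function names and the sample names and addresses are assumptions made for illustration.

```python
import ipaddress

# SAN entries use the (type, value) shape returned by ssl.SSLSocket.getpeercert().
# Constructed sample: the IP is listed both as an IP entry and as a DNS-typed entry.
SAMPLE_SAN = (("DNS", "fw.example.test"), ("IP Address", "192.168.1.1"),
              ("DNS", "192.168.1.1"))

def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive match; '*' allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def san_covers(san, target, ip_as_dns_only=False):
    """Does the SAN list cover what the user typed in the URL?

    ip_as_dns_only=False: RFC 2818 rule, an IP literal must equal an
        'IP Address' entry and is never compared with DNS entries.
    ip_as_dns_only=True: hypothetical model of the client limitation described
        in the thread, where an IP literal is only compared with DNS entries.
    """
    ip = _as_ip(target)
    if ip is None:
        return any(t == "DNS" and _dns_match(v, target) for t, v in san)
    if ip_as_dns_only:
        return any(t == "DNS" and _as_ip(v) == ip for t, v in san)
    return any(t == "IP Address" and _as_ip(v) == ip for t, v in san)

def report(san, targets):
    """Map each target to (rfc2818_result, ip_as_dns_only_result)."""
    return {t: (san_covers(san, t), san_covers(san, t, True)) for t in targets}

if __name__ == "__main__":
    for target, result in report(SAMPLE_SAN, ["fw.example.test", "192.168.1.1"]).items():
        print(target, result)
```

A certificate that lists the address under both entry types passes both checks, which is why the post recommends keeping the IP entry alongside the DNS-typed one.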
              • anderl

                I created the cert with pfSense and imported it in apache2 on my other server. This was my test. When I create one for the pfSense server with DNS and IP, it works. So there is a problem in my other apache2 config and not in the cert.
                Thanks for the help,
                mike

                • jimp Rebel Alliance Developer Netgate

                  Looks like that bug was fixed but not marked as such. The certs are indeed made properly, at least on 2.2.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.