Netgate Discussion Forum

SSL certificate signed

webGUI
35 Posts 8 Posters 26.4k Views
JohnnyBeGood:

@Gertjan:

> Hi,
>
> Use this as a guide line : https://forum.pfsense.org/index.php?topic=63791.0 - it mentions an example with a certificate from StartSSL.
>
> I always used a self-generated certificate from pfSense - but already used a real -signed- certificate from StartSSL for my Portal page.
>
> I saw your message, so I decided to generate a valid certificate from StartSSL for my Web GUI pfSense access.
>
> My domain name, which also really exists on the net, is brit-hotel-fumel.net
> My host name (pfSense) is : "pfsense"
>
> First image :
> Add the Intermediate and Root certificate that you must obtain from StartSSL. (Because I was already using one certificate from them for my portal interface, they were already there for me.)
>
> Next image:
> You obtain first from StartSSL a file called "ssl.key" - Keep this file, do not use it directly. Use the command openssl ….. or the tools from StartSSL to decrypt it (using the password you gave to StartSSL to generate it).
>
> The ssl.crt file goes into the first 'block' (Certificate data).
> Your ssl.key that you decrypted goes into the second block (Private key data).
> Give it also a name, like I did : "pfsense GUI Acces"
>
> You can see in the second image :
> The 'default' auto generated cert from pfSense which isn't used now anymore, so I could delete it.
> A second cert record for my portal interface : portal.brit-hotel-fumel.net
> A third cert record for my web GUI access (pfsense.brit-hotel-fumel.net) which is, as you can see, generated today : 28 august, 2015 ;)
>
> After that, I was already using https access, but I switched from the auto generated cert to the new StartSSL cert, and ..... looooo, no more warnings from my browser :)

Thanks for the replies guys!

I also have pfsense.mydomain.net and what I don't understand is how to retrieve Private key data.
As suggested on the StartSSL website, once the certificate was generated I followed their instructions and backed it up using Chrome https://www.startssl.com/?app=25#4 and I have a certificate.pfx file.

How did you get the ssl.crt and ssl.key files?

Tool box on StartSSL did not help me.

![startssl tool box.JPG](/public/imported_attachments/1/startssl tool box.JPG)

I like to fill my tub up with water, then turn the shower on and act like I'm in a submarine that's been hit!
Derelict (LAYER 8 Netgate):

You can get the certificate using the "Retrieve Certificate" link there in the Toolbox on the left.

Where the key is depends on how you generated the CSR. Or did you let StartSSL create it?

I've never done it that way. I always generate CSRs locally and upload them (keeping the private key with me the whole time).

It generates an encrypted private key and gives you this command to decrypt it:

```
openssl rsa -in ssl.key -out ssl.key
```

```
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,...
-----END RSA PRIVATE KEY-----
```

Worked for me. I ended up with ssl.key containing the unencrypted RSA key in PEM format.

That, coupled with the certificate you can get from "Retrieve Certificate" plus the intermediate certificate from "StartCom CA Certificates" (both in the Toolbox) should be all you need. Their decryption tool worked for me too.

ETA - It's easier just to generate a CSR using pfSense. You can just put BS in the attributes (I just used Temp for everything except email. There I used a@b.c. CAs toss all that stuff anyway, replacing it with what they have verified. All the CSR really needs to contain is the private key fingerprint.)

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
JohnnyBeGood:

@Derelict:

> You can get the certificate using the "Retrieve Certificate" link there in the Toolbox on the left.
>
> Where the key is depends on how you generated the CSR. Or did you let StartSSL create it?
>
> I've never done it that way. I always generate CSRs locally and upload them (keeping the private key with me the whole time).
>
> It generates an encrypted private key and gives you this command to decrypt it:
>
> ```
> openssl rsa -in ssl.key -out ssl.key
> ```
>
> ```
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: AES-256-CBC,...
> -----END RSA PRIVATE KEY-----
> ```
>
> Worked for me. I ended up with ssl.key containing the unencrypted RSA key in PEM format.
>
> That, coupled with the certificate you can get from "Retrieve Certificate" plus the intermediate certificate from "StartCom CA Certificates" (both in the Toolbox) should be all you need. Their decryption tool worked for me too.
>
> ETA - It's easier just to generate a CSR using pfSense. You can just put BS in the attributes (I just used Temp for everything except email. There I used a@b.c. CAs toss all that stuff anyway, replacing it with what they have verified. All the CSR really needs to contain is the private key fingerprint.)

When I click on the "Retrieve Certificate" link under certificate I don't get anything (see attached screenshot).

The entire certificate was done using StartSSL and Chrome was used to back it up, so nothing was done locally (command line).

certificate.JPG
Derelict (LAYER 8 Netgate):

Then it hasn't been issued for some reason.
JohnnyBeGood:

@Derelict:

> Then it hasn't been issued for some reason.

Thanks, I will email them.
Gertjan:

If you can't retrieve a certificate under "Retrieve Certificate" then nothing has been generated yet.
First: go to the "Validations Wizard" and do a "Domain name validation".
Then: go to "Certificates Wizard", select "Web server SSL/TLS Certificate" and run it down.

Normally, I let them generate the files.
Because I have a "Debian Jessie" server, I execute the "openssl rsa -in ssl.key -out ssl.key" myself with a detail:
I use this:

```
openssl rsa -in ssl.key -out ssl-decrypted.key
```

This way I keep the original encrypted key and the decrypted key. You'll be needing the 'ssl-decrypted.key' file afterwards.

I'll join an image to motivate you ;)

startssl-pfsense.png

No "help me" PM's please. Use the forum, the community will thank you.
Edit : and where are the logs ??
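The decrypt step from Derelict's and Gertjan's posts above, as an added example that is not code from the thread, pfSense or StartSSL: it builds a constructed encrypted key and matching certificate to stand in for the StartSSL ssl.key and ssl.crt, decrypts the key into a separate ssl-decrypted.key (Gertjan's variant, so the encrypted original survives) with the passphrase passed via -passin instead of the interactive prompt, and then checks that the decrypted key actually belongs to the certificate before either is pasted into pfSense. The file names, hostname and passphrase are assumptions of the demo.

```shell
#!/bin/sh
# Added example (not from the thread): decrypt a passphrase-protected PEM key
# into a separate file, keep the encrypted original, and confirm the decrypted
# key matches the certificate before pasting either into pfSense.
# Assumes the openssl CLI; every file name and the passphrase are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="demo-passphrase"   # constructed; StartSSL used the password you chose in the wizard

# Constructed stand-ins for what StartSSL hands out: an encrypted ssl.key and a
# matching ssl.crt (self-signed here; the real one is signed by their intermediate).
make_demo_files() {
    openssl genrsa -out "$WORK/plain.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/plain.key" -aes256 -passout "pass:$PASS" \
        -out "$WORK/ssl.key" 2>/dev/null
    openssl req -new -x509 -key "$WORK/plain.key" -subj "/CN=pfsense.example.net" \
        -days 1 -out "$WORK/ssl.crt" 2>/dev/null
    rm -f "$WORK/plain.key"
}

# Decrypt to a NEW file, so the encrypted ssl.key survives as a backup.
decrypt_key() {
    openssl rsa -in "$WORK/ssl.key" -passin "pass:$PASS" \
        -out "$WORK/ssl-decrypted.key" 2>/dev/null
    chmod 600 "$WORK/ssl-decrypted.key"   # the plaintext key is now the sensitive artefact
}

# Prints "match" when the public key inside ssl.crt equals the one derived from the
# decrypted key. Compares SHA-256 of the DER-encoded public keys, so it works for
# RSA and EC keys alike. "mismatch" means the wrong key or the wrong certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/ssl-decrypted.key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    c=$(openssl x509 -in "$WORK/ssl.crt" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}')
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Succeeds when the file is a plain (unencrypted) PEM private key, which is what the
# "Private key data" box in pfSense expects.
key_is_unencrypted() {
    grep -q 'BEGIN' "$1" && ! grep -q 'ENCRYPTED' "$1"
}

make_demo_files
decrypt_key
key_matches_cert
key_is_unencrypted "$WORK/ssl-decrypted.key" && echo "ssl-decrypted.key is ready to paste"
```

The public-key comparison is the check worth keeping around: pasting a certificate with the wrong key into pfSense is exactly the kind of mistake that only shows up as a browser error later.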
JohnnyBeGood:

@Gertjan:

> If you can't retrieve a certificate under "Retrieve Certificate" then nothing has been generated yet.
> First: go to the "Validations Wizard" and do a "Domain name validation".
> Then: go to "Certificates Wizard", select "Web server SSL/TLS Certificate" and run it down.
>
> Normally, I let them generate the files.
> Because I have a "Debian Jessie" server, I execute the "openssl rsa -in ssl.key -out ssl.key" myself with a detail:
> I use this:
>
> ```
> openssl rsa -in ssl.key -out ssl-decrypted.key
> ```
>
> This way I keep the original encrypted key and the decrypted key. You'll be needing the 'ssl-decrypted.key' file afterwards.
>
> I'll join an image to motivate you ;)

Nice motivation :)

I was able to get "Retrieve Certificate" working, and the reason was that I never finished the process :(
Now, after I have entered both without any errors like before, I still get invalid; how did you "force" your browser to use the new certificate?

still.JPG
Derelict (LAYER 8 Netgate):

Did you install the Intermediate as a CA?

Did you install the StartSSL certificate?

Does pfSense recognize that the Cert is signed by the CA?

Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??

Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?
JohnnyBeGood:

@Derelict:

> Did you install the Intermediate as a CA?
>
> Did you install the StartSSL certificate?
>
> Does pfSense recognize that the Cert is signed by the CA?
>
> Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??
>
> Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?

:(

So I went to check if I was using the new certificate under System > Advanced > Admin Access, and when I changed from the self generated one to the one I created, now I'm stuck and cannot log in to the pfSense interface. In Chrome I get:

**This webpage is not available**

**ERR_CONNECTION_TIMED_OUT**

Tried w/ pfSense IP https://192.168.1.1 as well as the domain that matched the certificate https://linux.mydomain.net:81
Derelict (LAYER 8 Netgate):

> Tried w/ pfSense IP https://192.168.1.1 as well as the domain that matched the certificate https://linux.mydomain.net:81

Connect to http://192.168.1.1/ and see what happens.

Did you change the listening port? You're trying https:// and https://host:81 there.
Gertjan:

@JohnnyBeGood:

> ….. now I'm stuck and cannot log in to the pfSense interface. In Chrome I get:

Been there - seen that.

My 'solution' : SSH into pfSense. Option 8: shell.

Type

```
viconfig
```

Find

```
<protocol>https</protocol>
```

Change it to

```
<protocol>http</protocol>
```

Save.
Reboot.

Warning : editing the config.xml is "not done" (that's why it works ;)).
You are using the editor vi - it's somewhat special.
JohnnyBeGood:

@Gertjan:

> @JohnnyBeGood:
>
> > ….. now I'm stuck and cannot log in to the pfSense interface. In Chrome I get:
>
> Been there - seen that.
>
> My 'solution' : SSH into pfSense. Option 8: shell.
>
> Type
>
> ```
> viconfig
> ```
>
> Find
>
> ```
> <protocol>https</protocol>
> ```
>
> Change it to
>
> ```
> <protocol>http</protocol>
> ```
>
> Save.
> Reboot.
>
> Warning : editing the config.xml is "not done" (that's why it works ;)).
> You are using the editor vi - it's somewhat special.

I'm glad I'm not the only one with this issue ;)

So using PuTTY SSH I tried to connect to 192.168.1.1 but it keeps timing out. I'm assuming that the SSH daemon is not enabled.
My next step would be to physically connect a keyboard and monitor and try to connect that way. Are the above steps the same?
JohnnyBeGood:

@Derelict:

> > Tried w/ pfSense IP https://192.168.1.1 as well as the domain that matched the certificate https://linux.mydomain.net:81
>
> Connect to http://192.168.1.1/ and see what happens.
>
> Did you change the listening port? You're trying https:// and https://host:81 there.

I did try connecting to http://192.168.1.1/ but it does not connect.
Neither port 80 nor 81 worked.
Gertjan:

@JohnnyBeGood:

> I'm assuming that the SSH daemon is not enabled.

Possible.
But not for me.
A remote system without remote SSH enabled: unthinkable.
SSH is not some kind of 'emergency back door' : it's the main maintenance port of any system. (GUI is just the next best thing.)
For me, that is. I guess it's quite usual for people born before 1970 ;)

@JohnnyBeGood:

> My next step would be to physically connect a keyboard and monitor and try to connect that way. Are the above steps the same?

Of course.
JohnnyBeGood:

@Gertjan:

> @JohnnyBeGood:
>
> > ….. now I'm stuck and cannot log in to the pfSense interface. In Chrome I get:
>
> Been there - seen that.
>
> My 'solution' : SSH into pfSense. Option 8: shell.
>
> Type
>
> ```
> viconfig
> ```
>
> Find
>
> ```
> <protocol>https</protocol>
> ```
>
> Change it to
>
> ```
> <protocol>http</protocol>
> ```
>
> Save.
> Reboot.
>
> Warning : editing the config.xml is "not done" (that's why it works ;)).
> You are using the editor vi - it's somewhat special.

Thanks for this, you're a life saver! I thought I needed to re-install it :'(
JohnnyBeGood:

@Derelict:

> Did you install the Intermediate as a CA?
>
> Did you install the StartSSL certificate?
>
> Does pfSense recognize that the Cert is signed by the CA?
>
> Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??
>
> Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?

Let's try this again since I got locked out :(

Did you install the Intermediate as a CA?
I thought I did, please see attached screenshot.

Does pfSense recognize that the Cert is signed by the CA?
I think it does, please see attached.

Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??
Everything was fine until I selected the new certificate. After that I was locked out until I tried Gertjan's solution.

Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?
When I created the cert. it matched my pfSense hostname.

Why did I get locked out once I selected the new cert?

CAs.JPG
certificates.JPG
advanced-admin-access.JPG
Derelict (LAYER 8 Netgate):

No. You installed your certificate as a CA. You need to install the StartSSL Class 1 Intermediate Server certificate as a CA. Delete the Web gui linux from CAs and install this.

http://www.startssl.com/certs/sub.class1.server.ca.pem

```
-----BEGIN CERTIFICATE-----
MIIF2TCCA8GgAwIBAgIHFxU9nqs/vzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQG
EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp
Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDE0MjA1NDE3WhcNMjIxMDE0MjA1
NDE3WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp
BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV
BAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVy
IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj
0PREGBiEgFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo
/OenJOJApgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn6
6+6CPAVvkvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+v
WjhwRRI/ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxD
KslIDlc5xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21T
Lwb0pwIDAQABo4IBTDCCAUgwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAQYwHQYDVR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaA
FE4L7xqkQFulF2mHMMo0aEPQQa7yMGkGCCsGAQUFBwEBBF0wWzAnBggrBgEFBQcw
AYYbaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL2NhMDAGCCsGAQUFBzAChiRodHRw
Oi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwMgYDVR0fBCswKTAnoCWg
I4YhaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMEMGA1UdIAQ8MDow
OAYEVR0gADAwMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9w
b2xpY3kucGRmMA0GCSqGSIb3DQEBCwUAA4ICAQCBnsOw7dxamNbdJb/ydkh4Qb6E
qgEU+G9hCCIGXwhWRZMYczNJMrpVvyLq5mNOmrFPC7bJrqYV+vEOYHNXrzthLyOG
FFOVQe2cxbmQecFOvbkWVlYAIaTG42sHKVi+RFsG2jRNZcFhHnsFnLPMyE6148lZ
wVdZGsxZvpeHReNUpW0jh7uq90sShFzHs4f7wJ5XmiHOL7fZbnFV6uE/OoFnBWif
CRnd9+RE3uCospESPCRPdbG+Q4GQ+MBS1moXDTRB6DcNoHvqC6eU3r8/Fn/DeA9w
9JHPXUfrAhZYKyOQUIqcfE5bvssaY+oODVxji6BMk8VSVHsJ4FSC1/7Pkt/UPoQp
FVh38wIJnvEUeNVmVl3HHFYTd50irdKYPBC63qi2V/YYI6bJKmbrjfP9Vhyt9uNr
y3Kh4W22ktDuCCvWC7n/gqerdq+VlTRfNt7D/mB0irnaKjEVNCXBXm9V/978J+Ez
8aplGZccQ9jnc9kiPtUp5dj45E3V8vKqzp9srSSI5Xapdg+ZcPY+6HNuVB+MadRp
ZW2One/Qnzg9B4GnVX7MOETImdoP4kXpostFuxoY/5LxCU1LJAIENV4txvT50lX2
GBXCkxllRLWOgdyll11ift/4IO1aCOGDijGIfh498YisM1LGxytmGcxvbJERVri+
gGpWAZ5J6dvtf0s+bA==
-----END CERTIFICATE-----
```

After that, when you look at your certificate, it should show as being issued by that cert (Issuer)…

![Screen Shot 2015-09-17 at 10.19.58 PM.png](/public/imported_attachments/1/Screen Shot 2015-09-17 at 10.19.58 PM.png)
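The checks behind Derelict's earlier questions (is the cert really signed by the CA entry you installed, does the hostname match the CN or a SAN) and the Issuer point just above, as an added example that is not code from the thread or from pfSense: it builds a constructed root -> intermediate -> server chain with openssl, then shows the issuer comparison that tells the right CA entry (the intermediate) from the wrong one (your own server certificate installed as a CA), and a full chain verification with a hostname that is in the SAN beside one that is not. All names, hostnames and file paths are assumptions of the demo.

```shell
#!/bin/sh
# Added example (not from the thread): constructed root -> intermediate -> server
# chain, then the two checks pfSense and the browser effectively perform:
# issuer-matches-installed-CA and hostname-matches-SAN.
# Assumes the openssl CLI; every name and file below is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST="pfsense.example.net"   # constructed hostname the server cert is issued for

# Stand-ins for the StartSSL root, the Class 1 intermediate, and your own server cert.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.crt" -subj "/CN=Demo Root CA" -days 2 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/intermediate.key" \
        -out "$WORK/intermediate.csr" -subj "/CN=Demo Class 1 Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -days 2 -out "$WORK/intermediate.crt" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/server.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -out "$WORK/server.csr" -subj "/CN=$HOST" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.crt" \
        -CAkey "$WORK/intermediate.key" -CAcreateserial -extfile "$WORK/server.ext" \
        -days 2 -out "$WORK/server.crt" 2>/dev/null
}

# Prints "yes" when $1 (a server cert) names $2 (a candidate CA cert) as its issuer.
# This is the relationship the Issuer column in pfSense's certificate list reflects;
# a server certificate installed under CAs never satisfies it for itself.
issued_by() {
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
    if [ "$iss" = "$sub" ]; then echo yes; else echo no; fi
}

# Prints "ok" when the server cert chains to the root through the intermediate AND
# the given hostname matches the CN or a SAN, which is what the browser checks.
chain_ok() {
    if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/intermediate.crt" \
        -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

make_demo_chain
issued_by "$WORK/server.crt" "$WORK/intermediate.crt"   # yes: this is the CA entry to install
issued_by "$WORK/server.crt" "$WORK/server.crt"         # no: a server cert is not its own CA
chain_ok "$HOST"                                        # ok
chain_ok "linux.example.net"                            # fail: that name is not in the SAN
```

The second issued_by call is the situation Derelict diagnosed: the user's own certificate sat under CAs, so nothing in pfSense could see it as signed by a trusted CA. The last chain_ok call mirrors the earlier attempt to reach the GUI at linux.mydomain.net with a certificate issued for the pfSense hostname.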
johnpoz (LAYER 8 Global Moderator):

You know you could have just used the pfSense self signed cert.. All you have to do is install the pfSense CA into your machine so that certs signed by that CA are trusted. There is no reason to get a cert from StartSSL or anyplace, be it free or not.

The only time you would need a cert from a public trusted CA would be for, say, your portal, when clients that have not trusted the pfSense CA would hit the page via https.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
Derelict (LAYER 8 Netgate):

That's your opinion. I get certs because I think it's inexcusable to have a user have to click through a certificate error. Trains them badly. With all the devices running around here and the amount of messing around I do, it's worth it to me to go through the yearly hassle of updating the certs with ones that won't throw errors at others.
johnpoz (LAYER 8 Global Moderator):

Who said anything about users clicking through bad certs? I completely agree with you.. It's my machine on a server I admin, I can trust whatever CA I want, now I don't get errors.. Don't have to add an exception, etc.

Notice I did state that if using it for, say, a captive portal you would use a public trusted CA for that cert..

Once you trust the CA, none of the certs that CA would create would throw errors, etc..

trustedca.png
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.