SSL certificate signed

Derelict

You can get the certificate using the "Retrieve Certificate" link there in the Toolbox on the left.

Where the key is depends on how you generated the CSR.  Or did you let StartSSL create it?

I've never done it that way.  I always generate CSRs locally and upload them (Keeping the private key with me the whole time).

It generates an encrypted private key and gives you this command to decrypt it:

openssl rsa -in ssl.key -out ssl.key

–---BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,...
-----END RSA PRIVATE KEY-----

Worked for me.  I ended up with ssl.key containing the unencrypted rsa key in PEM format.

That, coupled with the certificate you can get from "Retrieve Certificate" plus the intermediate certificate from "StartCom CA Certificates" (Both in the Toolbox) should be all you need. Their decryption tool worked for me too.

ETA - It's easier just to generate a CSR using pfSense.  You can just put BS in the attributes (I just used Temp for everything except email.  There I used a@b.c.  CAs toss all that stuff anyway, replacing it with what they have verified.  All the CSR really needs to contain is the private key fingerprint.)

JohnnyBeGood

@Derelict:

You can get the certificate using the "Retrieve Certificate" link there in the Toolbox on the left.

Where the key is depends on how you generated the CSR.  Or did you let StartSSL create it?

I've never done it that way.  I always generate CSRs locally and upload them (Keeping the private key with me the whole time).

It generates an encrypted private key and gives you this command to decrypt it:

openssl rsa -in ssl.key -out ssl.key

–---BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,...
-----END RSA PRIVATE KEY-----

Worked for me.  I ended up with ssl.key containing the unencrypted rsa key in PEM format.

That, coupled with the certificate you can get from "Retrieve Certificate" plus the intermediate certificate from "StartCom CA Certificates" (Both in the Toolbox) should be all you need. Their decryption tool worked for me too.

ETA - It's easier just to generate a CSR using pfSense.  You can just put BS in the attributes (I just used Temp for everything except email.  There I used a@b.c.  CAs toss all that stuff anyway, replacing it with what they have verified.  All the CSR really needs to contain is the private key fingerprint.)

When I click on "Retrieve Certificate" link under certificate I don't get anything (see attached screenshot).

Entire certificate was done using StartSSL and Chrome was used to back it up so nothing was done locally (command line).

Derelict

Then it hasn't been issued for some reason.

JohnnyBeGood

@Derelict:

Then it hasn't been issued for some reason.

Thanks, I will email them.

Gertjan

If you can't retrieve a certificate under "Retrieve Certificate" then nothing has been generated yet.
First: goto the "Validations Wizard" and do a "Domaine name validation".
Then: goto "Certificates Wizard", select "Web server SSL/TLS Certificate" and run it down.

Normally, I let them generate the files.
Because I have a "Debian Jessie" server, I execute the "openssl rsa -in ssl.key -out ssl.key" myself with a detail:
I use this:

openssl rsa -in ssl.key -out ssl-decrypted.key

this way I keep the original encrypted key and the decrypted key. You'll be needing the 'ssl-decypted.key' file afterwards.

I'll join an image to motivate you  ;)

JohnnyBeGood

@Gertjan:

If you can't retrieve a certificate under "Retrieve Certificate" then nothing has been generated yet.
First: goto the "Validations Wizard" and do a "Domaine name validation".
Then: goto "Certificates Wizard", select "Web server SSL/TLS Certificate" and run it down.

Normally, I let them generate the files.
Because I have a "Debian Jessie" server, I execute the "openssl rsa -in ssl.key -out ssl.key" myself with a detail:
I use this:

openssl rsa -in ssl.key -out ssl-decrypted.key

this way I keep the original encrypted key and the decrypted key. You'll be needing the 'ssl-decypted.key' file afterwards.

I'll join an image to motivate you  ;)

Nice motivation :)

I was able to get "Retrieve Certificate" working and the reason was because I never finished the process :(
Now after I have both enter and without any errors like before I still get invalid, how did you "force" your browser to use new certificate?

Derelict

Did you install the Intermediate as a CA?

Did you install the StartSSL certificate?

Does pfSense recognize that the Cert is signed by the CA?

Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??

Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?

JohnnyBeGood

@Derelict:

Did you install the Intermediate as a CA?

Did you install the StartSSL certificate?

Does pfSense recognize that the Cert is signed by the CA?

Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??

Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?

:(

So I went to check if I was using new certificate under System > Advanced > Admin Access and when I change from self generated to the one I created now I stuck and cannot login into pfsense interface. In chrome I get:

**This webpage is not available

ERR_CONNECTION_TIMED_OUT**

Tried w/ pfsense ip https://192.168.1.1 as well as domain that matched certificate https://linux.mydomain.net:81

Derelict

Tried w/ pfsense ip https://192.168.1.1 as well as domain that matched certificate https://linux.mydomain.net:81

Connect to http://192.168.1.1/ and see what happens.

Did you change the listening port?  You're trying https:// and https://host:81 there.

Gertjan

@JohnnyBeGood:

….. now I stuck and cannot login into pfsense interface. In chrome I get:

Been there - seen that.

My 'solution' : SSH intp pfSense. Option 8: shell.

Type
viconfig

Find
<protocol>https</protocol>
Change it for
<protocol>http</protocol>
Save.
Reboot.

Warning : editing the config.xml is "not done" (thats why it works ;)).
You are using editor vi - its somewhat special.

JohnnyBeGood

@Gertjan:

@JohnnyBeGood:

….. now I stuck and cannot login into pfsense interface. In chrome I get:

Been there - seen that.

My 'solution' : SSH intp pfSense. Option 8: shell.

Type
viconfig

Find
<protocol>https</protocol>
Change it for
<protocol>http</protocol>
Save.
Reboot.

Warning : editing the config.xml is "not done" (thats why it works ;)).
You are using editor vi - its somewhat special.

I'm glad I'm not the only one with this issue  ;)

So using Putty SSH I tried to connect to 192.168.1.1 but it keeps timing out. I'm assuming that SSH deamon is not enabled.
My next step would be to physically connect keyboard and monitor and try to connect that way. Are above steps the same?

JohnnyBeGood

@Derelict:

Tried w/ pfsense ip https://192.168.1.1 as well as domain that matched certificate https://linux.mydomain.net:81

Connect to http://192.168.1.1/ and see what happens.

Did you change the listening port?  You're trying https:// and https://host:81 there.

I did try connecting to http://192.168.1.1/ but it does not connect.
Neither port 80 or 81 worked.

Gertjan

@JohnnyBeGood:

I'm assuming that SSH deamon is not enabled.

Possible.
But not for me.
A remote system without remote SSH enabled: unthinkable.
SSH is not some kind of 'emergency back door' : its the main maintenance port of any system. (GUI is just the next best thing)
For me, that is.  I guess its quiet usual for people born before 1970  ;)

@JohnnyBeGood:

My next step would be to physically connect keyboard and monitor and try to connect that way. Are above steps the same?

Of course.

JohnnyBeGood

@Gertjan:

@JohnnyBeGood:

….. now I stuck and cannot login into pfsense interface. In chrome I get:

Been there - seen that.

My 'solution' : SSH intp pfSense. Option 8: shell.

Type
viconfig

Find
<protocol>https</protocol>
Change it for
<protocol>http</protocol>
Save.
Reboot.

Warning : editing the config.xml is "not done" (thats why it works ;)).
You are using editor vi - its somewhat special.

Thanks for this, you're a life saver! I thought I need to re-install it  :'(

JohnnyBeGood

@Derelict:

Did you install the Intermediate as a CA?

Did you install the StartSSL certificate?

Does pfSense recognize that the Cert is signed by the CA?

Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??

Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?

Lets try this again since I got locked out  :(

Did you install the Intermediate as a CA?
I thought I did, please see attached screenshot.

Does pfSense recognize that the Cert is signed by the CA?
I think it does, please see attached.

Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??
Everything was fine until I selected new certificate. After that that I was locked out until I tried Gertjan's solution.

Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?
When I created cert. it matched my pfSense hostname.

Why did I got locked out once I selected new cert?

Derelict

No.  You installed your certificate as a CA.  You need to install the StartSSL Class 1 Intermediate Server certificate as a CA.  Delete the Web gui linux from CAs and install this.

http://www.startssl.com/certs/sub.class1.server.ca.pem

–---BEGIN CERTIFICATE-----
MIIF2TCCA8GgAwIBAgIHFxU9nqs/vzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQG
EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp
Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDE0MjA1NDE3WhcNMjIxMDE0MjA1
NDE3WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp
BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV
BAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVy
IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj
0PREGBiEgFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo
/OenJOJApgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn6
6+6CPAVvkvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+v
WjhwRRI/ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxD
KslIDlc5xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21T
Lwb0pwIDAQABo4IBTDCCAUgwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAQYwHQYDVR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaA
FE4L7xqkQFulF2mHMMo0aEPQQa7yMGkGCCsGAQUFBwEBBF0wWzAnBggrBgEFBQcw
AYYbaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL2NhMDAGCCsGAQUFBzAChiRodHRw
Oi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwMgYDVR0fBCswKTAnoCWg
I4YhaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMEMGA1UdIAQ8MDow
OAYEVR0gADAwMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9w
b2xpY3kucGRmMA0GCSqGSIb3DQEBCwUAA4ICAQCBnsOw7dxamNbdJb/ydkh4Qb6E
qgEU+G9hCCIGXwhWRZMYczNJMrpVvyLq5mNOmrFPC7bJrqYV+vEOYHNXrzthLyOG
FFOVQe2cxbmQecFOvbkWVlYAIaTG42sHKVi+RFsG2jRNZcFhHnsFnLPMyE6148lZ
wVdZGsxZvpeHReNUpW0jh7uq90sShFzHs4f7wJ5XmiHOL7fZbnFV6uE/OoFnBWif
CRnd9+RE3uCospESPCRPdbG+Q4GQ+MBS1moXDTRB6DcNoHvqC6eU3r8/Fn/DeA9w
9JHPXUfrAhZYKyOQUIqcfE5bvssaY+oODVxji6BMk8VSVHsJ4FSC1/7Pkt/UPoQp
FVh38wIJnvEUeNVmVl3HHFYTd50irdKYPBC63qi2V/YYI6bJKmbrjfP9Vhyt9uNr
y3Kh4W22ktDuCCvWC7n/gqerdq+VlTRfNt7D/mB0irnaKjEVNCXBXm9V/978J+Ez
8aplGZccQ9jnc9kiPtUp5dj45E3V8vKqzp9srSSI5Xapdg+ZcPY+6HNuVB+MadRp
ZW2One/Qnzg9B4GnVX7MOETImdoP4kXpostFuxoY/5LxCU1LJAIENV4txvT50lX2
GBXCkxllRLWOgdyll11ift/4IO1aCOGDijGIfh498YisM1LGxytmGcxvbJERVri+
gGpWAZ5J6dvtf0s+bA==
-----END CERTIFICATE-----

After that, when you look at your certificate, it should show as being issued by that cert (Issuer)…


johnpoz

You know you could of just used pfsense self signed cert.. All you have to do is install the pfsense CA into your machine so that certs signed by that CA are trusted.  There is no reason to get a cert from startssl or anyplace be it free or not.

The only time you would need a cert from a public trusted CA would be for say our portal when clients that have not trusted pfsense CA would hit the page via https

Derelict

That's your opinion. I get certs because I think it's inexcusable to have a user have to click through a certificate error. Trains them badly. With all the devices running around here and the amount of messing around I do, it's worth it to me to go through the yearly hassle of updating the certs with ones that won't throw errors at others.

johnpoz

Who said anything about users clicking through bad certs?  I completely agree with you.. Its my machine on a server I admin, I can trust whatever CA I want, now I don't get errors.. Don't have to add an exception, etc.

Notice I did state if using for say a captive portal you would use a public trusted CA for that cert..

Once you trust the CA none of the certs that CA would create would throw errors, etc..

tsmets

I also had what most had.
Added the Class 1 & 3 root certificate from  https://www.cacert.org/index.php?id=3 as CA's.
Then I added the Certificate I generated :

• Method is : Import an Existing Certificate

• Descriptive name : SSL Firewall certificate

• Certificate data :```
  -----BEGIN CERTIFICATE REQUEST-----
  MIIEYzCCAksCAQAwHjEcMBoGA1UEAxMTcnV0aGVyLmEzLXN5c3RlbS5ldTCCAiIw
  DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL22lqy5GkaYOudPFljPax00GRUN
  BRZxINqUbu2QZekW0YW6I+I08RAAr5Ihq7bV5Hp31HCWV62oNVc+bk3wlHPpan8B
  HqiSXw3sFTw9007qlBtB/WdUJCMSg36WTj4iRBQE2kQnPN4FyBWVqQ68aclC8/5N
  WLwG5SIALaJ3QkTm89Jmce3JbH0fUsw7HlfkvGY3twtvoD4c9m7dzvIgXtqoKe0y
  XRKbd3Tnl9cF0ZKDtRI9WCwPsynhxnjX8GghES13exajutw12WwDp5cL82J2usdC
  SEWG5LTBbNTvJrdEr/PduZ4brVnOx0U+04zeGNfvBIvNfEB4APz+lkDuVczht2De
  YlL4DOjYHS7oqCcVuAUa25O5NUNKT/qThNFQfAaBnpc6FRV8I65SqnzkwTn+tbPW
  HQ6OvGYBBoWGRttI7chatCw+4VHmBqRf3vTRl6+bBcRfI5PxrB67UW4AfNaDXlu1
  5KGPHkO8l0kXJjRzjwB36Ho0MH9IXKUvYQbxdoJ9wntyV7NjvN8CJg0C6rORAcxN
  7Xp28MGwxEW6xEghCozj99KgNKwnlEn5ynDdLf/LfkIkpaheJ3p26MPMWeAtfICD
  XuJBVmwjn8mpHgq7d3AZIVF5vkLF9JvXqREA0UAiutuV/eFBVlBgUWHVvy2nMcDZ
  LOaIWk5rboaSvtwnAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAgEADV5FG87uRAbS
  8XowLqudKRIqNkftoUO/U7nhHSWj1XNKXdp6Y5e3U7BiJxYuKiZ3AuttyCMdBZ17
  28w6Vc/qsIRIvB//Xglj4ZRFLL+CKQ9PGX/w9lgtN9pEUSzl7LpKF2luvmySzDcD
  rULmUqB2Q6qyYgzMALK7eFLqnEYxeAXM6bw/64mvOoqviVFgtvMG3mx5QHBj98RS
  tOidaqwowKwfk112FXjikn/EKD2P5JI5zWkhHXNjha7YGCcxy/LwaubH3VnCz6bg
  HNoB6r1rGPwxz4YnspVOkCSPHdSHJiGCpwurF9zm4zNMk3SwbWtDW14dVoIXInIU
  tzdXfiS2UVPsgNtX3OQzt3LqwS+WiSFShjLKB3EgFHKibml99Bj+Ep55ptuhOkQt
  PRLo68VZV7tq03xvB2/pzCovQp06Fme8sZJyS6xVY7ir+YAyLsm+nwsRNktkiHWu
  NigfJhf6irRxwHf3lLXYgzEBRV7rzuxO2UxFeuluePZoXMZ7V3+zSQU3iKrpt8gp
  2P6tZbgJ/E/aQUPqokGgLXuRbpK3ywwebDSrWcc1LQCkQbBQylhWdcmHKylzhPzt
  k+yW2KNP69rQ1oobsTYyz9mHBHs5iT5vCz24K5TiIsToTqotVJGqFqsmujnEqD9w
  KgmjwdBTCEdpOcSLMwOxBiVvQ1LQ3fc=
  -----END CERTIFICATE REQUEST-----

*   Private key data :```
-----BEGIN RSA PRIVATE KEY-----
MIIJK ....
...
...MP5nAc/8IcadB9YQ7U91stzaDblm04iBr
-----END RSA PRIVATE KEY-----

but when I select that certificate to be used the webConsole becomes inaccessible  :'(

System log contains :

Sep 22 22:10:39	php-fpm[77403]: /rc.restart_webgui: Creating rrd update script
Sep 22 22:10:39	php-fpm[77403]: /rc.restart_webgui: The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '255', the output was '2015-09-22 22:10:39: (network.c.549) SSL: couldn't read X509 certificate from '/var/etc/cert.pem''
Sep 22 22:10:37	check_reload_status: webConfigurator restart in progress
Sep 22 22:10:37	php-fpm[14674]: /system_advanced_admin.php: webConfigurator configuration has changed. Restarting webConfigurator.
Sep 22 22:10:33	check_reload_status: Reloading filter

Any idea what could be wrong … ?

\T,