Unable to access pfsense box using hostname from LAN
-
Use of public domain name because have a signed public cert is again bad logic.. You do understand that pfsense has a CA you can create as many certs as you want for any fqdn you want. Who exactly accesses this gui - you? So why does it need to be trusted by the planet at large? How many different users/browsers access this?
Just create a cert with the name you use internally and then have your browser trust that CA - 2 seconds of work and there you go pretty green icon when you access your pfsense via its local fqdn..
So you open your gui to the public as a backup?? Why do you not just vpn if you need to make adjustments to your pfsense settings? If you need another backup?? I would suggest having someone run teamviewer on a box or run it as a service. This is more secure than opening up your admin gui for your firewall to the public with a username/password as your protection.
Or sure you could just use an override as Derelict suggests but I feel that is a workaround more than proper setup.
-
I created a CA and certificate in pfSense. When I import the CA into Firefox Certificates->Authorities, it results in
SEC_ERROR_INADEQUATE_CERT_TYPE
I remove the CA and add the cert as exception to get webgui going. What am I doing wrong?
-
So did you create a Server Cert? From that CA and set your web gui to use that server cert?
So for example here is me importing mine.. So you can see the ca I created pfsense-ca (very original naming convention) hehee There is the cert I created that you can see my webconfig is using with the cn of pfsense.local.lan
I exported the CA, and then imported it into firefox trusted.. There you go, 2 seconds and Bob's your uncle!
-
Thanks. Silly me. I created a user cert. Much better with server cert.
-
That happens way more than you know ;) or would even think possible really… So you're saying the web gui came up even using a user cert.. That seems unlikely.. Even if you made exceptions I would think it should even work.
Mostly see it on the openvpn section.. Should prob be Big Bold letters with examples of usage for the 2 different types...
-
The webgui comes up with a user cert same as using the webConfigurator default cert. It is added as an exception so no green icon but a yellow icon.
-
I have no idea what you're doing wrong dude - it's 10 seconds to do this.. I have shown you the full setup.. What cert is being used - if you have it using a user cert then yeah it's going to be hosed.. Why would you create a user cert for a webserver??
As you saw before the name on the cert was strongcert, that is what is being used by my web config, here showing it in the actual web config area. You can see I have a green icon, you can see that the cert used is signed by my pfsense-ca and that its usage is for webserver auth..
Post the details of your ca, the cert you're using for the web configurator in pfsense and then what cert and what fqdn you're using to access the gui.. And the details it shows about the cert. If you want open it up remote and I will set it up in 10 seconds ;)
edit: Here just created a new cert, calling it my supercert I bumped it to 4096 with a sha of 512.. I also added the IP and another name from one of my other networks wlan.local.lan which is on my 192.168.2/24 segment. I then added that pfsense.wlan.local.lan to my alternative names in the admin section to prevent the rebind and referer protection if hitting that altname. I changed the web config to use the new supercert. And there you go can access with green on 2 different pfsense names and their IP address. Notice the cert is valid for all those uri
-
No. No. It is all good now with your excellent instructions. I also generated certs for my Cisco switch using Cert Manager and openssl. Now I get a green icon in pfSense gui and Cisco switch gui too.
Thank you for your help.
-
Then what was this about?
"The webgui comes up with a user cert same as using the webConfigurator default cert."
-
Sorry. Too much information.
My goof was in creating the cert and did not change setting to type server.
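-
Added example, not part of any post in the thread: the server-versus-user certificate mix-up discussed above, reproduced with the openssl CLI. It builds a throwaway CA, issues one certificate with the serverAuth extended key usage and the alternative names mentioned in the thread, and one client-only certificate, then shows that only the first validates for TLS server use. The CA name `lab-ca`, the user `alice`, the address 192.168.2.1 and the 30-day lifetime are constructed values.

```shell
# Constructed lab values: CA name, user name, IP and lifetimes are assumptions.
WORK=$(mktemp -d)
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:pfsense.local.lan,DNS:pfsense.wlan.local.lan,IP:192.168.2.1
[user]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

make_ca() {  # self-signed root, the file a browser imports under Authorities
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config "$WORK/ext.cnf" -extensions ca -subj "/CN=lab-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue() {  # issue NAME PROFILE: new key and CSR, signed by the lab CA
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 30 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions "$2" -out "$WORK/$1.crt" 2>/dev/null
}

usable_as_server() {  # chains to the CA AND is permitted for TLS server auth?
  openssl verify -purpose sslserver -CAfile "$WORK/ca.crt" "$WORK/$1.crt" 2>&1 |
    grep -q ': OK'
}

covers_name() {  # covers_name CERT HOST: does the cert match HOST?
  openssl x509 -in "$WORK/$1.crt" -noout -checkhost "$2" | grep -q 'does match'
}

make_ca && issue pfsense.local.lan server && issue alice user
for c in pfsense.local.lan alice; do
  usable_as_server "$c" && echo "$c: valid for server auth" || echo "$c: rejected as server cert"
done
```

Both certificates chain to the same CA; the `alice` one is rejected only because its extended key usage is clientAuth, which is the difference between the two certificate types in the Cert Manager.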