    Help - pfSense web interface won't load

      chrisduk112

      @johnpoz:

      How are you running p1?  Pretty sure the install is for 2.3.2, how did you upgrade to p1 before you even hit the gui?

      What browser are you using?  What is the output of connecting with openssl from a client.. This will give you the details of the certs, etc. and way more info to troubleshoot what the problem is.  Does it work with http?

      Hi,

      Thanks for replying

      p1… I just ran "update from console" and this is what happened.
      I've tried Firefox, Chrome and even IE on 2 machines.

      OpenSSL output from SSL client on my windows desktop:

      OpenSSL> s_client -connect IP_ADDRESS:443
      Loading 'screen' into random state - done
      CONNECTED(000001B8)
      4084:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:

      no peer certificate available

      No client certificate CA names sent

      SSL handshake has read 7 bytes and written 291 bytes

      New, (NONE), Cipher is (NONE)
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : 0000
          Session-ID:
          Session-ID-ctx:
          Master-Key:
          Key-Arg  : None
          PSK identity: None
          PSK identity hint: None
          SRP username: None
          Start Time: 1482232950
          Timeout  : 300 (sec)
          Verify return code: 0 (ok)

      error in s_client
      OpenSSL>

        johnpoz LAYER 8 Global Moderator

        Well you're not getting anything that is for sure.. You sure you're not trying to listen for http and https on 443 with something else?  Post up your settings, and why are you hiding your LAN IP?? Are you not using RFC 1918?

        What's listening on 443?

        [2.3.2-RELEASE][root@pfsense.local.lan]/root: sockstat -L | grep :443
        root    nginx      40320 6  tcp4  *:443                :
        root    nginx      40320 7  tcp6  *:443                :
        root    nginx      40113 6  tcp4  *:443                :
        root    nginx      40113 7  tcp6  *:443                :
        root    nginx      40029 6  tcp4  *:443                :
        root    nginx      40029 7  tcp6  *:443                :
        root    openvpn    23586 5  tcp4  24.13.snipped:443      :

        You're not using transparent proxy or anything are you?  That error you're getting is exactly what would happen if you try to connect ssl/tls to a box that is not running it..

        Here this is me trying to https to just my Linux box running http

        
        > openssl s_client -connect 192.168.9.7:80                                                       
        CONNECTED(00000138)                                                                              
        9820:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:794:   
        ---                                                                                              
        no peer certificate available                                                                    
        ---                                                                                              
        No client certificate CA names sent                                                              
        ---                                                                                              
        SSL handshake has read 7 bytes and written 307 bytes                                             
        ---                                                                                              
        New, (NONE), Cipher is (NONE)                                                                    
        Secure Renegotiation IS NOT supported                                                            
        Compression: NONE                                                                                
        Expansion: NONE                                                                                  
        No ALPN negotiated                                                                               
        SSL-Session:                                                                                     
            Protocol  : TLSv1.2                                                                          
            Cipher    : 0000                                                                             
            Session-ID:                                                                                  
            Session-ID-ctx:                                                                              
            Master-Key:                                                                                  
            Key-Arg   : None                                                                             
            PSK identity: None                                                                           
            PSK identity hint: None                                                                      
            SRP username: None                                                                           
            Start Time: 1482234752                                                                       
            Timeout   : 300 (sec)                                                                        
            Verify return code: 0 (ok)                                                                   
        ---                                                                                              
        
        

        That is the EXACT error you're getting..  If you were actually running ssl on 443, you should get your cert details, etc..

        sslsetup.png
        normalopensslconnect.png

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07
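
The comparison johnpoz makes above (a TLS client pointed at a plain HTTP listener) can be automated. This is an added example, not code from the thread or from pfSense; the function name `probe` and its return labels are assumptions made for illustration.

```python
import socket
import ssl
import sys


def probe(host, port, timeout=3.0):
    """Classify a TCP port as 'tls', 'plaintext-http', 'other' or 'unreachable'."""
    # Diagnosis only: the question is "does this port speak TLS at all?",
    # not "is the certificate trusted?", so verification is switched off,
    # much like a bare `openssl s_client -connect`.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw):  # performs the TLS handshake
            return "tls"
    except (ssl.SSLError, OSError):
        pass  # handshake failed or timed out: see what the port really speaks
    finally:
        raw.close()
    # Second connection: send a plain HTTP request and look at the reply.
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            first = plain.recv(16)
    except OSError:
        first = b""
    # A clear-text status line means an HTTP listener without TLS, the case
    # where https://host:port fails but http://host:port loads.
    return "plaintext-http" if first.startswith(b"HTTP/") else "other"


if __name__ == "__main__":
    target, port = sys.argv[1], int(sys.argv[2])
    print(f"{target}:{port} -> {probe(target, port)}")
```

A result of `plaintext-http` on port 443 means the listener is bound to the HTTPS port but is serving unencrypted HTTP, so any credentials sent to it travel in clear text until TLS is re-enabled.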

          chrisduk112

          Hey John

          output for you:

          sockstat -L | grep :443
          root    nginx      32267 6  tcp4  *:443                :
          root    nginx      32267 7  tcp6  *:443                :
          root    nginx      32214 6  tcp4  *:443                :
          root    nginx      32214 7  tcp6  *:443                :
          root    nginx      31959 6  tcp4  *:443                :
          root    nginx      31959 7  tcp6  *:443                :

          If I try OpenSSL from shell on the server this is what happens:

          openssl s_client -connect localhost:80
          connect: Operation timed out
          connect:errno=60

          openssl s_client -connect localhost:443
          CONNECTED(00000004)
          34379196936:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/builder/pfsense-232/tmp/FreeBSD-src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
          ---
          no peer certificate available

          No client certificate CA names sent

          SSL handshake has read 7 bytes and written 291 bytes

          New, (NONE), Cipher is (NONE)
          Secure Renegotiation IS NOT supported
          Compression: NONE
          Expansion: NONE
          SSL-Session:
              Protocol  : TLSv1.2
              Cipher    : 0000
              Session-ID:
              Session-ID-ctx:
              Master-Key:
              Key-Arg  : None
              PSK identity: None
              PSK identity hint: None
              SRP username: None
              Start Time: 1482247774
              Timeout  : 300 (sec)
              Verify return code: 0 (ok)

          This machine is a production server that's been in use 2-3 years, I have recently changed the IP of the WAN as the old IP we had issues with, so I am guessing it's related.  I've tried rebooting a few times too to see if it helps.

            johnpoz LAYER 8 Global Moderator

            Your WAN IP has nothing to do with it..

            Change it from https to http.. Does that work?  Once you have access to the gui and working we can tackle your https problem.

            So production for 2,3 years.. So this has been upgraded a few times.. You did a clean install and restore a config?

              chrisduk112

              What commands do I enter on ssh to enable http?

              Ps I didn't do fresh install, same server just updated to latest version.

                johnpoz LAYER 8 Global Moderator

                If you reset the web configurator password, pretty sure that does it.  Or asks if you want to do it, etc. #3 on the console menu

                  chrisduk112

                  Hi

                  I did this, it says it's now default password. Still web interface doesn't load.  I today ran update again which installed

                  Installed packages to be UPGRADED:
                          pfSense-pkg-AutoConfigBackup: 1.45 -> 1.46 [pfSense]

                  Number of packages to be upgraded: 1

                  It then rebooted, still no working web interface.

                    chrisduk112

                    Fixed it! Visiting http://IP:443 opened web interface.  I could then log in and fix issues that were stopping it from working

                      Gertjan

                      I still don't get it.
                      When you ask for a connection on a web server on port '443', meaning https (== SSL) then you do not use an "IP" but a qualified domain name (URL). This domain name should be part of the certificate that will be used to 'serve' that page.
                      This certificate might be auto signed (generated by pfSense), your browser will warn about this, but you will connect eventually - just acknowledge the warning.
                      Using https and an IP, that's just NOT possible - not logic - it's counter productive ….
                      A simple solution might be : do not activate https access if you are not ready to deal with the consequences.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                        chrisduk112

                        Hi

                        This machine was set up by the pfSense team as a part of my gold support subscription some years ago and something had clearly gone wrong somewhere after a recent update which they helped me resolve on chat today.

                          johnpoz LAYER 8 Global Moderator

                          "Using https and an IP, that's just NOT possible - not logic - it's counter productive …"

                          Huh???  An IP is no different than FQDN, you can for sure put IP as SAN in your cert so you do not get any warning..

                          Notice my pretty green icon, and hitting it via IP.. Notice the SAN have 2 different IPs in them and another fqdn for another interface - so I can hit it with that name or that IP and still trust the cert..

                          SANinCert.png
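
The SAN behaviour johnpoz describes, as an added example that is not part of the thread: a check of whether the name or IP typed in the URL is covered by a certificate's subjectAltName entries. The function `cert_covers` and both sample certificates are constructed for illustration; the dicts follow the shape Python's `ssl` `getpeercert()` returns, and the addresses are made-up RFC 1918 values.

```python
import ipaddress

# Constructed samples in the dict shape of Python's ssl getpeercert().
SAN_WITH_IPS = {"subjectAltName": (
    ("DNS", "pfsense.local.lan"), ("DNS", "wlan.local.lan"),
    ("IP Address", "192.168.9.253"), ("IP Address", "192.168.2.253"))}
# A literal IP placed in a dNSName entry does not count as an IP SAN.
SAN_NAMES_ONLY = {"subjectAltName": (
    ("DNS", "pfsense.local.lan"), ("DNS", "192.168.9.253"))}


def _as_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def cert_covers(cert, target):
    """True if `target` (as typed in the URL) matches a SAN entry of `cert`."""
    sans = cert.get("subjectAltName", ())
    want_ip = _as_ip(target)
    if want_ip is not None:
        # IP targets match only iPAddress entries, compared as addresses
        # so that differently written IPv6 forms still compare equal.
        return any(kind == "IP Address" and _as_ip(value) == want_ip
                   for kind, value in sans)
    host = target.lower().rstrip(".")
    for kind, value in sans:
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        # "*.example.lan" covers exactly one left-most label.
        if pattern.startswith("*.") and "." in host \
                and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False


if __name__ == "__main__":
    for name in ("192.168.9.253", "pfsense.local.lan", "10.0.0.1"):
        print(name, cert_covers(SAN_WITH_IPS, name))
    print("192.168.9.253", cert_covers(SAN_NAMES_ONLY, "192.168.9.253"))
```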