Externally Signed SSL Certificate Showing up as Server: No
-
No, because when you don't configure things properly, you end up with everyone with a certificate issued by that CA being able to connect to your VPN.
(As for the certificate purpose fix, kindly use 2.4 if you want it fixed.)
Ah I see, I think we may have been talking about different certificates; I am talking about the SSL Server cert for the OpenVPN server, the Server certificate.
I was still issuing a client certificate from my internal private CA using Remote Access (SSL/TLS + User Auth).
As I stated, I thought that my Server certificate had to match my public FQDN.
Are you saying I should use pfSense Latest Base System 2.4 to fix this? I think knowing that the names don't need to match, and I don't need the public SSL server cert, I'll wait.
The info here i
Again, thanks for the help, I didn't think it would be this painful for everyone.
I'm looking forward to my Gold Membership.
-
No, I am saying that if you want that COSMETIC issue with certificate PURPOSE fixed, you should use 2.4 because you clearly are UNABLE to apply the patch properly. IT WILL NOT FIX VERIFICATION. IT WILL NOT FIX VERIFICATION. IT WILL NOT FIX VERIFICATION. IT WILL NOT FIX VERIFICATION. IT WILL NOT FIX VERIFICATION.
Next time, choose a thread subject to match your REAL issue, to avoid GIANT waste of time. And with that, I'm outta here.
-
Dude, you are rude and unhelpful. The subject is what it is; the cert is a server cert, but pfSense doesn't see it as such, regardless of why. It used to.
That said, you linked to a bug post for a version I'm not running and expected me to know to upgrade to an experimental version.
Then you contradict yourself by saying it is cosmetic, but needs to be fixed.
I am unable to apply a patch, do you think you are a developer or created an awesome patch because you added a line of code to an existing config file?
Thanks for all your help dude, you make this a great community, and a friendly environment.
Be gone then..
-
dok - you gained another smite I see ;) You're going for the board record maybe?…
dok is a very helpful and knowledgeable part of this community.. And like a big friendly cuddly teddy bear when you get to know him - his bark can be loud, but he doesn't bite.. I would take dok's advice over almost everyone here other than my own ;) And to be honest I cannot recall a time where he was not right on the money with his assessment and advice.
As to your client connect issue with Android.. The OpenVPN client for Android works just fine in every case I have tried out of the box.. I cannot think of an instance when you would want a public signed cert for a VPN connection. When would such a cert need to be trusted by the masses - the only ones that need to trust this cert are your VPN users. Which would normally be set to trust your cert when they are set to connect to your VPN. Normally these devices would always be in control by the owner of the VPN, or at least the users of such a VPN would be controlled by the owner of the VPN that gave them the info needed to access it and auth, etc.
The only thing a public signed cert would get you for a VPN connection would be added cost, added complexity and quite possibly less security since it's possible that any client cert also signed by that public CA could access the VPN. Just doesn't make sense to use a public signed cert in the VPN use case.
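The trust-scope point made in the posts above, as an added example that is not part of the original thread: chain validation against a trust anchor (what OpenVPN's `ca` file provides) only proves a certificate was issued by that CA, so a shared CA admits every certificate it ever signed. The CA and certificate names are constructed throwaways, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added demo: all CAs, names and certificates are constructed throwaways.
# It shows what a bare trust anchor checks: only that the peer certificate
# chains to that CA, not who the certificate belongs to.

# Minimal openssl config so the demo does not depend on a system openssl.cnf.
write_cnf() {
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca_ext' \
    'prompt=no' '[dn]' 'CN=placeholder' '[ca_ext]' \
    'basicConstraints=critical,CA:TRUE' > "$1/min.cnf"
}

# make_ca DIR NAME: self-signed CA certificate NAME.crt with key NAME.key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/min.cnf" \
    -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue DIR CA LEAF: certificate LEAF.crt signed by CA.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/min.cnf" \
    -subj "/CN=$3" -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# verdict DIR CA LEAF: print whether LEAF chains to the trust anchor CA.
verdict() {
  if openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
  then echo "$2:$3=accepted"; else echo "$2:$3=rejected"; fi
}

# trust_report: compare a shared (public) CA with a VPN-only private CA.
trust_report() {
  d=$(mktemp -d) || return 1
  write_cnf "$d"
  make_ca "$d" public-ca && make_ca "$d" private-ca &&
  issue "$d" public-ca stranger &&   # someone else's cert from the shared CA
  issue "$d" private-ca vpn-user &&  # cert issued by the VPN owner
  verdict "$d" public-ca stranger &&
  verdict "$d" private-ca stranger &&
  verdict "$d" private-ca vpn-user
  rc=$?; rm -rf "$d"; return $rc
}

trust_report
```

With the private CA as the only trust anchor, the set of certificates that can pass chain validation is exactly the set the VPN owner issued.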
-
Yeah, his character flaws are not that interesting to me really, to be honest with you. I came for some simple advice regarding my externally signed SSL certificate. Regardless of the use case and regardless of the scenario, pfSense is stating that it is not a server certificate.
I guess maybe I'm a different kind of individual where I would say listen this isn't the best practice to use a publicly signed SSL certificate for VPN server.
That being said this is a known bug and to resolve it you would need to go to 2.4 and apply the following line in your config file.
Do you agree that that would have been the easiest way to approach my question? Or is sending me a link and having me go back and forth with him while he ridicules me and behaves in a condescending manner the typical theme for support in this type of community?
-
All help on this forum is on voluntary basis and we kindly ask you to acknowledge that.
-
That doesn't give anyone a pass to be rude or condescending. That's like that age-old no offense but you're an a****** type mentality. I appreciate your help that you have volunteered.
-
Take a break and cool off, see you in 7 days.
-
Hey all, sorry if I was giving you all a hard time a week back. I guess maybe I was misunderstanding, and being overly sensitive. Sorry..
-
"a pass to be rude or condescending."
And what gives you a pass to read into tone what you're feeling? Just because you're having a bad day does not mean that some comment was not given in the best possible intentions. That you read it as rude is quite often on the reader..
I just read through this thread again.. And dok was nothing but helpful and nice until much later in the thread after you just didn't seem to be getting it ;) And then even then - he just stated this was a waste of time and he was out..
-
Hence my apology.