Recent changes to Chrome and Firefox result in invalid self-signed certificates
-
"If you’re using a Self-Signed certificate for your HTTPS server, a deprecation coming to Chrome may affect your workflow.
Chrome 58 will require that certificates specify the hostname(s) to which they apply in the SubjectAltName field; values in the Subject field will be ignored. This follows a similar change in Firefox 48."
https://textslashplain.com/2017/03/10/chrome-deprecates-subject-cn-matching/
Apparently the solution is to instruct openssl to generate a V3 compatible subjectAltName:
https://fbcs.co.uk/self-signed-multiple-domain-ssl-certificates/
I've not looked at how this can be done using the pfSense certificate manager yet, but thought I would post this as a warning to those who are using self-signed certificates for WebConfigurator.
At the moment, Chrome 58 blocks me from visiting my pfSense admin page completely due to "the website sent back unusual and incorrect credentials.", but Firefox 53 still works for me.
Cheers,
Keith
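Added example (not from this thread, and not pfSense's own code): a small POSIX shell script that generates a self-signed V3 certificate with the hostnames in subjectAltName, plus a check that a given certificate file actually lists a hostname or IP in its SAN extension, so you can tell a CN-only cert (the case Chrome 58 rejects) from a fixed one. Assumes OpenSSL 1.1.1 or later on PATH (for -addext and -ext); the hostnames and IP below are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense. Requires OpenSSL >= 1.1.1.
set -eu

# gen_san_cert PREFIX CN SANLIST
#   Writes PREFIX.key and PREFIX.crt. SANLIST is a comma-separated list of
#   hostnames and/or IPv4 addresses; each becomes a DNS: or IP: SAN entry.
gen_san_cert() {
  prefix=$1; cn=$2; sans=$3
  san_ext=""
  for h in $(printf '%s' "$sans" | tr ',' ' '); do
    case "$h" in
      *[!0-9.]*) entry="DNS:$h" ;;   # anything that is not digits/dots: a name
      *)         entry="IP:$h"  ;;   # dotted-quad: an IPv4 literal
    esac
    san_ext="${san_ext:+$san_ext,}$entry"
  done
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -keyout "$prefix.key" -out "$prefix.crt" \
    -subj "/CN=$cn" \
    -addext "subjectAltName=$san_ext" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
}

# gen_cn_only_cert PREFIX CN
#   The "before" case: hostname only in the Subject CN, no SAN at all.
gen_cn_only_cert() {
  prefix=$1; cn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -keyout "$prefix.key" -out "$prefix.crt" \
    -subj "/CN=$cn" 2>/dev/null
}

# cert_has_san CERTFILE HOST
#   Returns 0 if HOST appears in the certificate's subjectAltName extension.
#   OpenSSL prints IP entries as "IP Address:x.x.x.x" and names as "DNS:name".
cert_has_san() {
  cert=$1; host=$2
  case "$host" in
    *[!0-9.]*) needle="DNS:$host" ;;
    *)         needle="IP Address:$host" ;;
  esac
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
    | grep -q -- "$needle"
}

# Demo with hypothetical names: a firewall reachable by FQDN and by one IP.
workdir=$(mktemp -d)
gen_san_cert "$workdir/gui" "pfsense.example.lan" "pfsense.example.lan,192.168.1.1"
gen_cn_only_cert "$workdir/old" "pfsense.example.lan"
for h in pfsense.example.lan 192.168.1.1 admin.example.lan; do
  if cert_has_san "$workdir/gui.crt" "$h"; then
    echo "gui.crt: $h present in SAN"
  else
    echo "gui.crt: $h NOT in SAN"
  fi
done
if cert_has_san "$workdir/old.crt" "pfsense.example.lan"; then
  echo "old.crt: SAN present"
else
  echo "old.crt: CN only, no SAN (Chrome 58+ will reject this)"
fi
```

Point the browser at every name or address you actually use for the GUI, and make sure each one is in the SAN list; the CN is no longer consulted, so a name that is only in the CN will still fail.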
-
I committed a fix for this a few moments ago. This fix will be in 2.4 and 2.3.4 snapshots shortly. To apply the fix early, or to apply the fix to existing 2.3.3-p1 systems, follow these steps:
- Install the System Patches package ( https://doc.pfsense.org/index.php/System_Patches )
- Add a new patch under System > Patches
- Give it a Description such as "certsanfix"
- Enter the appropriate URL/Commit ID for the firewall version:
* 2.4 snapshots: a636256cf9a7e27cf5d26c7677d0b7961e0fb143
* 2.3.4 snapshots: cad0d5bc8da8034c4fa7f41e5476a80b0c38b04f
* 2.3.3-RELEASE-p1: c1a42e25a35b16821eaf88418c449741d1638c00
- Set Path Strip Count to 2 (this should be set automatically on save, but do it anyhow just in case)
- Click Save
- Click Fetch on the patch entry in the list
- Click Apply on the patch entry in the list
- Open a console or shell prompt, enter option 8 for the shell
- Run the following command:
pfSsh.php playback generateguicert
The firewall will generate and activate a fresh GUI certificate.
Connect to the GUI with a browser to test.
-
Wow fast work!
Thanks jimp. I will try this out shortly.
Cheers,
Keith
-
Or just create a signed cert using a CA you create in pfSense, using the SANs and common name you want/need to use to access it. For example I have one that I can access via FQDN or its IP (on multiple interfaces), and then have my browser trust the CA.
This way you get the pretty green icon ;) All of 30 seconds to set up.
-
Sure, there are ways around it. But using your own CA won't help you if you forget to add the SAN, which is now done automatically.
Or use Let's Encrypt with the ACME package and have it be trusted for real.
The main point is that the default out-of-the-box cert was broken by this browser behavior, which needed to be fixed no matter what. :-)
-
True!
-
I can confirm the patch works. Thanks again!
Cheers,
Keith