Certificate and password for web GUI for login? Basic instructions…Argggg
-
I use firefox and on the latest 58.01, it trusts my pfsense cert just fine with green lock. ….
I always kept that self-signed, local cert around in my cert list, generated way, way back, when I first installed pfSense. It was still good up until 2021, so I activated it.
When I hit my pfSense box again using the URL I normally use https://pfsense.mynetwork.tld, using my 58.01 FF, FF was upset and complaining, and no way to introduce an exception (the 'name' pfsense.mynetwork.tld was not found in the certificate, etc).
So I hit it using http://192.168.1.1 and now I had the possibility to add an exception. FF is happy now, and I have the green lock.
-
You sure do not have a green lock with an exception…
That would have to be signed by a CA you trust and what you are hitting has to be listed as CN or SAN, etc. be it a fqdn or IP..
As to the 2FA auth - took only a few minutes to set up.. And sure you can use it to log in to the webgui.. But here is the thing: it will default back to the local database if it fails on freerad.. So you can log in with just the password, not having to know the PIN and OTP..
Guess you could make your password for the local database something like 64 characters long and random, while the 2FA would end up being your 8 character PIN you created and the OTP generated by Google Authenticator or Authy...
You could prob prevent all access to the webgui unless you VPN in... Then you would have to VPN in from the LAN side.. You could lock this VPN connection down to having to have the cert and OTP even... Then log in to your webgui with username and password, no 2FA.. But WOW that would be a PITA for no point at all.. Since only your devices are able to even get to the webgui from your private network...
if you could set webgui auth to not fall back to local database then you could for sure enforce the 2fa with google authenticator..
-
-
And what does it say for your CA and the exclamation?
Firefox must have changed how they present an exception; before they used to show a slash through it or it was grey - my guess is they got a lot of users thinking it meant not secure even though they had added an exception to the self-signed or misconfigured https site.. I just looked at an older Firefox and it shows the grey lock on a site with an exception.
When you highlight the icon what does it say? You notice mine doesn't have such a little exclamation mark.. And says verified by home - the name I called my CA..
I will have to go through the firefox release notes to when they changed that.
edit: Seems FF changed it; now it is a grey padlock if there is http stuff on the page.. Green with ! if exception but no http content under it, etc. Like the pfSense forum page.. Shows grey with ! and states part of this page is not secure.
-
"And what does it say for your CA and the exclamation?"
…
"When you highlight the icon what does it say? You notice mine doesn't have such a little exclamation mark.. And says verified by home - the name I called my CA.."
The original cert from pfSense, generated by pfSense years ago, is very old.
Everything is 'wrong' in it (SAN, whatever), only the dates are still ok.
"edit: Seems FF changed it now that it grey if padlock if there are http stuff on the page.. Green with ! if exception but no http code under, etc. Like the pfsense forum page.. Shows grey with ! and states part of this page is not secure."
This is easy to 'repair' ;)
Visit Profile -> Forum profile. Then "Modify profile" -> "Look and Layout". Check "Don't show users' avatars." (and now you understand why the green padlock is black/grey with the exclamation sign) and the padlock stays green :)
-
"Everything is 'wrong' in it (SAN, whatever) only the dates are still ok."
And you cannot trust a self-signed cert, there is no CA to trust.. You can only make an exception for it.. You would need to create a CA, create a cert for your web interface and then trust the CA to get full green without the ! on it..
-
I know.
But I was lazy, installed jimp's latest miracle, had a small hard time setting it up, and clicked once on "Issue/renew".
I'm using certs from Let's Encrypt now. Major overkill, but it works.
-
And it forces you to use a public domain, and you cannot access via an RFC1918 address.. Yeah really no reason to be honest.. When you can just create a cert with whatever domain you want - I use local.lan, and could put in multiple names and/or the RFC1918 addresses of the different interfaces you might be hitting the webgui from.
Takes all of 30 seconds to do - once.. Since you can set the cert to be good for 10 years ;)
-
Thanks John(and Gertjan) for the thoughts…
I did manage to get the "Nice little green lock"...your previous instructions were good to make this work on Firefox quantum.
Step 1: Create CA Authority
Step 2: Create internal cert(using the new CA)
Step 3: Upload the CA created in the CA tab to your browser. In my case Firefox (Preferences -> Privacy & Security -> View Certificates -> "Authorities" tab -> Import)
John, your details here are clear even with the new Firefox:
https://forum.pfsense.org/index.php?topic=118807.0
What was tripping me up before was the "Common name" field and the "Alternative Names". What got it to work for me with my config was I chose "IP address" from the dropdown in the "Alternative Names" field and added my webGUI IP address, and it worked (I access my webGUI via IP only)... yay, nice "little green box".
In terms of a cert. and password for the webGUI the threat I am trying to mitigate against is exactly what you say, someone gets remote access to my admin PC(email attachment likely...i.e. BEC or Business email compromise).
I can limit the webGUI access:
- via a firewall rule(no access to this port by any other interface)
- No access to to this dedicated admin LAN by any other VLANs or interfaces via rules
- Physically protect the box and lock it up in a cage
- disable default admin user
- Dedicated "airgapped" PC(although a dedicated VM might be a slight less secure but good alternative)
Regarding the added authentication, my initial thought following the Hangout from January (and the 2015 archive on the same topic) was to disable the default "admin" and create a hardened limited-access user (2-step, cert or other hardened authentication), thereby protecting my pfSense box. In terms of a second step I was thinking a separate VM with a cert, YubiKey, maybe thumb drive, Google Authenticator, etc... but agree it needs to NOT be a PIA but simple.
Today the only way I know to authenticate the admin device is with a fixed IP and a MAC address for authentication, both of which I believe are easily spoofed.
I'll check out nginx...I also keep digging into FreeRadius3.
Just out of curiosity, after you disable the default admin, the only way to get it back is via the console on the box directly? Depending on the access I give to the new admin user this might be good enough... I can at least protect against an attacker savvy in pfSense from deleting logs, writing commands, etc...
Thanks again...pfSense rocks!
V
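An added example, not code from this thread or from pfSense: the three steps above (create a CA, create an internal cert with the right SAN entries, trust the CA) done with openssl, followed by the same check a browser applies, which is also the point made earlier in the thread about needing both a trusted CA and the typed name or IP listed in the CN/SAN. The hostname pfsense.local.lan, the address 192.168.1.1 and the CA name "home" are assumptions chosen for illustration. The last loop reproduces the mismatch from the start of the thread: a URL hostname that is not in the SAN fails even though the certificate itself chains fine, while the IP that is listed passes.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: the same three steps
# (CA, internal cert with SAN, trust the CA) done with openssl, plus the check
# a browser does. Hostname, IP and CA name are assumptions for illustration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
GUI_FQDN="pfsense.local.lan"   # assumed DNS name of the web GUI
GUI_IP="192.168.1.1"           # assumed LAN address of the web GUI
CA_NAME="home"                 # assumed CA name (what the browser shows as "verified by")

# Self-contained openssl config so the script does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[gui_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$GUI_FQDN, IP:$GUI_IP
EOF

# Step 1: a private CA. This is the one certificate you import into the browser.
make_ca() {
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/openssl.cnf" -extensions ca_ext \
    -subj "/CN=$CA_NAME" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Step 2: the web GUI certificate, signed by that CA, with every name and
# address you will type into the address bar listed in subjectAltName.
make_gui_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/openssl.cnf" \
    -subj "/CN=$GUI_FQDN" -keyout "$WORK/gui.key" -out "$WORK/gui.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 3650 -in "$WORK/gui.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/openssl.cnf" -extensions gui_ext -out "$WORK/gui.crt" 2>/dev/null
}

# Step 3 from the browser's side: does the GUI cert chain to a CA you trust?
# The browser looks in its trust store; here the CA is passed explicitly.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/gui.crt" >/dev/null 2>&1
}

# The two conditions a browser applies: trusted chain AND the name or IP in
# the URL is present in the SAN. Returns 0 only when both hold.
check_name() {
  case "$1" in
    *[!0-9.]*) openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/gui.crt" >/dev/null 2>&1 ;;
    *)         openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" "$WORK/gui.crt" >/dev/null 2>&1 ;;
  esac
}

# The SAN line as openssl prints it, e.g. "DNS:pfsense.local.lan, IP Address:192.168.1.1".
san_entries() {
  openssl x509 -in "$WORK/gui.crt" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}

make_ca
make_gui_cert
verify_chain && echo "chain OK: gui.crt is signed by CA '$CA_NAME'"
echo "SAN:$(san_entries)"
for name in "$GUI_FQDN" "$GUI_IP" "pfsense.mynetwork.tld"; do
  if check_name "$name"; then
    echo "$name: in SAN, browser shows the lock"
  else
    echo "$name: NOT in SAN, browser refuses or demands an exception"
  fi
done
```

To run the same check against a live box instead of a local file, point s_client at it with the CA you exported: openssl s_client -connect 192.168.1.1:443 -CAfile ca.crt -verify_ip 192.168.1.1 (or -verify_hostname for a DNS name) and look for "Verify return code: 0 (ok)". Note that the loop above is exactly the Firefox behaviour from the first posts in the thread: the URL https://pfsense.mynetwork.tld fails the name match, so the browser complains, while https://192.168.1.1 succeeds only because the IP was added as a SAN entry.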
-
@V3lcr0 : good !! (and sorry for the thread hi-jacking)
@johnpoz :
I know ;) Good things are not always for free: I needed a domain name, let's call it "this-is-my-business.net".
But I guess I had no alternative, because I'm also using pfSense's captive portal on a public site.
I wanted the login to happen on "https://captiveportal.this-is-my-business.net"** and in this case the company was good for the couple of $ a year for the domain name.
A public portal with a self-signed cert is a no-go.
** I actually don't know why I preferred "https" captive portal login above http login, but it works great for everybody (read: my clients) so they are happy, which makes me happy.
Maybe because wifi networks placed in front of a captive portal are not (should not be) WPS or EAS encoded - the radio connection is "open" - everybody can join right away.
And, everything is https these days, right? ;)
And because I was using the acme package for this cert, I also added "pfsense.captiveportal.this-is-my-business.net", and some more, for free ^^
-
Dude, if your box has been compromised and remoted.. What is 2FA going to do for your password to your firewall? And how would they know your password? Are you storing it in clear text on your machine?
I think your tin foil hat is a bit too tight really… But as stated if you want to really lock it down - only allow vpn in.. to hit your gui, and use OTP for that...