PFSense Squid Reverse Proxy Wildcard problem
-
Hello Everyone!
I'm new to Reverse proxy and Squid so I thought I should ask here.
I've configured Squid on PFSense with a wildcard certificate through ACME configured as following:
mydomain.com
*.mydomain.com
I then used this wildcard certificate for the Squid Reverse Proxy.
I have then tried to check if till here is all ok, and through https://www.digicert.com/help/
it seems to be all ok. (I had to configure in the Squid also the Intermediate Certificate)
I have then created (through ACME Again) a certificate for my website: mywebsite.mydomain.com.
I took the fullchain certificate (the one that include also the intermediate certificate) and the privatekey.
I then applied it to my webserver (nginx).
When I try to connect through https://mywebsite.mydomain.com I receive the following error:
The system returned:
(92) Protocol error (TLS code: SQUID_X509_V_ERR_DOMAIN_MISMATCH) Certificate does not match domainname: /CN=mywebsite.mydomain.com
To check, I've reached my website from my internal network, and obviously I receive a certificate error because it tells me that the certificate is ONLY VALID for mywebsite.mydomain.com
What I'm missing here?
Thanks in advance. -
Hmm, hard to say without actual details.
Did you try checking 'ignore internal cert validation'?
Something is redirecting Squid?
Steve
-
@stephenw10 Hello Stephen,
Which details do you need?
I don't know if something is redirecting... like I said, I configured on PFSense Squid with the wildcard certificate.
On the internal webserver (Bitwarden) I've configured a certificate with a subdomain. -
Well it looks like that error is from Squid seeing something it doesn't like in its request to the server. Or rather the server's reply to that.
Is there any more to that error shown? Without seeing what actual values you have entered and what is coming back we can only guess.
Steve
-
@stephenw10 Just ask for the needed data... the error is what I've posted... no more... :(
-
@tda said in PFSense Squid Reverse Proxy Wildcard problem:
mywebsite.mydomain.com
I assume that is not actually your site.
Screenshots of your Squid config would help. Any relevant log entries.
Did you try that setting I asked about?
Steve
-
@stephenw10 Hello Stephen,
Thank you for the answer.
I just tried what you suggested (Ignore Internal Cert Validation) - and it works like a charm.
My only question is now ... why do I have to ignore it? Should it be possible also with the internal cert validation, or? -
Possibly because Squid is using the IPs directly to open connections to the servers and those certs don't have the internal IPs as SANs. Just a guess really, I've never dug too deep into that.
Steve
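To illustrate Steve's guess above, here is an added example (not code from the thread, pfSense or Squid) that applies standard TLS name-matching rules to certificates shaped like the ones in the thread. The certificate contents, the backend address 10.0.0.20 and the function names are all constructed assumptions. The dict shape is the one Python's `ssl.SSLSocket.getpeercert()` returns, so a real certificate fetched from a backend can be dropped in. The point it demonstrates: a certificate for `mywebsite.mydomain.com` (or the `*.mydomain.com` wildcard) never matches a peer that is addressed by raw IP, because an IP is only matched against iPAddress SAN entries, so the reverse proxy reports a domain mismatch. The defender-side fix is to make the two agree (define the backend by a name the certificate covers, or issue the backend certificate with the IP as a SAN) rather than turning validation off.

```python
import ipaddress

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(); values modelled on the thread, not real certs.
WILDCARD_CERT = {
    "subject": ((("commonName", "mydomain.com"),),),
    "subjectAltName": (("DNS", "mydomain.com"), ("DNS", "*.mydomain.com")),
}
SITE_CERT = {
    "subject": ((("commonName", "mywebsite.mydomain.com"),),),
    "subjectAltName": (("DNS", "mywebsite.mydomain.com"),),
}
# Same site certificate but reissued with the backend's IP as an iPAddress SAN.
SITE_CERT_WITH_IP = {
    "subject": ((("commonName", "mywebsite.mydomain.com"),),),
    "subjectAltName": (("DNS", "mywebsite.mydomain.com"), ("IP Address", "10.0.0.20")),
}
BACKEND_IP = "10.0.0.20"  # assumed internal address of the nginx backend


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style DNS matching: a wildcard must be the entire leftmost
    label and matches exactly one label; partial wildcards are rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False            # 'www*.example.com' or 'a.*.example.com' style
    if len(p_labels) < 3:
        return False            # refuse '*.com' style wildcards
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def peer_name_matches(cert: dict, peer_name: str) -> bool:
    """Return True if the certificate is valid for the name or IP the proxy
    actually dialled, following the same rules a TLS client applies."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(peer_name)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP peer is only ever compared with iPAddress SAN entries,
        # never with DNS names or the CN.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == "DNS"]
    if not dns_names:
        # Legacy fallback: CN is consulted only when no DNS SANs exist.
        dns_names = [v for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(p, peer_name) for p in dns_names)


def diagnose(cert: dict, peer_name: str) -> str:
    """One-line verdict in the spirit of Squid's domain-mismatch message."""
    if peer_name_matches(cert, peer_name):
        return f"OK: certificate covers peer {peer_name}"
    names = ", ".join(f"{k}:{v}" for k, v in cert.get("subjectAltName", ()))
    return f"DOMAIN_MISMATCH: peer {peer_name} not in [{names}]"


if __name__ == "__main__":
    # The thread's situation: proxy dials the backend by IP, cert only has DNS names.
    print(diagnose(SITE_CERT, BACKEND_IP))
    # Two ways to make validation pass without ignoring it.
    print(diagnose(SITE_CERT, "mywebsite.mydomain.com"))
    print(diagnose(SITE_CERT_WITH_IP, BACKEND_IP))
    # Wildcard scope: one label only.
    print(diagnose(WILDCARD_CERT, "mywebsite.mydomain.com"))
    print(diagnose(WILDCARD_CERT, "deep.mywebsite.mydomain.com"))
```

Run as a script it prints the mismatch for the IP-dialled backend, then the two passing configurations, then shows that `*.mydomain.com` covers `mywebsite.mydomain.com` but not a two-level subdomain. To check a live backend, replace the constructed dict with the result of `ssl.create_default_context().wrap_socket(sock, server_hostname=...).getpeercert()` and pass the address your proxy configuration actually uses for the peer.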