Netgate Discussion Forum

    GUI cert limit

    • jimp Rebel Alliance Developer Netgate

      OK, it looks like there is a limit around there, due to how many variables the page tries to submit:

      Warning: Unknown: Input variables exceeded 5000. To increase the limit change max_input_vars in php.ini. in Unknown on line 0
      

      I opened an issue to track it at https://redmine.pfsense.org/issues/9368

      You could hand edit /etc/rc.php_ini_setup and change the line that sets max_input_vars to a higher value to work around it temporarily, but I wouldn't consider that the best (or a proper) solution.

      Increasing it to 15000 would ensure you could make around 100 entries which is the SAN limit per ACME certificate.

      After editing that file, either reboot or use options 16 then 11 from the console menu to restart PHP and the GUI.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!
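
Added example, not part of the original thread or of the pfSense/ACME code: a simplified Python model of what the warning quoted above means for a large form. PHP stops registering POST variables once max_input_vars is reached, so the trailing fields never reach the page's code. The field names and the figure of 150 inputs per SAN row (inferred from the post's "15000 for around 100 entries") are assumptions.

```python
from urllib.parse import parse_qsl, urlencode

DEFAULT_LIMIT = 5000      # limit named in the warning quoted in the post
WORKAROUND_LIMIT = 15000  # value suggested in the post
FIELDS_PER_ROW = 150      # assumption: 15000 variables for ~100 SAN entries
FIXED_FIELDS = 2          # hypothetical non-row inputs (name, save button)


def build_form_body(rows, fields_per_row=FIELDS_PER_ROW):
    """Constructed sample POST body; field names are hypothetical."""
    pairs = [("name", "example"), ("save", "Save")]
    for r in range(rows):
        pairs += [(f"row{r}_field{f}", "x") for f in range(fields_per_row)]
    return urlencode(pairs)


def check_post_body(body, max_input_vars):
    """Simplified model: each key=value pair is one input variable and
    everything past the limit is discarded, as the PHP warning describes.
    Returns (total_pairs, accepted_count, names_of_dropped_fields)."""
    pairs = parse_qsl(body, keep_blank_values=True)
    dropped = [name for name, _ in pairs[max_input_vars:]]
    return len(pairs), len(pairs) - len(dropped), dropped


def max_rows(max_input_vars, fields_per_row=FIELDS_PER_ROW, fixed=FIXED_FIELDS):
    """Largest row count whose form still fits under the limit."""
    return max(0, (max_input_vars - fixed) // fields_per_row)


if __name__ == "__main__":
    body = build_form_body(rows=40)
    for limit in (DEFAULT_LIMIT, WORKAROUND_LIMIT):
        total, accepted, dropped = check_post_body(body, limit)
        print(f"limit={limit}: {total} submitted, {accepted} kept, "
              f"{len(dropped)} dropped, fits up to {max_rows(limit)} rows")
        if dropped:
            print("  first dropped field:", dropped[0])
```

PHP documents max_input_vars as a mitigation against hash-collision denial of service, so raising it widens that exposure for every page served by the same PHP instance.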

      • maverick_slo

        Ok thanks.
        But what is the proper solution?
        If ACME supports up to 100, so should the pfSense package...

        • jimp Rebel Alliance Developer Netgate

          I'm not sure what the proper solution will end up being. The way that form submits information, it submits a lot of unnecessary form fields, so fixing that somehow will probably be the right way, but I'm not sure how easy that will be. I didn't write that part of the code.

          Safe to say it will be some time before that is fixed. Yes, the ACME limit is 100 but in practice few people need anywhere near that many domains on a single certificate, especially now that you can get wildcards.

          • maverick_slo

            It's a Microsoft app.
            Wildcard not supported
            Has to use one cert only, otherwise popups occur 🙂
            Believe me, I would go a different way if it was supported 😁

            • jimp Rebel Alliance Developer Netgate

              Why are you using ACME on pfSense to make its cert then? Use an ACME client on Windows to do it.

              • maverick_slo

                I'm reverse proxying the requests to LAN 🙂

                • jimp Rebel Alliance Developer Netgate

                  Ah, so the client doesn't support wildcards, not the server. I'd call it dumb, but that's implied from it being a Microsoft app.

                  If you are using HAProxy to reverse proxy, I believe it can still use a different cert for specific domains. You don't have to stuff them all in a single cert if it's handling the SSL/TLS.

                  • maverick_slo

                    Now I have 4 certs covering 3 domains each. And I get popups about different domain stuff because of certs... If I have 1 big fat cert no popups 😁

                    • maverick_slo

                      Skype for Business is the simple answer.
                      Tried with wildcard but no go...
                      Also can't tinker a whole lot because of 450 users 😁

                      • maverick_slo

                        The temp fix works OK.

                        • jimp Rebel Alliance Developer Netgate

                          There is a patch to try on the redmine issue I linked to previously. I'll try it out today and if it works, then I'll add it into ACME. Looks good at a glance.

                          • maverick_slo

                            Hi!

                            Will try it out later today with staging cert :)

                            Thanks a lot guys!

                            • jimp Rebel Alliance Developer Netgate

                              If you update to the latest version of the ACME package, the patch is included. You will no longer need that max_input_vars workaround.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.