WebConfigurator default certificate expired yesterday
-
The new pfsense version was just released 2 months ago!, and it already has a few point releases so i know its not super duper stable for everyone yet.
That logic fails since everything that went into 2.3.5 and 2.3.5_1 was to correct defects in 2.3.4_1.
The easiest way to refresh the webgui certificate is to go to the menu, open option 12, then type playback generateguicert then type exit. That will generate the webgui certificate using current best practices.
Enter an option: 12
Starting the pfSense developer shell….
Welcome to the pfSense developer shell
Type "help" to show common usage scenarios.
Available playback commands:
changepassword disablecarp disablecarpmaint disabledhcpd disablereferercheck enableallowallwan enablecarp enablecarpmaint enablesshd externalconfiglocator gatewaystatus generateguicert gitsync installpkg listpkg pfanchordrill pftabledrill removepkgconfig removeshaper resetwebgui restartdhcpd restartipsec svc uninstallpkgpfSense shell: playback generateguicert
Playback of file generateguicert started.
Generating a new self-signed SSL certificate for the GUI...Done.
Restarting webConfigurator...Done.
pfSense shell: -
My 32 bit D2700 is immune to spectre by the way… Funny. So is my old AMD x2.
Saved by old junk!
-
@johnpoz I assume you mean "just use the CA". Would you please post how this can be accomplished when it is impossible to log into the GUI?
-
-
That's exactly what I ended up doing -- I used kde konqueror.
I had tried console/ pfsense-shell / generateguicert but it didn't do anything, didn't generate any output and offered no help with '--help'. -
Derelict gave you how you could redo the self signed via console.. Or as it seems you did used a browser that allows you to make exception for old certs.
As to how to create your own signed cert via pfsense CA... Have been over this many many times already..
Here is latest version - previous versions lost their images when forum was updated
https://forum.netgate.com/post/831783 -
@johnpoz As I've said too many times, the gui was unreachable and once I used a less secure browser, I was able to fix it. I truly don't need instructions for how to use a gui I couldn't reach and which I successfully used with the less secure browser. generateguicert did nothing as I've said a couple of times.
-
Well NO SHIT its not going to do anything if you don't use the playback command as instructed
Clearly it generates new cert.. And sets the gui to use it..
My point was since you already stated your in - is NOW do it with your own CA and set it for like 10 years so you don't have to worry about it expiring again.
-
@adamf663 said in WebConfigurator default certificate expired yesterday:
generateguicert did nothing as I've said a couple of times.
It generates and puts in place a new cert with valid date boundaries.
Still, the new cert it signed by an authority that your browser doesn't trust.
That can be circumvented by importing the cert details into the 'database' of your system or browser. A working GUI is of course needed to do so.
Not the GUI, but the console access can stop https access to the GUI, if needed. Many forum posts explain what to do.I've just used t to generate a new cert, my Fifefox was still complaining of course, had to use the IPv4 of my pfSense, and got in after telling Firefox to allow an exception. So, the instructions work.
I was using the console access.The fact that browsers become more more picky every day is known.
Up to you to disable the https access to the GUI, or use really trusted certificates out of the box (brower's box).edit @johnpoz went down the same way, posted faster.
-
@Gertjan My ca goes out 10 years. The problem was with the server cert and generateguicert did nothing and didn't write any information.
-
pfSense shell:
playback generateguicert -
@Derelict I know this is old... I just wanted to thank you for the steps. Got me back up and running quick when a certificate was accidentally revoked. Thank you!
