NET::ERR_CERT_AUTHORITY_INVALID
-
This post is deleted! -
-
You're not posting much details .... So I choose them myself.
Correct me if I'm wrong - and please : give details.You are using a proxy ?
You are using a web browser that wants to visit www.facebook.com, but some one else gave back a page that wasn't www.facebook.com - This some one is your proxy.So, easy solution : stop using the proxy and your issue will be over.
The certificate used by www.facebook.com uses HSTS (I leave it up to you to wiki-page up that term) which means : no one can impersonate a sites like www.facebook.com - this "no-one" includes your proxy.
To make a very long story very short : It's 2020 now, and making proxies work has become very difficult. The practice MITM (remember wiki ?) is not allowed by your browser any more - and shutting down that protection has been removed from any browser.
Note that the package "Unofficial E2guardian package for pfSense" is not official, only the author could support it.
Also, note that Marcelloc, the author, isn't very active any more on this forum - last post October 2019. But he is active here https://github.com/e2guardian/e2guardian/issues/567 (just read the official e2guardian support => github. If you can understand what they are talking about over there, then you're the expert - if you don't : well, see my advise above)
I'm not sure if "Unofficial E2guardian" runs well on pfSense 2.4.5.A known advise is : Proxies can work. They should be installed in front of a firewall device, on ON it.
-
Hi ,
thanks for your reply
My query is- when i am using network which is bypassed through pf sense to firewall i am unbale to login to facebook or twitter.
- but if switch the my network connection to moblie or any other network i can able to access facbook or twiiter.
coming to proxy : No we are not using
pl help in resolving the issue.
-
@yogeesh said in NET::ERR_CERT_AUTHORITY_INVALID:
Unofficial E2guardian package for pfSense
Then how is your question related to Unofficial E2guardian package for pfSense ?
Why did you also crosspost here https://forum.netgate.com/topic/113757/unofficial-e2guardian-package-for-pfsense/1189 ?You are aware that a pfSense freshly installed - without modification - permits you to visit any site on the Internet without any restrictions ?
So : speak to your network admin, have him repair your issue ! -
Hi
I am the network admin here I am unable to trace this.
Previously they have installed pf sense very long back. -
In that case you will be able to make it work in less then 5 minutes !!
As said a thousands times already the last week or so, since the outcome of pfSense 2.4.5 :
Backup you settings.
Optional : If possible, backup your VM if you are using a bare-bone system, swap the drive. Tis permits you to go back.
Upgrade to - or even better - install a fresh pfSense 2.4.5.
Make WAN and LAN work.
Done !!If needed, import your backup up settings back in.
If it fails the,, redo the re install - and do not use your backed up settings any more.
Just set up the minimal needed things and you'll be fine.Remember, it's a router/firewall : it just takes 10 minutes or so.
-
Thank you
recently we have performed this but no use -
@yogeesh said in NET::ERR_CERT_AUTHORITY_INVALID:
recently we have performed this but no use
What do you mean ?
You installed pfSense 2.4.5 vanilla and no more facebook ?
(which I tend to see as a feature ... )
-
I don't know whether its vanilla or not
2.4.5-RELEASE (amd64)
built on Tue Mar 24 15:25:50 EDT 2020
FreeBSD 11.3-STABLEThe system is on the latest version.
Version information updated at Thu Apr 2 13:19:58 IST 2020 -
And facebook doesn't work ??????
Use another PC to test again.
-
yes it is not working
I have tried in all other PCs -
Applied these advices https://www.facebook.com/notes/protect-the-graph/upgrades-to-facebooks-link-security/2015650322008442/ ?
edit : and you're using Chrome so for example https://www.thesslstore.com/blog/clear-hsts-settings-chrome-firefox/
-
even if I use safari or any other browser i face the same error.
IMP: if I switch from the network connection(pfsense bypassed) immediately I am able to access all these websites.
So I feel this is an issue with pfsense -
@yogeesh said in NET::ERR_CERT_AUTHORITY_INVALID:
So I feel this is an issue with pfsense
I agree.
Do you agree with this : a detail : your pfSense and mine are the same. The only difference is : your settings and mine.
Do what do you think : "Install pfSense, and no more facebook.com for your network members". Do you think pfSense would last long ?So, what so different with your setup ?
-
So your running through proxy? Your running through VPN..
Out of the box pfsense would have zero to do with your connection..It just routes and nats it, all outbound connections are allowed. I take if you were trying to filter with e2guardian, your running proxy.. Disable that! Does it now work?
Running pfsense here, and zero issues with accessing facebook.
-
@Gertjan Don't know might be
How to verify the setting? -
You posted this :
@yogeesh said in NET::ERR_CERT_AUTHORITY_INVALID:
Re: Unofficial E2guardian package for pfSense
Do you know what E2guardian is ?
@johnpoz said in NET::ERR_CERT_AUTHORITY_INVALID:
Running pfsense here, and zero issues with accessing facebook.
Yeah. Lucky you.
And that's why I want to know why @yogeesh has issues with this.
( because I'm gonna sell this knowledge as a huge feature ) -
@Gertjan said in NET::ERR_CERT_AUTHORITY_INVALID:
E2guardian is ?
No I don't have any idea about E2guardian
-
Well why are you asking about it then???
You started this thread with
Re: Unofficial E2guardian package for pfSense
Look under your package manager - what do you show installed? If you have a proxy setup, disable it!
Your in the cache/proxy section - so you have proxy installed... If you have no idea how to run one or troubleshoot one.. Then you should disable it!
-
@johnpoz said in NET::ERR_CERT_AUTHORITY_INVALID:
your package manager
Nice catch !!
It could be, for example, a pfBlockerNG case, set up with the 'click on all the feeds cause it's free'. That would block facebook for sure, redirected to a pfBlockerNG notification web page, so the wrong cert is being returned and the browser start to yell about HSTS issues. -
Yeah that could be it... But his pic didn't include the address he was going to.. It could be redirection to the 10.10.10.10 address pfblocker uses by default.
Oh wait it does just show facebook.com - stupid chrome hiding actual urls!
Picture is so small can barely see anything anyway ;)
-
-
Show your package manger installed - this page.
Show all the packages you have installed.
-
@johnpoz said in NET::ERR_CERT_AUTHORITY_INVALID:
stupid chrome hiding actual urls!
That address bar is the best pishing detection tool possible, it will never lie to you, so Google decide to hide it .... Makes me wonder.
Anyway ....@johnpoz said in NET::ERR_CERT_AUTHORITY_INVALID:
Picture is so small can barely see anything anyway ;)
It's a generic picture we all see. Doesn't contain any useful information except for the error code and the four letter word HSTS. I guess @yogeesh will find out very soon that the only information we have are his words.
Quiet unreadable for use.I already suggested to use pfSense without any changes in the settings, which include of course packages (none should be used / installed).
The answer was :@yogeesh said in NET::ERR_CERT_AUTHORITY_INVALID:
I don't know whether its vanilla or not
I guess it's time to ask if there is actually a pilot on that plain
@yogeesh don't worry, the case will get resolved. It will take some time, though.
-
-
Well if you have no packages installed... Then pfsense would not be interfering with any traffic, it just routes/nats it...
Do you have anything setup in port forwards.. Show us your port forwards, and show us your lan rules please.
-
Oh.
That's a formal reply !
That removes many possible issues.Can you tell us what DNS servers you are using ?
Do you use the DNS Resolver - and did you chance something in it's settings ?
At the bottom of the ServicesDNS ResolverGeneral Settings page, do you have any overrides :Can you resolve www.facebook.com using this :
edit : also : Your are using the DHCP Server for your LAN ?
Any settings have been chaged there ?
At the bottom of the page Status > DHCP Leases, all the devices from your LAN(s) are listed ?On the PC on your LAN, what are the IP settings ?
Typeipconfig /alll
to see the gateway, DNS and IP
The gateway and DNS should be the IP of pfSense. By default, 192.168.1.1 the device IP would be something like 192.168.1.101 where 101 can by any number except 0, 1 and 255.
-
Great questions! All would be good info, maybe someone redirecting facebook.com - I was thinking a port forward to a proxy or something
-
@johnpoz said in NET::ERR_CERT_AUTHORITY_INVALID:
proxy or something
Might as well forget about the proxy.
He was just posting 'some where'.It all started here : https://forum.netgate.com/topic/113757/unofficial-e2guardian-package-for-pfsense/1189 post number 1189 using an ancient e2guardian thread. That thread mentions for sure the words "facebook" and "error" and "pfSense" and Google isn't always your friend (they made Chrome, so .... ).
edit @yogeesh : on a windows PC, can you check this file :
C:\Windows\System32\drivers\etc\hosts
?
Does it contains "facebook" entries ?
Every possible PC using any OS has this file.
Linux/FreBSD devices have this file here :/etc/hosts
-
So should prob remove that stuff from his thread, and move this to general area
edit: edited and moved.
-
-
;; QUESTION SECTION: ;106.61.112.146.in-addr.arpa. IN PTR ;; ANSWER SECTION: 106.61.112.146.in-addr.arpa. 3600 IN PTR hit-adult.opendns.com.
looks like being blocked as adult in opendns!
Would explain why when not using pfsense works, because not using opendns..
-
@johnpoz said in NET::ERR_CERT_AUTHORITY_INVALID:
adult in opendns!
So, DNS isn't being done by pfSense, but relayed to opendns.
Using default pfSense settings would probably have solved the issue right away.I have an account with OpenDNS, so I tested. Activated the "adult" level.
I visited https://www.facebook.com and ..................
Case closed ^^
-
Yup closed - finally!
Is it really an adult-hit for facebook, or is a timewaster hit? The ptr on that IP returned say adult hit.. hehehehe
-
Exact.
I somehow remembered that DNS IP - I've been playing with OpenDNS, as they offer a useful service for home type installation with 'clients' that are kids that need be be checked upon.
When I saw the setting 'High' blocking social media, I decided to test it myself.But all this isn't a pfSense issue.
It's just OpenDNS, installed, activated by the admin of pfSense, doing what it is told to do.And black holing sites like facebook is triggering the MITM/HSTS browser protection.
-
To be honest there are actually very few actual pfsense issues.. Most are layer 8 issues.. misconfig. Which this is for sure. Configuration set without understand what that could mean, and how to troubleshoot it.. Only reason this took so long is lack of information.
-
I didn't understand
help me -
Ok,
First do this : https://docs.netgate.com/pfsense/en/latest/backup/configuration-backup-and-restore.html
Then do this : https://docs.netgate.com/pfsense/en/latest/config/factory-defaults.htmlLast step : use this https://docs.netgate.com/pfsense/en/latest/book/interfaces/ipv4-wan-types.html to activate your Internet access.
Do not change anything else. Not now, not later.
You'll be safe.
You'll be having access to the internet, facebook.com included. -
Thank you for reply
i will try this and update you on this.