NET::ERR_CERT_AUTHORITY_INVALID
-
Well why are you asking about it then???
You started this thread with
Re: Unofficial E2guardian package for pfSense
Look under your package manager - what do you show installed? If you have a proxy setup, disable it!
Your in the cache/proxy section - so you have proxy installed... If you have no idea how to run one or troubleshoot one.. Then you should disable it!
-
@johnpoz said in NET::ERR_CERT_AUTHORITY_INVALID:
your package manager
Nice catch !!
It could be, for example, a pfBlockerNG case, set up with the 'click on all the feeds cause it's free'. That would block facebook for sure, redirected to a pfBlockerNG notification web page, so the wrong cert is being returned and the browser start to yell about HSTS issues. -
Yeah that could be it... But his pic didn't include the address he was going to.. It could be redirection to the 10.10.10.10 address pfblocker uses by default.
Oh wait it does just show facebook.com - stupid chrome hiding actual urls!
Picture is so small can barely see anything anyway ;)
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
-
Show your package manger installed - this page.
Show all the packages you have installed.
-
@johnpoz said in NET::ERR_CERT_AUTHORITY_INVALID:
stupid chrome hiding actual urls!
That address bar is the best pishing detection tool possible, it will never lie to you, so Google decide to hide it .... Makes me wonder.
Anyway ....@johnpoz said in NET::ERR_CERT_AUTHORITY_INVALID:
Picture is so small can barely see anything anyway ;)
It's a generic picture we all see. Doesn't contain any useful information except for the error code and the four letter word HSTS. I guess @yogeesh will find out very soon that the only information we have are his words.
Quiet unreadable for use.I already suggested to use pfSense without any changes in the settings, which include of course packages (none should be used / installed).
The answer was :@yogeesh said in NET::ERR_CERT_AUTHORITY_INVALID:
I don't know whether its vanilla or not
I guess it's time to ask if there is actually a pilot on that plain
@yogeesh don't worry, the case will get resolved. It will take some time, though.
-
-
Well if you have no packages installed... Then pfsense would not be interfering with any traffic, it just routes/nats it...
Do you have anything setup in port forwards.. Show us your port forwards, and show us your lan rules please.
-
Oh.
That's a formal reply !
That removes many possible issues.Can you tell us what DNS servers you are using ?
Do you use the DNS Resolver - and did you chance something in it's settings ?
At the bottom of the ServicesDNS ResolverGeneral Settings page, do you have any overrides :
Can you resolve www.facebook.com using this :
edit : also : Your are using the DHCP Server for your LAN ?
Any settings have been chaged there ?
At the bottom of the page Status > DHCP Leases, all the devices from your LAN(s) are listed ?On the PC on your LAN, what are the IP settings ?
Typeipconfig /alllto see the gateway, DNS and IP
The gateway and DNS should be the IP of pfSense. By default, 192.168.1.1 the device IP would be something like 192.168.1.101 where 101 can by any number except 0, 1 and 255.
-
Great questions! All would be good info, maybe someone redirecting facebook.com - I was thinking a port forward to a proxy or something
-
@johnpoz said in NET::ERR_CERT_AUTHORITY_INVALID:
proxy or something
Might as well forget about the proxy.
He was just posting 'some where'.It all started here : https://forum.netgate.com/topic/113757/unofficial-e2guardian-package-for-pfsense/1189 post number 1189 using an ancient e2guardian thread. That thread mentions for sure the words "facebook" and "error" and "pfSense" and Google isn't always your friend (they made Chrome, so .... ).
edit @yogeesh : on a windows PC, can you check this file :
C:\Windows\System32\drivers\etc\hosts?
Does it contains "facebook" entries ?
Every possible PC using any OS has this file.
Linux/FreBSD devices have this file here :/etc/hosts -
So should prob remove that stuff from his thread, and move this to general area
edit: edited and moved.
-
-
;; QUESTION SECTION: ;106.61.112.146.in-addr.arpa. IN PTR ;; ANSWER SECTION: 106.61.112.146.in-addr.arpa. 3600 IN PTR hit-adult.opendns.com.looks like being blocked as adult in opendns!
Would explain why when not using pfsense works, because not using opendns..
-
@johnpoz said in NET::ERR_CERT_AUTHORITY_INVALID:
adult in opendns!
So, DNS isn't being done by pfSense, but relayed to opendns.
Using default pfSense settings would probably have solved the issue right away.I have an account with OpenDNS, so I tested. Activated the "adult" level.
I visited https://www.facebook.com and ..................
Case closed ^^
-
Yup closed - finally!
Is it really an adult-hit for facebook, or is a timewaster hit? The ptr on that IP returned say adult hit.. hehehehe
-
Exact.
I somehow remembered that DNS IP - I've been playing with OpenDNS, as they offer a useful service for home type installation with 'clients' that are kids that need be be checked upon.
When I saw the setting 'High' blocking social media, I decided to test it myself.But all this isn't a pfSense issue.
It's just OpenDNS, installed, activated by the admin of pfSense, doing what it is told to do.And black holing sites like facebook is triggering the MITM/HSTS browser protection.
-
To be honest there are actually very few actual pfsense issues.. Most are layer 8 issues.. misconfig. Which this is for sure. Configuration set without understand what that could mean, and how to troubleshoot it.. Only reason this took so long is lack of information.
-
I didn't understand
help me -
Ok,
First do this : https://docs.netgate.com/pfsense/en/latest/backup/configuration-backup-and-restore.html
Then do this : https://docs.netgate.com/pfsense/en/latest/config/factory-defaults.htmlLast step : use this https://docs.netgate.com/pfsense/en/latest/book/interfaces/ipv4-wan-types.html to activate your Internet access.
Do not change anything else. Not now, not later.
You'll be safe.
You'll be having access to the internet, facebook.com included.
