@jeffshead
That is correct. Snort/Suricata operates outside the firewall so to speak so it cannot inspect ssl traffic. There is no mechanism within pfsense to decrypt a flow and send to an engine to inspect. This largely,in my opinion, makes the threat prevention aspect of pfsense quite useless. It would be more useful to have your endpoint mitigation tools on the clients do the protection.

@gamehoundsdev NVM im a idiot, I forgot to disable a 443 mapping on nat ..

@ahole4sure no, it is not required if you're using SSL Offloading option on Haproxy frontend. In this case it is better to use http for backend (or issue some internal ssl cert on pfsense for your synology)

@zwiebelspaetzle Mobile could be IPv6, could be a different web server entirely as they have multiple IPv4s.

https://www.ssllabs.com/ssltest/analyze.html?d=www.podtrac.com&s=44.239.236.149&hideResults=on&latest looks pretty good but does show "Chain issues Incorrect order, Contains anchor". If the client had an issue with that, I would expect it to be a problem regardless of connection...but again could be different web servers.

Solved in https://forum.netgate.com/topic/153028/haproxy-deleting-acl-on-modify-bug-or-am-i-missing-something/14

@johnpoz

Thanks for reply.

After you replyed, I investigated and I understand now that this warning has nothing to do with pfsense.

The file is a saved web page:
https://www.ceos3c.com/pfsense/pfsense-generate-ssl-certificate-https-pfsense/

The scanner is on my ReadyNAS v 6.10.1, i dont know who is the "produser".

Thanks for the info. Astounding is what this is. :-)

Where are you getting your cert from? Your going to have to give us more details if you want anyone to be able to figure out what your doing wrong.

For what possible reason would you want to use a wildcard cert for the webgui? How many possible fqdn/IPs could you point to the web gui?

The web gui should be accessed by limited number of users. Create as cert with your own ca, have the users that will access it trust your ca. Put in whatever SANs you want to access it by. Done - set the cert to be good for 10 years. Never have to deal with this issue again.