Inherited firewalls with no SSL on webgui



  • hello, i have inherited 25 firewalls that seem to all have no SSL on the webgui.

    i tried to create a CA, create a cert, but when i applied it, the webgui restarted and then chrome said the data was garbled.  i had to undo the change by resetting the LAN IP and choosing non-SSL webgui (console restore function didint work for me, first time i tried to use that).

    is there a quick way i can successfully switch these over to SSL without breaking it?

    i cant count how many pfsense installs ive dont over the years and i have never noticed an option to completely discard all SSL option, no idea how or why the previous IT company did that.

    anyone have suggesstions?


  • Rebel Alliance Global Moderator

    What version are these 25 firewalls on?

    The revert works just fine, no matter what version your on.  What is most likely happening is your browser seeing that it connected https to this fqdn wants to go back there!!  Many browsers do this these days..

    You have to clear your browser wanting to go to https for that fqdn.

    As to enable ssl, pfsense comes with a cert out of the box to use for its web gui ssl.  If your wanting to create another CA for that - sure that works fine too.  Just make sure your creating the correct type of cert and using the correct one when you setup pfsense ssl, it likes to default to user cert.

    Another issue is that browsers don't like self signed these days, some browsers more friendly than others allowing you to add exceptions..  But its best to just install the pfsense CA you create as a trusted CA so that your browser trust certs signed by this cert.

    If was me and you have 25 of them to do.. I would prob use same CA for all of them and trust this CA, and then create the certs from that CA for all your 25 devices.  This could be a CA off one of the pfsense, or it could be your own, or it could be public.. Your choice there.




  • they all say:

    No Certificates have been defined. A certificate is required before SSL can be enabled. Create or Import a Certificate.

    other firewalls that i have installed myself all say "webConfigurator default".


  • Rebel Alliance Developer Netgate

    From a shell, run:

    pfSsh.php playback generateguicert
    

    That'll make you a new cert using the current hostname as the base for the CN and such.



  • worked like a charms!! thank you!!