Upgraded to 2.3.1-p5, now I can't login to 192.168.0.1 from Safari b/c of Cert



  • Yesterday I used my 3 year old bookmark to log into https://192.168.0.1:xyzw to upgrade from 2.2.? to 2.3.1-ps. The upgrade seemed to go fine, but now I can no longer log into https://192.168.0.1:xyzw from Safari, which reports

    Safari can't open the page "https://192.168.0.1:xyzw" because Safari can't establish a secure connection to the server "192.168.0.1"

    The port is correct, because I can log into https://mycompany.dyndns.org:xyzw from Safari.

    I tried https://192.168.0.1:xyzw from Firefox, which reports:

    Your connection is not secure. The owner of 192.168.0.1 has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

    and allows me to create an exception.

    I went to System / Certificate Manager / Certificates and see this:

    Name: webConfigurator default (CA: Yes, Server: No)
    Issuer: self-signed
    Distinguished Name: emailAddress=Email Address, ST=Somewhere, OU=Organizational Unit Name (eg, section), O=CompanyName, L=Somecity, CN=Common Name (eg, YOUR name), C=US
    Valid From: Wed, 13 Sep 2000 11:50:34 -0700
    Valid Until: Mon, 06 Mar 2006 10:50:34 -0800
    In Use: webConfigurator, OpenVPN Server

    I'm assuming the expiry is the problem. This must be some sort of default certificate included with my original install, because I first started using pfsense far after 2006, so there's no way I could have created this cert.

    How do I edit or create a new certificate?

    Or how can I create a similar exception for Safari?

    And why does this work from https://mycompany.dyndns.org:xyzw but not from https://192.168.0.1:xyzw?

    Thanks!



  • Hi,

    You are aware that
    https://192.168.0.1:443
    is dirty.
    https implies (if that is enforced now) that you should use the domain name (that points to the IP 192.168.0.1) and this domain name should be declared in the certificate that the GUI uses ...
    Using an IP for https is ... well ... not good to start with.

    Example: my local domain is called "brit-hotel-fumel.net".
    My pfsense host name is called "pfsense".
    I combined the two to pfsense.brit-hotel-fumel.net (and yes, I bought the domain name brit-hotel-fumel.net on the Internet) so (example) startssl.com gave a valid, signed and trusted certificate.
    I installed the certificate on my pfsense and all is well.

    You can also use 'self made' certificates, you'll be seeing the message "can't trust that one" ones.
    Of course, using a certificate that dates from 2006 will never work. Instruct pfSense to make a new one.
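
The two checks discussed in this thread (the validity dates, and the name declared in the certificate versus the name typed in the URL), as an added example that is not part of either post or of pfSense. The dictionaries are constructed in the layout of Python's `ssl.SSLSocket.getpeercert()`; `DEFAULT_CERT` uses the dates from the first post, while `NEW_CERT`, its host name and `diagnose` are hypothetical.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed sample: the "webConfigurator default" certificate from the first
# post, in the dict layout of ssl.SSLSocket.getpeercert(). Times are in GMT.
DEFAULT_CERT = {
    "subject": ((("commonName", "Common Name (eg, YOUR name)"),),),
    "notBefore": "Sep 13 18:50:34 2000 GMT",
    "notAfter": "Mar  6 18:50:34 2006 GMT",
    # no "subjectAltName" key: the certificate declares no host name or IP
}

# Hypothetical replacement certificate (name and dates are made up).
NEW_CERT = {
    "subject": ((("commonName", "pfsense.example.net"),),),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Jan  1 00:00:00 2017 GMT",
    "subjectAltName": (("DNS", "pfsense.example.net"), ("IP Address", "192.168.0.1")),
}

def _matches(kind, value, target):
    """Compare one subjectAltName entry with the host part of the URL."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:  # URL uses an IP: only "IP Address" entries count
        return kind == "IP Address" and ipaddress.ip_address(value) == ip
    value, target = value.lower(), target.lower()
    if kind == "DNS" and value.startswith("*."):  # wildcard = one left-most label
        return target.partition(".")[2] == value[2:]
    return kind == "DNS" and value == target

def diagnose(cert, target, now=None):
    """Reasons a TLS client checking dates and subjectAltName rejects `cert`."""
    problems = []
    ts = (now or datetime.now(timezone.utc)).timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    sans = cert.get("subjectAltName", ())
    if not sans:
        problems.append("no subjectAltName")
    elif not any(_matches(kind, value, target) for kind, value in sans):
        problems.append("name mismatch")
    return problems
```

Calling `diagnose(DEFAULT_CERT, "192.168.0.1")` reports both the expiry and the missing name, while a certificate that lists the IP as an `IP Address` entry passes for `https://192.168.0.1` as well as for its DNS name.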

