Netgate Discussion Forum
    [SOLVED] Weird SSL issue

    Category: NAT
    PantsManUK:

      I'm hoping this is the right place for this, couldn't see anywhere else more apropos.

      We're NATing an internal/external webserver behind a 2.3.2 install. Internally, everything is great. Externally however, the pfSense install appears to be MITMing and it's causing grief - it's using an HSTS self-signed server cert. None of the other external website/SSL NATs are exhibiting this issue, just this one.

      Any hints? NAT reflection is disabled, I've tried disabling Squid (not that we had SSL MITM enabled).

    johnpoz (LAYER 8 Global Moderator):

        So you're saying you have https (443) forwarded to an internal server, let's call it 192.168.1.100. So when I hit your public IP, say 1.2.3.4, via https I am getting a different cert than what your server is using?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

    PantsManUK:

          Precisely John.

          Being somewhat specific, the Internet talks to a vIP of x.x.x.245 (/24), and that is NATed to 10.0.0.11 on the "green" (internal) network. 10.0.0.11 has a valid current certificate on it and internally that's what you "see" when you go to https://blah.example.com (internal DNS points at 10.0.0.11).

          Externally, https://blah.example.com points at x.x.x.245 (totally separate DNS) and you "see" the pfSense web GUI cert (I've checked multiple times now) and you get no further than that due to the self-signed HSTS nature of the cert. I've done a packet cap, the traffic arrives normally on WAN, but nothing comes out on the LAN interface, but the NAT/rule is in there and hadn't changed in a good few weeks (replaced it today to see if anything would be different; it wasn't - according to AutoConfigBackup, the last change I can definitely attribute to something in the firewall section was 10 August).

    johnpoz (LAYER 8 Global Moderator):

        Can you post your WAN rules and your forwards? And if you don't mind, can you send me the actual FQDN via PM and I can check from public.

        Do you have anything that could reorder your rules? Say, for example, pfBlocker likes to do a reorder of the rules, etc.


    PantsManUK:

        Oh, I feel like such a fool. Turns out our internal DNS service (WINS as well) was not running (following a server restart on Tuesday), but we didn't notice until this morning after restarting a few other servers and they refused to let us log in after. I would guess either the firewall was trying to look up the IP of the web server(s), getting no response and trying to be helpful, or the web server(s) were trying to do lookup(s), getting no response and giving up.

              Many apologies John, please accept a karma for your troubles.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.