pfSense itself replaces the configured certificate.



  • Hello guys,

    pfSense itself replaces the configured certificate. I have a pfSense configured to use captive portal as an access service to our Wi-Fi network. I recently set up a self-signed certificate for access via the webGUI. This is the second time that pfSense itself has exchanged the certificate for one generated by itself, so I lose access via the webGUI. Below is an image of backups made by pfSense; one of them is the backup reverted to the generated certificate.

    I use pfSense + captive portal virtualized with Xen and it is on the latest stable version.

    2.3.2-RELEASE-p1 (amd64) 
    built on Tue Sep 27 12:13:07 CDT 2016 
    FreeBSD 10.3-RELEASE-p9 
    
    

    The log below shows the first day that the problem happened and also a change that occurred today. The certificate and the key that I use are valid, as we use the same ones in other services that never gave an error.

    Log:

    ./system.log:658:Jan  9 17:29:36 captiveportal php-fpm[41149]: /rc.restart_webgui: The command '/usr/local/sbin/nginx -c /var/etc/nginx-cpzone-CaptivePortal-SSL.conf' returned exit code '1', the output was 'nginx: [emerg] SSL_CTX_use_PrivateKey_file("/var/etc/ca-cpzone-portal.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)'
    ./system.log:1484:Jan 13 08:15:24 captiveportal php-cgi: rc.bootup: Creating SSL Certificate for this host
    

    Is this a known bug?
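
The nginx error in the log above (`X509_check_private_key:key values mismatch`) means the private key handed to nginx is not the one the certificate was issued for. As an added example that is not part of the original thread, this shell check compares the public key inside a certificate with the one derived from a private key, using the standard `openssl` CLI; the function names and file arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a PEM certificate and a
# PEM private key belong together before installing them on the firewall.
# Function names and file arguments are hypothetical. Assumes an unencrypted
# private key and the standard openssl CLI.

# Print the SHA-256 digest of the public key taken from a certificate
# ("cert") or derived from a private key ("key"). Returns 2 if unreadable.
pubkey_digest() {
    case "$1" in
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2 ;;
        key)  pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 2 ;;
        *)    return 2 ;;
    esac
    # Guard against empty output so two failed reads never compare as equal.
    [ -n "$pub" ] || return 2
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit status: 0 = key matches certificate, 1 = mismatch, 2 = unreadable input.
cert_key_match() {
    c=$(pubkey_digest cert "$1") || { echo "cannot read certificate: $1" >&2; return 2; }
    k=$(pubkey_digest key "$2")  || { echo "cannot read private key: $2" >&2; return 2; }
    if [ "$c" = "$k" ]; then
        echo "match: $c"
        return 0
    fi
    echo "MISMATCH: private key does not belong to this certificate" >&2
    return 1
}

# Usage: sh check.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2"
fi
```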



  • Using your own certificates would work, if you insist on having a huge warning on every visitor's web browser.

    But why not use signed certificates, accepted by every browser on the planet?
    I used this thread as a guideline. Worked just great (and I also learned how to insert other certificates without messing up the pfSense GUI certificates, which, by the way, I totally wiped to have them replaced by other certificates signed by a recognized authority ;))



  • But why not use signed certificates, accepted by every browser on the planet?

    First attachment. :D

    I used this thread as a guideline. Worked just great (and I also learned how to insert other certificates without messing up the pfSense GUI certificates, which, by the way, I totally wiped to have them replaced by other certificates signed by a recognized authority ;))

    I also used this tutorial for the setup. The problem is that pfSense itself is changing the certificates! I set up our certificate - see attachment 2 - and the problem occurs. Where my certificate - "captiveportal…br" - should be, it is changed to one with the initial name of "webconfigurator...".

    Any ideas?






  • Strange.
    You're missing the default certificate called "WebConfigurator Default (xxxxxx)".
    Check your disk: aren't the generated files saved when created?



  • I deleted the default certificate. Is that wrong? :o


  • You obviously are NOT supposed to delete certificates that are in use. In fact, I filed a bug about this being allowed, already fixed in 2.4.x - except for the WebGUI case.

    https://redmine.pfsense.org/issues/6947



  • @doktornotor:

    You obviously are NOT supposed to delete certificates that are in use. In fact, I filed a bug about this being allowed, already fixed in 2.4.x - except for the WebGUI case.

    https://redmine.pfsense.org/issues/6947

    I did NOT delete the certificate while it was in use. I selected our certificate and deleted the default.

