Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    NTOPNG and Let's Encrypt Certificates

    Scheduled Pinned Locked Moved Traffic Monitoring
    12 Posts 6 Posters 4.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E
      e8link
      last edited by

      I'm using a lets encrypt certificate with Pfsense.  Whenever I change the default webconfigurator cert to the let's encrypt certificate ntop becomes inaccessible.  As soon as I revert back to the default it's available again.

      Anyone know of a workaround?

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        How do you have ntopng set? It should work for that. It did the last time I tried it.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • E
          e8link
          last edited by

          Looks to be the default configuration - included in the attachment.  When accessing I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH

          If I change the Advanced - admin access from the acme (lets encrypt) issued certificate back to the webconfiguration default certificate ntop is accessible again.  My acme issued cert is EC384, but not sure that makes a difference.

          ntopng.png
          ntopng.png_thumb

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            That could be why. I haven't tried it with an EC cert, it worked fine for me with a regular cert.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • E
              eduardr
              last edited by

              Replying to this because it may be related to the issue I just ran across.

              I just added a new Let's Encrypt Cert via manual import in the Certificates page, and after switching to it in Advanced settings, the Ntop GUI (myfirewall:3000) was still using the old cert.

              I had to go to Ntop NG pfsense config, and click 'Save' on the ntop settings. This "activated" the new cert for the :3000 ntop web interface.

              So the issue appears to be that adding a new cert does not automatically activate it for the ntop web app on port :3000. Having to "resave" ntop settings each time a new cert is added is maybe a bug?

              1 Reply Last reply Reply Quote 1
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                How would ntopng know you made that cert change? It has no way to know, resaving its settings makes it re-read the certificate and pull in the new settings.

                You have to remember that ntopng is a package and is not going to have its settings automatically updated by changes in the base system.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • E
                  eduardr
                  last edited by

                  Thanks for the followup. Ntop wouldn't know, but the Pfsense UI knows (assuming I made the cert change using PfSense UI, which I did). Was hoping/assuming pfsense would notify the ntop package to refresh its cert/settings in this scenario. That's not how it works, fair enough.

                  Previously I used the acme package to set up the Let's Encrypt cert - maybe the acme package DOES trigger ntop to re-read its cert? Not sure, I may be remembering wrong.

                  Additional motivation to go back to using paid SSL certs rather than the frequently expiring Let's Encrypt ones which cause additional manual work, or additional dev effort to put in place automation to deal with all these scenarios.

                  Also - we're running a number of firewalls. If it was just one firewall, with a cert that expires every 2 years, it would not be an issue to document somewhere the need to click the save button on ntop settings every 2 years when the cert is renewed.

                  1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    The correct path forward in that case is to add an action to the ACME package cert entry to restart the ntopng service.

                    The rc script doesn't appear to rewrite the cert, though, so you'd need to do something a little more drastic, like have ACME run /etc/rc.start_packages in the renew actions.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • E
                      eduardr
                      last edited by

                      Thank you for those ideas! I'll also look into whether there's a way to trigger Ntop to "Save Settings" using a script.

                      1 Reply Last reply Reply Quote 0
                      • S
                        spambait
                        last edited by

                        I have the same issue. Also using ACME 2.0 for an EC384 certificate. People are reporting that old school Letsencrypt certs work fine. May try that this weekend.

                        Edit: No dice on the standard RSA cert. Same issue. Doesn't seem EC384 related after all.

                        1 Reply Last reply Reply Quote 0
                        • R
                          R3Z3N
                          last edited by

                          Has anyone else found an answer? I have tried adding my cert to the package but am still failing.

                          Supermicro A1SRi-2558F
                          Samsung 850 Evo 120GB

                          1 Reply Last reply Reply Quote 0
                          • D
                            drcstang
                            last edited by

                            I was having an issue with Lets Encrypt certs as well. They worked fine for PFSense GUI, they just were not working for ntopng. As other's have indicated, when using the LE certs, the browser was giving a "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" and the process core dumps when restarting. When using other SSL/TLS testing tools (like testssl.sh), the port was open by no TLS handshake was happening, no cipher was being offered.

                            Originally I was using a 384bit ECDSA LE certificate.

                            What seems to have allowed me to work around the issue was switching to a 2048 bit RSA certificate. Earlier in the thread @spambait mentioned that didn't help him, so not sure why it's working for me. I did manually cat the key and fullchain into the ntopng/httpdocs/ssl/ntopng-cert.pem file.

                            Switching certificate types in the existing certificate did not seem to actually change the type of certificate being generated. I had to create an entirely new certificate (Services -> Acme Certificates -> Certificates -> + Add).

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.