WebConfigurator default certificate expired yesterday

adamf663

@johnpoz I assume you mean "just use the CA". Would you please post how this can be accomplished when it is impossible to log into the GUI?

Gertjan

@adamf663 : use an old browser that doesn't bark and refuses to trust old certs.
If that's a no-go, @Derelict posted here what to to without using the GUI.

adamf663

That's exactly what I ended up doing -- I used kde konqueror.
I had tried console/ pfsense-shell / generateguicert but it didn't do anything, didn't generate any output and offered no help with '--help'.

johnpoz

@adamf663

Derelict gave you how you could redo the self signed via console.. Or as it seems you did used a browser that allows you to make exception for old certs.

As to how to create your own signed cert via pfsense CA... Have been over this many many times already..

Here is latest version - previous versions lost their images when forum was updated
https://forum.netgate.com/post/831783

adamf663

@johnpoz As I've said too many times, the gui was unreachable and once I used a less secure browser, I was able to fix it. I truly don't need instructions for how to use a gui I couldn't reach and which I successfully used with the less secure browser. generateguicert did nothing as I've said a couple of times.

johnpoz

Well NO SHIT its not going to do anything if you don't use the playback command as instructed

Clearly it generates new cert.. And sets the gui to use it..

My point was since you already stated your in - is NOW do it with your own CA and set it for like 10 years so you don't have to worry about it expiring again.

Gertjan

@adamf663 said in WebConfigurator default certificate expired yesterday:

generateguicert did nothing as I've said a couple of times.

It generates and puts in place a new cert with valid date boundaries.
Still, the new cert it signed by an authority that your browser doesn't trust.
That can be circumvented by importing the cert details into the 'database' of your system or browser. A working GUI is of course needed to do so.
Not the GUI, but the console access can stop https access to the GUI, if needed. Many forum posts explain what to do.

I've just used t to generate a new cert, my Fifefox was still complaining of course, had to use the IPv4 of my pfSense, and got in after telling Firefox to allow an exception. So, the instructions work.
I was using the console access.

The fact that browsers become more more picky every day is known.
Up to you to disable the https access to the GUI, or use really trusted certificates out of the box (brower's box).

edit @johnpoz went down the same way, posted faster.

adamf663

@Gertjan My ca goes out 10 years. The problem was with the server cert and generateguicert did nothing and didn't write any information.

Derelict

pfSense shell: playback generateguicert

jwaterman

@Derelict I know this is old... I just wanted to thank you for the steps. Got me back up and running quick when a certificate was accidentally revoked. Thank you!