SSL Certificate Authority Error Upon Initial Install
  • Guys, do I actually have to get my own SSL cert signed by a secure server for this thing to work properly out of the box? If so I need some advice on obtaining one, or otherwise information on how to get rid of this Chrome version 58+ SSL Certificate Authority Error that is now plaguing the internet as of such...

    ERROR REPORT LOGIN 192.168.1.1
    FIRST DAMN THING YOU SEE

    Your PC doesn’t trust this website’s security certificate.
    The hostname in the website’s security certificate differs from the website you are trying to visit.
    Error Code: DLG_FLAGS_INVALID_CA
    DLG_FLAGS_SEC_CERT_CN_INVALID
    HELP ME FIX THIS PLEASE WORD FOR WORD
    Already made new CA & Certificate authoritative signatures
    Now do they need to be signed by a secure encoder online?
    If so I need step by step instructions from there
    Thank YOU
    MWHN


  • Netgate Administrator

    That's not a problem, that's the expected behaviour. The Certificate is self-signed so Chrome does not trust it by default.
    You can replace it with a cert signed by a known CA.
    You can import the CA you just created so it sees the new server cert as valid.
    You could use a Let's Encrypt cert: https://www.netgate.com/docs/pfsense/certificates/acme-package.html
    You could just use a different browser and import the certificate permanently.
    Or you could accept that behaviour in Chrome and just acknowledge the warning every time. It forces you to check the site is correct rather than just entering your password in something that looks like your firewall because it has a green padlock.

    Steve



  • Thanks Stephen,
    All that you stated is true; however, in general I tried the ACME approach and got a secure signed certificate. Now the web configurator still has a certificate error even though it's signed. Imported the certificate as well, still no go.
    What am I missing?
    Thanks
    NWB


  • Netgate Administrator

    The certificate probably doesn't match the server name. You need to add the FQDN as an alternate name. I also added an IP address in there so I can connect either way. It worked here for me in Chromium after I imported the CA that signed the new cert.

    Steve
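As an added illustration (not part of the thread or of pfSense), the name check Chrome 58+ performs: the URL host is matched only against subjectAltName entries, never against the CN, so browsing to 192.168.1.1 with a cert that carries only a CN (or only a DNS name) gives DLG_FLAGS_SEC_CERT_CN_INVALID until an iPAddress SAN is added, as Steve describes. The certificate contents, hostnames and address below are constructed; the function also handles the general wildcard rules, which go beyond what the thread covers.

```python
import ipaddress

# Constructed stand-ins for the web configurator's certificate (not real pfSense data).
# A CN-only certificate, with no subjectAltName extension at all:
CERT_CN_ONLY = {"cn": "pfSense-example", "dns": [], "ip": []}
# The same server after adding the FQDN and the LAN address as alternate names:
CERT_WITH_SAN = {"cn": "pfsense.home.lan",
                 "dns": ["pfsense.home.lan"], "ip": ["192.168.1.1"]}


def dns_label_match(pattern, host):
    """Match one dNSName SAN against a requested hostname (RFC 6125 rules):
    case-insensitive, and a single '*' may only replace the whole left-most
    label (never a bare '*.tld', never more than one label)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert, requested):
    """Return (ok, reason) for a browser-style name check.

    An IP literal in the URL must appear as an iPAddress SAN; a hostname must
    match a dNSName SAN. The CN is deliberately ignored, as Chrome 58+ does.
    """
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(i) == ip for i in cert["ip"]):
            return True, "iPAddress SAN matches %s" % requested
        return False, "DLG_FLAGS_SEC_CERT_CN_INVALID: no iPAddress SAN for %s" % requested
    if any(dns_label_match(d, requested) for d in cert["dns"]):
        return True, "dNSName SAN matches %s" % requested
    return False, "DLG_FLAGS_SEC_CERT_CN_INVALID: no dNSName SAN for %s" % requested


if __name__ == "__main__":
    for cert in (CERT_CN_ONLY, CERT_WITH_SAN):
        for host in ("192.168.1.1", "pfsense.home.lan"):
            print(cert["cn"], "->", host, cert_matches(cert, host))
```

Note that this only covers the name check; the separate DLG_FLAGS_INVALID_CA error is about trust in the issuing CA and is what importing the CA (or using an ACME-issued cert) resolves.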