Issue with SSL



  • Hi
    I got a strange behaviour with a pfSense 2.4.

    I have one Seafile server with an SSL certificate given by Let's Encrypt.
    This web server is protected by pfSense, with ports 443 and 80 NATed to it.

    The issue is that when I try to verify the SSL certificate from a machine inside the LAN protected by the pfSense, I get an error, because the certificate is checked using pfSense??

    Information:

    Server URL: cloud.conseil-info-30.com
    I checked the SSL certificate on both the pfSense shell and one other Linux machine connected to the same LAN with the command:

    openssl s_client -showcerts -connect cloud.conseil-info-30.com:443

    Result:
    CONNECTED(00000003)
    depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-58f17eb4cf8d1
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-58f17eb4cf8d1
    verify error:num=21:unable to verify the first certificate
    verify return:1

    Certificate chain
    0 s:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-58f17eb4cf8d1
    i:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-58f17eb4cf8d1
    -----BEGIN CERTIFICATE-----
    MIIFjzCCBHegAwIBAgIBADANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMx
    DjAMBgNVBAgTBVN0YXRlMREwDwYDVQQHEwhMb2NhbGl0eTE4MDYGA1UEChMvcGZT
    ZW5zZSB3ZWJDb25maWd1cmF0b3IgU2VsZi1TaWduZWQgQ2VydGlmaWNhdGUxKDAm
    BgkqhkiG9w0BCQEWGWFkbWluQHBmU2Vuc2UubG9jYWxkb21haW4xHjAcBgNVBAMT
    FXBmU2Vuc2UtNThmMTdlYjRjZjhkMTAeFw0xNzA0MTUwMjAwMjFaFw0yMjEwMDYw
    MjAwMjFaMIG0MQswCQYDVQQGEwJVUzEOMAwGA1UECBMFU3RhdGUxETAPBgNVBAcT
    CExvY2FsaXR5MTgwNgYDVQQKEy9wZlNlbnNlIHdlYkNvbmZpZ3VyYXRvciBTZWxm
    LVNpZ25lZCBDZXJ0aWZpY2F0ZTEoMCYGCSqGSIb3DQEJARYZYWRtaW5AcGZTZW5z
    ZS5sb2NhbGRvbWFpbjEeMBwGA1UEAxMVcGZTZW5zZS01OGYxN2ViNGNmOGQxMIIB
    IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5GKqS+EirKhKo2yifwxwHYPc
    NFQ8zMY9J/Xwkab3sc7/WVaD/qePYZfxUbupIkJGpDw4fWWOVUdv951QH0CtJe3B
    7yheUiV0JXifP/0ZMFoqi1UWeICR97FPlFNjplvXyAyzBBy/EtK37LjV+WqF5fUX
    HoHqsZpUYyWFWumiHUgkhnYtQwJkQRoU/GVd21HdEAli3TBKRFDf7QCPufcEHjWQ
    6gNLzGGVQlOhsiOQ29Qh7PJZsfVsSJ3oCLOyDLD7RyAR7Q/62aPDLsU50bZ8tAWt
    JMv81DG5ihM6L6tepJ6Y7EwZJHuGRUp4QNOyAq12oTI765wP0eViRdytEOcC9wID
    AQABo4IBqDCCAaQwCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0P
    BAQDAgWgMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIg
    Q2VydGlmaWNhdGUwHQYDVR0OBBYEFExVwr1jCtVnZahaj0kRY17Jqx94MIHhBgNV
    HSMEgdkwgdaAFExVwr1jCtVnZahaj0kRY17Jqx94oYG6pIG3MIG0MQswCQYDVQQG
    EwJVUzEOMAwGA1UECBMFU3RhdGUxETAPBgNVBAcTCExvY2FsaXR5MTgwNgYDVQQK
    Ey9wZlNlbnNlIHdlYkNvbmZpZ3VyYXRvciBTZWxmLVNpZ25lZCBDZXJ0aWZpY2F0
    ZTEoMCYGCSqGSIb3DQEJARYZYWRtaW5AcGZTZW5zZS5sb2NhbGRvbWFpbjEeMBwG
    A1UEAxMVcGZTZW5zZS01OGYxN2ViNGNmOGQxggEAMB0GA1UdJQQWMBQGCCsGAQUF
    BwMBBggrBgEFBQgCAjAgBgNVHREEGTAXghVwZlNlbnNlLTU4ZjE3ZWI0Y2Y4ZDEw
    DQYJKoZIhvcNAQELBQADggEBAIE5Cpo9PpxVYu6Tg8as03HpoA4ZeeVYIb9EI4ov
    3+IRa/zSJ18pFr7pL7IHRpX1SrLpCu6VLoKoWNIlxEt0D5+mIS2VRus4q/rk/OQ7
    CkEvd5JOr1hMN2qdBtQgBX/cewERn5lD7LAjCQgDw6R0iHW1OD0/+Dye6FQ43Xtv
    DoMYQG5zQ+rjiJKcVqM8GSj6yGEbe04b+fB+wBiBkQlgnEiUsnnWJtbWYcFOpsR9
    XdDzQz5kui7Jbf1yETQ+0gVeTTB8V/pYt5RJdif8LsjMUZpQFgLSXlNy0QqVEUIM
    OET8/PjU2jWrpcXO/bCax8cHHiZW0WA04GBUSDKIfrAmtcQ=
    -----END CERTIFICATE-----

    Server certificate
    subject=/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-58f17eb4cf8d1
    issuer=/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-58f17eb4cf8d1

    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits

    SSL handshake has read 1934 bytes and written 302 bytes
    Verification error: unable to verify the first certificate

    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 2E9AF3C6A6E082F44875A97E7E0B63A78ABFA5E852EAF51C7A42AB65EE8851A3
    Session-ID-ctx:
    Master-Key: 757E3625639E62E27311734C988A4EF7BE3550682B0326746EF568D0DDF3E6F4FDF39209C0DCCBE45D150D7CECA12553
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1535968489
    Timeout : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no

    If I try the same command on another machine not connected to this pfSense, it works:

    CONNECTED(00000004)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = cloud.conseil-info-30.com
    verify return:1

    Certificate chain
    0 s:/CN=cloud.conseil-info-30.com
    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    -----BEGIN CERTIFICATE-----
    MIIHHTCCBgWgAwIBAgISA1DMlJ1j55zuCfahFDpXyyQVMA0GCSqGSIb3DQEBCwUA
    MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
    ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA3MDUxODMyMjFaFw0x
    ODEwMDMxODMyMjFaMCQxIjAgBgNVBAMTGWNsb3VkLmNvbnNlaWwtaW5mby0zMC5j
    b20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC54ghW7WzAc0SIDPpB
    4EH33JHArcVA9pI1tBMiEeYI6T91gGcF8SFP6ljrMfYXRSam8vQwiXPawoUD6MzS
    8/Jc2L1dRFYUdQ6Bu5d2OFrhacVdMG0c0flE9QfV5akl9HDZCU5j7LVh8ePCkWrh
    TFwY7rPr6/5jo8EgAY60mnHLX7nQg3kuyPuH4HlN4MCzLP8guDfTAcutzMjTFotk
    h7+p0esiWZiZIil9siQ/5AOOx6i9Bm2B5aAmaGoTswOCdgI71HL+YO3fqs1hJGI9
    9ui1gECT0GJTGU8CaEvCdbnSDaXZFXzSfWVmKBSAi6N4fG/+Sg2s9rOq2I8q1yUw
    6/Vin4v1u6VlzsMhpNst45mB3HO+s2CEor3yNkNlfkzu1yUK7rOG1bbLzIGRBlaO
    aTBRP0VTpUhOsJUrbVYdg6shHVeGUK0baozapwEFPdoerQdtnkSLf/zHktlzSQIn
    2u5uyI+sTjc4orb24lHHnr8XBb1sx39Oly88jgxlIYunXITjS6JI14m1jzSVUMfT
    peMV7s7CWj2hFfWyad4glmzx7uq/5fTxoOxzMH1Iad8DfDO09S0pQdvpL9RujJf/
    7sayPgkOb/pgNZVAvIZcVwXl7xbm9RDhgngyiS6eRhKEXUsUA1dmOxrpgs6vMdnN
    aBRsYIy2YGI3E+6AuzAjMhzmCQIDAQABo4IDITCCAx0wDgYDVR0PAQH/BAQDAgWg
    MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G
    A1UdDgQWBBQ1MdZDwSx6lmNnv8NoAU/L60RkSzAfBgNVHSMEGDAWgBSoSmpjBH3d
    uubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6
    Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6
    Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMCQGA1UdEQQdMBuCGWNsb3Vk
    LmNvbnNlaWwtaW5mby0zMC5jb20wgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYG
    CysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNy
    eXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBv
    bmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBp
    biBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBh
    dCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzCCAQQGCisGAQQB
    1nkCBAIEgfUEgfIA8AB2ANt0r+7LKeyx/so+cW0s5bmquzb3hHGDx12dTze2H79k
    AAABZGvuYB0AAAQDAEcwRQIhALFB8uUgSuqcrw3kClXQpDwfmgaZNRzYy6+9yMJU
    hfY/AiBxZAjOFIhX1R/Y6nm1/2/GaBpQE/eKv9CbQdesXgJL+gB2ACk8UZZUyDll
    uqpQ/FgH1Ldvv1h6KXLcpMMM9OVFR/R4AAABZGvuYC4AAAQDAEcwRQIgIl2GDKtv
    a4ZI8HR5Kstbo89ibVW7as9eiPDSEjzI5wkCIQC26qrBX/bsinwV5NRIjbGXWJhx
    L0y5UtkDb9R0xKJ5+TANBgkqhkiG9w0BAQsFAAOCAQEAMG5za6ls+Aa9xGtkz25B
    YIFtIip3qDKhxo0ynmmEVzmFrnuh9LQsEBdU8c30aml/u/h0eRblgViPFQRX1yuA
    PLNCRyOHpgKNo6QM+yaPlgjMlhOICO3JiEAvGs7ewoEuiQMAlpKdR8EPdCYV1LKS
    g0zmOC6st5Ia84IH5cshI5FM+Br67VA/P96dQN0ki/4BTLFz93FG2OR6To3tJgoe
    hKFLzoPm9asWWia8KsvLBaqqbgpkRDLmZ7Pfi0kzWCoxVkmpj5AwFxp85Vboc5Op
    jd2SNZ+B3XrukbR7QV1dhx/55XjntJw1jT+QmbJGI8SH2fM3FYk+HxjNJ6dWQHxz
    rw==
    -----END CERTIFICATE-----
    1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    -----BEGIN CERTIFICATE-----
    MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
    DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
    SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
    GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
    AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
    q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
    SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
    Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
    a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
    /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
    AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
    CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
    bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
    c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
    VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
    ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
    MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
    Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
    AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
    uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
    wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
    X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
    PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
    KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
    -----END CERTIFICATE-----

    Server certificate
    subject=/CN=cloud.conseil-info-30.com
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits

    SSL handshake has read 3928 bytes and written 433 bytes

    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 1C9BC59D3E1BABD4BF77784097235F9E622D52FC82E84126C9601D900F1168C5
    Session-ID-ctx:
    Master-Key: D917581B92522291A5EC89EF8AEDE76D5697BF531A8952735D27BBFE09520577FCBAE19D7212BBD2D40F0F5D31FA8C32
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 3b 8d 96 d0 35 6f 79 2e-10 97 ec 4d 4e 54 ae 5b ;...5oy....MNT.[
    0010 - 53 9d d2 d0 05 fe 52 8c-d6 a6 f8 de a0 20 8b 02 S.....R...... ..
    0020 - 78 95 8a 3f 35 54 d9 70-8a d5 b5 f1 cd bd 1f 65 x..?5T.p.......e
    0030 - 69 86 82 97 54 9e 44 f3-28 f7 85 fa 97 eb f5 c5 i...T.D.(.......
    0040 - 38 6e 09 ea 14 88 d4 dc-7f 69 31 ae 60 71 70 3b 8n.......i1.`qp;
    0050 - 5e 79 62 14 16 dd 18 c9-e3 4e c8 49 74 69 65 4e ^yb......N.ItieN
    0060 - e9 65 4e 4c a5 9d 6b c5-4c 35 61 c2 d0 86 2b f1 .eNL..k.L5a...+.
    0070 - e2 82 ab e4 eb 89 e1 48-aa 29 8c f8 28 fb b9 d1 .......H.)..(...
    0080 - dd 9e 93 40 27 b6 f4 9a-e0 b0 d2 14 d5 56 57 f4 ...@'........VW.
    0090 - 50 7e 63 1f a4 ee 98 e2-65 5e 7b 56 91 75 9c 2d P~c.....e^{V.u.-
    00a0 - 91 28 72 43 61 56 27 2f-1b cb 29 20 bf e7 39 13 .(rCaV'/..) ..9.

    Start Time: 1535968539
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

    No idea why I get this behaviour.


  • Rebel Alliance Global Moderator

    @max33 said in Issue with SSL:

    cloud.conseil-info-30.com

    What does that resolve to? You're hitting your pfSense web GUI, which is why you get presented with the web GUI cert.

    It resolves to 185.220.x.x on the public side. Have to assume that is the pfSense WAN. So yeah, if you hit the pfSense WAN from the LAN side you would get the web GUI. Your local-side stuff should resolve that to your RFC 1918 address. Or you would have to set up NAT reflection and move the pfSense web GUI off the standard ports, or you're going to run into problems trying to use NAT reflection hitting your WAN IP to get reflected back in, etc. Just set up a host override so the local box resolves that to its local IP.
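    A quick way to tell the two situations apart from the `openssl s_client` output alone, as an added example that is not part of this thread or of pfSense: the script below parses the leaf certificate's subject and issuer plus the final verify result, and reports whether the connection landed on the firewall's own webConfigurator (self-signed leaf whose O names the pfSense webConfigurator) or on the forwarded server (leaf CN matching the requested hostname and a clean chain). The two sample outputs are trimmed copies of what the thread shows, with the certificate bodies and session data removed; the verdict labels and the classification rules are this example's own assumptions.

```python
"""Classify `openssl s_client` output: forwarded server or firewall web GUI?

Added example, not taken from the forum thread or from pfSense. The sample
outputs are constructed from the lines shown in the thread (certificate
bodies and session data removed); verdict labels are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample 1: what the LAN client in the thread saw.
SEEN_FROM_LAN = """\
CONNECTED(00000003)
depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-58f17eb4cf8d1
verify error:num=20:unable to get local issuer certificate
verify return:1
Server certificate
subject=/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-58f17eb4cf8d1
issuer=/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-58f17eb4cf8d1
Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample 2: what a client outside the firewall saw.
SEEN_FROM_OUTSIDE = """\
CONNECTED(00000004)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = cloud.conseil-info-30.com
verify return:1
Server certificate
subject=/CN=cloud.conseil-info-30.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Verify return code: 0 (ok)
"""


@dataclass
class LeafInfo:
    subject: str
    issuer: str
    cn: Optional[str]
    verify_code: Optional[int]
    verify_reason: str

    @property
    def self_signed(self) -> bool:
        # A leaf whose issuer DN equals its subject DN signed itself.
        return bool(self.subject) and self.subject == self.issuer


def parse_s_client(output: str) -> LeafInfo:
    """Extract the leaf subject/issuer and the final verify result.

    Handles both the slash-separated DN form shown in the thread and the
    comma-separated form that newer OpenSSL releases print.
    """
    def field(name: str) -> str:
        m = re.search(rf"^{name}=(.*)$", output, re.MULTILINE)
        return m.group(1).strip() if m else ""

    subject = field("subject")
    issuer = field("issuer")
    cn_match = re.search(r"CN\s*=\s*([^/,\n]+)", subject)
    code_match = re.search(r"^Verify return code: (\d+) \((.*)\)", output, re.MULTILINE)
    return LeafInfo(
        subject=subject,
        issuer=issuer,
        cn=cn_match.group(1).strip() if cn_match else None,
        verify_code=int(code_match.group(1)) if code_match else None,
        verify_reason=code_match.group(2) if code_match else "no verify result",
    )


def diagnose(output: str, expected_host: str) -> str:
    """Return one of: 'firewall-gui', 'name-mismatch', 'self-signed', 'verify-failed', 'ok'."""
    info = parse_s_client(output)
    # Self-signed leaf naming the pfSense webConfigurator: the TCP connection
    # terminated on the firewall's own listener, not on the port forward.
    if info.self_signed and "pfSense webConfigurator" in info.subject:
        return "firewall-gui"
    if info.cn != expected_host:
        return "name-mismatch"
    if info.self_signed:
        return "self-signed"
    if info.verify_code != 0:
        return "verify-failed"
    return "ok"


if __name__ == "__main__":
    host = "cloud.conseil-info-30.com"
    for label, sample in (("from LAN", SEEN_FROM_LAN), ("from outside", SEEN_FROM_OUTSIDE)):
        info = parse_s_client(sample)
        print(f"{label}: {diagnose(sample, host)} (leaf CN={info.cn}, verify={info.verify_reason})")
```

    The check only looks at the leaf CN; certificates that carry the hostname solely in a Subject Alternative Name would need the `-showcerts` PEM parsed as well. Feed it the real output with something like `openssl s_client -connect host:443 </dev/null 2>/dev/null | python3 check.py` after replacing the constructed samples with `sys.stdin.read()`.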



  • Hi, and thanks for taking the time to respond.

    I solved the issue by setting up a host override in the /etc/hosts of the server.

    By the way, it's still difficult for me to understand why I reach the pfSense webConfigurator CA.

    I understand that the local machine gets the DNS resolution correct and then gets the public IP of the pfSense WAN.

    I NAT port 443 to the local machine.

    So why do I reach the web GUI, as for me the web GUI is on the LAN side?

    PS: it's more to understand clearly what happens...


  • Rebel Alliance Global Moderator

    Default LAN rules are what? Any/any by default... Your WAN IP can be reached by LAN clients... The web GUI listens on all IPs of pfSense. So yeah, if you hit the WAN IP on the port the GUI is listening on, then you get the web GUI.

    Why would you set up a host record on the server? Why would you not just set it up on the pfSense DNS so that all clients of the pfSense DNS would get the local IP?


  • Netgate Administrator

    Yes, correcting this on the firewall for all clients is a much better solution here:
    https://www.netgate.com/docs/pfsense/nat/accessing-port-forwards-from-local-networks.html

    Steve



  • Hi, thanks both for your explanation, that makes more sense now for me.

    Effectively it's better to use split DNS and to add an entry for all; I just forgot this simple solution.

    KR