Issue with SSL
-
HI
I got a strange behviour with a pfsense 2.4I got one seafile server with ssl certificate given by let's Encrypt.
This Web server is protected by pfsense with 443 an 80 Nat to it.The issue is that when i try to verify ssl certificate with a machine inside the lan protected by the pfsense i got an error because the certificate is check using pfsense ??
Information :
Server url : cloud.conseil-info-30.com
I checked ssl certificate on both pfsense shell and one other linux machine connected to same LAN with command :openssl s_client -showcerts -connect cloud.conseil-info-30.com:443
Result :
CONNECTED(00000003)
depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-58f17eb4cf8d1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-58f17eb4cf8d1
verify error:num=21:unable to verify the first certificate
verify return:1Certificate chain
0 s:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-58f17eb4cf8d1
i:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-58f17eb4cf8d1
-----BEGIN CERTIFICATE-----
MIIFjzCCBHegAwIBAgIBADANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMCVVMx
DjAMBgNVBAgTBVN0YXRlMREwDwYDVQQHEwhMb2NhbGl0eTE4MDYGA1UEChMvcGZT
ZW5zZSB3ZWJDb25maWd1cmF0b3IgU2VsZi1TaWduZWQgQ2VydGlmaWNhdGUxKDAm
BgkqhkiG9w0BCQEWGWFkbWluQHBmU2Vuc2UubG9jYWxkb21haW4xHjAcBgNVBAMT
FXBmU2Vuc2UtNThmMTdlYjRjZjhkMTAeFw0xNzA0MTUwMjAwMjFaFw0yMjEwMDYw
MjAwMjFaMIG0MQswCQYDVQQGEwJVUzEOMAwGA1UECBMFU3RhdGUxETAPBgNVBAcT
CExvY2FsaXR5MTgwNgYDVQQKEy9wZlNlbnNlIHdlYkNvbmZpZ3VyYXRvciBTZWxm
LVNpZ25lZCBDZXJ0aWZpY2F0ZTEoMCYGCSqGSIb3DQEJARYZYWRtaW5AcGZTZW5z
ZS5sb2NhbGRvbWFpbjEeMBwGA1UEAxMVcGZTZW5zZS01OGYxN2ViNGNmOGQxMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5GKqS+EirKhKo2yifwxwHYPc
NFQ8zMY9J/Xwkab3sc7/WVaD/qePYZfxUbupIkJGpDw4fWWOVUdv951QH0CtJe3B
7yheUiV0JXifP/0ZMFoqi1UWeICR97FPlFNjplvXyAyzBBy/EtK37LjV+WqF5fUX
HoHqsZpUYyWFWumiHUgkhnYtQwJkQRoU/GVd21HdEAli3TBKRFDf7QCPufcEHjWQ
6gNLzGGVQlOhsiOQ29Qh7PJZsfVsSJ3oCLOyDLD7RyAR7Q/62aPDLsU50bZ8tAWt
JMv81DG5ihM6L6tepJ6Y7EwZJHuGRUp4QNOyAq12oTI765wP0eViRdytEOcC9wID
AQABo4IBqDCCAaQwCQYDVR0TBAIwADARBglghkgBhvhCAQEEBAMCBkAwCwYDVR0P
BAQDAgWgMDMGCWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIg
Q2VydGlmaWNhdGUwHQYDVR0OBBYEFExVwr1jCtVnZahaj0kRY17Jqx94MIHhBgNV
HSMEgdkwgdaAFExVwr1jCtVnZahaj0kRY17Jqx94oYG6pIG3MIG0MQswCQYDVQQG
EwJVUzEOMAwGA1UECBMFU3RhdGUxETAPBgNVBAcTCExvY2FsaXR5MTgwNgYDVQQK
Ey9wZlNlbnNlIHdlYkNvbmZpZ3VyYXRvciBTZWxmLVNpZ25lZCBDZXJ0aWZpY2F0
ZTEoMCYGCSqGSIb3DQEJARYZYWRtaW5AcGZTZW5zZS5sb2NhbGRvbWFpbjEeMBwG
A1UEAxMVcGZTZW5zZS01OGYxN2ViNGNmOGQxggEAMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQgCAjAgBgNVHREEGTAXghVwZlNlbnNlLTU4ZjE3ZWI0Y2Y4ZDEw
DQYJKoZIhvcNAQELBQADggEBAIE5Cpo9PpxVYu6Tg8as03HpoA4ZeeVYIb9EI4ov
3+IRa/zSJ18pFr7pL7IHRpX1SrLpCu6VLoKoWNIlxEt0D5+mIS2VRus4q/rk/OQ7
CkEvd5JOr1hMN2qdBtQgBX/cewERn5lD7LAjCQgDw6R0iHW1OD0/+Dye6FQ43Xtv
DoMYQG5zQ+rjiJKcVqM8GSj6yGEbe04b+fB+wBiBkQlgnEiUsnnWJtbWYcFOpsR9
XdDzQz5kui7Jbf1yETQ+0gVeTTB8V/pYt5RJdif8LsjMUZpQFgLSXlNy0QqVEUIM
OET8/PjU2jWrpcXO/bCax8cHHiZW0WA04GBUSDKIfrAmtcQ=
-----END CERTIFICATE-----Server certificate
subject=/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-58f17eb4cf8d1
issuer=/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-58f17eb4cf8d1No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bitsSSL handshake has read 1934 bytes and written 302 bytes
Verification error: unable to verify the first certificateNew, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 2E9AF3C6A6E082F44875A97E7E0B63A78ABFA5E852EAF51C7A42AB65EE8851A3
Session-ID-ctx:
Master-Key: 757E3625639E62E27311734C988A4EF7BE3550682B0326746EF568D0DDF3E6F4FDF39209C0DCCBE45D150D7CECA12553
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1535968489
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: noIf i try same command on other machine not connected to this pfsense it s works
CONNECTED(00000004)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = cloud.conseil-info-30.com
verify return:1Certificate chain
0 s:/CN=cloud.conseil-info-30.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIHHTCCBgWgAwIBAgISA1DMlJ1j55zuCfahFDpXyyQVMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA3MDUxODMyMjFaFw0x
ODEwMDMxODMyMjFaMCQxIjAgBgNVBAMTGWNsb3VkLmNvbnNlaWwtaW5mby0zMC5j
b20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC54ghW7WzAc0SIDPpB
4EH33JHArcVA9pI1tBMiEeYI6T91gGcF8SFP6ljrMfYXRSam8vQwiXPawoUD6MzS
8/Jc2L1dRFYUdQ6Bu5d2OFrhacVdMG0c0flE9QfV5akl9HDZCU5j7LVh8ePCkWrh
TFwY7rPr6/5jo8EgAY60mnHLX7nQg3kuyPuH4HlN4MCzLP8guDfTAcutzMjTFotk
h7+p0esiWZiZIil9siQ/5AOOx6i9Bm2B5aAmaGoTswOCdgI71HL+YO3fqs1hJGI9
9ui1gECT0GJTGU8CaEvCdbnSDaXZFXzSfWVmKBSAi6N4fG/+Sg2s9rOq2I8q1yUw
6/Vin4v1u6VlzsMhpNst45mB3HO+s2CEor3yNkNlfkzu1yUK7rOG1bbLzIGRBlaO
aTBRP0VTpUhOsJUrbVYdg6shHVeGUK0baozapwEFPdoerQdtnkSLf/zHktlzSQIn
2u5uyI+sTjc4orb24lHHnr8XBb1sx39Oly88jgxlIYunXITjS6JI14m1jzSVUMfT
peMV7s7CWj2hFfWyad4glmzx7uq/5fTxoOxzMH1Iad8DfDO09S0pQdvpL9RujJf/
7sayPgkOb/pgNZVAvIZcVwXl7xbm9RDhgngyiS6eRhKEXUsUA1dmOxrpgs6vMdnN
aBRsYIy2YGI3E+6AuzAjMhzmCQIDAQABo4IDITCCAx0wDgYDVR0PAQH/BAQDAgWg
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G
A1UdDgQWBBQ1MdZDwSx6lmNnv8NoAU/L60RkSzAfBgNVHSMEGDAWgBSoSmpjBH3d
uubRObemRWXv86jsoTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6
Ly9vY3NwLmludC14My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6
Ly9jZXJ0LmludC14My5sZXRzZW5jcnlwdC5vcmcvMCQGA1UdEQQdMBuCGWNsb3Vk
LmNvbnNlaWwtaW5mby0zMC5jb20wgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYG
CysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNy
eXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBv
bmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBp
biBhY2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBh
dCBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzCCAQQGCisGAQQB
1nkCBAIEgfUEgfIA8AB2ANt0r+7LKeyx/so+cW0s5bmquzb3hHGDx12dTze2H79k
AAABZGvuYB0AAAQDAEcwRQIhALFB8uUgSuqcrw3kClXQpDwfmgaZNRzYy6+9yMJU
hfY/AiBxZAjOFIhX1R/Y6nm1/2/GaBpQE/eKv9CbQdesXgJL+gB2ACk8UZZUyDll
uqpQ/FgH1Ldvv1h6KXLcpMMM9OVFR/R4AAABZGvuYC4AAAQDAEcwRQIgIl2GDKtv
a4ZI8HR5Kstbo89ibVW7as9eiPDSEjzI5wkCIQC26qrBX/bsinwV5NRIjbGXWJhx
L0y5UtkDb9R0xKJ5+TANBgkqhkiG9w0BAQsFAAOCAQEAMG5za6ls+Aa9xGtkz25B
YIFtIip3qDKhxo0ynmmEVzmFrnuh9LQsEBdU8c30aml/u/h0eRblgViPFQRX1yuA
PLNCRyOHpgKNo6QM+yaPlgjMlhOICO3JiEAvGs7ewoEuiQMAlpKdR8EPdCYV1LKS
g0zmOC6st5Ia84IH5cshI5FM+Br67VA/P96dQN0ki/4BTLFz93FG2OR6To3tJgoe
hKFLzoPm9asWWia8KsvLBaqqbgpkRDLmZ7Pfi0kzWCoxVkmpj5AwFxp85Vboc5Op
jd2SNZ+B3XrukbR7QV1dhx/55XjntJw1jT+QmbJGI8SH2fM3FYk+HxjNJ6dWQHxz
rw==
-----END CERTIFICATE-----
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----Server certificate
subject=/CN=cloud.conseil-info-30.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bitsSSL handshake has read 3928 bytes and written 433 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 1C9BC59D3E1BABD4BF77784097235F9E622D52FC82E84126C9601D900F1168C5
Session-ID-ctx:
Master-Key: D917581B92522291A5EC89EF8AEDE76D5697BF531A8952735D27BBFE09520577FCBAE19D7212BBD2D40F0F5D31FA8C32
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 3b 8d 96 d0 35 6f 79 2e-10 97 ec 4d 4e 54 ae 5b ;...5oy....MNT.[
0010 - 53 9d d2 d0 05 fe 52 8c-d6 a6 f8 de a0 20 8b 02 S.....R...... ..
0020 - 78 95 8a 3f 35 54 d9 70-8a d5 b5 f1 cd bd 1f 65 x..?5T.p.......e
0030 - 69 86 82 97 54 9e 44 f3-28 f7 85 fa 97 eb f5 c5 i...T.D.(.......
0040 - 38 6e 09 ea 14 88 d4 dc-7f 69 31 ae 60 71 70 3b 8n.......i1.`qp;
0050 - 5e 79 62 14 16 dd 18 c9-e3 4e c8 49 74 69 65 4e ^yb......N.ItieN
0060 - e9 65 4e 4c a5 9d 6b c5-4c 35 61 c2 d0 86 2b f1 .eNL..k.L5a...+.
0070 - e2 82 ab e4 eb 89 e1 48-aa 29 8c f8 28 fb b9 d1 .......H.)..(...
0080 - dd 9e 93 40 27 b6 f4 9a-e0 b0 d2 14 d5 56 57 f4 ...@'........VW.
0090 - 50 7e 63 1f a4 ee 98 e2-65 5e 7b 56 91 75 9c 2d P~c.....e^{V.u.-
00a0 - 91 28 72 43 61 56 27 2f-1b cb 29 20 bf e7 39 13 .(rCaV'/..) ..9.Start Time: 1535968539 Timeout : 300 (sec) Verify return code: 0 (ok)
NO idea of why i got this behaviour.
-
@max33 said in Issue with SSL:
cloud.conseil-info-30.com
What does that resolve too - your hitting your pfsense web gui, which is why you get presented with the web gui cert..
Its resolve to 185.220.x.x on the public side.. Have to assume that is pfsense WAN.. So yeah if you hit pfsense wan from the lan side you would get the web gui.. Your local side stuff should resolve that to your rfc1918 address. Or you would have to setup nat reflection and move pfsense web gui off the standard ports or your going to run into problems trying to use nat reflection hitting your wan IP to get reflected back in, etc. Just setup host override so local box resolves that to its local IP.
-
hi and thanks for taking time to respond
I solved the issue by setting up host override in the /etc/hosts of the server.
By the way it s still difficult for me to understand why i reach the pfsense webconfigurator CA .
I understand that the local machine get dns resolution correct and then get Public IP of the Pfsense WAN.
I Nat the 443 port to the local machine
So why i reach the web GUI as for me the Web gUi is on the lan side ?
PS: it s more to understand cleary what happen .........
-
Default lan rules are what - any any by default... Your wan IP can be reached by lan clients... The web gui listens on all IPs of pfsense.. So yeah if you hit wan IP on port gui is listening on - then you get the web gui..
why would you setup host record on server - why would you not just set it up on pfsense dns so that all clients of pfsense dns would get the local IP?
-
Yes, correcting this on the firewall for all clients is a much better solution here:
https://www.netgate.com/docs/pfsense/nat/accessing-port-forwards-from-local-networks.htmlSteve
-
HI thanks both for your explanation that make more sense now for me.
Effectively it s better to use Split DNS and to add entry for all i just forget this simple solution.
KR
