Netgate Discussion Forum

    Issue with SSL

max33:

Hi,
I got a strange behaviour with a pfSense 2.4.

I have one Seafile server with an SSL certificate given by Let's Encrypt.
This web server is protected by pfSense, with 443 and 80 NATed to it.

The issue is that when I try to verify the SSL certificate from a machine inside the LAN protected by the pfSense, I get an error because the certificate is checked using pfSense??

Information:

Server URL: cloud.conseil-info-30.com
I checked the SSL certificate on both the pfSense shell and another Linux machine connected to the same LAN with the command:

openssl s_client -showcerts -connect cloud.conseil-info-30.com:443

Result:
      CONNECTED(00000003)
      depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-58f17eb4cf8d1
      verify error:num=20:unable to get local issuer certificate
      verify return:1
      depth=0 C = US, ST = State, L = Locality, O = pfSense webConfigurator Self-Signed Certificate, emailAddress = admin@pfSense.localdomain, CN = pfSense-58f17eb4cf8d1
      verify error:num=21:unable to verify the first certificate
      verify return:1

      Certificate chain
      0 s:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-58f17eb4cf8d1
      i:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-58f17eb4cf8d1

      Server certificate
      subject=/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-58f17eb4cf8d1
      issuer=/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-58f17eb4cf8d1

      No client certificate CA names sent
      Peer signing digest: SHA512
      Server Temp Key: ECDH, P-256, 256 bits

      SSL handshake has read 1934 bytes and written 302 bytes
      Verification error: unable to verify the first certificate

      New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
      Server public key is 2048 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
      Protocol : TLSv1.2
      Cipher : ECDHE-RSA-AES256-GCM-SHA384
      Session-ID: 2E9AF3C6A6E082F44875A97E7E0B63A78ABFA5E852EAF51C7A42AB65EE8851A3
      Session-ID-ctx:
      Master-Key: 757E3625639E62E27311734C988A4EF7BE3550682B0326746EF568D0DDF3E6F4FDF39209C0DCCBE45D150D7CECA12553
      PSK identity: None
      PSK identity hint: None
      SRP username: None
      Start Time: 1535968489
      Timeout : 7200 (sec)
      Verify return code: 21 (unable to verify the first certificate)
      Extended master secret: no

If I try the same command on another machine not connected to this pfSense, it works:

      CONNECTED(00000004)
      depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
      verify return:1
      depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
      verify return:1
      depth=0 CN = cloud.conseil-info-30.com
      verify return:1

      Certificate chain
      0 s:/CN=cloud.conseil-info-30.com
      i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
      1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
      i:/O=Digital Signature Trust Co./CN=DST Root CA X3

      Server certificate
      subject=/CN=cloud.conseil-info-30.com
      issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

      No client certificate CA names sent
      Peer signing digest: SHA512
      Server Temp Key: ECDH, P-256, 256 bits

      SSL handshake has read 3928 bytes and written 433 bytes

      New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
      Server public key is 4096 bit
      Secure Renegotiation IS supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
      Protocol : TLSv1.2
      Cipher : ECDHE-RSA-AES256-GCM-SHA384
      Session-ID: 1C9BC59D3E1BABD4BF77784097235F9E622D52FC82E84126C9601D900F1168C5
      Session-ID-ctx:
      Master-Key: D917581B92522291A5EC89EF8AEDE76D5697BF531A8952735D27BBFE09520577FCBAE19D7212BBD2D40F0F5D31FA8C32
      Key-Arg : None
      PSK identity: None
      PSK identity hint: None
      SRP username: None
      TLS session ticket lifetime hint: 300 (seconds)

      Start Time: 1535968539
      Timeout   : 300 (sec)
      Verify return code: 0 (ok)
      

No idea why I get this behaviour.

johnpoz (LAYER 8 Global Moderator):

        @max33 said in Issue with SSL:

        cloud.conseil-info-30.com

What does that resolve to? You're hitting your pfSense web GUI, which is why you get presented with the web GUI cert..

It resolves to 185.220.x.x on the public side.. Have to assume that is the pfSense WAN.. So yeah, if you hit the pfSense WAN from the LAN side you would get the web GUI.. Your local side stuff should resolve that to your RFC1918 address. Or you would have to set up NAT reflection and move the pfSense web GUI off the standard ports, or you're going to run into problems trying to use NAT reflection hitting your WAN IP to get reflected back in, etc. Just set up a host override so the local box resolves that to its local IP.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

max33:

Hi, and thanks for taking the time to respond.

I solved the issue by setting up a host override in the /etc/hosts of the server.

By the way, it's still difficult for me to understand why I reach the pfSense webConfigurator CA.

I understand that the local machine gets the DNS resolution correct and then gets the public IP of the pfSense WAN.

I NAT the 443 port to the local machine.

So why do I reach the web GUI, as for me the web GUI is on the LAN side?

PS: it's more to understand clearly what happens.........

johnpoz (LAYER 8 Global Moderator):

Default LAN rules are what? Any any by default... Your WAN IP can be reached by LAN clients... The web GUI listens on all IPs of pfSense.. So yeah, if you hit the WAN IP on the port the GUI is listening on, then you get the web GUI..

Why would you set up a host record on the server? Why would you not just set it up on the pfSense DNS so that all clients of the pfSense DNS would get the local IP?

stephenw10 (Netgate Administrator):

              Yes, correcting this on the firewall for all clients is a much better solution here:
              https://www.netgate.com/docs/pfsense/nat/accessing-port-forwards-from-local-networks.html

              Steve

max33:

Hi, thanks to both of you for your explanation; that makes more sense to me now.

Effectively it's better to use split DNS and to add an entry for all; I just forgot this simple solution.

                KR
