When creating self signed certificate, no prompts

markn6262 · Oct 27, 2018, 2:50 AM

Trying to create a self signed certificate that validates following the directions here. When I issue command "openssl req -new -x509 -days 365 -key cert.key -out cert.crt -sha256", no prompts follow. Therefore command "openssl verify cert.crt" reports "error 18 at 0 depth lookup:self signed certificate". Appreciate any suggestions.

Grimson · Oct 27, 2018, 2:51 AM

https://www.netgate.com/docs/pfsense/certificates/index.html

markn6262 · Oct 27, 2018, 2:58 AM

I'm running mini_httpd alongside PfSense 2.4.4. Will creating certs in the PfSense GUI work with a dameon? I would need to know where the GUI created certs are stored. Need to reference a .PEM file in mini_httpd.conf .

markn6262 · Oct 27, 2018, 5:08 PM

I instead could use an https server if a pfsense pkg existed. A portal seems too intrusive for the need. Using mini_httpd to display a basic notification page explaining to clients why service is interrupted. I have mini_https working as an http server with many misses “page not found” because most web sites are https. Don’t find a method to redirect an https web browser request to a static http page.

stephenw10 · Oct 29, 2018, 2:55 PM

Where and when exactly are you trying to show these pages?

Steve

johnpoz · Oct 29, 2018, 3:25 PM

If you need to create and sign certs use the CA manager that is part of pfsense. You can download the file in PEM format and install to whatever you want.. Using some openssl cmd line from some freebsd doc is not how you would do it in pfsense.

stephenw10 · Oct 29, 2018, 4:13 PM

I suspect he may be running mini_httpd in pfSense.
Which is why he's attempting to do it like this.

jimp · Oct 29, 2018, 4:34 PM

A self-signed cert will result in browser errors for that kind of setup anyhow. Do not do this to/with your firewall. It is not going to have the result you want.

Back up and explain in more detail what you're trying to accomplish and why, maybe there will be an alternative solution that doesn't involve compromising the security of your firewall.

markn6262 · Oct 29, 2018, 4:43 PM

@johnpoz Thanks I’ll try the CA Mgr & report back.
@ stephenw10 I installed mini_httpd via ssl command line. Lauching with PfSense Cron so it survives PfSense reboots & updates. I have a few alias ip lists with rules that redirects webpage requests to the applicable mini_httpd hosted webpage to notify of RIAA violations, non-payment & maintenance downtime to reduce complaint calls & letters. Saves staff time & customer confusion.

johnpoz · Oct 29, 2018, 4:46 PM

Unless customers trust the CA you create in the CA manager - they are still going to balk at any certs you create.. If you want to strangers to trust your certs - they have to be signed by public CA that everyone's browsers trust out of the box. You could use ACME for such certs.

markn6262 · Oct 29, 2018, 4:50 PM

@jimp Plan on purchasing a signed cert. Self-signed is for testing at this point. Dont want users to have to accept an unsigned cert through prompts. The rule after the redirect rule is to block all traffic in alias so a response to the redirect webpage is needed before a client is unblocked. Hope this helps the security question. Open to other approaches.

markn6262 · Oct 29, 2018, 4:52 PM

@johnpoz Thats my intent, thanks. Looking @ others, I’ll check out ACME.

markn6262 · Oct 29, 2018, 5:00 PM

@johnpoz Also should mention I’m running mini_httpd localhost with access only by client pool on private lan subnet.

johnpoz · Oct 29, 2018, 5:24 PM

If access is by clients under your control - then very simple to have them all trust your CA... Then you can issue whatever certs you want for any fqdn and or IP address via SAN and they will accept it without complaining.. This allows for use of domains and or IPs that no public CA would ever sign off on...

stephenw10 · Oct 29, 2018, 5:28 PM

So this is to redirect customers trying to access pages on servers hosted behind your firewall?

Or your customers are on the inside trying to connect out and need to be notified?

I still expect a cert error there since users will be trying to connect to https://somehost and your error page will not be that host.

Steve

markn6262 · Oct 29, 2018, 5:33 PM

@stephenw10 Customers are on the inside trying to connect out and need to be notified.

johnpoz · Oct 29, 2018, 5:35 PM

Well that is always going to FAIL with cert error..

If I try and go to https://www.google.com you can not redirect me to https://whatever and expect it not to throw an error.. Not unless you doing MITM with a proxy - where your generating the certs for whatever fqdn they are trying to access.

markn6262 · Oct 29, 2018, 5:36 PM

@johnpoz You lost me a bit. I'm new to this CA stuff other than that needed for OpenVpn that I employ. I do know mini_httpd needs a CA with a common name equal to the host ip, 127.0.0.1 Are you saying ACME or other will not offer a signed CA to a private IP? Not understanding your work-around solution. Via SAN (storage area network)?

markn6262 · Oct 29, 2018, 5:40 PM

@stephenw10 Right now I'm getting cert warning because it's self-signed. View of self-signed shows company name, contact info, etc. but don't expect many will bother looking. When self-signed is accepted by client it does take the client to the proper hosted html page. Testing with myself as a client currently.

johnpoz · Oct 29, 2018, 5:41 PM

No you can offer up whatever cert you want... But since the common name or SAN does not match where your going the clients browser is going to throw a flag about it..