    [bug] ntopng - Broken SSL, inaccessible web with own cert from pfSense

    • H
      hova last edited by

      I installed the newest/freshest pfSense yesterday: 2.4.4_2. Today I installed ntopng 0.8.13_3. The ntopng package took the certificate from pfSense, which is self-signed, from my own intermediate CA, from my own root CA.

      Now, the ntopng created the .pem file:
      /usr/local/share/ntopng/httpdocs/ssl/ntopng-cert.pem

      This ntopng-cert.pem does NOT contain the intermediate+root .cer public keys from the pfSense, only the server's public/private key => the final resulting certificate is invalid.

      It's also not possible to connect via http (without SSL), as the /usr/local/etc/rc.d/ntopng.sh script has configured the "-w 0".

      So, after a fresh install, without doing anything special, the package is just broken.

      I've tried quite hard to fix this - but the ntopng-cert.pem always gets rewritten after the restart (?), so it just replaces my own fixed .pem (with the intermediate/root certs inside).

      Like this, Chrome just tells me:
      NET::ERR_CERT_AUTHORITY_INVALID

      And when I inspect the cert in Chrome, I see this:
      The issuer of this certificate could not be found.

      Anybody ;-)? Thank you!

      • H
        hova last edited by

        UPD:

        Context:

        • The package manifest: /usr/local/pkg/ntopng.xml uses:
        • Config: /usr/local/pkg/ntopng.xml which includes:
        • Include: /usr/local/pkg/ntopng.inc which includes:
        • Include: /etc/inc/certs.inc which holds the cert-functions

        The cert-functions are then used like this:

        $cert = lookup_cert($config['system']['webgui']['ssl-certref']);
        ntopng_write_cert_file("/usr/local/share/ntopng/httpdocs/ssl/ntopng-cert.pem", $cert);
        

        Which is the problem I guess, as the ['ssl-certref'] is used alone, without any dependent intermediate certs.

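The missing-intermediate failure described in this thread can be reproduced away from the firewall. The script below is an added example, not part of the original posts or of the ntopng package: it builds a throwaway root -> intermediate -> server PKI with openssl and checks a certificate-plus-key bundle with and without the intermediate. All subject names, helper functions and bundle file names are constructed, and it assumes the client trusts only the root CA.

```shell
#!/bin/sh
# Constructed lab PKI: root CA -> intermediate CA -> server. All names are made up.
# Assumes the openssl command-line tool is installed.

issue() {  # issue DIR NAME SUBJECT SIGNER KIND  (SIGNER: "self" or an earlier NAME; KIND: ca|leaf)
    d=$1 n=$2 signer=$4 ext=
    [ "$5" = ca ] && ext="-extfile $d/ca.ext"   # used unquoted below: DIR must not contain spaces
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    if [ "$signer" = self ]; then
        openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" $ext -days 30 \
            -out "$d/$n.crt" 2>/dev/null
    else
        openssl x509 -req -in "$d/$n.csr" -CA "$d/$signer.crt" -CAkey "$d/$signer.key" \
            -CAcreateserial $ext -days 30 -out "$d/$n.crt" 2>/dev/null
    fi
}

make_lab() {  # make_lab DIR : builds the PKI and two candidate bundles in DIR
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    issue "$d" root "/CN=Lab Root CA" self ca &&
    issue "$d" int "/CN=Lab Intermediate CA" root ca &&
    issue "$d" srv "/CN=fw.lab.example" int leaf || return 1
    cat "$d/srv.crt" "$d/srv.key" > "$d/leaf-only.pem"                # bundle as the post describes it
    cat "$d/srv.crt" "$d/int.crt" "$d/srv.key" > "$d/with-chain.pem"  # server cert + intermediate + key
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Succeeds only if a client that trusts just ROOT_CRT can build a path from the certs in PEM.
served_chain_ok() {  # served_chain_ok ROOT_CRT PEM
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$2" > "$2.certs"   # drop the private key
    openssl verify -CAfile "$1" -untrusted "$2.certs" "$2.certs" 2>&1 | grep -q ': OK'
}

lab=$(mktemp -d) && make_lab "$lab" || { echo "openssl setup failed" >&2; exit 1; }
for pem in leaf-only with-chain; do
    if served_chain_ok "$lab/root.crt" "$lab/$pem.pem"; then r="path builds"; else r="issuer not found"; fi
    echo "$pem.pem: $(count_certs "$lab/$pem.pem") cert(s), $r"
done
rm -rf "$lab"
```

The same `count_certs` and `served_chain_ok` checks can be pointed at a real bundle and the root certificate that the browser trusts.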