[bug] ntopng - Broken SSL, inaccessible web with own cert from pfSense



  • I installed the newest pfSense yesterday: 2.4.4_2. Today I installed ntopng 0.8.13_3. The ntopng package took the certificate from pfSense, which is self-signed, from my own intermediate CA, from my own root CA.

    Now, the ntopng created the .pem file:
    /usr/local/share/ntopng/httpdocs/ssl/ntopng-cert.pem

    This ntopng-cert.pem does NOT contain the intermediate+root .cer public keys from the pfSense, only the server's public/private key => the final resulting certificate is invalid.

    It's also not possible to connect via http (without SSL), as the /usr/local/etc/rc.d/ntopng.sh script has configured the "-w 0".

    So, after a fresh install, without doing anything special, the package is just broken.

    I've tried quite hard to fix this - but the ntopng-cert.pem always gets rewritten after a restart (?), so it just replaces my own fixed .pem (with the intermediate/root certs inside).

    Like this, Chrome just tells me:
    NET::ERR_CERT_AUTHORITY_INVALID

    And when I inspect the cert in Chrome, I see this:
    The issuer of this certificate could not be found.

    Anybody ;-)? Thank you!



  • UPD:

    Context:

    • The package manifest: /usr/local/pkg/ntopng.xml uses:
    • Config: /usr/local/pkg/ntopng.xml which includes:
    • Include: /usr/local/pkg/ntopng.inc which includes:
    • Include: /etc/inc/certs.inc which holds the cert-functions

    The cert-functions are then used like this:

    $cert = lookup_cert($config['system']['webgui']['ssl-certref']);
    ntopng_write_cert_file("/usr/local/share/ntopng/httpdocs/ssl/ntopng-cert.pem", $cert);
    

    Which is the problem I guess, as the ['ssl-certref'] is used alone, without any dependent intermediate certs.

