Netgate Discussion Forum

    cPanel + pfSense = few weird problems

    • Flegy

      Hello,

      I have some weird problems on the web server, which is using cPanel. Several days ago we set up a web server behind pfSense NAT 1:1; after that we have had several problems, and maybe they are related to each other.

      1. curl no longer wants to work on domains hosted on the web server, but when I curl Google it works fine

        • When I set up ZeroSSL, curl gives the error
          curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
        • After I generate SSL with cPanel, it then gives
          curl: (60) Issuer certificate is invalid.
      2. cannot ping 90% of public IPs on the local network /24 subnet, but other public networks in the /22 subnet work

        • For example, when I ping .3 to .9, which host websites on the same server, it works, but when trying to ping .63 - .75, which also host websites on the same server, it does not work. I also cannot ping the same network subnet outside of the server, for example .48, which is used on another dedicated server and is not behind pfSense.
        • ping from the office PC works fine on all IPs

      Any idea or hint about what the problem can be is welcome, because I have been trying to solve it for several days without success.

      Thanks in advance

      • PhlMike

        Any reason you don't have the destination set in the WAN firewall rule?

        • Flegy

          Can you mark which rule is wrong, or how I need to set it up to solve the problem? The rules are mostly default because it is the first time I am working with pfSense.

          When I run curl on the server with debug -v:

          * About to connect() to www.maxko-hosting.com port 443 (#0)
          *   Trying 45.95.168.7...
          * Connected to www.maxko-hosting.com (45.95.168.7) port 443 (#0)
          * Initializing NSS with certpath: sql:/etc/pki/nssdb
          *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
            CApath: none
          * Server certificate:
          *       subject: CN=server.maxko-hosting.com,E=ssl@server.maxko-hosting.com
          *       start date: Jul 13 13:57:15 2020 GMT
          *       expire date: Jul 13 13:57:15 2021 GMT
          *       common name: server.maxko-hosting.com
          *       issuer: CN=server.maxko-hosting.com,E=ssl@server.maxko-hosting.com
          * NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
          * Issuer certificate is invalid.
          * Closing connection 0
          curl: (60) Issuer certificate is invalid.
          More details here: http://curl.haxx.se/docs/sslcerts.html
          
          curl performs SSL certificate verification by default, using a "bundle"
           of Certificate Authority (CA) public keys (CA certs). If the default
           bundle file isn't adequate, you can specify an alternate file
           using the --cacert option.
          If this HTTPS server uses a certificate signed by a CA represented in
           the bundle, the certificate verification probably failed due to a
           problem with the certificate (it might be expired, or the name might
           not match the domain name in the URL).
          If you'd like to turn off curl's verification of the certificate, use
           the -k (or --insecure) option.
          

          The main question is why it can curl all websites that are not on the same machine where curl is run.

          • Flegy

            I am sorry for the bump, but I am still looking for a solution to get curl to work with NAT 1:1.

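Added example, not part of any post in this thread: a small check that reads the certificate fields out of the `curl -v` output posted above and reports what they show. The function names and finding labels are this example's own; the sample text is an excerpt copied from the post.

```python
import re

# Excerpt of the `curl -v` output posted in the thread.
CURL_VERBOSE = """\
* Connected to www.maxko-hosting.com (45.95.168.7) port 443 (#0)
* Server certificate:
*       subject: CN=server.maxko-hosting.com,E=ssl@server.maxko-hosting.com
*       common name: server.maxko-hosting.com
*       issuer: CN=server.maxko-hosting.com,E=ssl@server.maxko-hosting.com
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
"""

def parse_curl_verbose(text):
    """Extract the requested host and certificate fields from curl -v output."""
    patterns = {
        "host": r"^\* Connected to (\S+) ",
        "subject": r"^\*\s+subject: (.+)$",
        "issuer": r"^\*\s+issuer: (.+)$",
        "common_name": r"^\*\s+common name: (\S+)",
    }
    fields = {}
    for key, pattern in patterns.items():
        match = re.search(pattern, text, re.MULTILINE)
        if match:
            fields[key] = match.group(1).strip()
    return fields

def name_matches(pattern, host):
    """Compare label by label; '*' is accepted only as the left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def diagnose(text):
    """Return findings visible in the output (hypothetical labels)."""
    f = parse_curl_verbose(text)
    findings = []
    # Subject equal to issuer: the certificate is self-issued, so no CA in
    # the bundle named by CAfile can vouch for it.
    if f.get("subject") and f["subject"] == f.get("issuer"):
        findings.append("self-signed")
    # This curl build prints only the common name, not subjectAltName
    # entries, so this is a CN-only comparison.
    if "host" in f and "common_name" in f and not name_matches(f["common_name"], f["host"]):
        findings.append("name-mismatch")
    return findings

if __name__ == "__main__":
    print(diagnose(CURL_VERBOSE))
```

Both findings describe the certificate the server at that address presented for the requested name, which is separate from the firewall and NAT rules discussed in the thread.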