Netgate Discussion Forum

navigating to subdomain resulting with Error 522

ACME
6 Posts 2 Posters 971 Views
TriStarGod
last edited by TriStarGod Jul 18, 2021, 3:28 PM

Previously accessed pfsense via IP (ie 192.168...) with self-signed certificate. I wanted to move to a CA-signed certificate for internal use.

    Using videos and tutorials like https://www.youtube.com/watch?v=Tc_8PAE8S28, I

    1. Bought a domain
2. Set the domain's name servers to Cloudflare
3. Set up an API key to update Cloudflare DNS settings
    4. Added a CNAME to redirect the primary domain (domain.com) to a personal website
    5. Added an A record to redirect the subdomain (pfsense.domain.com) to my internet's external IP.

    On my pfsense

    1. Installed ACME
    2. Added two account keys (Staging and Production)
3. Under Certificate, I created a certificate for subdomain (ie pfsense.domain.com). It was initially set up for Staging and then I switched it to Production.
    4. After successful credential creation (confirmed via recent Last renewed date), I navigated to System > Advanced and updated the certificate to the new subdomain and set alternate hostname to the new subdomain (pfsense.domain.com).

So far everything works well. I was able to navigate to pfsense.domain.com and control my pfsense without opening any ports to expose it to the internet.

The next day it stopped working. Every time I navigated to pfsense.domain.com, it would end with an Error 522. The only thing I was playing with was Post-ACME scripts to create ssl certificates on Windows but I doubt it has anything to do with this issue. Also, as an FYI (if it makes a difference), my DNS resolver for my primary network is on a Windows machine. I'm not using DNS anything on my pfsense.

    What must I do to get my subdomain working again?

jimp Rebel Alliance Developer Netgate
last edited by Jul 19, 2021, 6:10 PM

      Where is that 522 error coming from?

      Is it a browser error page, or an error page from the firewall?

      Does it work if you load the page by IP address?

      If you connect to ssh or the console and run option 16 then 11, does it start to work again? Or reboot?

TriStarGod @jimp
last edited by TriStarGod Jul 20, 2021, 4:51 AM

        @jimp said in navigating to subdomain resulting with Error 522:

        Where is that 522 error coming from?

When I navigate to subdomain (ie pfsense.domain.com), the error is generated. Looks like it's sent by Cloudflare. It states the browser and cloudflare are working but the host (pfsense.domain.com) is in Error.

        Is it a browser error page, or an error page from the firewall?

I believe it's generated by cloudflare.

        Does it work if you load the page by IP address?

        If I navigate it via my local ip (192.168...), yes. It does complain that "This server could not prove that it is 192.168...; its security certificate is from pfsense.domain.com. This may be caused by a misconfiguration or an attacker intercepting your connection." I click on "Proceed to 192.168... (unsafe)"

        If you connect to ssh or the console and run option 16 then 11, does it start to work again? Or reboot?

        I previously restarted the system. I tried your suggestion and logged into the console and ran 16 and then 11. Unfortunately, nothing changed.

I'm trying to learn more about how this process works so I can debug this better but I'm unclear how the browser knows pfsense.domain.com should resolve to my local ip 192.168... Is the domain server supposed to inform it?

A tracert of the subdomain shows it's hopping from the pfsense ip to some third party ip.
        ie.

        Tracing route to pfsense.domain.com [172.67...] over a maximum of 30 hops:

        1. <1ms <1ms <1ms 192.168... (pfsense ip)
          ....
        2. 16ms 16ms 14ms 172.67...
TriStarGod
last edited by TriStarGod Jul 20, 2021, 4:59 AM

Akismet preventing me from correcting the previous post

I'm trying to learn more about how this process works so I can debug this better but I'm unclear how the browser knows pfsense.domain.com should resolve to my local ip 192.168... Is the local dns server supposed to inform it? I'm not using pfsense as a dns resolver. Instead, I have a Windows DNS server.

          A tracert of the subdomain shows its hopping from the pfsense ip to some third party ip.

          ie

          Tracing route to pfsense.domain.com [172.67...] over a maximum of 30 hops:

          1. <1ms <1ms <1ms 192.168... (pfsense ip)
          ....
          11. 16ms 16ms 14ms 172.67...
TriStarGod
last edited by Jul 20, 2021, 5:14 AM

            I was able to get it working by creating an A record on my local DNS server and pointed the IP to pfsense.

jimp Rebel Alliance Developer Netgate
last edited by Jul 21, 2021, 3:01 PM

              That makes sense, since the firewall GUI wouldn't involve CloudFlare. The fact that you were seeing that means it must not have been resolving to something local. A DNS host override is the right thing to do there.

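A small diagnostic for the failure mode jimp describes: if a LAN client's resolver hands back public (Cloudflare-proxied) addresses for the GUI hostname instead of the firewall's LAN address, the browser leaves the LAN and Cloudflare has nothing to reach, hence the 522. This is an added example, not code from the thread or from pfSense; the hostname, LAN address and sample answers are constructed placeholders.

```python
"""Split-horizon DNS check for a firewall GUI hostname (added example)."""
import ipaddress
import socket


def resolve(hostname):
    """Return the addresses the client's own resolver gives for hostname."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    # Strip IPv6 scope ids such as "%eth0" so ipaddress can parse them.
    return {info[4][0].split("%")[0] for info in infos}


def classify(addresses, expected_lan_ip):
    """Classify resolver answers for the GUI hostname.

    'local'      every answer is the firewall's LAN address (override works)
    'public'     no private answer: traffic leaves the LAN; with a proxied
                 Cloudflare record it ends at Cloudflare, which cannot reach
                 a GUI that is not exposed (the 522 seen in the thread)
    'mixed'      private answers that are not the expected LAN address, or a
                 mix of private and public answers (some clients will fail)
    'unresolved' the name does not resolve at all
    """
    if not addresses:
        return "unresolved"
    expected = ipaddress.ip_address(expected_lan_ip)
    parsed = {ipaddress.ip_address(a) for a in addresses}
    if parsed == {expected}:
        return "local"
    if not any(ip.is_private for ip in parsed):
        return "public"
    return "mixed"


ADVICE = {
    "local": "OK: the host override is in effect for this resolver.",
    "public": "Add an A record / host override on the LAN DNS server that "
              "points the GUI hostname at the firewall's LAN address.",
    "mixed": "Answers disagree; look for a stale or conflicting override.",
    "unresolved": "No answer at all; check the zone and the client's DNS settings.",
}


def diagnose(hostname, expected_lan_ip, addresses=None):
    """Return (verdict, advice). Pass addresses to skip live resolution."""
    if addresses is None:
        addresses = resolve(hostname)
    verdict = classify(addresses, expected_lan_ip)
    return verdict, ADVICE[verdict]


if __name__ == "__main__":
    # Constructed sample: what a LAN client saw before the override was added.
    print(diagnose("pfsense.example.com", "192.168.1.1", {"172.67.0.10"}))
```

Run it with no third argument to test the resolver the machine actually uses; a "public" verdict on a LAN client is exactly the condition the host override fixes.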