Netgate Discussion Forum

Problem with webGUI certificate

    SamDond
    last edited by Oct 15, 2021, 9:55 PM

    I have a fresh install of pfSense and added the squid and squidGuard packages. Everything works fine and squidGuard blocks things. However, when a website is blocked I do not get the normal "This website has been blocked" page, but instead an error message from Squid.

    (92) Protocol error (TLS code: X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
    Self-signed SSL Certificate: /O=pfSense webConfigurator Self-Signed Certificate/CN=pfSense=3c3100c2b0dda

    From what I gather there is some problem with the certificate that the web gui uses. I've tried googling for a solution but there is little information about this, and what few things I found do not work. I tried renewing the webGUI certificate as it was expired straight away when I installed pfSense, then I tried changing the web GUI to use HTTP, then I tried changing the proxy settings in Squid to have "Bypass Proxy for Private Address Destination" enabled, as well as the IP for pfSense in "Bypass Proxy for These Destination IPs", but these all did nothing. Any help is appreciated. Thanks.

    For reference my version of pfSense is 2.5.2-RELEASE, squid is 0.4.45_5, and squidGuard is 1.16.18_20.

      SamDond
      last edited by Oct 16, 2021, 4:32 AM

      I've done a bit of digging for the error message here: https://www.openssl.org/docs/man1.1.0/man3/X509_STORE_CTX_set_current_cert.html

      I looked up the error message code and found this:

      X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate
      the passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates.

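As an added example that is not from this thread or from the pfSense, Squid or OpenSSL projects, here is the check behind that error code, written against Go's standard library: a constructed certificate shaped like the pfSense webConfigurator default is verified first against an empty trust store and then against a store that contains it. Go reports the first failure as x509.UnknownAuthorityError where OpenSSL reports X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; the CN and the hostname pfsense.example are placeholders, not values from the post.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newGUICert builds a constructed self-signed certificate shaped like the
// pfSense webConfigurator default (O from the post; placeholder CN/hostname).
func newGUICert(notAfter time.Time) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"pfSense webConfigurator Self-Signed Certificate"}, CommonName: "pfSense-placeholder"},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter, // a past value reproduces the OP's already-expired GUI cert
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     []string{"pfsense.example"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // parent == template: self-signed
	if err != nil {
		panic(err) // constructed fixture; failing here is a programming error
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}

// verifyAs is the check a verifying client such as Squid makes before it fetches
// the block page: chain the cert to a trust store (trusted == nil means an empty
// store). With no anchor Go returns x509.UnknownAuthorityError, the condition
// OpenSSL reports as X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT; an expired cert
// fails earlier with x509.CertificateInvalidError{Reason: x509.Expired}.
func verifyAs(cert, trusted *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	if trusted != nil {
		roots.AddCert(trusted)
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: "pfsense.example", CurrentTime: now})
	return err
}

func main() {
	now := time.Now()
	cert := newGUICert(now.Add(24 * time.Hour))
	fmt.Println("empty trust store:", verifyAs(cert, nil, now)) // x509: certificate signed by unknown authority
	fmt.Println("GUI cert trusted:", verifyAs(cert, cert, now)) // <nil>
}
```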
        SamDond
        last edited by Oct 16, 2021, 5:39 AM

        Ok so I sorta fixed it with a slight workaround.

        Set pfSense's web gui to use http rather than https. Go to Services > SquidGuard Proxy Filter, and go to the Common ACL tab. Here change the Redirect Mode to ext url move (enter URL) and then in Redirect Info you add: http://<my_pfsense_ip>/sgerror.php?url=403%20Error&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u (replace <my_pfsense_ip> with the actual value, by default it's 192.168.1.1).

        There is probably a better solution to this involving the web gui's certificate not clashing with squidguard out of the box, but I can't find any help on it anywhere.

          Gertjan @SamDond
          last edited by Oct 18, 2021, 10:09 AM

          @samdond

          Browsers will always warn if a certificate is self signed.
          When you access the pfSense GUI over https, pfSense will use a self generated - thus self signed - certificate. You can instruct your browser to make an exception.

          Or get a certificate from a trusted certificate authority, like Letsencrypt and the acme.sh pfSense package.

          @samdond said in Problem with webGUI certificate:

          Set pfSense's web gui to use http rather than https.

          That's another solution.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit: and where are the logs??

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.