WebGUI SSL cert for HA cluster
-
@jimp Hi, thanks, that sounds good. I have applied method 1 already.
-
@johnpoz Hi, what is the reasoning behind considering method 1 a better option?
-
@jinat because you can access either or and the carp address with just 1 cert ;)
-
@johnpoz Here I am using the Web GUI SSL cert for accessing the GUI, following the configuration System->Advanced->AdminAccess->HTTPS->Certs. Not sure about the CARP VIP address you are talking about. How can an SSL cert be used in a CARP configuration? There should be a backend HTTPS configuration that I am aware of.
-
@jinat You have your CARP VIP, right? Pick a name and set up DNS to resolve that name, firewall-c.yourdomain.tld for example. Since the cert has the SAN for firewall-c, it's valid.
This would just load the node that is primary and owns the VIP at the time.
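The single-certificate setup described above can be checked from a shell. This is an added example, not part of the thread: it builds a throwaway self-signed certificate whose SAN lists both node names and the VIP name, then reports any access name the certificate does not cover. The two node FQDNs and the function names are assumptions (only firewall-c.yourdomain.tld comes from the thread), and `-addext` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example. Only firewall-c.yourdomain.tld appears in the thread;
# the two node names below are assumed for illustration.
NODE_A=firewall-a.yourdomain.tld   # assumed FQDN of the primary node
NODE_B=firewall-b.yourdomain.tld   # assumed FQDN of the secondary node
VIP=firewall-c.yourdomain.tld      # name that resolves to the CARP VIP

# make_cert DIR: write a constructed, self-signed test certificate to
# DIR/gui.crt with all three names in subjectAltName.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$VIP" \
        -addext "subjectAltName=DNS:$NODE_A,DNS:$NODE_B,DNS:$VIP" \
        -keyout "$1/gui.key" -out "$1/gui.crt" 2>/dev/null
}

# covers CERT NAME: succeed only if NAME matches the certificate.
# openssl prints "does match" or "does NOT match" for the host check.
covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" \
        | grep -q 'does match certificate'
}

# missing_names CERT NAME...: print each NAME the certificate does not
# cover; a browser would show a name-mismatch warning for those.
missing_names() {
    cert=$1; shift
    for name in "$@"; do
        covers "$cert" "$name" || echo "$name"
    done
}
```

To audit a real deployment, skip `make_cert` and pass the certificate installed on the nodes to `missing_names` together with every name administrators use to reach the GUI.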
-
@johnpoz I am not using CARP VIP for pfSense nodes. But yes, what I have done is I have given the certificate a shared common name, and the certificate includes a SAN with the FQDN of the primary and secondary node.
-
@jinat said in WebGUI SSL cert for HA cluster:
I am not using CARP VIP for pfsense nodes.
Then they are not really in an HA setup. The only way you could get a client to move over to the other node would be manually. If there is no VIP that the nodes pass shared that one owns and the other does not unless the primary fails.
How do your clients move to the other node? You would manually have to change their gateway to point to the other node.
-
@johnpoz Hi, yes, as I am not using CARP VIP it is not a fully redundant HA setup. Is there any way I can change the certificate with CLI? I have lost GUI access.
-
@jinat said in WebGUI SSL cert for HA cluster:
Is there any way I can change the certificate with CLI?
Like pick which one? I do not believe so, other than rolling back to another restore recent config.
You could use
pfSsh.php playback generateguicert
to generate a self-signed one and use that, or just revert to HTTP for the GUI, etc.
-
@johnpoz I recovered the GUI access by generating a new web configurator cert. Thanks.
Now I am getting "A communications error occurred while attempting to call XMLRPC method merge_installedpackages_section: @ 2021-12-14 08:52:20", and GUI access is not stable; it is very often giving a 504 gateway timeout error.