pfSense and Google trust anchor
-
I couldn't find the right place for this question to go, so I just crammed it in here :)
Anyway, it seems that Google has implemented (a little while ago) a tighter network connection validation that can't be interrupted, or you'll get thrown a "trust anchor for certification path not found" when trying to access your own SSL sites, and I'm trying to figure out what part of my network it doesn't like. I figured I'd start with pfSense, or at least ask you guys first, as you seem WAY more knowledgeable about this kind of stuff than my usual forums :)
So, the complete chain of trust on my specific network goes: Applet > Traefik > NAS > pfSense > Cloudflare >>> back down.
Knowing that there's an interruption somewhere in that chain, where is the best place to start looking for a solution (what part is the likely culprit that needs "fixed")?
Just an FYI, this is specifically happening on an application called Moon+ Pro Reader (it's an ebook reader) that links to my calibre library via calibre-web. My deployment uses SSL the entire length of the info trip from applet to Cloudflare and out.
OR, rather than spend time and energy trying to figure out WTF is going on, would it just make sense to run the calibre-web instance through a VPN for privacy and just set really strong passwords?
(I had messaged the developer of the app about this, and he's the one who pointed out to me the Google/Android security part. Specifically, he said "Hi, the network connection validation is managed by the Android system automatically, Google doesn't allow an app in GooglePlay to interrupt the verification process, so please configure your network to fit the security strategy of Google, we can do nothing.") If anyone wants to test it, feel free to PM me and I'll supply you with the test account credentials I created for the dev.
Anyways, thanks in advance
-
Ok, which part of that system are you running?
pfSense would not normally have any part in an SSL certificate exchange unless you are running Squid or HAProxy, are you?
What I expect to see is SSL between the application and the server directly, or at least between Android and the server. That would only not happen if you are running through proxies in between.
Steve
-
@stephenw10 The only proxy I am running is Traefik. I think I'll head over to them and ask. Thanks for the info.
-
Yeah, if all the app traffic is being proxied through that it's the first place to check.
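Added example, not part of the thread or any poster's setup: the most common cause of Android's "Trust anchor for certification path not found" is a server (here, the proxy terminating TLS) that sends only the leaf certificate and omits the intermediate CA, so the client cannot link the leaf back to a root it trusts. The script below builds a throwaway three-tier chain with a constructed root, intermediate and a hypothetical host name (calibre.example.test) and shows that OpenSSL rejects the leaf-only case while accepting leaf plus intermediate. It assumes only that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "missing intermediate" failure
# with a throwaway three-tier chain so the symptom is recognisable before you
# go digging through Traefik, pfSense or Cloudflare settings.
# CA names and the host name calibre.example.test are constructed placeholders.
set -u

# Issue a certificate for subject $3, signed by CA $2 (or self-signed when $2 = self),
# writing $1/$4.key and $1/$4.pem; X.509 extensions come from the text in $5.
issue_cert() {
  dir=$1; ca=$2; subject=$3; name=$4; exts=$5
  printf '%s\n' "$exts" > "$dir/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$subject" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1 || return 1
  if [ "$ca" = self ]; then
    openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" -days 2 \
      -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" \
      -CAcreateserial -days 2 -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
  fi
}

# Constructed chain: root CA -> intermediate CA -> leaf for the hypothetical host.
make_demo_chain() {
  ca_exts='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'
  issue_cert "$1" self "Demo Root CA" root "$ca_exts" &&
  issue_cert "$1" root "Demo Intermediate CA" int "$ca_exts" &&
  issue_cert "$1" int "calibre.example.test" leaf 'basicConstraints=CA:FALSE
subjectAltName=DNS:calibre.example.test'
}

# The client trust store holds only the root; what the proxy sends decides the outcome.
verify_leaf_only() {  # proxy serves only the leaf -> "unable to get local issuer certificate"
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}
verify_with_intermediate() {  # proxy serves leaf + intermediate -> "OK"
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Returns 0 when the demo reproduces the symptom: leaf-only fails, full chain passes.
run_demo() {
  d=$(mktemp -d) || return 2
  make_demo_chain "$d" || { echo "could not build demo chain (is openssl installed?)"; rm -rf "$d"; return 2; }
  if verify_leaf_only "$d"; then a=OK; else a=FAIL; fi
  if verify_with_intermediate "$d"; then b=OK; else b=FAIL; fi
  echo "leaf only: $a   leaf + intermediate: $b"
  rm -rf "$d"
  [ "$a" = FAIL ] && [ "$b" = OK ]
}

run_demo
```

Against a real deployment, the same question is answered by `openssl s_client -connect <host>:443 -servername <host> -showcerts` pointed at whichever hop the Android app actually talks to: if the certificate chain it prints contains only the leaf, the TLS-terminating proxy needs its full chain file (leaf followed by intermediate) configured, and the "trust anchor" error on the phone is expected until it does. Checking the hop closest to the client first is the quickest way to localise the break in a multi-hop chain like the one described in the thread.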