Netgate Discussion Forum

    webConfigurator certificate expiring

    • P
      pulsartiger
      last edited by

      I just noticed a bunch of 'Notices' on my dashboard stating "The following CA/Certificate entries are expiring:
      Certificate: webConfigurator default". Expires in 22 days. When I view System -> Certificate Manager -> Certificates, I see an option to 'Renew'. It gives me some warnings and I want to make sure I am doing the right thing.

      1.) Is this normal for any pfSense install? I only access the web GUI in my LAN (no remote access)
      2.) Do I simply renew the license and accept the warnings?
      3.) How often does this happen? I've been using pfSense since Dec 2020 and I don't recall ever seeing this message before (or having to renew a certificate).

      S jimpJ 2 Replies Last reply Reply Quote 1
      • S
        SteveITS Galactic Empire @pulsartiger
        last edited by

        @pulsartiger In the past certs could be valid for 10 years but a few years ago the powers that be decided to only allow 398 days. You can just renew it. It's a self-signed cert anyway. The cert will have from/to dates listed.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        1 Reply Last reply Reply Quote 2
        • jimpJ
          jimp Rebel Alliance Developer Netgate @pulsartiger
          last edited by

          @pulsartiger said in webConfigurator certificate expiring:

          1.) Is this normal for any pfSense install? I only access the web GUI in my LAN (no remote access)

          Yes, it's normal.

          2.) Do I simply renew the license and accept the warnings?

          It's not a license, just the GUI SSL certificate. In most cases just click the renew button and then confirm the renewal. Some older certificates or certificates with weak properties may need to have their properties updated to be secure, but the renewal screen gives an easy checkbox choice for this.

          If any of the values in the "Would Change" column at the bottom say Yes then you should probably check the Strict Security box before updating. Some rare cases may need intentionally weaker security but most people are better off with more secure options and the old ones may have been old defaults or chosen out of habit.

          3.) How often does this happen? I've been using pfSense since Dec 2020 and I don't recall ever seeing this message before (or having to renew a certificate).

          Current standards require server certificates to have a life of no longer than 398 days, so about once per year they will need renewed. This does not apply to CA or user certificates, only server certificates.

          @steveits said in webConfigurator certificate expiring:

          @pulsartiger In the past certs could be valid for 10 years but a few years ago the powers that be decided to only allow 398 days.

          Rather than the ambiguous "the powers that be", you can point the finger at Apple specifically. It was up for a standards vote and failed but they decided to do it anyhow. If we didn't follow suit then people would not be able to hit the GUI securely from OS X/iOS, and eventually others followed.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          S 1 Reply Last reply Reply Quote 5
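
An added example, not part of any post in this thread and not pfSense code: a small Python check of the two things discussed above, how long a server certificate is valid for against the 398-day limit and how many days it has left. It reads the output of `openssl x509 -noout -dates`; the sample outputs, the 30-day warning window and the function names are assumptions made for the example.

```python
import ssl
from datetime import datetime, timezone

MAX_SERVER_CERT_DAYS = 398  # server-certificate lifetime limit cited in the thread
WARN_DAYS = 30              # assumed notice window for this example

# Constructed samples of `openssl x509 -noout -dates` output (not from a real firewall).
OLD_DEFAULT = "notBefore=Dec 10 18:00:00 2020 GMT\nnotAfter=Dec  8 18:00:00 2030 GMT\n"
RENEWED = "notBefore=Jan  5 12:00:00 2024 GMT\nnotAfter=Feb  6 12:00:00 2025 GMT\n"


def parse_dates(openssl_output):
    """Return (not_before, not_after) as UTC datetimes."""
    found = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # ssl.cert_time_to_seconds parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT" form
            seconds = ssl.cert_time_to_seconds(value.strip())
            found[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def assess(openssl_output, now):
    """Compare a certificate's validity window with the lifetime limit and the clock."""
    not_before, not_after = parse_dates(openssl_output)
    lifetime = (not_after - not_before).days
    remaining = (not_after - now).days
    findings = []
    if now < not_before:
        findings.append("not yet valid")
    if now >= not_after:
        findings.append("expired")
    elif remaining <= WARN_DAYS:
        findings.append("expiring soon")
    if lifetime > MAX_SERVER_CERT_DAYS:
        findings.append("lifetime exceeds 398 days")
    return {"lifetime_days": lifetime, "days_remaining": remaining, "findings": findings}


if __name__ == "__main__":
    now = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock for the samples
    for name, sample in (("old default", OLD_DEFAULT), ("renewed", RENEWED)):
        print(name, assess(sample, now))
```
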
          • S
            SteveITS Galactic Empire @jimp
            last edited by

            @jimp said in webConfigurator certificate expiring:

            you can point the finger at Apple specifically.

            Yeah I know, I was generalizing because all browsers do it now, or at least the major ones. I'm about to start our annual ticket for renewing our wildcard cert and installing it on 2 routers and some 30 servers so I'm well aware it's a pain. :)

            jimpJ 1 Reply Last reply Reply Quote 0
            • jimpJ
              jimp Rebel Alliance Developer Netgate @SteveITS
              last edited by

              @steveits said in webConfigurator certificate expiring:

              @jimp said in webConfigurator certificate expiring:

              you can point the finger at Apple specifically.

              Yeah I know, I was generalizing because all browsers do it now, or at least the major ones. I'm about to start our annual ticket for renewing our wildcard cert and installing it on 2 routers and some 30 servers so I'm well aware it's a pain. :)

              I set up ACME on mine so they handle it themselves automatically, with the bonus that it's a valid cert I don't have to override controls to accept.

              1 Reply Last reply Reply Quote 1
              • P
                pulsartiger
                last edited by

                Thanks everyone for the replies. Certificate has been renewed 👍

                1 Reply Last reply Reply Quote 1
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.