webConfigurator certificate expiring
-
I just noticed a bunch of 'Notices' on my dashboard stating "The following CA/Certificate entries are expiring:
Certificate: webConfigurator default". Expires in 22 days. When I view System -> Certificate Manager -> Certificates, I see an option to 'Renew'. It gives me some warnings and I want to make sure I am doing the right thing.
1.) Is this normal for any pfsense install? I only access the web GUI in my LAN (no remote access)
2.) Do I simply renew the license and accept the warnings?
3.) How often does this happen? I've been using pfsense since Dec 2020 and I don't recall ever seeing this message before (or having to renew a certificate).
-
@pulsartiger In the past certs could be valid for 10 years but a few years ago the powers that be decided to only allow 398 days. You can just renew it. It's a self signed cert anyway. The cert will have from/to dates listed.
-
@pulsartiger said in webConfigurator certificate expiring:
1.) Is this normal for any pfsense install? I only access the web GUI in my LAN (no remote access)
Yes, it's normal.
2.) Do I simply renew the license and accept the warnings?
It's not a license, just the GUI SSL certificate. In most cases just click the renew button and then confirm the renewal. Some older certificates or certificates with weak properties may need to have their properties updated to be secure, but the renewal screen gives an easy checkbox choice for this.
If any of the values in the "Would Change" column at the bottom say Yes then you should probably check the Strict Security box before updating. Some rare cases may need intentionally weaker security but most people are better off with more secure options and the old ones may have been old defaults or chosen out of habit.
3.) How often does this happen? I've been using pfsense since Dec 2020 and I don't recall ever seeing this message before (or having to renew a certificate).
Current standards require server certificates to have a life of no longer than 398 days, so about once per year they will need renewed. This does not apply to CA or user certificates, only server certificates.
@steveits said in webConfigurator certificate expiring:
@pulsartiger In the past certs could be valid for 10 years but a few years ago the powers that be decided to only allow 398 days.
Rather than the ambiguous "the powers that be", you can point the finger at Apple specifically. It was up for a standards vote and failed but they decided to do it anyhow. If we didn't follow suit then people would not be able to hit the GUI securely from OS X/iOS, and eventually others followed.
-
@jimp said in webConfigurator certificate expiring:
you can point the finger at Apple specifically.
Yeah I know, I was generalizing because all browsers do it now, or at least the major ones. I'm about to start our annual ticket for renewing our wildcard cert and installing it on 2 routers and some 30 servers so I'm well aware it's a pain. :)
-
@steveits said in webConfigurator certificate expiring:
@jimp said in webConfigurator certificate expiring:
you can point the finger at Apple specifically.
Yeah I know, I was generalizing because all browsers do it now, or at least the major ones. I'm about to start our annual ticket for renewing our wildcard cert and installing it on 2 routers and some 30 servers so I'm well aware it's a pain. :)
I set up ACME on mine so they handle it themselves automatically, with the bonus that it's a valid cert I don't have to override controls to accept.
-
Thanks everyone for the replies. Certificate has been renewed
-
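Added example, not part of the thread and not pfSense code: a small audit that takes the `notBefore=`/`notAfter=` lines printed by `openssl x509 -noout -dates` and flags server certificates that are expired, close to expiry, or issued for longer than the 398 days mentioned above. The sample certificates, the 30-day warning window and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_SERVER_LIFETIME = timedelta(days=398)  # server-certificate limit quoted in the thread
WARN_WINDOW = timedelta(days=30)           # assumed warning threshold, not a pfSense value

# Constructed samples in the format printed by `openssl x509 -noout -dates`.
SAMPLES = {
    "gui-default": "notBefore=Dec 10 12:00:00 2020 GMT\nnotAfter=Jan 12 12:00:00 2022 GMT",
    "old-10-year": "notBefore=Jan  5 09:00:00 2015 GMT\nnotAfter=Jan  2 09:00:00 2025 GMT",
    "lapsed": "notBefore=Nov  1 00:00:00 2020 GMT\nnotAfter=Dec  1 00:00:00 2021 GMT",
}

def parse_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        stamp = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
        fields[key.strip()] = stamp.replace(tzinfo=timezone.utc)
    return fields["notBefore"], fields["notAfter"]

def audit(text, now):
    """List findings for one server certificate; an empty list means nothing to do."""
    not_before, not_after = parse_dates(text)
    findings = []
    if now >= not_after:
        findings.append("expired")
    elif not_after - now <= WARN_WINDOW:
        findings.append(f"expires in {(not_after - now).days} days")
    # The 398-day limit applies to server certificates, not CA or user certificates.
    if not_after - not_before > MAX_SERVER_LIFETIME:
        findings.append("lifetime over 398 days")
    return findings

def audit_all(samples, now):
    return {name: audit(text, now) for name, text in samples.items()}

if __name__ == "__main__":
    now = datetime(2021, 12, 21, 12, 0, 0, tzinfo=timezone.utc)  # fixed for repeatable output
    for name, findings in audit_all(SAMPLES, now).items():
        print(name, "->", ", ".join(findings) or "ok")
```
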