Changed HTTPS to HTTP, now can't log in to Web UI

LarryM04 · May 11, 2022, 7:56 PM

On one of the tabs I noticed that HTTPS was selected, but my browser always complains that the login page isn't secure. So I selected HTTP instead. Now Chrome no longer complains... but I can't login to the GUI - I enter admin and password, but the screen just goes right back to login/password. I can ssh as admin, so I'm sure I know the password.

What can I have messed up and how can I fix it from the SSH connection?

viragomann · May 11, 2022, 7:44 PM

@larrym04
So login via SSH. There is an option to revert to former config settings. 15 in the menu, as far as I can remember.

Next time when making changes be a bit more careful.

AndyRH · May 11, 2022, 7:46 PM

Please describe can't login. You see the login screen and it says "no" or you do not see the login screen?

If it is the first one try Edge, safari... I have had Chrome not work when I had 2 pfSense firewalls up, could login to one, the other said no. Edge had no issue, ended up resetting chrome.

LarryM04 · May 11, 2022, 7:53 PM

@viragomann I saw that, but the choices were only for previous VPN config changes

LarryM04 · May 11, 2022, 8:00 PM

@andyrh THAT's IT! I tried Brave browser and no problem. So now I'm confused... Chrome worked, but complained that HTTPS wasn't secure, now with HTTP it won't go passed the login page, it just keeps presenting that page (see edit in original post)

So do I need to delete data in Chrome?

Thanks!!

AndyRH · May 11, 2022, 8:05 PM

@larrym04 I ended up clearing all browser data in Chrome.

LarryM04 · May 11, 2022, 8:12 PM

@andyrh Well now I broke it even worse. Set it back to HTTPS and now the login page presents a pop-up saying that cookies must be enabled... I have cookies enabled. Can't login from either Chrome or Brave. Same pop up on both

LarryM04 · May 11, 2022, 8:23 PM

@andyrh Whew! I logged in ssh and this time there was a recent change to go back to and both Chrome and Brave can log in. ... but what's up with the complaint about cookies are required? Neither browser is blocking any cookies

AndyRH · May 11, 2022, 8:53 PM

@larrym04 I am not a browser fixer. I like the factory reset option when they go bad and I keep 3 on my PC so when 1 breaks I can move the the next one.

LarryM04 · May 11, 2022, 9:07 PM

@andyrh I hear you. Chrome, Firefox, and Brave are on my box. Right now Firefox is down because it has and issue with the driver for my video card.

I got it back to HTTP. Chrome and Brave can log in and don't complain about not being secure, so all is good again.

Thank you

jimp · May 12, 2022, 1:07 PM

If you visited the GUI when it was HTTPS, then it likely saw the HSTS config and then (rightly) decided downgrading to HTTP was a security regression.

Different browsers handle HSTS differently, might be you need to clear the cookies for the firewall, or the cache.

Though honestly there is unlikely to be a legitimate reason not to use HTTPS these days. It's just asking for trouble to make it HTTP.

LarryM04 · May 12, 2022, 1:07 PM

@jimp I'm not sure I understand why I'd want the interface to be HTTPS, when it doesn't. The whole reason I changed to HTTP was because the hassle that Chrome made complaining that it wasn't a secure connection.

This in my house, I use the system just to force a VPN connection.

jimp · May 12, 2022, 1:10 PM

The warnings about HTTPS out of the box are only that the certificate is self-signed. You still get all the benefits of HTTPS just not the trust chain. Though even that can be solved in various ways.

You still need/want HTTPS on a local network. Especially if you access the firewall over wireless. The debate about all that is long over. Plenty of resources out there with the reasoning.

luckman212 · May 15, 2022, 4:25 PM

@larrym04 To avoid all of this, IMO the best (and most secure) option is to download the Acme package and get yourself a free LetsEncrypt cert so you can have that tasty green padlock. It's not too difficult, and you won't need to keep hitting that Advanced button.