NET::ERR_CERT_AUTHORITY_INVALID PFsense web gui error
-
I always get this error message in the Google Chrome browser when I access the web GUI. Why, and how do I fix it?
NET::ERR_CERT_AUTHORITY_INVALID
Subject: pfSense-635d45bd74c81
Issuer: pfSense-635d45bd74c81
Expires on: Dec 1, 2023
Current date: Oct 30, 2022
PEM encoded chain:
-
That's because it's self-signed and Chrome is sometimes really particular. Restarting Chrome may resolve, sometimes you have to use a different browser.
-
@rcoleman-netgate Thanks for the tip. Yes, this message does not appear in Edge. But Netgate must test this in Chrome, the most popular browser, and fix this issue.
-
@netboy The solution to Chrome being super particular is to remove HTTPS or put in a CA-signed (non-self) certificate. There are likely security settings in Chrome you can set up, use it in Incognito, to get around that specific message.
-
It's not something we can fix or indeed something that should be fixed. That reported error is correct, it's a self signed cert and Chrome is correctly warning you of that.
If you need to you can add a cert for the webgui to use that is signed by a known CA. You can use letsencrypt via the ACME pkg for that:
https://docs.netgate.com/pfsense/en/latest/packages/acme/general.html
Steve
-
@stephenw10 said in NET::ERR_CERT_AUTHORITY_INVALID PFsense web gui error:
letsencrypt via the ACME pkg
IMHO the Netgate web GUI must work in the most popular browsers without any issue.
Please wear your "sales hat" and tell me "why should a customer be annoyed by such an issue?" Don't you think the user experience is important?
So far my experience with netgate is superb and you guys helped me in setup as well but I beg to differ on this issue. Netgate must fix this.
-
I assume you're referring to the warning you get when you try to access the webgui and the CA is unknown? Like this?:
-
@netboy Please explain how you wish that would be resolved? Out of the box it does work. Your browser is being VERY particular.
There's a free solution, too, as @stephenw10 pointed out in ACME, that you can use if you need to.
Chrome is finicky, at best. I have issues with it at random. I changed all of my installations to use a WC certificate I have and that was the end of it.
But security that Chrome approves of is either not cheap or comes with the caveat of needing to be renewed every 90 days or so.
But that's up to you. Out of the box pfSense is secure.
-
Sometimes that link above doesn't exist because Chrome is being very dumb, and a reboot of the program, or going into incognito, is the only way around it.
-
@rcoleman-netgate
I think you are missing my point.
The onus for the web GUI to work "out of the box" is Netgate's responsibility, not the customer's.
Well, I have made my point and it is up to Netgate to decide.
-
@netboy With all due respect I see your point but it is moot.
Self-signed or not the data between your computer and your firewall is encrypted. If you don't like that certificate you can make your own -- but it is generated on first boot after installation.
If you want to use a third-party-signed certificate you are welcome to make that change -- as I noted above I have on many of mine already -- but they will still show this error when you connect to it via an IP because signed certificates rarely have the IP address in their SAN, and it's not a good practice to do that anyway.
-
@rcoleman-netgate said in NET::ERR_CERT_AUTHORITY_INVALID PFsense web gui error:
via an IP because signed certificates rarely have the IP address in their SAN
That is why you can just create your own CA, and then your cert, and trust the cert. With that you can use any FQDN you want, and any RFC 1918 address as SAN.
https://forum.netgate.com/post/831783
I have posted how to do this multiple times over the years, here is one from 2019 above.
Before the browsers started getting picky about how long the certs were valid, you could do it for a long time ;)
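
The private-CA approach from the last post, sketched with the OpenSSL command line as an added example; it is not code from this thread, from the linked post, or from Netgate. The FQDN `fw.home.arpa`, the address `192.168.1.1`, the file names and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: private CA plus a web GUI certificate with DNS and IP SANs.
FQDN="fw.home.arpa"; IP="192.168.1.1"   # constructed placeholder values
DAYS=397  # assumption: stay under the 398-day limit browsers apply to public CAs

make_ca() {  # $1 = working directory; writes ca.key and ca.crt
  cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home Lab Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_gui_cert() {  # $1 = working directory; writes gui.key and gui.crt
  cat > "$1/gui.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $FQDN
[v3_srv]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN,IP:$IP
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$1/gui.cnf" \
    -keyout "$1/gui.key" -out "$1/gui.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/gui.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days "$DAYS" \
    -extfile "$1/gui.cnf" -extensions v3_srv -out "$1/gui.crt" 2>/dev/null
}

# Succeeds only if gui.crt chains to ca.crt AND the name or IP is in its SAN.
verify_gui_cert() {  # $1 = dir, $2 = -verify_hostname or -verify_ip, $3 = value
  openssl verify -CAfile "$1/ca.crt" "$2" "$3" "$1/gui.crt" >/dev/null 2>&1
}
```

After `make_ca DIR` and `make_gui_cert DIR`, `ca.crt` is what the client's trust store needs, and `gui.crt` with `gui.key` is what the web GUI serves; `ca.key` should stay offline.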