Netgate Discussion Forum

NET::ERR_CERT_AUTHORITY_INVALID PFsense web gui error

General pfSense Questions
    rcoleman-netgate Netgate @netboy
    last edited by Oct 30, 2022, 11:56 PM

    @netboy The solution to Chrome being super particular is to remove HTTPS or put in a CA-signed (non-self) certificate. There are likely security settings in Chrome you can set up, use it in Incognito, to get around that specific message.

    Ryan
    Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
    Requesting firmware for your Netgate device? https://go.netgate.com
    Switching: Mikrotik, Netgear, Extreme
    Wireless: Aruba, Ubiquiti

      stephenw10 Netgate Administrator
      last edited by Oct 31, 2022, 12:00 AM

      It's not something we can fix or indeed something that should be fixed. That reported error is correct: it's a self-signed cert and Chrome is correctly warning you of that.

      If you need to you can add a cert for the webgui to use that is signed by a known CA. You can use letsencrypt via the ACME pkg for that:
      https://docs.netgate.com/pfsense/en/latest/packages/acme/general.html

      Steve

          netboy @stephenw10
          last edited by Oct 31, 2022, 12:46 AM

          @stephenw10 said in NET::ERR_CERT_AUTHORITY_INVALID PFsense web gui error:

          letsencrypt via the ACME pkg

          IMHO netgate WEB GUI must work in most popular browsers without any issue.

          Please wear your "sales hat" and tell me "why a customer be annoyed by such an issue"? Don't you think the user experience is important?

          So far my experience with netgate is superb and you guys helped me in setup as well but I beg to differ on this issue. Netgate must fix this.

            stephenw10 Netgate Administrator
            last edited by Oct 31, 2022, 12:51 AM

            I assume you're referring to the warning you get when you try to access the webgui and the CA is unknown? Like this?:

            Screenshot from 2022-10-31 00-51-04.png

              rcoleman-netgate Netgate @netboy
              last edited by Oct 31, 2022, 12:52 AM

              @netboy Please explain how you wish that would be resolved? Out of the box it does work. Your browser is being VERY particular.
              There's a free solution, too, as @stephenw10 pointed out in ACME, that you can use if you need to.

              Chrome is finicky, at best. I have issues with it at random. I changed all of my installations to use a WC certificate I have and that was the end of it.

              But security that Chrome approves of is either not cheap or comes with the caveat of needing to be renewed every 90 days or so.

              But that's up to you. Out of the box pfSense is secure.

              Ryan

                rcoleman-netgate Netgate @stephenw10
                last edited by Oct 31, 2022, 12:54 AM

                @stephenw10 Screenshot 2022-10-30 at 7.53.10 PM.png

                Sometimes that link above doesn't exist because Chrome is being very dumb, and a reboot of the program, or going into incognito, is the only way around it

                Ryan

                  netboy @rcoleman-netgate
                  last edited by Oct 31, 2022, 12:54 AM

                  @rcoleman-netgate
                  I think you are missing my point.
                  The onus for the WEB GUI to work "out of the box" is Netgate's responsibility, not the customer's.
                  Well I have made my point and it is up to netgate to decide.

                    rcoleman-netgate Netgate @netboy
                    last edited by Oct 31, 2022, 12:58 AM

                    @netboy With all due respect I see your point but it is moot.

                    Self-signed or not the data between your computer and your firewall is encrypted. If you don't like that certificate you can make your own -- but it is generated on first boot after installation.

                    If you want to use a third-party-signed certificate you are welcome to make that change -- as I noted above I have on many of mine already -- but they will still show this error when you connect to it via an IP because signed certificates rarely have the IP address in their SAN, and it's not a good practice to do that anyway.

                    Ryan

                      johnpoz LAYER 8 Global Moderator @rcoleman-netgate
                      last edited by johnpoz Oct 31, 2022, 2:53 AM Oct 31, 2022, 2:51 AM

                      @rcoleman-netgate said in NET::ERR_CERT_AUTHORITY_INVALID PFsense web gui error:

                      via an IP because signed certificates rarely have the IP address in their SAN

                      That is why you can just create your own CA, and then your cert and trust the cert. With that you can use any FQDN you want, and any RFC 1918 address as SAN.

                      https://forum.netgate.com/post/831783

                      I have posted how to do this multiple times over the years, here is one from 2019 above.

                      Before the browsers started getting picky about how long the certs were valid, you could do it for a long time ;)

                      cert.jpg

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1
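
The private-CA approach from the last post, as an added example that is not part of the thread or Netgate's own tooling: it uses the `openssl` CLI rather than the pfSense GUI to create a CA, issue a GUI certificate carrying both a DNS and an RFC 1918 IP SAN, and check which names verify. The host name `fw.home.arpa`, the address `192.168.1.1`, the file names and both function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: private CA + web GUI certificate with DNS and IP SANs.
# Constructed values (not from the thread): fw.home.arpa, 192.168.1.1.

make_lab_pki() (  # $1 = output dir, $2 = FQDN, $3 = IP address
  umask 077       # private keys must not be world-readable
  cd "$1" || exit 1
  cat > pki.cnf <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Lab CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2,IP:$3
EOF
  # 1. Self-signed root: the only certificate clients have to trust.
  openssl req -x509 -config pki.cnf -extensions ca_ext -newkey rsa:2048 \
    -nodes -keyout ca.key -out ca.pem -days 3650 2>/dev/null || exit 1
  # 2. Key and CSR for the firewall GUI.
  openssl req -new -config pki.cnf -subj "/CN=$2" -newkey rsa:2048 \
    -nodes -keyout gui.key -out gui.csr 2>/dev/null || exit 1
  # 3. CA signs the CSR; the SANs come from [srv_ext], not from the CSR.
  openssl x509 -req -in gui.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -extfile pki.cnf -extensions srv_ext -days 397 -out gui.pem 2>/dev/null
)

# Succeeds only if the cert chains to the CA AND a SAN matches the name.
cert_matches() {  # $1 = CA file, $2 = cert, $3 = host|ip, $4 = value
  case "$3" in
    host) flag=-verify_hostname ;;
    ip)   flag=-verify_ip ;;
    *)    return 2 ;;
  esac
  openssl verify -CAfile "$1" "$flag" "$4" "$2" >/dev/null 2>&1
}

d=$(mktemp -d) && make_lab_pki "$d" fw.home.arpa 192.168.1.1
for t in "host fw.home.arpa" "ip 192.168.1.1" "ip 192.168.1.2"; do
  set -- $t
  cert_matches "$d/ca.pem" "$d/gui.pem" "$1" "$2" && r=match || r=MISMATCH
  echo "$2: $r"
done
```

Only `ca.pem` goes into the client trust store; `ca.key` stays offline, and `gui.pem` with `gui.key` is what the web GUI serves.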
