    SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE after successful cert renewal

    • S
      SvengalH last edited by

      I renewed the ACME certificate on pfSense yesterday. It is listed in the UI, under Services / Acme / Certificates as

      Valid From: Sat, 25 Feb 2023 19:14:36 -0800
      Valid Until: Fri, 26 May 2023 20:14:35 -0700
      

      But when I access the FQDN or IP via Firefox, I get

      Error code: SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
      

      Viewing the certificate shows

      Validity
      Not Before Mon, 18 May 2020 23:19:44 GMT
      Not After Sun, 16 Aug 2020 23:19:44 GMT
      

      The name on the certificate according to the browser is the same as in the UI's SAN list.

      In the certificate options page, the actions list consists of

      /etc/rc.restart_webgui
      

      I have tried

      • Issuing /etc/rc.restart_webgui via the UI Execute Shell Command facility
      • Restarting pfSense
      • Halting and booting pfSense

      Also, on the computer running my browser I tried

      sudo apt-get purge firefox
      rm -r ~/.mozilla/* ; rmdir .mozilla
      rm -r /etc/firefox/* ; rmdir /etc/firefox
      rm /usr/lib/firefox-addons/* ; rmdir /usr/lib/firefox-addons
      

      I am running pfSense 2.6.0-RELEASE (amd64) and acme package version 0.7.3.

      It is a bit embarrassing but in case it is relevant, yesterday I upgraded from pfSense 2.4.5 to pfSense 2.6.0, following the Netgate Upgrade Guide. I removed the ACME package prior to the upgrade and installed it afterward. Everything seemed to go smoothly.

      Perhaps obviously I only dabble in this stuff, so please forgive me if I have missed something obvious. Also, it's Sunday here and the family needs some time, so I may not get back to this post until tomorrow. I'm not sure of the etiquette, perhaps I should have held off on my post?

      • V
        viragomann @SvengalH last edited by

        @svengalh
        The error message says that the issuer certificate (CA / intermediate CA) has expired.

        Display the certificate in the browser and check if it's even this one you've recently renewed.

        • Gertjan
          Gertjan @SvengalH last edited by

          @svengalh

          Renewing a certificate is one thing.
          Telling the software that it should take into account the new cert is another.

          Did you:

          [image: 91479186-7c43-4680-9928-5ce42196f245-image.png]

          as this will restart the pfSense GUI upon successful renewal.

          No "help me" PM's please. Use the forum.

              • S
                SvengalH last edited by

                Just to tie this off for other dabblers (read: bunglers in my case) who have the same issue...

                As per the documentation, the certificate used can be set in System / Advanced / Admin Access:

                [image: AdminAccess_Screensht_20230305.png]

                Changing to the recently renewed certificate fixes the issue discussed in my previous posts.

                • Gertjan
                  Gertjan @SvengalH last edited by

                  @svengalh said in SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE after successful cert renewal:

                  Changing to the recently renewed certificate

                  You only set this once, the day you start using the certificate:

                  [image: 307b0fc6-f09c-46ee-b08d-ab03ec260831-image.png]

                  from then on, the acme pfsense package will renew this cert. There is nothing more to do.

                  If you change the certificate's name/ID, then, yeah, you have to change to that new cert.
                  But why would you do that?

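An added example, not written by any poster in this thread: a shell check, using the `openssl` CLI, of whether the webGUI listener is serving the renewed certificate or an older one, which is the question viragomann raises and the final posts resolve. The host name and PEM file path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.
# Usage (host and path are assumptions):
#   check_webgui fw.example.test ./renewed-cert.pem

# SHA-256 fingerprint of a PEM certificate file.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# PEM of the leaf certificate the listener at HOST[:PORT] presents.
# s_client does not abort on validation errors, so an expired
# certificate is still returned for inspection.
served_pem() {
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# Print MATCH and return 0 if both fingerprints are equal and non-empty;
# otherwise print STALE and return 1.
compare_fingerprints() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        echo MATCH
    else
        echo STALE
        return 1
    fi
}

# check_webgui HOST RENEWED_PEM [PORT]
# Shows what is being served, then compares it with the renewed file.
check_webgui() {
    tmp=$(mktemp) || return 2
    served_pem "$1" "${3:-443}" > "$tmp"
    # Subject, issuer and validity window of the served certificate.
    openssl x509 -in "$tmp" -noout -subject -issuer -dates
    served=$(file_fingerprint "$tmp")
    expected=$(file_fingerprint "$2")
    rm -f "$tmp"
    compare_fingerprints "$served" "$expected"
}
```

A STALE result after a successful renewal means the listener is bound to a different certificate entry than the one that was renewed, so restarting the service will not change what is served.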