Netgate Discussion Forum

Using an imported Let's Encrypt cert giving "certificate not from a trusted source" on login page

Captive Portal
3 Posts 2 Posters 336 Views
    ronv42
    last edited by Jun 2, 2023, 6:58 PM

    I have my captive portal working with non-ssl and today I have been trying to get the SSL certificate process working. My SSL certs come from Let's Encrypt and NGINX proxy manages the certs for me. I exported the cert for the url to the login portal with a CN of:

    cplogin.vargofamily.com

    Imported the cert1.pem and privkey1.pem from the download key from NGINX proxy manager and imported into the certificate manager in pfSense:

    8441d2b3-87d5-4702-b229-e34bcc81e898-image.png

    When attempting to login with Android I get the following message:

    26e52f7b-6193-4759-9572-493a94f16727-image.png

    And when I look at the cert this is what baffles me:

    1b30605e-70cb-4bb0-86e2-eea86bba7598-image.png

    This cert isn't from a trusted authority. But yet it's signed by Let's Encrypt.

    Am I missing something here? I also tried with my wildcard cert which I use internally just fine with my lab and have the same messages about the cert and it also is a Let's Encrypt generated cert.

      johnpoz LAYER 8 Global Moderator @ronv42
      last edited by johnpoz Jun 3, 2023, 11:23 AM Jun 3, 2023, 11:21 AM

      @ronv42 That warning would be from your browser.. if your browser doesn't trust the Let's Encrypt CA. Maybe it was removed from your trusted CAs. Or the trust altered?

      You need to look at your trusted Authorities in your browser or your overall system, depending on whether your browser keeps its own trust store or uses the system store.

      If you look at your certificate you can see the trust chain.

      So for example here is a Let's Encrypt cert I use for one of my sites - see signed by R3, R3 was signed by X1.. Browser (Firefox) trusts X1, so in turn it trusts R3 (the intermediary CA).. So in turn it trusts the cert signed by R3..

      chain.jpg

      You need to look into why your browser doesn't have the CA from ISRG listed, or doesn't trust it.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        ronv42 @johnpoz
        last edited by ronv42 Jun 3, 2023, 2:02 PM Jun 3, 2023, 1:05 PM

        @johnpoz Thanks, I will do some more exploration today. I know that in the downloaded zip of the certs there is the:

        cert1.pem
        chain1.pem
        fullchain1.pem
        privkey1.pem

        The import into pfSense only asked for the cert and private key. When I import into other applications like Synology they ask for private key, certificate, and intermediate key chain.

        More fun on a Saturday...

        Solved it. Needed to use "fullchain1.pem" for the certificate field. Problem went away. It was your detailed walk-through example that led me to think of this.

        Thanks again @johnpoz

        1 Reply Last reply Reply Quote 0
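What the fix in the last post changes from the client's side, as an added example (not code from the thread or from pfSense): a throwaway root, intermediate and leaf are generated with the openssl CLI, and a client that trusts only the root verifies the leaf when the server sends cert1.pem alone versus fullchain1.pem. Every certificate and subject name here is constructed; only the file names mirror those in the thread.

```shell
#!/bin/sh
# Constructed stand-ins, generated locally: "Constructed Root" plays the CA in
# the client's trust store, "Constructed Intermediate" plays the issuing CA,
# and the leaf plays the portal certificate. Requires the openssl CLI.
set -e
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/o.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
EOF

new_csr() {  # $1 = file prefix, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -config "$d/o.cnf" -subj "/CN=$2" \
    -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
}
# Root: self-signed CA, the only certificate the client trusts.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/o.cnf" -extensions ca \
  -subj "/CN=Constructed Root" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
# Intermediate (chain1.pem): a CA certificate signed by the root.
new_csr inter "Constructed Intermediate"
openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -days 2 \
  -CAcreateserial -extfile "$d/o.cnf" -extensions ca -out "$d/chain1.pem" 2>/dev/null
# Leaf (cert1.pem): signed by the intermediate, not by the root.
new_csr leaf "portal.example.test"
openssl x509 -req -in "$d/leaf.csr" -CA "$d/chain1.pem" -CAkey "$d/inter.key" -days 2 \
  -CAcreateserial -out "$d/cert1.pem" 2>/dev/null
cat "$d/cert1.pem" "$d/chain1.pem" > "$d/fullchain1.pem"

certs_in() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }
# Client view: trust anchor is the root only. The first certificate in $1 is
# the leaf; any further certificates in $1 are what the server sent along.
client_accepts() {
  openssl verify -CAfile "$d/root.pem" -untrusted "$1" "$1" >/dev/null 2>&1
}

for f in cert1.pem fullchain1.pem; do
  if client_accepts "$d/$f"; then r="trusted"; else r="NOT trusted"; fi
  echo "$f: $(certs_in "$d/$f") certificate(s) sent -> $r"
done
```

To check what a live portal actually sends, `openssl s_client -connect host:port -showcerts` lists every certificate in the handshake; a single entry means the intermediate is missing.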
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.