Netgate Discussion Forum

WEB GUI login using https with public IP address Certificate "Let's Encrypt" not working

  • G
    Gertjan @Unoptanio
    last edited by Sep 8, 2023, 8:23 AM

    @Unoptanio

    Don't point at it 😊

    f49b789c-1220-4662-b72b-199992e05d50-image.png

    Click on it !!

    Dig downwards, and look at the certificate :
    You'll find :

    3ef511be-a339-4972-9526-13210673ede5-image.png

    Yours will show the domain name with "it" as a tld.

    These are the "names" that can be used to make this certificate valid and your browser happy.
    You forgot to include
    a71537e1-2d2f-48e1-9d1d-2cab6245fce3-image.png

    and before you try to do that : Letsencrypt won't let you include IP addresses. .... so the question is wrong ^^

    And every time your IPv4 or IPv6 changes, you have to redo your certificate.

    The correct way of doing things :
    Never ever connect to SSH and/or https from the outside.
    First : activate a VPN connection to the pfSense OpenVPN server.
    Now use
    https://pfsense.your-pfsense-network-domain.it which normally points to your pfSense LAN : you are connected to the GUI.
    because :

    1daf1787-23eb-4f62-ad24-9df604c866a6-image.png

    SSH : doesn't use these certificates. It uses its own certificates, valid for 10 years or so.

    You can see one here, under the admin User Manager :

    89243486-2c8d-4c1d-a868-5d409aebddf0-image.png

    Don't forget to disable user/password login.
    Only accept :

    788a3c5a-dd9f-4428-ba70-e7e9458cf463-image.png

    Before using SSH, activate the OpenVPN first. Don't (IMHO) expose SSH to the outside.

    No "help me" PM's please. Use the forum, the community will thank you.
    Edit : and where are the logs ??

    U 1 Reply Last reply Sep 8, 2023, 8:41 AM Reply Quote 0
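
The check a browser applies to the certificate's name list, as an added example that is not part of the original posts: a URL containing an IP literal is compared only against IP-address entries, so a certificate that lists only DNS names fails for `https://<public-IP>`. The function names, the `example.it` names and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress

def dns_match(host, pattern):
    """Compare a hostname with one DNS SAN entry.
    A '*' is honoured only as the complete left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False            # a wildcard never spans several labels
    if p[0] == "*":
        # refuse over-broad patterns such as '*.it'
        return len(p) > 2 and h[1:] == p[1:]
    return h == p

def cert_valid_for(target, sans):
    """target: the host part of the URL typed in the browser.
    sans: (type, value) pairs in the layout Python's
    ssl.SSLSocket.getpeercert()['subjectAltName'] uses."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal: DNS entries are ignored, only IP entries count.
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip
                   for t, v in sans)
    return any(t == "DNS" and dns_match(target, v) for t, v in sans)

# Constructed SAN list: a certificate issued for DNS names only.
SAMPLE_SANS = [("DNS", "pfsense.example.it"), ("DNS", "*.example.it")]

if __name__ == "__main__":
    for name in ("pfsense.example.it", "gw.example.it",
                 "a.b.example.it", "203.0.113.10"):
        verdict = "valid" if cert_valid_for(name, SAMPLE_SANS) else "name mismatch"
        print(f"https://{name}/ -> {verdict}")
```
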
    • U
      Unoptanio @Gertjan
      last edited by Unoptanio Sep 8, 2023, 8:55 AM Sep 8, 2023, 8:41 AM

      @Gertjan

      In the LAN, using the pfSense FQDN does not work:
      2db0bd3a-7d59-469a-b5dd-1de38ecf40ce-image.png

      In the LAN using local IP of the gateway:
      38e06852-7383-4f18-aaaf-cd0a72203570-image.png

      I have 16 static public IPs. Virtual IP Address
      pfSense answers on the first

      For security, how do I disable access to the firewall from the public static IP? My IP address never changes and is static 80.xxxxxxx
      5085102b-ac93-4b87-95ba-ad6a71ede242-image.png

      pfSensePlus24.03 2U BareMetal Asrock Industrial IMB-X1314MicroATX
      CPU: i7-13700@5.2GHz, RAM:32GB ECC, n°2 Samsung 870EVO SATA 2.5" SSD 1TB (ZFS) Raid1
      n°3 Intel i225-LM 2500/1000/100Mbps, n°1 NIC Intel i350-T4V2 10/100/1000 Mbps 4*GLAN, n°1 Intel X520-DA2

      B 1 Reply Last reply Sep 8, 2023, 8:42 AM Reply Quote 0
      • B
        Bob.Dig LAYER 8 @Unoptanio
        last edited by Sep 8, 2023, 8:42 AM

        @Unoptanio said in WEB GUI login using https with public IP address Certificate "Let's Encrypt" not working:

        For security, how do I disable access to the firewall from the public static IP?

        In your WAN-rules...

        U B 2 Replies Last reply Sep 8, 2023, 8:44 AM Reply Quote 0
        • U
          Unoptanio @Bob.Dig
          last edited by Sep 8, 2023, 8:44 AM

          @Bob-Dig can you help me make the rule?


          B 1 Reply Last reply Sep 8, 2023, 8:45 AM Reply Quote 0
          • B
            Bob.Dig LAYER 8 @Unoptanio
            last edited by Bob.Dig Sep 8, 2023, 8:47 AM Sep 8, 2023, 8:45 AM

            @Unoptanio Show your WAN-rules and if you have (you shouldn't) your floating-rules. And you are missing the basics for using certificates so don't use LE for now.

            U 1 Reply Last reply Sep 8, 2023, 8:51 AM Reply Quote 0
            • U
              Unoptanio @Bob.Dig
              last edited by Sep 8, 2023, 8:51 AM

              @Bob-Dig b2325b71-7246-4fa8-b31b-d8c87962af19-image.png


              1 Reply Last reply Reply Quote 0
              • B
                Bob.Dig LAYER 8 @Bob.Dig
                last edited by Bob.Dig Sep 8, 2023, 8:56 AM Sep 8, 2023, 8:55 AM

                @Unoptanio said in WEB GUI login using https with public IP address Certificate "Let's Encrypt" not working:

                For security, how do I disable access to the firewall from the public static IP?

                Why do you want to disable access from your static public IP at home?

                U 1 Reply Last reply Sep 8, 2023, 9:11 AM Reply Quote 0
                • U
                  Unoptanio @Bob.Dig
                  last edited by Unoptanio Sep 8, 2023, 9:15 AM Sep 8, 2023, 9:11 AM

                  @Bob-Dig

                  @Gertjan says the correct safe way to do things is to access from outside via OpenVPN and access the firewall using the local IP address of pfSense https://192.168.1.253:47000/

                  the idea is to not allow external access to the static public IP address pointing to the pfsense firewall. For web gui access only


                  G 1 Reply Last reply Sep 8, 2023, 9:23 AM Reply Quote 0
                  • G
                    Gertjan @Unoptanio
                    last edited by Sep 8, 2023, 9:23 AM

                    @Unoptanio said in WEB GUI login using https with public IP address Certificate "Let's Encrypt" not working:

                    For web gui access only

                    In a perfect world, the pfSense GUI is only accessible from your LAN - nothing else.
                    Your LAN should only have devices that you trust.
                    The rest : on other 'LANs' ( OPTx interfaces).

                    This is not a golden rule of course. It's just mine.


                    U 1 Reply Last reply Sep 10, 2023, 6:08 AM Reply Quote 1
                    • U
                      Unoptanio @Gertjan
                      last edited by Unoptanio Sep 10, 2023, 6:12 AM Sep 10, 2023, 6:08 AM

                      @Gertjan

                      OK

                      using the GUI, I deactivated the admin user.

                      I created a new user "test2023" and gave him administrator privileges.
                      b62aa1c0-7415-4880-a485-28c28e4bbcce-image.png

                      Problem:
                      When connecting with PuTTY, the pfSense shell no longer offers the classic menu that appeared when logging in as Admin.
                      Only a prompt appears

                      Login with user Test2023:
                      639caeaf-477e-47a8-8219-699922dc5448-image.png

                      Login with user Admin:
                      696d90a9-d8f9-477b-957c-f330923c9ab6-image.png

                      How do I view this menu, logging in with the Test2023 user?


                      G 1 Reply Last reply Sep 11, 2023, 6:30 AM Reply Quote 0
                      • G
                        Gertjan @Unoptanio
                        last edited by Gertjan Sep 11, 2023, 6:31 AM Sep 11, 2023, 6:30 AM

                        @Unoptanio said in WEB GUI login using https with public IP address Certificate "Let's Encrypt" not working:

                        using the GUI, I deactivated the admin user.

                        I created a new user "test2023" and gave him administrator privileges.

                        Oho.
                        Seems like a very bad idea to me.
                        None of the official Netgate docs gives such advice.

                        pfSense is a firewall, not some sort of NAS, or media serving thing with "multiple" users.
                        Once in a while, the big chief comes in (the admin), does his things, and then he leaves.

                        True : other "users" can be created for OpenVPN purposes, but these do not interact with pfSense GUI, or SSH etc, it's just a means to identify and authorize the (OpenVPN) connection.
                        Another example : captive portal users


                        1 Reply Last reply Reply Quote 1
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.