Netgate Discussion Forum

WEB GUI login using https with public IP address Certificate "Let's Encrypt" not working

Category: ACME
12 Posts 3 Posters 1.1k Views
    Unoptanio, last edited Sep 8, 2023, 8:08 AM

    Greetings,

    pfSense: 2.7.0
    ACME: 0.7.5

    I did the whole procedure to log in via certificate using a domain from the browser. Everything works.
    If I try to log in using the public IP address, it doesn't load the certificate. It says invalid certificate.

    Is there a way to connect via ssh using the certificate?

    pfSensePlus24.03 2U BareMetal Asrock Industrial IMB-X1314MicroATX
    CPU: i7-13700@5.2GHz, RAM:32GB ECC, n°2 Samsung 870EVO SATA 2.5” SSD 1TB (ZFS) Raid1
    n°3 Intel i225-LM 2500/1000/100Mbps, n°1 NIC Intel i350-T4V2 10/100/1000 Mbps 4*GLAN, n°1 Intel X520-DA2

      Gertjan @Unoptanio, last edited Sep 8, 2023, 8:23 AM

      @Unoptanio

      Don't point at it 😊

      [screenshot]

      Click on it !!

      Dig downwards and look at the certificate.
      You'll find:

      [screenshot]

      Yours will show the domain name with "it" as a TLD.

      These are the "names" that can be used to make this certificate valid and your browser happy.
      You forgot to include
      [screenshot]

      and before you try to do that: Let's Encrypt won't let you include IP addresses... so the question is wrong ^^

      And every time your IPv4 or IPv6 changes, you have to redo your certificate.

      The correct way of doing things:
      Never ever connect to SSH and/or HTTPS from the outside.
      First: activate a VPN connection to the pfSense OpenVPN server.
      Now use
      https://pfsense.your-pfsense-network-domain.it which normally points to your pfSense LAN: you are connected to the GUI.
      because:

      [screenshot]

      SSH doesn't use these certificates. It uses its own certificates, valid for 10 years or so.

      You can see one here, under the admin User Manager:

      [screenshot]

      Don't forget to disable user/password login.
      Only accept:

      [screenshot]

      Before using SSH, activate the OpenVPN first. Don't (IMHO) expose SSH to the outside.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

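The check behind Gertjan's answer, as an added example (not code from the thread, pfSense or the ACME package): a browser accepts a certificate only if the URL host matches one of its Subject Alternative Names, where dNSName entries match hostnames and only iPAddress entries match IP literals. The SAN list and the 203.0.113.10 address are constructed stand-ins for the poster's domain and his 80.x.x.x public IP.

```python
"""Hostname-vs-SAN matching, the check a browser performs when you open
https://<host>/ against a pfSense GUI certificate. Constructed example."""
import ipaddress


def _dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName match: case-insensitive, trailing dot ignored,
    a wildcard is allowed only as the entire left-most label and never
    spans more than one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def san_covers(san: dict, target: str) -> bool:
    """True if a certificate whose SAN extension is `san` is valid for a URL
    whose host part is `target`. san = {"dns": [dNSName...], "ip": [iPAddress...]}."""
    try:
        addr = ipaddress.ip_address(target.strip("[]"))  # IPv6 literals are bracketed in URLs
    except ValueError:
        addr = None
    if addr is not None:
        # An IP literal is only covered by an iPAddress SAN. A dNSName that
        # spells the same digits does not count. The certificate in the thread
        # carries no iPAddress SAN, which is why https://<public-IP>/ fails.
        return any(ipaddress.ip_address(ip) == addr for ip in san.get("ip", []))
    return any(_dns_matches(p, target) for p in san.get("dns", []))


# Constructed SAN list modelled on the thread: a Let's Encrypt certificate
# issued for the pfSense hostname only.
LE_SAN = {"dns": ["pfsense.your-pfsense-network-domain.it"], "ip": []}


def verdict(san: dict, target: str) -> str:
    return "valid" if san_covers(san, target) else "invalid certificate"


if __name__ == "__main__":
    for host in ("pfsense.your-pfsense-network-domain.it",  # via LAN DNS / VPN
                 "203.0.113.10",                            # stand-in for the public 80.x.x.x IP
                 "192.168.1.253"):                          # LAN IP from the thread
        print(f"https://{host}/ -> {verdict(LE_SAN, host)}")
```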
        Unoptanio @Gertjan, Sep 8, 2023, 8:41 AM (last edited Sep 8, 2023, 8:55 AM)

        @Gertjan

        In the LAN, using the pfSense FQDN does not work:
        [screenshot]

        In the LAN, using the local IP of the gateway:
        [screenshot]

        I have 16 static public IPs (Virtual IP Addresses).
        pfSense answers on the first.

        For security, how do I disable access to the firewall from the public static IP? My IP address never changes and is static: 80.xxxxxxx
        [screenshot]

          Bob.Dig @Unoptanio, Sep 8, 2023, 8:42 AM

          @Unoptanio said in WEB GUI login using https with public IP address Certificate "Let's Encrypt" not working:

          For security, how do I disable access to the firewall from the public static IP?

          In your WAN-rules...

            Unoptanio @Bob.Dig, Sep 8, 2023, 8:44 AM

            @Bob-Dig can you help me make the rule?

              Bob.Dig @Unoptanio, Sep 8, 2023, 8:45 AM (last edited Sep 8, 2023, 8:47 AM)

              @Unoptanio Show your WAN-rules and if you have (you shouldn't) your floating-rules. And you are missing the basics for using certificates so don't use LE for now.

                Unoptanio @Bob.Dig, Sep 8, 2023, 8:51 AM

                @Bob-Dig [screenshot]

                  Bob.Dig @Bob.Dig, Sep 8, 2023, 8:55 AM (last edited Sep 8, 2023, 8:56 AM)

                  @Unoptanio said in WEB GUI login using https with public IP address Certificate "Let's Encrypt" not working:

                  For security, how do I disable access to the firewall from the public static IP?

                  Why do you want to disable access from your static public IP at home?

                    Unoptanio @Bob.Dig, Sep 8, 2023, 9:11 AM (last edited Sep 8, 2023, 9:15 AM)

                    @Bob-Dig

                    @Gertjan says the correct, safe way to do things is to access from outside via OpenVPN and access the firewall using the local IP address of pfSense: https://192.168.1.253:47000/

                    The idea is to not allow external access to the static public IP address pointing to the pfSense firewall. For web GUI access only.

                      Gertjan @Unoptanio, last edited Sep 8, 2023, 9:23 AM

                      @Unoptanio said in WEB GUI login using https with public IP address Certificate "Let's Encrypt" not working:

                      For web gui access only

                      In a perfect world, the pfSense GUI is only accessible from your LAN - nothing else.
                      Your LAN should only have devices that you trust.
                      The rest: on other 'LANs' (OPTx interfaces).

                      This is not a golden rule of course. It's just mine.

                        Unoptanio @Gertjan, Sep 10, 2023, 6:08 AM (last edited Sep 10, 2023, 6:12 AM)

                        @Gertjan

                        OK

                        Using the GUI, I deactivated the admin user.

                        I created a new user "test2023" and gave him administrator privileges.
                        [screenshot]

                        Problem:
                        By connecting with PuTTY, the pfSense shell no longer offers the classic menu that appeared when logging in as admin.
                        Only a prompt appears.

                        Login with user Test2023:
                        [screenshot]

                        Login with user Admin:
                        [screenshot]

                        How do I view this menu, logging in with the Test2023 user?

                          Gertjan @Unoptanio, Sep 11, 2023, 6:30 AM (last edited Sep 11, 2023, 6:31 AM)

                          @Unoptanio said in WEB GUI login using https with public IP address Certificate "Let's Encrypt" not working:

                          using the GUI, I deactivated the admin user.

                          I created a new user "test2023"and gave him administrator privileges.

                          Oho.
                          Seems like a very bad idea to me.
                          None of the official Netgate docs gives such advice.

                          pfSense is a firewall, not some sort of NAS or media-serving thing with "multiple" users.
                          Once in a while, the big chief (the admin) comes in, does his things, and then he leaves.

                          True: other "users" can be created for OpenVPN purposes, but these do not interact with the pfSense GUI, SSH, etc.; it's just a means to identify and authorize the (OpenVPN) connection.
                          Another example: captive portal users.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.