Add Upstream SSL Intercepting Proxy Certificate

mt_onsemi

Problem Statement:
pfSense unable to do package updates because an upstream https proxy is providing a certificate that pfSense is not accepting. This pfSense is running on a VM, under ESXi. Internet access is provided by organization's upstream transparent proxy, which does MITM packet inspections for http/https. As such all https requests receive the organization's certificate, and this appears to be where pfSense is failing.

I've looked over various historic posts on the same topic and everyone seems to claim it was resolved but when I copy their approach I get nowhere. Older pfSense version that feels like it no longer applies to more recent versions of pfSense. more recent pfSense version appears to suggest upgrading to latest pfSense.

What Has Been Tried:
Obtained organization's SSL certificate by going to an internet site on another computer, in the same subnet as the pfSense host. Within Chrome you can inspect the SSL certificates used, and I just exported the certificate from there. Then went to pfSense System->Certificate->Authorities->Add, Method: Import Existing Certificate, and Trust Store: Yes. Certificates were correctly imported and certificate details can be looked at in pfSense. They appear to match what Chrome indicates, so assume everything correctly imported.

However when I run 'pkg install open-vm-tools-nox11' (attempting to install vmware tools on VM), I get:
Updating pfSense-core repository catalogue...
Certificate verification failed for /O=ABC Semicon/CN=ABC Semicon RSA Root CA
35077394432:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:/var/jenkins/workspace/pfSense-CE-snapshots-2_7_0-main/sources/FreeBSD-src-RELENG_2_7_0/crypto/openssl/ssl/statem/statem_clnt.c:1921:

This approach of using Chrome to get upstream MITM proxy's certificate seems to have worked on other Linux boxes, so naively thought it would work here too.

mt_onsemi

Additional information. It appears I can succeed with:
curl https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-core/meta.txz --output meta.txz
OR WITH
curl https://pkg01-atx.netgate.com/pfSense_v2_7_0_amd64-pfSense_v2_7_0/packagesite.txz --output packagesite.txz.
File successfully downloads, so perhaps this is a pkg specific problem?

mt_onsemi

Responding to my own post in case others come across this. I am not considering this a total solution, but rather a workaround until someone can point me towards a more robust solution.

pfSense's pkg management tool does not appear to use the system's certificates, so manual intervention is needed.

I was able to update packages, and install new ones by:

1. going to command line
2. setenv SSL_CA_CERT_PATH /etc/ssl/certs
3. then pkg update or pkg install xxx

stephenw10

There is a checkbox to add the CA to the system when you import it if required:

However in this situation I would add the proxy IP to pfSense specifically so it doesn't need to have that CA.
https://docs.netgate.com/pfsense/en/latest/config/advanced-misc.html#proxy-support

Steve