pfSense won't stop creating lots of self-signed certs despite a trusted cert being installed already
pfSense creates tons of spammy self-signed certs for the web UI, like below, and continually replaces my real, prod cert:
What causes this? The device is in a HA pair and this is incredibly annoying as the firewall is set up with a DNS record and the parent domain is registered for HSTS meaning only navigation by IP is possible (plus the red warning in Chrome).
My guess is it's the HA sync option for Certificate Authorities, Certificates, and Certificate Revocation Lists, in which case this is a bug.

When you have HA and XMLRPC config sync set up, the certificates from the primary overwrite the secondary -- that is normal/expected, and not a bug.
What you do in this case is add all certificates on the primary node, allow them to sync, and then choose the appropriate certificate on the secondary node after that sync finishes.
This typically means using the same cert on both nodes and having its properties allow both hostnames/addresses to work, but you can use separate certs as well so long as the certificates are managed on the primary only.
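As an added illustration of the "same cert on both nodes" approach (this is example code, not from the thread or from pfSense), the script below builds one key and certificate whose Subject Alternative Names cover the primary hostname, the secondary hostname and the CARP VIP name, plus their addresses, and then checks each name the way a browser's hostname match would. The hostnames and addresses are placeholders. In practice you would have the request signed by your CA rather than self-signing it, import the resulting certificate once on the primary only, let it sync, and then select it for the web UI on the secondary.

```shell
#!/bin/sh
# Example, not pfSense's own tooling: one certificate whose SANs cover every
# name/address the HA pair's web UI can be reached under.
set -eu

PRIMARY_FQDN=fw1.example.net     # placeholder: primary node hostname
SECONDARY_FQDN=fw2.example.net   # placeholder: secondary node hostname
VIP_FQDN=fw.example.net          # placeholder: name pointing at the CARP VIP
PRIMARY_IP=192.0.2.2             # placeholder addresses (RFC 5737 range)
SECONDARY_IP=192.0.2.3
VIP_IP=192.0.2.1

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# OpenSSL request config listing both nodes and the VIP as SANs.
make_san_config() {
  cat > "$WORKDIR/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
x509_extensions = v3_req
prompt = no
[dn]
CN = $VIP_FQDN
[v3_req]
subjectAltName = @alt
extendedKeyUsage = serverAuth
[alt]
DNS.1 = $VIP_FQDN
DNS.2 = $PRIMARY_FQDN
DNS.3 = $SECONDARY_FQDN
IP.1 = $VIP_IP
IP.2 = $PRIMARY_IP
IP.3 = $SECONDARY_IP
EOF
}

# Generate key + self-signed cert (self-signed here only so the example runs
# offline; for production, drop -x509 to get a CSR and have your CA sign it).
make_cert() {
  make_san_config
  openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORKDIR/webgui.key" -out "$WORKDIR/webgui.crt" \
    -config "$WORKDIR/san.cnf" -extensions v3_req 2>/dev/null
}

# Does the cert name this host (DNS) or address (IP)?  Exit 0 if covered.
cert_covers() {
  case "$1" in
    *[A-Za-z]*) pat="DNS:$1" ;;
    *)          pat="IP Address:$1" ;;
  esac
  openssl x509 -in "$WORKDIR/webgui.crt" -noout -text | grep -qF "$pat"
}

make_cert
# Show the SAN line so the reader can see all six entries are present.
openssl x509 -in "$WORKDIR/webgui.crt" -noout -text | grep -A1 'Subject Alternative Name'
```

Because the certificate is managed on the primary and synced, the secondary never needs its own; whichever node you browse to, and whether by VIP name, node name or address, the SAN list matches, so the HSTS-enforced refusal to click through a mismatch no longer applies.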