Netgate Discussion Forum
    Let's Encrypt Certificate, through ACME, is not being recognized as a valid by Firefox and Edge

    pslinn:

      I have successfully generated Let's Encrypt certificate through ACME using Cloudflare. I have imported these certificates into Firefox and Edge.

      I am using these certificates, at the moment, for pfSense web gui security.

      The error message I am getting from Firefox is:
      "Connection not secure"
      "This website does not supply ownership information."

      Any suggestions on how to fix this?

      Regards.

      johnpoz (LAYER 8 Global Moderator), replying to @pslinn:

        @pslinn you wouldn't install the cert itself; your browser needs to trust the CA the certs came from.

        If your browser is not trusting an ACME cert, then you need to look at why your browser is not trusting Let's Encrypt. But what exactly is your browser saying about the cert?

        For example, "does not supply ownership information" doesn't mean the cert is not trusted.

        [image: thaterror.jpg]

        That specific error just means it's not an extended validation cert, i.e. EV. Google's SSL says the same thing ;)

        [image: google.jpg]

        You would have to find a site that is using an EV cert to see ownership info. Here is one example:

        [image: EV.jpg]

        I find it highly unlikely that Let's Encrypt would supply such certs. When you get such a cert, you have to jump through a bunch of hoops with the CA that issues the cert to prove that you are the company that you say you are, etc. And those certs are not cheap compared to just a normal cert.

        https://www.globalsign.com/en-in/ssl-information-center/what-is-an-extended-validation-certificate

        Extended Validation Certificate Verification

        During verification of an EV SSL Certificate, the owner of the website passes a thorough and globally standardized identity verification process (a set of vetting principles and policies ratified by the CA/Browser forum) to prove exclusive rights to use a domain, confirm its legal, operational and physical existence, and prove the entity has authorized the issuance of the certificate. This verified identity information is included within the certificate.

        edit: here is an example of a non-trusted site, because I accessed it via an IP/name that is not part of the CN or SAN listing for that cert

        [image: notsecure.jpg]

        If I look at the cert itself, I can see what CN and SANs are attributed to that site that would allow it to be trusted when accessed via one of those.

        [image: san.jpg]

        My browsers trust anything issued by my CA (home). But since I was accessing it via something not listed in the cert, the browser complains it's not trusted.

        The local.lan domain part of the FQDN is listed in this cert because I was in the middle of moving over to the home.arpa domain when I created this cert, and was not fully migrated at the time, so I also included the alternative FQDNs and IPs that I accessed the pfSense GUI with at the time... When I redo this cert I will leave off the local.lan SANs, because I have fully migrated to the home.arpa domain now. And I don't have all of pfSense's IPs listed because I never access the GUI via any of its other IPs.

        Gertjan, replying to @pslinn:

          @pslinn said in Let's Encrypt Certificate, through ACME, is not being recognized as a valid by Firefox and Edge:

          "Connection not secure"

          If you are visiting the pfSense interface using http://192.168.1.1, that is, your browser and the pfSense web server are not using any TLS (https), then the connection is not secure.

          Don't use https://192.168.1.1 either, as this will use port 443 on the web server, so a TLS connection is initiated, but you will still have a screen full of nasty-looking warnings.

          If the pfSense web server is using the certificate that you obtained from LE, that is, you have to tell pfSense to use that certificate:

          [image: ac092924-207e-4298-aef9-ac6d40168691-image.png]

          and:

          [image: 066e946f-aece-44ed-b4d2-f93888558175-image.png]

          Also, don't rush the manual / very detailed video that says that you have to:

          [image: e3627a6c-4bff-4ef9-b880-98cbf615af15-image.png]

          Also: the "staging" version is for testing; make sure you use "production-2":

          [image: ed10d6ab-0386-4793-968d-6b3e5f8e3572-image.png]

          And the best for last:

          You see the black-barred domain name here:

          [image: 39dba1c5-d32c-44ae-a6be-17aee150afc2-image.png]

          (btw: I'm asking for a wildcard certificate)

          That black-barred domain must match:

          [image: 93b8442c-fa08-47c0-9864-a6f8501a8044-image.png]

          And now you can use:

          [image: fbbb8266-40ef-43e5-ba81-dc263ed5db87-image.png]

          and because the certificate's "Alt Domain Names" match (again, a wildcard cert) the URL I use:

          [image: 92468301-a482-4909-a522-767058d4e6e6-image.png]

          my browser is happy. "Connection secured" and all that.

          @pslinn said in Let's Encrypt Certificate, through ACME, is not being recognized as a valid by Firefox and Edge:

          "This website does not supply ownership information."

          You can get certificates that 'prove' who you are.
          All you have to do is find one that is willing to make one for you ;) But don't count on LE to do this for you, they can't.
          As @johnpoz said: go visit one of the big CA signers, and you'll see what is needed to get one. Pre-heat your credit card, and be sure to have the pile of needed papers ready. They won't stop with your passport ^^

            pslinn:
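Both replies above come down to one check: the name or IP typed into the browser must appear in the certificate's Subject Alternative Names (johnpoz's CN/SAN point, Gertjan's wildcard "Alt Domain Names" point). The script below is an added illustration, not code from either poster or from pfSense or the ACME package; it reimplements the browser-side name check in plain Python against a constructed SAN list, so you can see why `https://192.168.1.1` fails when only a hostname is in the cert, and which names a `*.example.test` wildcard does and does not cover. The SAN entries (`pfsense.home.arpa`, `*.example.test`, `192.168.1.1`) are made-up sample values. Like current Firefox and Chrome, it looks only at SANs and ignores the CN.

```python
import ipaddress

# Constructed sample SAN list of a hypothetical pfSense GUI certificate
# (made-up names; not taken from the thread's screenshots).
SAMPLE_SANS = [
    ("DNS", "pfsense.home.arpa"),
    ("DNS", "pfsense.local.lan"),
    ("DNS", "*.example.test"),    # wildcard, as from a wildcard LE cert
    ("IP", "192.168.1.1"),
]


def _dns_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match as browsers apply it.

    Case-insensitive; a wildcard is accepted only as the entire leftmost
    label, must leave at least two more labels, and covers exactly one
    non-empty label (so *.example.test matches gui.example.test but
    neither example.test nor a.b.example.test).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                      # "f*.x.y", "*" and "*.test" are rejected
    if any("*" in label for label in p_labels[1:]):
        return False                      # wildcard only in the leftmost label
    if len(h_labels) != len(p_labels):
        return False                      # wildcard spans exactly one label
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def hostname_matches_sans(requested: str, sans) -> bool:
    """True if the host part of the URL is covered by the cert's SAN list.

    An IP literal is only matched against IP-address SANs and a DNS name
    only against DNS SANs, which is why https://192.168.1.1 fails when the
    cert lists just a hostname.
    """
    try:
        ip = ipaddress.ip_address(requested.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS":
            if _dns_matches(value, requested):
                return True
    return False


def explain(requested: str, sans=SAMPLE_SANS) -> str:
    """One-line verdict in the spirit of the browser warning."""
    if hostname_matches_sans(requested, sans):
        return f"{requested}: covered by SAN list, browser will accept the name"
    return f"{requested}: not in SAN list, browser will warn (name mismatch)"


if __name__ == "__main__":
    for url_host in ["pfsense.home.arpa", "192.168.1.1", "192.168.1.2",
                     "pfsense.local", "gui.example.test", "example.test",
                     "a.b.example.test"]:
        print(explain(url_host))
```

To compare against a real certificate, list its SANs with `openssl x509 -in cert.pem -noout -ext subjectAltName` and feed those entries into `hostname_matches_sans`; a name mismatch is a separate failure from an untrusted issuer, so a hostname that passes this check can still warn if the CA is not trusted.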

            Thank you very much for this valuable information. Following these suggestions worked out well for me.

            Regards.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.