Netgate Discussion Forum

Let's Encrypt Certificate, through ACME, is not being recognized as valid by Firefox and Edge

ACME
  • pslinn
    last edited by Apr 17, 2024, 11:41 PM

    I have successfully generated a Let's Encrypt certificate through ACME using Cloudflare. I have imported these certificates into Firefox and Edge.

    I am using these certificates, at the moment, for pfSense web gui security.

    The error message I am getting from Firefox is:
    "Connection not secure"
    "This website does not supply ownership information."

    Any suggestions on how to fix this?

    Regards.

    • johnpoz LAYER 8 Global Moderator @pslinn
      posted Apr 19, 2024, 9:44 AM; last edited by johnpoz Apr 19, 2024, 10:09 AM

      @pslinn you wouldn't install the cert itself; your browser needs to trust the CA the certs came from.

      If your browser is not trusting an ACME cert, then you need to look at why your browser is not trusting Let's Encrypt. But what exactly is your browser saying about the cert?

      For example, "does not supply ownership information" doesn't mean the cert is not trusted.


      That specific error just means it is not an extended validation cert, i.e. EV. Google's SSL cert says the same thing ;)


      You would have to find a site that is using an EV cert to see ownership info. For example, here is one:


      I find it highly unlikely that Let's Encrypt would supply such certs. When you get such a cert, you have to jump through a bunch of hoops with the CA that issues the cert to prove that you are the company you say you are, etc. And those certs are not cheap compared to just a normal cert.

      https://www.globalsign.com/en-in/ssl-information-center/what-is-an-extended-validation-certificate

      Extended Validation Certificate Verification

      During verification of an EV SSL Certificate, the owner of the website passes a thorough and globally standardized identity verification process (a set of vetting principles and policies ratified by the CA/Browser forum) to prove exclusive rights to use a domain, confirm its legal, operational and physical existence, and prove the entity has authorized the issuance of the certificate. This verified identity information is included within the certificate.

      edit: here is an example of a non-trusted site, because I accessed it via an IP/name that is not part of the CN or SAN listing for that cert:


      If I look at the cert itself, I can see what CN and SANs are attributed to that site that would allow for it to be trusted when accessed via one of those:


      My browsers trust anything issued by my CA (home). But since I was accessing it via something not listed in the cert, the browser complains it's not trusted.

      The local.lan domain part of the FQDN is listed in this cert because I was in the middle of moving over to the home.arpa domain when I created this cert, and was not fully migrated at the time, so I also included the alternative FQDNs and IPs that I accessed the pfSense GUI with at the time. When I redo this cert I will leave off the local.lan SANs, because I have fully migrated to the home.arpa domain now. And I don't have all of pfSense's IPs listed because I never access the GUI via any of its other IPs.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • Gertjan @pslinn
        last edited by Apr 19, 2024, 10:14 AM

        @pslinn said in Let's Encrypt Certificate, through ACME, is not being recognized as valid by Firefox and Edge:

        "Connection not secure"

        If you are visiting the pfSense interface using http://192.168.1.1 - that is, your browser and the pfSense web server are not using any TLS (https) - then the connection is not secure.

        Don't use https://192.168.1.1 either, as this will use port 443 on the web server, so a TLS connection is initiated, but you will still have a screen full of nasty-looking warnings.

        If the pfSense web server is using the certificate that you obtained from LE - that is, you have to tell pfSense to use that certificate:


        and:


        Also, don't rush the manual / very detailed video that says that you have to:


        Also: the "staging" version is for testing - make sure you use "production-2":


        And the best for last:

        You see the black-barred domain name here:


        (btw: I'm asking for a wildcard certificate)

        That black-barred domain must match:


        And now you can use:


        and because the certificate's "Alt Domain Names" matches (again, a wildcard cert) the URL I use:


        my browser is happy. "Connection secured" and all that.

        @pslinn said in Let's Encrypt Certificate, through ACME, is not being recognized as valid by Firefox and Edge:

        "This website does not supply ownership information."

        You can get certificates that 'prove' who you are.
        All you have to do is find a CA that is willing to make one for you ;) But don't count on LE to do this for you, they can't.
        As @johnpoz said: go visit one of the big CA signers, and you'll see what is needed to get one. Pre-heat your credit card, and be sure to get the pile of needed papers ready. They won't stop with your passport ^^

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??
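Both johnpoz's name-mismatch screenshots and Gertjan's wildcard case come down to the same browser check: the host name or IP typed into the address bar must be covered by one of the certificate's subjectAltName entries, and a wildcard only stands in for a single left-most label. The following is an added example (not code from either poster or from pfSense) that implements that matching rule in plain Python; the SAN lists are constructed sample values that only imitate the layout described in the thread, not the real entries behind the redacted screenshots.

```python
from __future__ import annotations

import ipaddress
from typing import Iterable, Tuple

# Constructed sample SAN list, loosely modelled on the layout johnpoz describes:
# a home.arpa name, a leftover local.lan name and one LAN IP. Example values only.
PFSENSE_SANS: list[Tuple[str, str]] = [
    ("DNS", "pfsense.home.arpa"),
    ("DNS", "pfsense.local.lan"),
    ("IP", "192.168.1.1"),
]

# Constructed wildcard SAN list, as on a Let's Encrypt wildcard certificate
# (Gertjan's case). example.net is a placeholder domain, not a real deployment.
WILDCARD_SANS: list[Tuple[str, str]] = [
    ("DNS", "*.example.net"),
    ("DNS", "example.net"),
]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID matching: case-insensitive, and '*' may only
    replace the whole left-most label (no partial or multi-level wildcards)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label and must be followed by
    # at least two more labels, so '*' alone or '*.net' is never accepted.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # '*.example.net' covers 'pfsense.example.net' but not 'example.net'
    # (too few labels) and not 'a.b.example.net' (too many labels).
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(sans: Iterable[Tuple[str, str]], requested: str) -> bool:
    """True if the name or IP the browser was asked for is covered by one of the
    certificate's subjectAltName entries. IP SANs only ever match an IP literal,
    and DNS SANs only ever match a host name, just as browsers treat them."""
    try:
        requested_ip = ipaddress.ip_address(requested)
    except ValueError:
        requested_ip = None
    for kind, value in sans:
        if kind == "IP" and requested_ip is not None:
            if ipaddress.ip_address(value) == requested_ip:
                return True
        elif kind == "DNS" and requested_ip is None:
            if dns_name_matches(value, requested):
                return True
    return False


def describe(sans: Iterable[Tuple[str, str]], requested: str) -> str:
    """Human-readable verdict for one address-bar value."""
    if hostname_matches(sans, requested):
        return f"{requested}: covered by a SAN entry, no name-mismatch warning"
    return f"{requested}: not in the SAN list, the browser will warn"


if __name__ == "__main__":
    # The URLs johnpoz's cert would and would not cover.
    for name in ("pfsense.home.arpa", "192.168.1.1", "192.168.1.2", "pfsense"):
        print(describe(PFSENSE_SANS, name))
    # The wildcard cert: one label deep only.
    for name in ("pfsense.example.net", "example.net", "a.b.example.net"):
        print(describe(WILDCARD_SANS, name))
```

The practical upshot for this thread: adding a certificate to the browser's store does nothing for a name mismatch, and a wildcard SAN does not rescue a URL that uses the bare IP or an extra subdomain level; the fix is to visit the GUI by a name the certificate actually lists.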

        • pslinn
          last edited by Apr 21, 2024, 10:36 PM

          Thank you very much for this valuable information. Following these suggestions worked out well for me.

          Regards.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.