25.11 Webconfiguator doesn't start with https after upgrade

Liam

Webconfiguator gives a failed message after upgrade to 25.11

If I change protocol to http via viconfig then it starts and I get the gui back

This is the working stanza from webconfig:

<webgui>
                        <protocol>http</protocol>
                        <ssl-certref>54686b27c47e0</ssl-certref>
                        <port></port>
                        <max_procs>2</max_procs>
                        <dashboardcolumns>2</dashboardcolumns>
                        <webguicss>pfSense.css</webguicss>
                        <logincss>1e3f75;</logincss>
                        <roaming>enabled</roaming>
                        <dashboardavailablewidgetspanel></dashboardavailablewidgetspanel>
                        <systemlogsfilterpanel></systemlogsfilterpanel>
                        <systemlogsmanagelogpanel></systemlogsmanagelogpanel>
                        <statusmonitoringsettingspanel></statusmonitoringsettingspanel>
                </webgui>

The only change I made to the stanza was to remove the 's' from the 'https"

Cheers, Liam

Liam

Host is a Netgate XG-1541

SteveITS

@Liam This is just a guess but is the certificate valid? Maybe regenerate that.

Liam

@SteveITS

Thanks Steve. I regenerated the cert, and it still won't start the webconfigurator with https configured.

I don't know if I need to do any other steps other than hit the regenertate button for the cert though - so I might be missing something.

SteveITS

@Liam The certificate renewal page should show if anything is old/needs changing in the cert.

Does the web server (GUI Service) log show anything useful when it won't start?

Liam

@SteveITS

Nothing under GUI Service, but there is this under General:

rc.restart_webgui: The command '/usr/local/sbin/nginx -c /var/etc/nginx-webConfigurator.conf' returned exit code '1', the output was 'nginx: [emerg] SSL_CTX_use_certificate("/var/etc/cert.crt") failed (SSL: error:0A00018F:SSL routines::ee key too small)'

SteveITS

@Liam Sounds similar to the OpenVPN DH key issue:

https://docs.netgate.com/pfsense/en/latest/releases/25-11.html#openvpn
-> https://redmine.pfsense.org/issues/16421

Is your cert key 2048+ bits?

Liam

@SteveITS

You nailed it. The cert I renewed had a 1024 key. Once I worked out how to update that setting on a key renewal turning on HTTPS from the gui worked. Going to check on reboot now, but I presume it will work.

...and that's confirmed.

Thank you very much for your assistance, very much appreciated.

Cheers, Liam