Certificate



  • When I login to pfSense, I get the following warning:

    You attempted to reach 192.xxx.xxx.xxx, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications.

    I have exported the Firewall cert from pfSense, Windows and Chrome tell me they have successfully imported the certificate, yet I continue to get the message above.

    Any help with this would be greatly appreciated.



  • This sounds like a problem with your Chrome installation specifically. Can you test with another browser like Firefox or MSIE?



  • labratt104 - Did you ever fix your problem?  I'm running into the same issue with my pfsense box.


  • Banned

    You need to import the CA certificate to Trusted Root CAs store. Not the WebGUI one…



  • @doktornotor:

    You need to import the CA certificate to Trusted Root CAs store. Not the WebGUI one…

    Thanks.  I think I screwed up by accepting wherever Windows decided to automatically import the CA cert to.  It wasn't imported as a Trusted Root CA certificate.

    When I created the new server certificate Chrome originally still rejected it, saying the name didn't match.  After remembering something about the move away from CNs to subject alt names I regenerated the cert to include the domain name in the subject alt name field.  After that change Chrome and IE happily accept and trust the cert.



  • @reggie14:

    When I created the new server certificate Chrome originally still rejected it, saying the name didn't match.  After remembering something about the move away from CNs to subject alt names I regenerated the cert to include the domain name in the subject alt name field.  After that change Chrome and IE happily accept and trust the cert.

    Hello, I was wondering if you could go into more detail on this.  I am getting the "name didn't match" error.

    Here is what I have tried:
    In pfSense: Certificates > Cert Manager, click on CAs, click add or import CA, create an internal certificate authority.

    Then go to Certificates > Cert Manager, click on Certificates, create an internal certificate and then choose the Certificate Authority from the drop-down.
    I left all default values.
    For CN I left blank.
    For Alternative Names I put:
    Type: DNS, Value: hostname of my PC
    Type: IP, Value: IP address of my PC

    I do not know what to put in for the CN. I am not on a domain (Would I put in workgroup? or my hostname of the PC I am accessing from)?

    Also, do you access the firewall by IP address in the web browser?  I have several IP addresses that I can access the firewall from; if I ping the firewall it replies back from a different IP address network than what my host PC is on (Example: router is 192.168.1.1, wired PC is on 192.168.2.1, if I ping the router I get 192.168.3.1, which is my wireless network).

    I have HTTPS configured with a port number as well when logging into the router (Example https://192.168.2.1:9001/)

    Thanks,
    bskater
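The two posts above turn on the same point: Chrome ignores the CN and checks only the subjectAltName, and it checks the host exactly as typed in the address bar (an IP address matches only an IP-type SAN, a hostname only a DNS-type SAN, and the port, e.g. :9001, plays no part). The following is an added example, not code from the thread or from pfSense; it implements that matching rule in stdlib Python over constructed certificate dicts shaped like the output of `ssl.SSLSocket.getpeercert()`. The names and addresses in it (pfsense.local.lan, 192.168.1.1, 192.168.2.1) are assumed sample values.

```python
"""SAN-based hostname/IP matching, the way a browser checks a WebGUI cert.
Added example; the certificate dicts are constructed, not real certificates."""
import ipaddress
from urllib.parse import urlsplit

# Constructed: a cert whose only identity is the CN (no subjectAltName).
CN_ONLY_CERT = {
    "subject": ((("commonName", "192.168.2.1"),),),
}

# Constructed: a cert with one DNS and one IP SAN naming the firewall itself.
SAN_CERT = {
    "subject": ((("commonName", "pfSense-WebGUI"),),),
    "subjectAltName": (
        ("DNS", "pfsense.local.lan"),
        ("IP Address", "192.168.1.1"),
    ),
}


def _dns_match(pattern, hostname):
    """Case-insensitive DNS-name match; one leading '*' label is accepted."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def identity_from_url(url):
    """Return ('ip', address) or ('dns', hostname) for the host the user typed.
    The port (https://192.168.2.1:9001/) is not part of the identity."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("no host in URL")
    try:
        return ("ip", ipaddress.ip_address(host))
    except ValueError:
        return ("dns", host)


def cert_matches(cert, url):
    """True if the cert's subjectAltName covers the host in url.
    As in Chrome, the commonName is never consulted: a cert with no SANs
    fails regardless of what the CN says, and an IP typed in the address bar
    is only satisfied by an 'IP Address' SAN, never by a DNS SAN."""
    kind, ident = identity_from_url(url)
    for san_type, san_value in cert.get("subjectAltName", ()):
        if kind == "dns" and san_type == "DNS" and _dns_match(san_value, ident):
            return True
        if kind == "ip" and san_type == "IP Address":
            try:
                if ipaddress.ip_address(san_value) == ident:
                    return True
            except ValueError:
                continue  # malformed IP SAN entry: ignore it
    return False


if __name__ == "__main__":
    urls = ("https://192.168.2.1:9001/", "https://192.168.1.1/",
            "https://pfsense.local.lan/")
    for name, cert in (("CN-only", CN_ONLY_CERT), ("SAN", SAN_CERT)):
        for url in urls:
            print(f"{name:8s} {url:30s} -> {cert_matches(cert, url)}")
```

Run as a script it prints a small matrix showing that the CN-only certificate matches nothing, and that the SAN certificate matches exactly the firewall name and address it was issued for; accessing the same firewall from a second interface address (192.168.2.1 here) fails until that address is added as a further IP SAN.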



  • @blacklabelskater2:

    Also do you access the firewall by IP address in the web browser?  I have several IP addresses that I can access the firewall from, if I ping the firewall it replies back a different IP address network that what my host PC is on (Example: router is 192.168.1.1, wired PC is on 192.168.2.1, if I ping the router I get 192.168.3.1, which is my wireless network).

    That's messy.

    Your AP contains a "router" setup …?
    Normally: pfSense [LAN]= 192.168.1.1
    AP on LAN (example) IP : 192.168.1.2 (NAT Off, DHCP Off, gateway and DNS on AP is 192.168.1.1)
    Your PC : any IP pfSense gave it (192.168.2.2 - .254)


  • Rebel Alliance Global Moderator

    Yeah this sounds like a mess

    "router is 192.168.1.1, wired PC is on 192.168.2.1, if I ping the router I get 192.168.3.1, which is my wireless network)."

    So you have multiple interfaces/VLANs on pfsense.. "ping the router I get 192.168.3.1" is your router?  Are you talking about a pfsense interface on your wireless VLAN, or are you NATting your wireless with a wifi router that is not in AP mode?

    Why don't you access pfsense by name?  You can set up your rules to be able to hit the LAN interface, let's call it 192.168.1.1, of pfsense for its web GUI from any of your segments.  You could set up different names for your different segments and hit that interface via that name with a cert for that name, etc.  For example, pfsense.local.lan is 192.168.9.253 on my setup, and pfsense.wlan.local.lan is 192.168.2.253, which is the pfsense interface in my wireless segment; then a few more for dmz, ps3, etc.

    Personally I never access pfsense gui from anything other than the wired network.. Wifi shouldn't really be open to your firewall admin gui if you ask me ;)