Webconfigurator Server Cert (IP and DN with alternative names) does not work
-
I create a CA and a certificate (with domain name and IP with alternative names)
activate in System -> Advanced the SSL certificate
import the CA on my client
Now the DNS works and gets the correct green sign in my browser, but the IP gets an error.
Isn't alternative names the correct way to get a certificate for domain name and IP?
thx
mike
-
Could be due to this:
https://redmine.pfsense.org/issues/3347
-
> I create a CA and a certificate (with domain name and IP with alternative names)
> activate in System -> Advanced the SSL certificate
> import the CA on my client
> Now the DNS works and gets the correct green sign in my browser, but the IP gets an error.
> Isn't alternative names the correct way to get a certificate for domain name and IP?
> thx
> mike

I know this isn't particularly helpful, but it works fine for me. I had to restart Chrome after loading the CA certificate, though. And make sure you import it as a Trusted Root CA certificate - it doesn't work if you accept the defaults in the certificate import wizard in Windows.
-
> Could be due to this:
> https://redmine.pfsense.org/issues/3347

Looks like it still doesn't work in 2.2
thx
-
> > Could be due to this:
> > https://redmine.pfsense.org/issues/3347
>
> Looks like it still doesn't work in 2.2
> thx

Perhaps, but as I said in my post, SANs are working fine for me. I've tried IE and Chrome under Windows 7, and Chrome under Android. I've also verified that it works fine both for DNS names and IP addresses.
Edit: Actually, I just noticed IP doesn't work on IE, although it does work on Chrome. The certificate looks fine, though. Has MS started rejecting SANs containing private IPs? Here's an old, random blog post that seems to confirm that Microsoft doesn't like the IP address. What browser are you using? Here's a more official statement from MS confirming the limitation. They suggest adding the IP address as a DNS name to the SAN list, rather than identifying it as an IP. That's a weird work-around. I'd also keep the IP address in as an IP entry - other browsers might need that.
Can you post a screenshot of the certificate warning message, and of the certificate details, particularly what's under SAN?
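
The SAN matching discussed in the post above, as an added example that is not part of the thread or of pfSense: it checks which URL hosts a SAN list covers under standards-style matching and under a client that only looks at DNS entries. The `dns_only` model is an assumption based on the behaviour reported above, and the host name and address are constructed placeholders.

```python
import ipaddress

# SAN entries use the tuple form ssl.SSLSocket.getpeercert() returns under
# "subjectAltName": ("DNS", name) or ("IP Address", address).

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_match(pattern, host):
    """Case-insensitive label compare; '*' may stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def strict_match(san, host):
    """RFC 2818 / RFC 6125 style: an IP literal is checked against iPAddress
    entries only, a host name against dNSName entries only."""
    if is_ip(host):
        want = ipaddress.ip_address(host)
        return any(t == "IP Address" and is_ip(v) and ipaddress.ip_address(v) == want
                   for t, v in san)
    return any(t == "DNS" and dns_match(v, host) for t, v in san)

def dns_only_match(san, host):
    """Assumed model of the client reported in the thread: whatever is typed
    in the address bar is compared with dNSName entries only."""
    return any(t == "DNS" and dns_match(v, host) for t, v in san)

def coverage(san, hosts):
    return {h: {"strict": strict_match(san, h), "dns_only": dns_only_match(san, h)}
            for h in hosts}

# Constructed sample data: placeholder host name and address.
HOSTS = ["fw.example.lan", "192.168.1.1"]
SAN_IP_ENTRY = [("DNS", "fw.example.lan"), ("IP Address", "192.168.1.1")]
SAN_DNS_ENTRY = [("DNS", "fw.example.lan"), ("DNS", "192.168.1.1")]
SAN_BOTH = SAN_IP_ENTRY + [("DNS", "192.168.1.1")]

if __name__ == "__main__":
    for name, san in [("IP entry", SAN_IP_ENTRY), ("DNS entry", SAN_DNS_ENTRY), ("both", SAN_BOTH)]:
        print(name, coverage(san, HOSTS))
```

Only the list carrying the address as both an IP entry and a DNS entry covers the IP URL under both models. To check a live server, pass `getpeercert()["subjectAltName"]` in place of the sample lists.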
-
I created the cert with pfSense and imported it in apache2 on my other server. This was my test. When I create one for the pfSense server with DNS and IP it works. So there is a problem in my other apache2 config and not in the cert.
thx for the help
mike
-
Looks like that bug was fixed but not marked as such. The certs are indeed made properly, at least on 2.2.