Web Configurator SSL
-
Why is the web configurator not changeable ?
-
Eeeeeh? Do not overwhelm us with so many details!
-
Sorry, I think I got too sleepy. ::) I mean, the web configurator certificate can't be changed. Whenever I choose the certificate I created it creates another instance of the existing pfsense certificate and use that instead. So the list continues and not changeable.
-
I have never seen "Signature pending" is it just a CSR? That won't work, bro.
Yeah, you have to create a server certificate, not a certificate signing request(CSR). Unless you want to create a CSR to be signed by another Authority. Then you have to send it to them, they send you back a signed cert, and you have to import it.
-
Hello
I've got a similar problem, but this is With a signed certificate from an official certificate provider.
I've requested a certificate for my Public domain, and I've gotten the certificate, and imported it via the Cert Manager in the webGUI.
The problem occurs when I try to Access the webGUI after I change the SSL certificate used to Access the webGUI. After the change I'm not able to even get the login-screen.
A revert of a backup and resetting the webConfigurator gets me back to before the SSL certificate change, but thats not a solution.
Any ideas?
-
Don't know. Works for me every time. You'll have to provide more details as to what you're doing.
-
I've requested a web-server certificate from StartSSL, and imported the private and Public key data during the Certificate-wizard in the webGUI.
The certificate is added successfully and I can choose it from the Advanced menu for the webconfigurator certificate.
Once I've done this it tries to redirect me to the webGUI once again, but then I won't get Access the GUI.
Pic of the certificate in the Cert Manager:
-
Once I've done this it tries to redirect me to the webGUI once again, but then I won't get Access the GUI.
What do you get?
Also import the StartCOM Class 1 Server certificate as a CA so the webConfigurator can serve both the host and intermediate certificates. It should show the intermediate CA instead of external when you look at server certs.
-
I have already added StartCom as a CA, by importing their CA Certificate.
When changing the SSL certificate I get a timeout response from the firewall.
It's even trying to redirect to the same address I already was on. https://domain.com:myport/etc..
-
If you added the startcom root, Delete it.
You need to add the startcom class 1 server intermediate CA.
-----BEGIN CERTIFICATE----- MIIF2TCCA8GgAwIBAgIHFxU9nqs/vzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQG EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2Vy dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDE0MjA1NDE3WhcNMjIxMDE0MjA1 NDE3WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV BAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVy IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj 0PREGBiEgFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo /OenJOJApgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn6 6+6CPAVvkvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+v WjhwRRI/ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxD KslIDlc5xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21T Lwb0pwIDAQABo4IBTDCCAUgwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E BAMCAQYwHQYDVR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaA FE4L7xqkQFulF2mHMMo0aEPQQa7yMGkGCCsGAQUFBwEBBF0wWzAnBggrBgEFBQcw AYYbaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL2NhMDAGCCsGAQUFBzAChiRodHRw Oi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwMgYDVR0fBCswKTAnoCWg I4YhaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMEMGA1UdIAQ8MDow OAYEVR0gADAwMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9w b2xpY3kucGRmMA0GCSqGSIb3DQEBCwUAA4ICAQCBnsOw7dxamNbdJb/ydkh4Qb6E qgEU+G9hCCIGXwhWRZMYczNJMrpVvyLq5mNOmrFPC7bJrqYV+vEOYHNXrzthLyOG FFOVQe2cxbmQecFOvbkWVlYAIaTG42sHKVi+RFsG2jRNZcFhHnsFnLPMyE6148lZ wVdZGsxZvpeHReNUpW0jh7uq90sShFzHs4f7wJ5XmiHOL7fZbnFV6uE/OoFnBWif CRnd9+RE3uCospESPCRPdbG+Q4GQ+MBS1moXDTRB6DcNoHvqC6eU3r8/Fn/DeA9w 9JHPXUfrAhZYKyOQUIqcfE5bvssaY+oODVxji6BMk8VSVHsJ4FSC1/7Pkt/UPoQp FVh38wIJnvEUeNVmVl3HHFYTd50irdKYPBC63qi2V/YYI6bJKmbrjfP9Vhyt9uNr y3Kh4W22ktDuCCvWC7n/gqerdq+VlTRfNt7D/mB0irnaKjEVNCXBXm9V/978J+Ez 8aplGZccQ9jnc9kiPtUp5dj45E3V8vKqzp9srSSI5Xapdg+ZcPY+6HNuVB+MadRp ZW2One/Qnzg9B4GnVX7MOETImdoP4kXpostFuxoY/5LxCU1LJAIENV4txvT50lX2 GBXCkxllRLWOgdyll11ift/4IO1aCOGDijGIfh498YisM1LGxytmGcxvbJERVri+ gGpWAZ5J6dvtf0s+bA== -----END CERTIFICATE-----
-
Done and done. Waiting for a New certificate from StartSSL just to make sure that the private key isn't botched.
Will post back here when I try the New cert.
-
That should be fail on import. How old is this webConfig certificate you're replacing? What are you testing from? Shot in the dark but if it's older (like XP pre-SP3 I think) you might be seeing an incompatibility with SHA256-signed certs.
-
The certificate i'm replacing is a self-signed cert from an internal CA created on the pfsense.
I thought I'd get a cert from a known issuer to not have cert errors while accessing the firewall.
The cert is issued this year, so rather New.
-
After adding Your CA info, I saw that I'd added the Client CA info -.-
When I added Your info the cert was recognized as a StartCom cert, but I still get the same error when trying to Access the https://mydomain.com:myport to Access my firewall..
I cant Access the webGUI at any Level.. not FQDN, external IP, internal IP or anything..
-
No idea. Works for me every time. Have you tried another client host? Another browser?
-
Tried different browsers, but not another computer. Will try a phone or something, accessing it from the outside
EDIT: Same problem, even from outside. This is starting to be mildly annoying
-
pm your hostname:port. I'd be happy to see what I see from here.
-
PM'd you now
-
I solved the problem.
The Cert from StartSSL was botched, and since I didnt want to spend 25 bucks revoking it, I bought another from SSLs.com for 8 bucks.
