Web Configurator SSL

  • Why is the web configurator not changeable?

  • Banned

    Eeeeeh? Do not overwhelm us with so many details!

  • Sorry, I think I got too sleepy. I mean, the web configurator certificate can't be changed. Whenever I choose the certificate I created, it creates another instance of the existing pfsense certificate and uses that instead. So the list continues and is not changeable.

  • LAYER 8 Netgate

    I have never seen "Signature pending". Is it just a CSR?  That won't work, bro.

    Yeah, you have to create a server certificate, not a certificate signing request (CSR).  Unless you want to create a CSR to be signed by another authority.  Then you have to send it to them, they send you back a signed cert, and you have to import it.

  • Hello

    I've got a similar problem, but this is with a signed certificate from an official certificate provider.

    I've requested a certificate for my public domain, and I've gotten the certificate, and imported it via the Cert Manager in the webGUI.

    The problem occurs when I try to access the webGUI after I change the SSL certificate used to access the webGUI. After the change I'm not able to even get the login screen.

    A revert of a backup and resetting the webConfigurator gets me back to before the SSL certificate change, but that's not a solution.

    Any ideas?

  • LAYER 8 Netgate

    Don't know.  Works for me every time.  You'll have to provide more details as to what you're doing.

  • I've requested a web-server certificate from StartSSL, and imported the private and public key data during the certificate wizard in the webGUI.

    The certificate is added successfully and I can choose it from the Advanced menu for the webConfigurator certificate.

    Once I've done this it tries to redirect me to the webGUI once again, but then I won't get access to the GUI.

    Pic of the certificate in the Cert Manager:

  • LAYER 8 Netgate

    "Once I've done this it tries to redirect me to the webGUI once again, but then I won't get access to the GUI."

    What do you get?

    Also import the StartCom Class 1 Server certificate as a CA so the webConfigurator can serve both the host and intermediate certificates.  It should show the intermediate CA instead of external when you look at server certs.

  • I have already added StartCom as a CA, by importing their CA Certificate.

    When changing the SSL certificate I get a timeout response from the firewall.

    It's even trying to redirect to the same address I already was on. https://domain.com:myport/etc..

  • LAYER 8 Netgate

    If you added the StartCom root, delete it.

    You need to add the StartCom Class 1 Server intermediate CA.

  • Done and done. Waiting for a new certificate from StartSSL just to make sure that the private key isn't botched.

    Will post back here when I try the new cert.

  • LAYER 8 Netgate

    That should fail on import.  How old is this webConfig certificate you're replacing?  What are you testing from?  Shot in the dark but if it's older (like XP pre-SP3 I think) you might be seeing an incompatibility with SHA256-signed certs.

  • The certificate I'm replacing is a self-signed cert from an internal CA created on the pfsense.

    I thought I'd get a cert from a known issuer to not have cert errors while accessing the firewall.

    The cert is issued this year, so rather new.

  • After adding your CA info, I saw that I'd added the client CA info -.-

    When I added your info the cert was recognized as a StartCom cert, but I still get the same error when trying to access https://mydomain.com:myport to access my firewall.

    I can't access the webGUI at any level: not FQDN, external IP, internal IP or anything.

  • LAYER 8 Netgate

    No idea.  Works for me every time.  Have you tried another client host?  Another browser?

  • Tried different browsers, but not another computer. Will try a phone or something, accessing it from the outside.

    EDIT: Same problem, even from outside. This is starting to be mildly annoying.

  • LAYER 8 Netgate

    pm your hostname:port.  I'd be happy to see what I see from here.

  • PM'd you now

  • I solved the problem.

    The cert from StartSSL was botched, and since I didn't want to spend 25 bucks revoking it, I bought another from SSLs.com for 8 bucks.

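Added example, not part of any post in this thread: two checks worth running with openssl before importing a CA-issued certificate, covering the two failure causes discussed above (a private key that does not belong to the certificate, and a missing intermediate CA). The function names, subjects and the throwaway root/intermediate/leaf chain are constructed for illustration.

```shell
#!/bin/sh
# Added example; every name, subject and file here is constructed test material.

# Exit 0 if private key $2 belongs to certificate $1 (same public key).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if leaf $2 validates to trusted root $1. Optional $3 is the
# intermediate the server would send; omit it to model a leaf-only server.
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Build a throwaway root -> intermediate -> leaf chain in directory $1.
make_test_chain() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    q() { openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes "$@" 2>/dev/null; }
    q -x509 -extensions v3_ca -days 2 -subj '/CN=Constructed Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem"
    q -subj '/CN=Constructed Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca -days 2 \
        -out "$d/int.pem" 2>/dev/null
    q -subj '/CN=fw.example.test' -keyout "$d/leaf.key" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Usage with real files (paths are placeholders):
#   key_matches_cert server.crt server.key && echo "key matches"
#   chain_verifies root.pem server.crt intermediate.pem && echo "chain ok"
```

With a real certificate, run key_matches_cert first; a mismatch means the issued certificate was made for a different key and has to be reissued.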