Netgate Discussion Forum
    Web Configurator SSL

    webGUI
    19 Posts 4 Posters 7.6k Views
      tux

      Why is the web configurator not changeable ?

        doktornotor (Banned)

        Eeeeeh? Do not overwhelm us with so many details!

          tux

          Sorry, I think I got too sleepy.  ::)  I mean, the web configurator certificate can't be changed.  Whenever I choose the certificate I created, it creates another instance of the existing pfSense certificate and uses that instead.  So the list keeps growing and it is not changeable.


            Derelict (Netgate)

            I have never seen "Signature pending".  Is it just a CSR?  That won't work, bro.

            Yeah, you have to create a server certificate, not a certificate signing request (CSR).  Unless you want to create a CSR to be signed by another Authority.  Then you have to send it to them, they send you back a signed cert, and you have to import it.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              Slasky

              Hello

              I've got a similar problem, but this is with a signed certificate from an official certificate provider.

              I've requested a certificate for my public domain, and I've gotten the certificate and imported it via the Cert Manager in the webGUI.

              The problem occurs when I try to access the webGUI after I change the SSL certificate used to access the webGUI. After the change I'm not able to even get the login screen.

              A revert of a backup and resetting the webConfigurator gets me back to before the SSL certificate change, but that's not a solution.

              Any ideas?

                Derelict (Netgate)

                Don't know.  Works for me every time.  You'll have to provide more details as to what you're doing.

                  Slasky

                  I've requested a web server certificate from StartSSL, and imported the private and public key data during the certificate wizard in the webGUI.

                  The certificate is added successfully and I can choose it from the Advanced menu for the webconfigurator certificate.

                  Once I've done this it tries to redirect me to the webGUI once again, but then I can't access the GUI.

                  Pic of the certificate in the Cert Manager:

                    Derelict (Netgate)

                    Once I've done this it tries to redirect me to the webGUI once again, but then I can't access the GUI.

                    What do you get?

                    Also import the StartCOM Class 1 Server certificate as a CA so the webConfigurator can serve both the host and intermediate certificates.  It should show the intermediate CA instead of external when you look at server certs.

                      Slasky

                      I have already added StartCom as a CA, by importing their CA Certificate.

                      When changing the SSL certificate I get a timeout response from the firewall.

                      It's even trying to redirect to the same address I already was on. https://domain.com:myport/etc..

                        Derelict (Netgate)

                        If you added the StartCom root, delete it.

                        You need to add the StartCom Class 1 Server intermediate CA.

                        
                          Slasky

                          Done and done. Waiting for a new certificate from StartSSL just to make sure that the private key isn't botched.

                          Will post back here when I try the new cert.

                            Derelict (Netgate)

                            That should fail on import.  How old is this webConfig certificate you're replacing?  What are you testing from?  Shot in the dark, but if it's older (like XP pre-SP3, I think) you might be seeing an incompatibility with SHA256-signed certs.

                              Slasky

                              The certificate I'm replacing is a self-signed cert from an internal CA created on the pfSense.

                              I thought I'd get a cert from a known issuer to not have cert errors while accessing the firewall.

                              The cert is issued this year, so rather new.

                                Slasky

                                After adding your CA info, I saw that I'd added the Client CA info -.-

                                When I added your info the cert was recognized as a StartCom cert, but I still get the same error when trying to access https://mydomain.com:myport to access my firewall..

                                I can't access the webGUI at any level.. not FQDN, external IP, internal IP or anything..

                                  Derelict (Netgate)

                                  No idea.  Works for me every time.  Have you tried another client host?  Another browser?

                                    Slasky

                                    Tried different browsers, but not another computer. Will try a phone or something, accessing it from the outside.

                                    EDIT: Same problem, even from outside. This is starting to be mildly annoying

                                      Derelict (Netgate)

                                      PM me your hostname:port.  I'd be happy to see what I see from here.

                                        Slasky

                                        PM'd you now.

                                          Slasky

                                          I solved the problem.

                                          The cert from StartSSL was botched, and since I didn't want to spend 25 bucks revoking it, I bought another from SSLs.com for 8 bucks.

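Pulling together Derelict's points in this thread (a CSR is not a certificate, and the intermediate rather than the root has to be imported so the GUI serves the full chain) and the eventual finding that the certificate itself was botched, here is an added example, not from this thread or from pfSense, of pre-flight checks to run on the PEM files before assigning them to the webConfigurator. It assumes openssl is on PATH; the script name, file names and host:port are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Pre-flight checks to run on a
# cert/key pair before assigning it to the webConfigurator. Assumes openssl is on PATH;
# file paths and the host:port are placeholders you supply.

# Classify a PEM file: "cert", "csr" (what shows as "Signature pending" in the Cert
# Manager, usable only after a CA signs it) or "other".
pem_kind() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo cert
    elif grep -q -- 'CERTIFICATE REQUEST-----' "$1"; then
        echo csr
    else
        echo other
    fi
}

# Does the private key belong to the certificate? Compares the extracted public keys,
# which works for RSA and ECDSA alike (a mismatch is one way a cert ends up "botched").
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Was the server cert issued by the CA in $2? -partial_chain lets an intermediate act as
# the trust anchor, so importing the root instead of the intermediate fails this check.
issued_by() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# After the change: how many certs does the GUI actually send? 1 means the intermediate
# is missing from the chain; a timeout means the listener did not come back at all.
served_chain_length() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null |
        grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Usage: ./check_webgui_cert.sh server.pem server.key intermediate.pem [fw.example.com:443]
if [ "$#" -ge 3 ]; then
    [ "$(pem_kind "$1")" = cert ] || { echo "$1 is a $(pem_kind "$1"), not a certificate"; exit 1; }
    key_matches_cert "$1" "$2" || { echo "private key does not match $1"; exit 1; }
    issued_by "$1" "$3" || { echo "$3 did not issue $1 (root instead of intermediate?)"; exit 1; }
    [ -n "$4" ] && echo "$4 serves $(served_chain_length "$4") certificate(s)"
    echo "local checks passed"
fi
```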
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.