Web Configurator SSL



  • Why is the web configurator not changeable ?


  • Banned

    Eeeeeh? Do not overwhelm us with so many details!



  • Sorry, I think I got too sleepy.  ::)  I mean, the web configurator certificate can't be changed.  Whenever I choose the certificate I created it creates another instance of the existing pfsense certificate and use that instead.  So the list continues and not changeable.



  • LAYER 8 Netgate

    I have never seen "Signature pending" is it just a CSR?  That won't work, bro.

    Yeah, you have to create a server certificate, not a certificate signing request(CSR).  Unless you want to create a CSR to be signed by another Authority.  Then you have to send it to them, they send you back a signed cert, and you have to import it.



  • Hello

    I've got a similar problem, but this is With a signed certificate from an official certificate provider.

    I've requested a certificate for my Public domain, and I've gotten the certificate, and imported it via the Cert Manager in the webGUI.

    The problem occurs when I try to Access the webGUI after I change the SSL certificate used to Access the webGUI. After the change I'm not able to even get the login-screen.

    A revert of a backup and resetting the webConfigurator gets me back to before the SSL certificate change, but thats not a solution.

    Any ideas?


  • LAYER 8 Netgate

    Don't know.  Works for me every time.  You'll have to provide more details as to what you're doing.



  • I've requested a web-server certificate from StartSSL, and imported the private and Public key data during the Certificate-wizard in the webGUI.

    The certificate is added successfully and I can choose it from the Advanced menu for the webconfigurator certificate.

    Once I've done this it tries to redirect me to the webGUI once again, but then I won't get Access the GUI.

    Pic of the certificate in the Cert Manager:


  • LAYER 8 Netgate

    Once I've done this it tries to redirect me to the webGUI once again, but then I won't get Access the GUI.

    What do you get?

    Also import the StartCOM Class 1 Server certificate as a CA so the webConfigurator can serve both the host and intermediate certificates.  It should show the intermediate CA instead of external when you look at server certs.



  • I have already added StartCom as a CA, by importing their CA Certificate.

    When changing the SSL certificate I get a timeout response from the firewall.

    It's even trying to redirect to the same address I already was on. https://domain.com:myport/etc..


  • LAYER 8 Netgate

    If you added the startcom root, Delete it.

    You need to add the startcom class 1 server intermediate CA.

    
    -----BEGIN CERTIFICATE-----
    MIIF2TCCA8GgAwIBAgIHFxU9nqs/vzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQG
    EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp
    Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2Vy
    dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDE0MjA1NDE3WhcNMjIxMDE0MjA1
    NDE3WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp
    BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV
    BAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVy
    IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj
    0PREGBiEgFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo
    /OenJOJApgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn6
    6+6CPAVvkvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+v
    WjhwRRI/ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxD
    KslIDlc5xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21T
    Lwb0pwIDAQABo4IBTDCCAUgwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
    BAMCAQYwHQYDVR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaA
    FE4L7xqkQFulF2mHMMo0aEPQQa7yMGkGCCsGAQUFBwEBBF0wWzAnBggrBgEFBQcw
    AYYbaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL2NhMDAGCCsGAQUFBzAChiRodHRw
    Oi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwMgYDVR0fBCswKTAnoCWg
    I4YhaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMEMGA1UdIAQ8MDow
    OAYEVR0gADAwMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9w
    b2xpY3kucGRmMA0GCSqGSIb3DQEBCwUAA4ICAQCBnsOw7dxamNbdJb/ydkh4Qb6E
    qgEU+G9hCCIGXwhWRZMYczNJMrpVvyLq5mNOmrFPC7bJrqYV+vEOYHNXrzthLyOG
    FFOVQe2cxbmQecFOvbkWVlYAIaTG42sHKVi+RFsG2jRNZcFhHnsFnLPMyE6148lZ
    wVdZGsxZvpeHReNUpW0jh7uq90sShFzHs4f7wJ5XmiHOL7fZbnFV6uE/OoFnBWif
    CRnd9+RE3uCospESPCRPdbG+Q4GQ+MBS1moXDTRB6DcNoHvqC6eU3r8/Fn/DeA9w
    9JHPXUfrAhZYKyOQUIqcfE5bvssaY+oODVxji6BMk8VSVHsJ4FSC1/7Pkt/UPoQp
    FVh38wIJnvEUeNVmVl3HHFYTd50irdKYPBC63qi2V/YYI6bJKmbrjfP9Vhyt9uNr
    y3Kh4W22ktDuCCvWC7n/gqerdq+VlTRfNt7D/mB0irnaKjEVNCXBXm9V/978J+Ez
    8aplGZccQ9jnc9kiPtUp5dj45E3V8vKqzp9srSSI5Xapdg+ZcPY+6HNuVB+MadRp
    ZW2One/Qnzg9B4GnVX7MOETImdoP4kXpostFuxoY/5LxCU1LJAIENV4txvT50lX2
    GBXCkxllRLWOgdyll11ift/4IO1aCOGDijGIfh498YisM1LGxytmGcxvbJERVri+
    gGpWAZ5J6dvtf0s+bA==
    -----END CERTIFICATE-----
    
    


  • Done and done. Waiting for a New certificate from StartSSL just to make sure that the private key isn't botched.

    Will post back here when I try the New cert.


  • LAYER 8 Netgate

    That should be fail on import.  How old is this webConfig certificate you're replacing?  What are you testing from?  Shot in the dark but if it's older (like XP pre-SP3 I think) you might be seeing an incompatibility with SHA256-signed certs.



  • The certificate i'm replacing is a self-signed cert from an internal CA created on the pfsense.

    I thought I'd get a cert from a known issuer to not have cert errors while accessing the firewall.

    The cert is issued this year, so rather New.



  • After adding Your CA info, I saw that I'd added the Client CA info -.-

    When I added Your info the cert was recognized as a StartCom cert, but I still get the same error when trying to Access the https://mydomain.com:myport to Access my firewall..

    I cant Access the webGUI at any Level.. not FQDN, external IP, internal IP or anything..


  • LAYER 8 Netgate

    No idea.  Works for me every time.  Have you tried another client host?  Another browser?



  • Tried different browsers, but not another computer. Will try a phone or something, accessing it from the outside

    EDIT: Same problem, even from outside. This is starting to be mildly annoying


  • LAYER 8 Netgate

    pm your hostname:port.  I'd be happy to see what I see from here.



  • PM'd you now



  • I solved the problem.

    The Cert from StartSSL was botched, and since I didnt want to spend 25 bucks revoking it, I bought another from SSLs.com for 8 bucks.


Log in to reply