Web GUI Cert Issues



  • Hello,

    When the pfSense webconfigurator is set to https access, trying to access it in a web browser (in Windows) causes invalid certificate error messages. I understand that this is typical because the certificate does not come from a trusted/known authority.

    However, adding that certificate to Windows cert manager seems to have no effect as the errors continue to appear. If I create a new certificate and add that to the Windows cert manager, also no effect. I've also tried creating a CA and then generating a new cert from that and then adding both the CA and the cert to Windows but again this has no effect. At this point it seems that adding certificates created by pfSense to the Windows cert manager seems to have absolutely no effect on getting rid of these cert error messages every time I access the webConfigurator. My understanding has always been that if you add a cert. to Windows, then the web page(s) would display correctly without interruption.

    My question is: does anyone here know what I may be doing wrong? Is there a way to fix this so that the cert error messages go away?


  • LAYER 8 Netgate

    Install a certificate signed by a trusted root or tell your browser to trust the certificate.



  • @Derelict:

    Install a certificate signed by a trusted root or tell your browser to trust the certificate.

    Thank you for your input.
    I had done that already. I think the issue must be from my test environment, more specifically the browser I'm using (IE). I tried using Firefox and there are no issues.



  • Assuming you are starting from a clean install, the "simple and quick" way to do this would be to create a Certificate Authority (CA) on the pfSense box, create a new server certificate signed by the new CA, change the web configurator to use the new server cert, then install the public key of the CA's cert into your Windows (and for that matter Firefox) certificate store. The FQDN and/or IP address of the firewall management interface you are accessing should match the Common Name or one of the Alternate Names in the server certificate you create, if you want to avoid all browser errors.

    The reason it works with Firefox is because Firefox does not use the Windows certificate store, and allows you to permanently "trust" a certificate without trusting the whole chain.

    General info here:
    https://doc.pfsense.org/index.php/Certificate_Management

    Someone has written more specific instruction here:
    https://www.sxl.net/guides/cloud-vps/pfsense/5482/
    Be warned, if you have already configured OpenVPN or LDAP, you might well have already created a local CA, and possibly a server certificate.
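
Added example, not part of the thread or of pfSense: a Python sketch of the name check described in the post above, showing why a certificate whose CA is trusted can still raise a browser error when the address typed does not match the certificate's names. The host names, addresses and the function `name_matches` are constructed for illustration, and the sketch assumes an RFC 6125 style rule in which the Common Name is consulted only when the certificate carries no Alternate Names.

```python
import ipaddress

def _dns_match(pattern, host):
    """Match one DNS name; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative: require at least two labels after the wildcard.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def name_matches(host, dns_sans=(), ip_sans=(), common_name=None):
    """Return (ok, reason) for the host typed into the browser's address bar."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        addr = None  # not an IP literal, treat as a DNS name
    if addr is not None:
        # An IP literal is compared only against IP-type Alternate Names.
        if any(ipaddress.ip_address(s) == addr for s in ip_sans):
            return True, "IP SAN"
    elif any(_dns_match(s, host) for s in dns_sans):
        return True, "DNS SAN"
    # Assumed rule: fall back to the Common Name only when no SAN exists.
    if not (dns_sans or ip_sans) and common_name:
        if addr is not None and common_name == str(addr):
            return True, "Common Name"
        if addr is None and _dns_match(common_name, host):
            return True, "Common Name"
    return False, "no matching name in certificate"

if __name__ == "__main__":
    # Constructed sample: a certificate issued for the FQDN only.
    cert = {"dns_sans": ["pfsense.home.example"], "common_name": "pfsense.home.example"}
    for url_host in ("pfsense.home.example", "192.168.1.1"):
        print(url_host, name_matches(url_host, **cert))
```

With the constructed certificate above, browsing to the FQDN passes while browsing to `192.168.1.1` fails until that address is added as an IP-type Alternate Name.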



  • The best solution is this:
    @Derelict:

    Install a certificate signed by a trusted root or tell your browser to trust the certificate.

    Big problem  ;) : it won't be 'free'.
    I bought a domain name, like 'my-domain.tld' (give or take a few $ a year). Then, visit startssl.com to obtain a free valid signed certificate for 'my-domain.tld' and "portal.my-domain.tld" (I did not take the included 'www.my-domain.tld').
    You get all the files needed to install into pfSense.
    Switch portal authentication to https - no errors for all browsers. Works for me for years now.

