SSL certificate signed



  • @JohnnyBeGood:

    ….. now I stuck and cannot login into pfsense interface. In chrome I get:

    Been there - seen that.

    My 'solution' : SSH intp pfSense. Option 8: shell.

    Type
    viconfig

    Find
    <protocol>https</protocol>
    Change it for
    <protocol>http</protocol>
    Save.
    Reboot.

    Warning : editing the config.xml is "not done" (thats why it works ;)).
    You are using editor vi - its somewhat special.



  • @Gertjan:

    @JohnnyBeGood:

    ….. now I stuck and cannot login into pfsense interface. In chrome I get:

    Been there - seen that.

    My 'solution' : SSH intp pfSense. Option 8: shell.

    Type
    viconfig

    Find
    <protocol>https</protocol>
    Change it for
    <protocol>http</protocol>
    Save.
    Reboot.

    Warning : editing the config.xml is "not done" (thats why it works ;)).
    You are using editor vi - its somewhat special.

    I'm glad I'm not the only one with this issue  ;)

    So using Putty SSH I tried to connect to 192.168.1.1 but it keeps timing out. I'm assuming that SSH deamon is not enabled.
    My next step would be to physically connect keyboard and monitor and try to connect that way. Are above steps the same?



  • @Derelict:

    Tried w/ pfsense ip https://192.168.1.1 as well as domain that matched certificate https://linux.mydomain.net:81

    Connect to http://192.168.1.1/ and see what happens.

    Did you change the listening port?  You're trying https:// and https://host:81 there.

    I did try connecting to http://192.168.1.1/ but it does not connect.
    Neither port 80 or 81 worked.



  • @JohnnyBeGood:

    I'm assuming that SSH deamon is not enabled.

    Possible.
    But not for me.
    A remote system without remote SSH enabled: unthinkable.
    SSH is not some kind of 'emergency back door' : its the main maintenance port of any system. (GUI is just the next best thing)
    For me, that is.  I guess its quiet usual for people born before 1970  ;)

    @JohnnyBeGood:

    My next step would be to physically connect keyboard and monitor and try to connect that way. Are above steps the same?

    Of course.



  • @Gertjan:

    @JohnnyBeGood:

    ….. now I stuck and cannot login into pfsense interface. In chrome I get:

    Been there - seen that.

    My 'solution' : SSH intp pfSense. Option 8: shell.

    Type
    viconfig

    Find
    <protocol>https</protocol>
    Change it for
    <protocol>http</protocol>
    Save.
    Reboot.

    Warning : editing the config.xml is "not done" (thats why it works ;)).
    You are using editor vi - its somewhat special.

    Thanks for this, you're a life saver! I thought I need to re-install it  :'(



  • @Derelict:

    Did you install the Intermediate as a CA?

    Did you install the StartSSL certificate?

    Does pfSense recognize that the Cert is signed by the CA?

    Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??

    Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?

    Lets try this again since I got locked out  :(

    Did you install the Intermediate as a CA?
    I thought I did, please see attached screenshot.

    Does pfSense recognize that the Cert is signed by the CA?
    I think it does, please see attached.

    Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??
    Everything was fine until I selected new certificate. After that that I was locked out until I tried Gertjan's solution.

    Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?
    When I created cert. it matched my pfSense hostname.

    Why did I got locked out once I selected new cert?







  • LAYER 8 Netgate

    No.  You installed your certificate as a CA.  You need to install the StartSSL Class 1 Intermediate Server certificate as a CA.  Delete the Web gui linux from CAs and install this.

    http://www.startssl.com/certs/sub.class1.server.ca.pem

    –---BEGIN CERTIFICATE-----
    MIIF2TCCA8GgAwIBAgIHFxU9nqs/vzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQG
    EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp
    Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2Vy
    dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDE0MjA1NDE3WhcNMjIxMDE0MjA1
    NDE3WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp
    BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV
    BAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVy
    IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj
    0PREGBiEgFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo
    /OenJOJApgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn6
    6+6CPAVvkvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+v
    WjhwRRI/ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxD
    KslIDlc5xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21T
    Lwb0pwIDAQABo4IBTDCCAUgwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
    BAMCAQYwHQYDVR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaA
    FE4L7xqkQFulF2mHMMo0aEPQQa7yMGkGCCsGAQUFBwEBBF0wWzAnBggrBgEFBQcw
    AYYbaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL2NhMDAGCCsGAQUFBzAChiRodHRw
    Oi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwMgYDVR0fBCswKTAnoCWg
    I4YhaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMEMGA1UdIAQ8MDow
    OAYEVR0gADAwMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9w
    b2xpY3kucGRmMA0GCSqGSIb3DQEBCwUAA4ICAQCBnsOw7dxamNbdJb/ydkh4Qb6E
    qgEU+G9hCCIGXwhWRZMYczNJMrpVvyLq5mNOmrFPC7bJrqYV+vEOYHNXrzthLyOG
    FFOVQe2cxbmQecFOvbkWVlYAIaTG42sHKVi+RFsG2jRNZcFhHnsFnLPMyE6148lZ
    wVdZGsxZvpeHReNUpW0jh7uq90sShFzHs4f7wJ5XmiHOL7fZbnFV6uE/OoFnBWif
    CRnd9+RE3uCospESPCRPdbG+Q4GQ+MBS1moXDTRB6DcNoHvqC6eU3r8/Fn/DeA9w
    9JHPXUfrAhZYKyOQUIqcfE5bvssaY+oODVxji6BMk8VSVHsJ4FSC1/7Pkt/UPoQp
    FVh38wIJnvEUeNVmVl3HHFYTd50irdKYPBC63qi2V/YYI6bJKmbrjfP9Vhyt9uNr
    y3Kh4W22ktDuCCvWC7n/gqerdq+VlTRfNt7D/mB0irnaKjEVNCXBXm9V/978J+Ez
    8aplGZccQ9jnc9kiPtUp5dj45E3V8vKqzp9srSSI5Xapdg+ZcPY+6HNuVB+MadRp
    ZW2One/Qnzg9B4GnVX7MOETImdoP4kXpostFuxoY/5LxCU1LJAIENV4txvT50lX2
    GBXCkxllRLWOgdyll11ift/4IO1aCOGDijGIfh498YisM1LGxytmGcxvbJERVri+
    gGpWAZ5J6dvtf0s+bA==
    -----END CERTIFICATE-----

    After that, when you look at your certificate, it should show as being issued by that cert (Issuer)…

    ![Screen Shot 2015-09-17 at 10.19.58 PM.png](/public/imported_attachments/1/Screen Shot 2015-09-17 at 10.19.58 PM.png)
    ![Screen Shot 2015-09-17 at 10.19.58 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-09-17 at 10.19.58 PM.png_thumb)


  • LAYER 8 Global Moderator

    You know you could of just used pfsense self signed cert.. All you have to do is install the pfsense CA into your machine so that certs signed by that CA are trusted.  There is no reason to get a cert from startssl or anyplace be it free or not.

    The only time you would need a cert from a public trusted CA would be for say our portal when clients that have not trusted pfsense CA would hit the page via https


  • LAYER 8 Netgate

    That's your opinion. I get certs because I think it's inexcusable to have a user have to click through a certificate error. Trains them badly. With all the devices running around here and the amount of messing around I do, it's worth it to me to go through the yearly hassle of updating the certs with ones that won't throw errors at others.


  • LAYER 8 Global Moderator

    Who said anything about users clicking through bad certs?  I completely agree with you.. Its my machine on a server I admin, I can trust whatever CA I want, now I don't get errors.. Don't have to add an exception, etc.

    Notice I did state if using for say a captive portal you would use a public trusted CA for that cert..

    Once you trust the CA none of the certs that CA would create would throw errors, etc..




  • I also had what most had.
    Added the Class 1 & 3 root certificate from  https://www.cacert.org/index.php?id=3 as CA's.
    Then I added the Certificate I generated :

    • Method is : Import an Existing Certificate

    • Descriptive name : SSL Firewall certificate

    • Certificate data :```
      -----BEGIN CERTIFICATE REQUEST-----
      MIIEYzCCAksCAQAwHjEcMBoGA1UEAxMTcnV0aGVyLmEzLXN5c3RlbS5ldTCCAiIw
      DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL22lqy5GkaYOudPFljPax00GRUN
      BRZxINqUbu2QZekW0YW6I+I08RAAr5Ihq7bV5Hp31HCWV62oNVc+bk3wlHPpan8B
      HqiSXw3sFTw9007qlBtB/WdUJCMSg36WTj4iRBQE2kQnPN4FyBWVqQ68aclC8/5N
      WLwG5SIALaJ3QkTm89Jmce3JbH0fUsw7HlfkvGY3twtvoD4c9m7dzvIgXtqoKe0y
      XRKbd3Tnl9cF0ZKDtRI9WCwPsynhxnjX8GghES13exajutw12WwDp5cL82J2usdC
      SEWG5LTBbNTvJrdEr/PduZ4brVnOx0U+04zeGNfvBIvNfEB4APz+lkDuVczht2De
      YlL4DOjYHS7oqCcVuAUa25O5NUNKT/qThNFQfAaBnpc6FRV8I65SqnzkwTn+tbPW
      HQ6OvGYBBoWGRttI7chatCw+4VHmBqRf3vTRl6+bBcRfI5PxrB67UW4AfNaDXlu1
      5KGPHkO8l0kXJjRzjwB36Ho0MH9IXKUvYQbxdoJ9wntyV7NjvN8CJg0C6rORAcxN
      7Xp28MGwxEW6xEghCozj99KgNKwnlEn5ynDdLf/LfkIkpaheJ3p26MPMWeAtfICD
      XuJBVmwjn8mpHgq7d3AZIVF5vkLF9JvXqREA0UAiutuV/eFBVlBgUWHVvy2nMcDZ
      LOaIWk5rboaSvtwnAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAgEADV5FG87uRAbS
      8XowLqudKRIqNkftoUO/U7nhHSWj1XNKXdp6Y5e3U7BiJxYuKiZ3AuttyCMdBZ17
      28w6Vc/qsIRIvB//Xglj4ZRFLL+CKQ9PGX/w9lgtN9pEUSzl7LpKF2luvmySzDcD
      rULmUqB2Q6qyYgzMALK7eFLqnEYxeAXM6bw/64mvOoqviVFgtvMG3mx5QHBj98RS
      tOidaqwowKwfk112FXjikn/EKD2P5JI5zWkhHXNjha7YGCcxy/LwaubH3VnCz6bg
      HNoB6r1rGPwxz4YnspVOkCSPHdSHJiGCpwurF9zm4zNMk3SwbWtDW14dVoIXInIU
      tzdXfiS2UVPsgNtX3OQzt3LqwS+WiSFShjLKB3EgFHKibml99Bj+Ep55ptuhOkQt
      PRLo68VZV7tq03xvB2/pzCovQp06Fme8sZJyS6xVY7ir+YAyLsm+nwsRNktkiHWu
      NigfJhf6irRxwHf3lLXYgzEBRV7rzuxO2UxFeuluePZoXMZ7V3+zSQU3iKrpt8gp
      2P6tZbgJ/E/aQUPqokGgLXuRbpK3ywwebDSrWcc1LQCkQbBQylhWdcmHKylzhPzt
      k+yW2KNP69rQ1oobsTYyz9mHBHs5iT5vCz24K5TiIsToTqotVJGqFqsmujnEqD9w
      KgmjwdBTCEdpOcSLMwOxBiVvQ1LQ3fc=
      -----END CERTIFICATE REQUEST-----

    *   Private key data :```
    -----BEGIN RSA PRIVATE KEY-----
    MIIJK ....
    ...
    ...MP5nAc/8IcadB9YQ7U91stzaDblm04iBr
    -----END RSA PRIVATE KEY-----
    

    but when I select that certificate to be used the webConsole becomes inaccessible  :'(

    System log contains :

    Sep 22 22:10:39	php-fpm[77403]: /rc.restart_webgui: Creating rrd update script
    Sep 22 22:10:39	php-fpm[77403]: /rc.restart_webgui: The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '255', the output was '2015-09-22 22:10:39: (network.c.549) SSL: couldn't read X509 certificate from '/var/etc/cert.pem''
    Sep 22 22:10:37	check_reload_status: webConfigurator restart in progress
    Sep 22 22:10:37	php-fpm[14674]: /system_advanced_admin.php: webConfigurator configuration has changed. Restarting webConfigurator.
    Sep 22 22:10:33	check_reload_status: Reloading filter
    

    Any idea what could be wrong … ?

    \T,



  • Maybe this?

    Sep 22 22:10:39 php-fpm[77403]: /rc.restart_webgui: The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '255', the output was '2015-09-22 22:10:39: (network.c.549) SSL: couldn't read X509 certificate from '/var/etc/cert.pem''

    If it has a problem reading the file or the file is corrupt, that may trigger your issue.


  • LAYER 8 Netgate

    You are trying to install a CSR (Certificate signing request) as a certificate.  You need to get the certificate issued to you and install that.

    –---BEGIN CERTIFICATE REQUEST-----



  • @Derelict:

    No.  You installed your certificate as a CA.  You need to install the StartSSL Class 1 Intermediate Server certificate as a CA.  Delete the Web gui linux from CAs and install this.

    http://www.startssl.com/certs/sub.class1.server.ca.pem

    –---BEGIN CERTIFICATE-----
    MIIF2TCCA8GgAwIBAgIHFxU9nqs/vzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQG
    EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp
    Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2Vy
    dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDE0MjA1NDE3WhcNMjIxMDE0MjA1
    NDE3WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp
    BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV
    BAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVy
    IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj
    0PREGBiEgFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo
    /OenJOJApgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn6
    6+6CPAVvkvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+v
    WjhwRRI/ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxD
    KslIDlc5xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21T
    Lwb0pwIDAQABo4IBTDCCAUgwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
    BAMCAQYwHQYDVR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaA
    FE4L7xqkQFulF2mHMMo0aEPQQa7yMGkGCCsGAQUFBwEBBF0wWzAnBggrBgEFBQcw
    AYYbaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL2NhMDAGCCsGAQUFBzAChiRodHRw
    Oi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwMgYDVR0fBCswKTAnoCWg
    I4YhaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMEMGA1UdIAQ8MDow
    OAYEVR0gADAwMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9w
    b2xpY3kucGRmMA0GCSqGSIb3DQEBCwUAA4ICAQCBnsOw7dxamNbdJb/ydkh4Qb6E
    qgEU+G9hCCIGXwhWRZMYczNJMrpVvyLq5mNOmrFPC7bJrqYV+vEOYHNXrzthLyOG
    FFOVQe2cxbmQecFOvbkWVlYAIaTG42sHKVi+RFsG2jRNZcFhHnsFnLPMyE6148lZ
    wVdZGsxZvpeHReNUpW0jh7uq90sShFzHs4f7wJ5XmiHOL7fZbnFV6uE/OoFnBWif
    CRnd9+RE3uCospESPCRPdbG+Q4GQ+MBS1moXDTRB6DcNoHvqC6eU3r8/Fn/DeA9w
    9JHPXUfrAhZYKyOQUIqcfE5bvssaY+oODVxji6BMk8VSVHsJ4FSC1/7Pkt/UPoQp
    FVh38wIJnvEUeNVmVl3HHFYTd50irdKYPBC63qi2V/YYI6bJKmbrjfP9Vhyt9uNr
    y3Kh4W22ktDuCCvWC7n/gqerdq+VlTRfNt7D/mB0irnaKjEVNCXBXm9V/978J+Ez
    8aplGZccQ9jnc9kiPtUp5dj45E3V8vKqzp9srSSI5Xapdg+ZcPY+6HNuVB+MadRp
    ZW2One/Qnzg9B4GnVX7MOETImdoP4kXpostFuxoY/5LxCU1LJAIENV4txvT50lX2
    GBXCkxllRLWOgdyll11ift/4IO1aCOGDijGIfh498YisM1LGxytmGcxvbJERVri+
    gGpWAZ5J6dvtf0s+bA==
    -----END CERTIFICATE-----

    After that, when you look at your certificate, it should show as being issued by that cert (Issuer)…

    DISCLAMER: I'm not trying to be an asshole or anything like that!

    I really appreciate your response but yet again using your instructions I got locked out. Can you or someone else explain (screenshot if possible) steps taken to get this working. I've tried so many explanations online and they all worked but this simple one seems such a road block! Call me dumb but I do not get where the problem is.

    I promise once I get it to work I will create a video tutorial so anyone can get it to work without any lock outs.



  • Here https://forum.pfsense.org/index.php?topic=63791.0 - last message, you will find a PDF with a lot of images.

    The PDF talks about adding a certificate for captive Portal access, but, I used it to add a certificate for WebGUI access.



  • @johnpoz:

    You know you could of just used pfsense self signed cert.. All you have to do is install the pfsense CA into your machine so that certs signed by that CA are trusted.  There is no reason to get a cert from startssl or anyplace be it free or not.

    The only time you would need a cert from a public trusted CA would be for say our portal when clients that have not trusted pfsense CA would hit the page via https

    I'm giving up on StartSSL and was wondering if you explain more this method "All you have to do is install the pfsense CA into your machine so that certs signed by that CA are trusted." ?


  • LAYER 8 Netgate

    I'm giving up on StartSSL

    That's too bad.

    No certificate authority is going to work for you when you do things like upload CSRs as certificates, upload your certificate as both the certificate and intermediate CA cert.


  • Banned

    Perhaps this could eventually be automated with https://letsencrypt.org/ - someone's apparently already working on the port.


  • LAYER 8 Global Moderator

    There is not much to go over - create a CA in the CA manager.  Create a Certificate and use as your web gui cert..

    Download that CA cert and put it in your trusted CAs on your machine.

    This is fine for your use, or even employee use that you would roll out this CA as trusted, but this is not really good for user of machines that you do not control - like captive portal with guests, etc.  For those such certs you need one by a public Trusted CA like verisign or startssl, etc.






  • hi;
    ok i had to do this for https filtering in pfsense i generated the key in pfsense and downloaded it then sudo to ca certs folder made new folder renamed key to .crt file and a etc /cert area then did sudo update-ca-certificates (ubuntu 18.04 based distro) to import and it worked with the message no perm key found or the like,
    because before doing this you can go nowhere in the net with out that key /crt in or the perm . so I killed https filter and went back to stock squid but still maybe having av scanner issue on fresh install pf 2.4.4 .
    A lot has changes for me with squid and the setup so still getting pass the new stuff. swore I read https filtering has to be on now as fixed clamav scanning issue I may be wrong but it is a good thing


Log in to reply