SSL certificate signed

JohnnyBeGood

@Derelict:

Did you install the Intermediate as a CA?

Did you install the StartSSL certificate?

Does pfSense recognize that the Cert is signed by the CA?

Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??

Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?

Lets try this again since I got locked out  :(

Did you install the Intermediate as a CA?
I thought I did, please see attached screenshot.

Does pfSense recognize that the Cert is signed by the CA?
I think it does, please see attached.

Did you tell the webgui to use the new certificate in System > Advanced > Admin Access??
Everything was fine until I selected new certificate. After that that I was locked out until I tried Gertjan's solution.

Does the hostname you're browsing to exactly match either the CN or a SAN in the certificate?
When I created cert. it matched my pfSense hostname.

Why did I got locked out once I selected new cert?

Derelict

No.  You installed your certificate as a CA.  You need to install the StartSSL Class 1 Intermediate Server certificate as a CA.  Delete the Web gui linux from CAs and install this.

http://www.startssl.com/certs/sub.class1.server.ca.pem

–---BEGIN CERTIFICATE-----
MIIF2TCCA8GgAwIBAgIHFxU9nqs/vzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQG
EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp
Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDE0MjA1NDE3WhcNMjIxMDE0MjA1
NDE3WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp
BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV
BAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVy
IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj
0PREGBiEgFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo
/OenJOJApgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn6
6+6CPAVvkvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+v
WjhwRRI/ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxD
KslIDlc5xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21T
Lwb0pwIDAQABo4IBTDCCAUgwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAQYwHQYDVR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaA
FE4L7xqkQFulF2mHMMo0aEPQQa7yMGkGCCsGAQUFBwEBBF0wWzAnBggrBgEFBQcw
AYYbaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL2NhMDAGCCsGAQUFBzAChiRodHRw
Oi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwMgYDVR0fBCswKTAnoCWg
I4YhaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMEMGA1UdIAQ8MDow
OAYEVR0gADAwMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9w
b2xpY3kucGRmMA0GCSqGSIb3DQEBCwUAA4ICAQCBnsOw7dxamNbdJb/ydkh4Qb6E
qgEU+G9hCCIGXwhWRZMYczNJMrpVvyLq5mNOmrFPC7bJrqYV+vEOYHNXrzthLyOG
FFOVQe2cxbmQecFOvbkWVlYAIaTG42sHKVi+RFsG2jRNZcFhHnsFnLPMyE6148lZ
wVdZGsxZvpeHReNUpW0jh7uq90sShFzHs4f7wJ5XmiHOL7fZbnFV6uE/OoFnBWif
CRnd9+RE3uCospESPCRPdbG+Q4GQ+MBS1moXDTRB6DcNoHvqC6eU3r8/Fn/DeA9w
9JHPXUfrAhZYKyOQUIqcfE5bvssaY+oODVxji6BMk8VSVHsJ4FSC1/7Pkt/UPoQp
FVh38wIJnvEUeNVmVl3HHFYTd50irdKYPBC63qi2V/YYI6bJKmbrjfP9Vhyt9uNr
y3Kh4W22ktDuCCvWC7n/gqerdq+VlTRfNt7D/mB0irnaKjEVNCXBXm9V/978J+Ez
8aplGZccQ9jnc9kiPtUp5dj45E3V8vKqzp9srSSI5Xapdg+ZcPY+6HNuVB+MadRp
ZW2One/Qnzg9B4GnVX7MOETImdoP4kXpostFuxoY/5LxCU1LJAIENV4txvT50lX2
GBXCkxllRLWOgdyll11ift/4IO1aCOGDijGIfh498YisM1LGxytmGcxvbJERVri+
gGpWAZ5J6dvtf0s+bA==
-----END CERTIFICATE-----

After that, when you look at your certificate, it should show as being issued by that cert (Issuer)…


johnpoz

You know you could of just used pfsense self signed cert.. All you have to do is install the pfsense CA into your machine so that certs signed by that CA are trusted.  There is no reason to get a cert from startssl or anyplace be it free or not.

The only time you would need a cert from a public trusted CA would be for say our portal when clients that have not trusted pfsense CA would hit the page via https

Derelict

That's your opinion. I get certs because I think it's inexcusable to have a user have to click through a certificate error. Trains them badly. With all the devices running around here and the amount of messing around I do, it's worth it to me to go through the yearly hassle of updating the certs with ones that won't throw errors at others.

johnpoz

Who said anything about users clicking through bad certs?  I completely agree with you.. Its my machine on a server I admin, I can trust whatever CA I want, now I don't get errors.. Don't have to add an exception, etc.

Notice I did state if using for say a captive portal you would use a public trusted CA for that cert..

Once you trust the CA none of the certs that CA would create would throw errors, etc..

tsmets

I also had what most had.
Added the Class 1 & 3 root certificate from  https://www.cacert.org/index.php?id=3 as CA's.
Then I added the Certificate I generated :

• Method is : Import an Existing Certificate

• Descriptive name : SSL Firewall certificate

• Certificate data :```
  -----BEGIN CERTIFICATE REQUEST-----
  MIIEYzCCAksCAQAwHjEcMBoGA1UEAxMTcnV0aGVyLmEzLXN5c3RlbS5ldTCCAiIw
  DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAL22lqy5GkaYOudPFljPax00GRUN
  BRZxINqUbu2QZekW0YW6I+I08RAAr5Ihq7bV5Hp31HCWV62oNVc+bk3wlHPpan8B
  HqiSXw3sFTw9007qlBtB/WdUJCMSg36WTj4iRBQE2kQnPN4FyBWVqQ68aclC8/5N
  WLwG5SIALaJ3QkTm89Jmce3JbH0fUsw7HlfkvGY3twtvoD4c9m7dzvIgXtqoKe0y
  XRKbd3Tnl9cF0ZKDtRI9WCwPsynhxnjX8GghES13exajutw12WwDp5cL82J2usdC
  SEWG5LTBbNTvJrdEr/PduZ4brVnOx0U+04zeGNfvBIvNfEB4APz+lkDuVczht2De
  YlL4DOjYHS7oqCcVuAUa25O5NUNKT/qThNFQfAaBnpc6FRV8I65SqnzkwTn+tbPW
  HQ6OvGYBBoWGRttI7chatCw+4VHmBqRf3vTRl6+bBcRfI5PxrB67UW4AfNaDXlu1
  5KGPHkO8l0kXJjRzjwB36Ho0MH9IXKUvYQbxdoJ9wntyV7NjvN8CJg0C6rORAcxN
  7Xp28MGwxEW6xEghCozj99KgNKwnlEn5ynDdLf/LfkIkpaheJ3p26MPMWeAtfICD
  XuJBVmwjn8mpHgq7d3AZIVF5vkLF9JvXqREA0UAiutuV/eFBVlBgUWHVvy2nMcDZ
  LOaIWk5rboaSvtwnAgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAgEADV5FG87uRAbS
  8XowLqudKRIqNkftoUO/U7nhHSWj1XNKXdp6Y5e3U7BiJxYuKiZ3AuttyCMdBZ17
  28w6Vc/qsIRIvB//Xglj4ZRFLL+CKQ9PGX/w9lgtN9pEUSzl7LpKF2luvmySzDcD
  rULmUqB2Q6qyYgzMALK7eFLqnEYxeAXM6bw/64mvOoqviVFgtvMG3mx5QHBj98RS
  tOidaqwowKwfk112FXjikn/EKD2P5JI5zWkhHXNjha7YGCcxy/LwaubH3VnCz6bg
  HNoB6r1rGPwxz4YnspVOkCSPHdSHJiGCpwurF9zm4zNMk3SwbWtDW14dVoIXInIU
  tzdXfiS2UVPsgNtX3OQzt3LqwS+WiSFShjLKB3EgFHKibml99Bj+Ep55ptuhOkQt
  PRLo68VZV7tq03xvB2/pzCovQp06Fme8sZJyS6xVY7ir+YAyLsm+nwsRNktkiHWu
  NigfJhf6irRxwHf3lLXYgzEBRV7rzuxO2UxFeuluePZoXMZ7V3+zSQU3iKrpt8gp
  2P6tZbgJ/E/aQUPqokGgLXuRbpK3ywwebDSrWcc1LQCkQbBQylhWdcmHKylzhPzt
  k+yW2KNP69rQ1oobsTYyz9mHBHs5iT5vCz24K5TiIsToTqotVJGqFqsmujnEqD9w
  KgmjwdBTCEdpOcSLMwOxBiVvQ1LQ3fc=
  -----END CERTIFICATE REQUEST-----

*   Private key data :```
-----BEGIN RSA PRIVATE KEY-----
MIIJK ....
...
...MP5nAc/8IcadB9YQ7U91stzaDblm04iBr
-----END RSA PRIVATE KEY-----

but when I select that certificate to be used the webConsole becomes inaccessible  :'(

System log contains :

Sep 22 22:10:39	php-fpm[77403]: /rc.restart_webgui: Creating rrd update script
Sep 22 22:10:39	php-fpm[77403]: /rc.restart_webgui: The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '255', the output was '2015-09-22 22:10:39: (network.c.549) SSL: couldn't read X509 certificate from '/var/etc/cert.pem''
Sep 22 22:10:37	check_reload_status: webConfigurator restart in progress
Sep 22 22:10:37	php-fpm[14674]: /system_advanced_admin.php: webConfigurator configuration has changed. Restarting webConfigurator.
Sep 22 22:10:33	check_reload_status: Reloading filter

Any idea what could be wrong … ?

\T,

KOM

Maybe this?

Sep 22 22:10:39 php-fpm[77403]: /rc.restart_webgui: The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '255', the output was '2015-09-22 22:10:39: (network.c.549) SSL: couldn't read X509 certificate from '/var/etc/cert.pem''

If it has a problem reading the file or the file is corrupt, that may trigger your issue.

Derelict

You are trying to install a CSR (Certificate signing request) as a certificate.  You need to get the certificate issued to you and install that.

–---BEGIN CERTIFICATE REQUEST-----

JohnnyBeGood

@Derelict:

No.  You installed your certificate as a CA.  You need to install the StartSSL Class 1 Intermediate Server certificate as a CA.  Delete the Web gui linux from CAs and install this.

http://www.startssl.com/certs/sub.class1.server.ca.pem

–---BEGIN CERTIFICATE-----
MIIF2TCCA8GgAwIBAgIHFxU9nqs/vzANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQG
EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp
Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDE0MjA1NDE3WhcNMjIxMDE0MjA1
NDE3WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp
BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV
BAMTL1N0YXJ0Q29tIENsYXNzIDEgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVy
IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtonGrO8JUngHrJJj
0PREGBiEgFYfka7hh/oyULTTRwbw5gdfcA4Q9x3AzhA2NIVaD5Ksg8asWFI/ujjo
/OenJOJApgh2wJJuniptTT9uYSAK21ne0n1jsz5G/vohURjXzTCm7QduO3CHtPn6
6+6CPAVvkvek3AowHpNz/gfK11+AnSJYUq4G2ouHI2mw5CrY6oPSvfNx23BaKA+v
WjhwRRI/ME3NO68X5Q/LoKldSKqxYVDLNM08XMML6BDAjJvwAwNi/rJsPnIO7hxD
KslIDlc5xDEhyBDBLIf+VJVSH1I8MRKbf+fAoKVZ1eKPPvDVqOHXcDGpxLPPr21T
Lwb0pwIDAQABo4IBTDCCAUgwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
BAMCAQYwHQYDVR0OBBYEFOtCNNCYsKuf9BtrCPfMZC7vDixFMB8GA1UdIwQYMBaA
FE4L7xqkQFulF2mHMMo0aEPQQa7yMGkGCCsGAQUFBwEBBF0wWzAnBggrBgEFBQcw
AYYbaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL2NhMDAGCCsGAQUFBzAChiRodHRw
Oi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwMgYDVR0fBCswKTAnoCWg
I4YhaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMEMGA1UdIAQ8MDow
OAYEVR0gADAwMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9w
b2xpY3kucGRmMA0GCSqGSIb3DQEBCwUAA4ICAQCBnsOw7dxamNbdJb/ydkh4Qb6E
qgEU+G9hCCIGXwhWRZMYczNJMrpVvyLq5mNOmrFPC7bJrqYV+vEOYHNXrzthLyOG
FFOVQe2cxbmQecFOvbkWVlYAIaTG42sHKVi+RFsG2jRNZcFhHnsFnLPMyE6148lZ
wVdZGsxZvpeHReNUpW0jh7uq90sShFzHs4f7wJ5XmiHOL7fZbnFV6uE/OoFnBWif
CRnd9+RE3uCospESPCRPdbG+Q4GQ+MBS1moXDTRB6DcNoHvqC6eU3r8/Fn/DeA9w
9JHPXUfrAhZYKyOQUIqcfE5bvssaY+oODVxji6BMk8VSVHsJ4FSC1/7Pkt/UPoQp
FVh38wIJnvEUeNVmVl3HHFYTd50irdKYPBC63qi2V/YYI6bJKmbrjfP9Vhyt9uNr
y3Kh4W22ktDuCCvWC7n/gqerdq+VlTRfNt7D/mB0irnaKjEVNCXBXm9V/978J+Ez
8aplGZccQ9jnc9kiPtUp5dj45E3V8vKqzp9srSSI5Xapdg+ZcPY+6HNuVB+MadRp
ZW2One/Qnzg9B4GnVX7MOETImdoP4kXpostFuxoY/5LxCU1LJAIENV4txvT50lX2
GBXCkxllRLWOgdyll11ift/4IO1aCOGDijGIfh498YisM1LGxytmGcxvbJERVri+
gGpWAZ5J6dvtf0s+bA==
-----END CERTIFICATE-----

After that, when you look at your certificate, it should show as being issued by that cert (Issuer)…

DISCLAMER: I'm not trying to be an asshole or anything like that!

I really appreciate your response but yet again using your instructions I got locked out. Can you or someone else explain (screenshot if possible) steps taken to get this working. I've tried so many explanations online and they all worked but this simple one seems such a road block! Call me dumb but I do not get where the problem is.

I promise once I get it to work I will create a video tutorial so anyone can get it to work without any lock outs.

Gertjan

Here https://forum.pfsense.org/index.php?topic=63791.0 - last message, you will find a PDF with a lot of images.

The PDF talks about adding a certificate for captive Portal access, but, I used it to add a certificate for WebGUI access.

JohnnyBeGood

@johnpoz:

You know you could of just used pfsense self signed cert.. All you have to do is install the pfsense CA into your machine so that certs signed by that CA are trusted.  There is no reason to get a cert from startssl or anyplace be it free or not.

The only time you would need a cert from a public trusted CA would be for say our portal when clients that have not trusted pfsense CA would hit the page via https

I'm giving up on StartSSL and was wondering if you explain more this method "All you have to do is install the pfsense CA into your machine so that certs signed by that CA are trusted." ?

Derelict

I'm giving up on StartSSL

That's too bad.

No certificate authority is going to work for you when you do things like upload CSRs as certificates, upload your certificate as both the certificate and intermediate CA cert.

doktornotor

Perhaps this could eventually be automated with https://letsencrypt.org/ - someone's apparently already working on the port.

johnpoz

There is not much to go over - create a CA in the CA manager.  Create a Certificate and use as your web gui cert..

Download that CA cert and put it in your trusted CAs on your machine.

This is fine for your use, or even employee use that you would roll out this CA as trusted, but this is not really good for user of machines that you do not control - like captive portal with guests, etc.  For those such certs you need one by a public Trusted CA like verisign or startssl, etc.

mod

hi;
ok i had to do this for https filtering in pfsense i generated the key in pfsense and downloaded it then sudo to ca certs folder made new folder renamed key to .crt file and a etc /cert area then did sudo update-ca-certificates (ubuntu 18.04 based distro) to import and it worked with the message no perm key found or the like,
because before doing this you can go nowhere in the net with out that key /crt in or the perm . so I killed https filter and went back to stock squid but still maybe having av scanner issue on fresh install pf 2.4.4 .
A lot has changes for me with squid and the setup so still getting pass the new stuff. swore I read https filtering has to be on now as fixed clamav scanning issue I may be wrong but it is a good thing