SSL Certificate error after failover
-
I have two pfSense boxes in a CARP configuration with HAProxy using SSL offloading. When the master is disconnected, the secondary picks up right away, but users get a certificate error (NET::ERR_CERT_AUTHORITY_INVALID). Certificates are synced, the HAProxy config is synced, and I have verified the certs are identical. I don't understand how the client can even notice a difference. What am I missing?
-
Can you check that the proper certificates are written to /var/etc/haproxy/{frontendname}.pem or /var/etc/haproxy/{frontendname}/, and that HAProxy is actually listening on the proper IP?
Have you configured the pfSense webgui to listen on another nonstandard port? Otherwise it could be possible that, if HAProxy does not serve the connections, they will end up on the webgui with the webgui cert.
Are they forwarded to the correct site after ignoring the error (if possible)?
-
Thank you for the suggestions. It's definitely the webConfigurator cert I'm seeing. Is there no way to have the webConfigurator bind only to the LAN interface? I dislike using non-standard ports.
Edit: I can change the lighttpd config easily enough, but is there no built-in way to do this? Will my own changes be backed up with the config? (Probably not.)
-
Nope, the webgui always binds on 0.0.0.0 and there is no way to change that (not without hacking the .inc files of pfSense that generate the lighttpd config, that is).
As you are getting the webgui cert, could it be that HAProxy is not running? Does the stats page work (if configured)?
Yes, having the webgui on a nonstandard port is not nice, but outsiders visiting the webgui just because the firewall allows 443 and HAProxy is possibly not running at that time is worse, IMHO.
-
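The two checks suggested above (who actually owns :443 on the node that just became master, and whether the certificate served on the VIP is the one in /var/etc/haproxy/) can be scripted so they are run right after a failover instead of discovered through a browser warning. The script below is an added example, not pfSense, HAProxy or forum code. It assumes FreeBSD's `sockstat -4l` column layout, a CARP VIP of 203.0.113.10, an HAProxy frontend named `https_frontend` (so the cert lives at /var/etc/haproxy/https_frontend.pem) and `www.example.com` as the SNI name browsers send; all of these are placeholders to change. The sockstat sample embedded in it is constructed, not captured from a real box.

```shell
#!/bin/sh
# Added post-failover diagnostic for the symptom in this thread. Run it on
# the node that has just become CARP MASTER:  sh check_failover.sh run
#
# Assumed values (placeholders, edit for your setup):
VIP="${VIP:-203.0.113.10}"              # CARP VIP clients connect to
FRONTEND="${FRONTEND:-https_frontend}"   # HAProxy frontend name used under /var/etc/haproxy/
SNI="${SNI:-www.example.com}"            # hostname browsers send in SNI
HAPROXY_PEM="/var/etc/haproxy/${FRONTEND}.pem"

# Given `sockstat -4l` output on stdin, print "<command>:<pid>" for every
# socket listening on the given port, whatever local address it is bound
# to (*:443 and VIP:443 both count). Exit 1 if nothing listens there.
listener_on_port() {
    awk -v re=":$1\$" '
        NR > 1 && $6 ~ re { print $2 ":" $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# Normalise openssl's "sha256 Fingerprint=AB:CD:..." line to bare lowercase
# hex so two fingerprints compare with a plain string test.
norm_fp() {
    sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the certificate HAProxy is configured to serve.
local_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$HAPROXY_PEM" | norm_fp
}

# SHA-256 fingerprint of whatever certificate the VIP actually presents
# for this SNI name, i.e. what the browser sees.
served_fp() {
    openssl s_client -connect "${VIP}:443" -servername "$SNI" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | norm_fp
}

# Full check: list :443 owners, then compare expected vs served fingerprint.
check_failover() {
    echo "== listeners on :443 on this node =="
    sockstat -4l | listener_on_port 443 || echo "(nothing is listening on :443)"
    want=$(local_fp)
    got=$(served_fp)
    echo "expected (HAProxy PEM) $want"
    echo "served   (on the VIP)  $got"
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        echo "OK: HAProxy is answering on the VIP with its own certificate"
    else
        echo "MISMATCH: another listener (e.g. lighttpd/webConfigurator on *:443) answered"
        return 1
    fi
}

# Constructed `sockstat -4l` sample (not from a real box): HAProxy is not
# running, so only the webConfigurator holds :443, which is exactly the
# state that yields NET::ERR_CERT_AUTHORITY_INVALID after a failover.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   5678  4  tcp4   *:443                 *:*
root     lighttpd   5678  5  tcp4   *:80                  *:*
root     sshd       1234  4  tcp4   *:22                  *:*'

if [ "${1:-}" = "run" ]; then
    check_failover
else
    echo "offline demo, :443 listeners in the constructed sample:"
    printf '%s\n' "$SAMPLE_SOCKSTAT" | listener_on_port 443
fi
```

If the listener list shows only lighttpd, HAProxy never bound the port on the new master and the certificate mismatch follows from that; if both lighttpd (on *:443) and haproxy (on VIP:443) appear, the more specific HAProxy bind wins for the VIP and the served fingerprint should match the PEM. The mismatch branch is the case the thread describes: the firewall allows 443, nothing HAProxy-shaped is behind it on that node yet, and the webConfigurator's self-signed cert is what the client gets.
-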
I appreciate your time. It's been very helpful.