Netgate Discussion Forum

    Web GUI SSL cert change, now can't access Web GUI?

    12 Posts 2 Posters 6.2k Views
      Lectrician:

      I have had an SSL certificate on my GUI interface, as I access it from outside the organisation (I have reasons for this, and it's not used as a firewall as such).

      The SSL certificate expired.  I have uploaded the new certificates and private key, and then changed the Web GUI certificate on the drop down list to the new one.  It said changes had saved.  As soon as I shut my explorer window and tried to open again (expecting the green https and no warning), I get nothing.  It just times out.

      I can still SSH into putty, so rebooted.

      Still nothing?

      Umm?

      Any ideas?

      Thanks.

        Lectrician:

        Restored the config file via SFTP, I'm back where I was. This happened to me a while ago, and I can't recall what I did to sort it.

        When it won't work, port 443 is closed when scanning externally.  It's just not there.

        The SSL cert is a wildcard one for my domain and is installed on my SBS server and works fine.  I pasted the CA cert in, then the wildcard cert.  I extracted the private key from the cert as pfsense has a box for the cert and private key?  I used OpenSSL to export it.

          Lectrician:

          OK.

          So, I am not too good with certificates.

          In the end I exported the certificate from the SBS2011 server using the certificate MMC plugin, in PFX format.
          I then used OpenSSL to split the PFX file into a separate Certificate file and a separate Private Key file.
          I checked the two files matched using the sslchecker.com site.
          I then uploaded to PFSense, copying and pasting to the correct boxes, including the Root CA cert from the supplier.

          Saved changes, closed browser, opened again.  All seems to be working OK now.

          This came in useful:

          1. https://wiki.cac.washington.edu/display/infra/Exporting+Certificates+from+the+Windows+Certificate+Store
          2. https://wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File
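The export-and-split procedure described in the post above, written out as a POSIX shell script. This is an added example, not code from the thread, from pfSense or from the linked wiki pages; it assumes the openssl command-line tool is installed, and the file names, output directory and PFX passphrase are constructed placeholders. The last function does locally what the poster did on sslchecker.com: it confirms the private key really belongs to the certificate. That check is the one that matters for the original symptom, because the GUI web server cannot load a mismatched certificate/key pair and fails to start, which is why port 443 appeared closed from outside.

```shell
#!/bin/sh
# Added example (not from the forum thread): split a .pfx bundle into the PEM
# pieces pfSense's Cert Manager asks for, then confirm the key matches the cert.
# Assumes the openssl CLI is installed; paths and the passphrase are placeholders.
set -eu

# Extract leaf certificate, unencrypted private key and CA chain from a PKCS#12 file.
# Usage: split_pfx bundle.pfx 'passphrase' output_dir
split_pfx() {
    pfx="$1"; pass="$2"; outdir="$3"
    mkdir -p "$outdir"
    # Leaf (server) certificate only: this goes in the "Certificate data" box.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
        -out "$outdir/cert.pem"
    # Private key with the PKCS#12 encryption stripped (-nodes): pfSense expects
    # a plain PEM key. Keep the output directory private; this file is the secret.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
        -out "$outdir/key.pem"
    # Intermediate/root CA certs bundled in the PFX, for the CA entry in pfSense.
    # A PFX exported without its chain yields an empty file; that is not an error here.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys \
        -out "$outdir/chain.pem" || :
}

# Return 0 when the public key inside the certificate equals the public key
# derived from the private key, 1 otherwise. Both sides are normalised to PEM
# public keys and hashed, so the check works for RSA and EC keys alike.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Show the subject and validity window so an expired certificate, the thing
# that started this thread, is visible before anything is pasted into the GUI.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates
}
```

Usage is `split_pfx wildcard.pfx 'export-password' ./out && cert_matches_key ./out/cert.pem ./out/key.pem && echo "pair OK"`. If the match check fails, the bundle contains a key that does not belong to the certificate (for example a key from an earlier renewal), and the pair should not be uploaded.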
          johnpoz (LAYER 8 Global Moderator):

            So do you have lots of users accessing the web gui from the wan side?  Is there some reason you can not just use the internal CA in pfsense for the webgui cert?

            Be it you just add an exception to this cert that is presented or install the pfsense CA into your machine so it trusts the cert.  The only reason I could see for trusted public CA cert to be used if you have lots and lots of users that access it and don't want to install the pfsense CA as a trusted ca in all these machines.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              Lectrician:

              Yes.

              I don't use it as a firewall as such.  It is supplying WiFi to a huge pub, with its own internet connection, completely separate from anything in the pub, which has its own connection.

              My portal page takes users names and email addresses and logs them.  There are links in emails to confirm email addresses.  I need the cert for these links to work. They are urls to php scripts running on the server, not to the actual GUI.

                johnpoz (LAYER 8 Global Moderator):

                So you're talking about the captive portal.. This uses a cert that you have in the Cert Manager if you enable https login.. So the cert manager can create a CSR, that you could get signed by a public trusted CA

                What does that have to do with you changing your webgui cert???  At a loss here why you were messing with that cert for the captive portal?

                At a loss really to why that even needs to be https if the user is just putting in a email address?

                  Lectrician:

                  The portal is not SSL. It could be, but is not.

                  There is access to php scripts from the WAN, these scripts are for staff users, and I want it SSL. Difficult to explain the full use of these scripts, but it's to do with viewing the logs, banning users, amending staff pass through list etc.

                  Customers can confirm their email by clicking a link in an email, from outside the server, not an internal link.  This gives them greater access without being logged off after a short time and having to go back through the CP.

                  I have my reasons, but it is difficult to fully explain.

                    johnpoz (LAYER 8 Global Moderator):

                    So we are again back to a limited user base "staff"  So why does that cert have to be a public signed cert.. Just create a cert in the cert manager in pfsense and have your staff trust it or install the ca cert on their machines..

                      Lectrician:

                      No.

                      There are staff that log in, but the customers email confirmation link also targets the external URL.

                      The idea is that staff can access the pages (not the GUI) from anywhere, inc phones and tablets etc.  Having to install certs on every device would not be ideal, and not sure even possible on tablets etc.  I have a wildcard cert for the main site server, so why not use it?  It makes things run smoothly, and is exactly what I want.

                      I am not trying to be difficult, but I have reasons for wanting a signed cert.

                      On a different note, for PCI compliance, you would be required to have a cert on any outward facing https connections.

                        johnpoz (LAYER 8 Global Moderator):

                        Dude if you want to use a public cert on pfsense served by the default httpd for the webgui.. Then just create the CSR right in the cert manager…  Get it signed by whatever public trusted CA you want to use, verisign, thawte, etc.. and there you go..

                        [image: csr.png]

                          Lectrician:

                          I didn't want to pay twice. I had a wildcard cert on another server, so wanted to use that, but the cert downloaded / sent from the supplier (alpha) didn't have a separate key.  I got this as described above in the end.  Getting the key wrong the first time around is what rendered my GUI access foooked.

                          Cheers.

                            johnpoz (LAYER 8 Global Moderator):

                            Well that comes down to what public CA you used and their licensing model..  If they don't mind you using a wildcard cert on multiple physical machines without more money, or you don't have any moral qualms about it.. Then sure you can run a wildcard cert on 1000's of different machines if wanted to..

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.