Netgate Discussion Forum

Web GUI SSL cert change, now can't access Web GUI?

Category: webGUI
12 Posts, 2 Posters, 6.2k Views
    Lectrician, Dec 13, 2015, 9:20 AM

    I have had an SSL certificate on my GUI interface, as I access it from outside the organisation (I have reasons for this, and it's not used as a firewall as such).

    The SSL certificate expired. I have uploaded the new certificates and private key, and then changed the Web GUI certificate on the drop-down list to the new one. It said changes had saved. As soon as I shut my Explorer window and tried to open it again (expecting the green https and no warning), I get nothing. It just times out.

    I can still SSH in via PuTTY, so I rebooted.

    Still nothing?

    Umm?

    Any ideas?

    Thanks.

      Lectrician, Dec 13, 2015, 2:14 PM

      Restored the config file via SFTP; I'm back where I was. This happened to me a while ago, and I can't recall what I did to sort it.

      When it won't work, port 443 is closed when scanning externally.  It's just not there.

      The SSL cert is a wildcard one for my domain and is installed on my SBS server and works fine. I pasted the CA cert in, then the wildcard cert. I extracted the private key from the cert, as pfSense has a box for the cert and the private key. I used OpenSSL to export it.

        Lectrician, Dec 13, 2015, 5:35 PM

        OK.

        So, I am not too good with certificates.

        In the end I exported the certificate from the SBS2011 server using the certificate MMC plugin, in PFX format.
        I then used OpenSSL to split the PFX file into a separate Certificate file and a separate Private Key file.
        I checked the two files matched using the sslchecker.com site.
        I then uploaded to pfSense, copying and pasting into the correct boxes, including the Root CA cert from the supplier.

        Saved changes, closed browser, opened again.  All seems to be working OK now.

        This came in useful:

        1. https://wiki.cac.washington.edu/display/infra/Exporting+Certificates+from+the+Windows+Certificate+Store
        2. https://wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File
          johnpoz LAYER 8 Global Moderator, Dec 14, 2015, 5:31 PM
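The PFX-splitting and key-matching procedure described in the post above, as an added example (not code from the thread or from pfSense): it extracts the PEM certificate and unencrypted private key that the Cert Manager form asks for, and does the sslchecker.com "do these match" test locally with OpenSSL before anything is pasted into the GUI. It assumes the openssl CLI is on PATH; file names and the PFX password are assumptions, and the demo certificate is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: split a PKCS#12 (.pfx)
# export into the separate PEM certificate and private key that the pfSense
# Cert Manager form asks for, and verify they belong together before pasting.
# Assumes the openssl CLI is on PATH; file names and the PFX password are assumptions.
set -eu

# Leaf certificate only, re-emitted through x509 so the "Bag Attributes"
# header lines are dropped and only the PEM block is left to paste.
pfx_to_cert() {   # pfx_to_cert <in.pfx> <pfx-password> <out.crt>
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
        | openssl x509 -out "$3"
}

# Private key, unencrypted (-nodes), as a clean PEM block; keep it mode 600.
pfx_to_key() {    # pfx_to_key <in.pfx> <pfx-password> <out.key>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
        | openssl pkey -out "$3"
    chmod 600 "$3"
}

# The sslchecker.com test done locally: the public key inside the certificate
# must equal the public key derived from the private key. A key that fails
# this check is what left the GUI listener down (port 443 closed) in the thread.
# Returns 0 on match, 1 on mismatch.
cert_matches_key() {   # cert_matches_key <cert.pem> <key.pem>
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Constructed throwaway wildcard cert packed into a PFX (password "demo"),
# so the whole flow can be exercised offline without a real exported cert.
make_demo_pfx() {    # make_demo_pfx <workdir>  -> writes <workdir>/demo.pfx
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=*.example.test" \
        -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null
    openssl pkcs12 -export -in "$1/demo.crt" -inkey "$1/demo.key" \
        -passout pass:demo -out "$1/demo.pfx"
}

# Usage:  work=$(mktemp -d); make_demo_pfx "$work"
#         pfx_to_cert "$work/demo.pfx" demo "$work/gui.crt"
#         pfx_to_key  "$work/demo.pfx" demo "$work/gui.key"
#         cert_matches_key "$work/gui.crt" "$work/gui.key" && echo "safe to paste"
```

Run cert_matches_key against the supplier's Root CA cert as well only to confirm it does NOT match the key, which is the quick way to catch a CA cert pasted into the wrong box.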

          So do you have lots of users accessing the web GUI from the WAN side? Is there some reason you cannot just use the internal CA in pfSense for the webgui cert?

          Either you just add an exception for the cert that is presented, or install the pfSense CA into your machine so it trusts the cert. The only reason I could see for a trusted public CA cert to be used is if you have lots and lots of users that access it and you don't want to install the pfSense CA as a trusted CA on all these machines.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            Lectrician, Dec 14, 2015, 7:48 PM

            Yes.

            I don't use it as a firewall as such.  It is supplying WiFi to a huge pub, with its own internet connection, completely separate from anything in the pub, which has its own connection.

            My portal page takes users' names and email addresses and logs them. There are links in emails to confirm email addresses. I need the cert for these links to work. They are URLs to PHP scripts running on the server, not to the actual GUI.

              johnpoz LAYER 8 Global Moderator, Dec 14, 2015, 9:03 PM

              So you're talking about the captive portal.. This uses a cert that you have in the Cert Manager if you enable https login.. So the cert manager can create a CSR, that you could get signed by a public trusted CA

              What does that have to do with you changing your webgui cert??? At a loss here why you were messing with that cert for the captive portal?

              At a loss really as to why that even needs to be https if the user is just putting in an email address?


                Lectrician, Dec 14, 2015, 9:14 PM

                The portal is not SSL. It could be, but is not.

                There is access to PHP scripts from the WAN; these scripts are for staff users, and I want it SSL. Difficult to explain the full use of these scripts, but it's to do with viewing the logs, banning users, amending the staff pass-through list etc.

                Customers can confirm their email by clicking a link in an email, from outside the server, not an internal link. This gives them greater access without being logged off after a short time and having to go back through the CP.

                I have my reasons, but it is difficult to fully explain.

                  johnpoz LAYER 8 Global Moderator, Dec 14, 2015, 10:10 PM

                  So we are again back to a limited user base, "staff". So why does that cert have to be a publicly signed cert.. Just create a cert in the cert manager in pfSense and have your staff trust it or install the CA cert on their machines..


                    Lectrician, Dec 15, 2015, 7:11 AM

                    No.

                    There are staff that log in, but the customers' email confirmation link also targets the external URL.

                    The idea is that staff can access the pages (not the GUI) from anywhere, including phones and tablets etc. Having to install certs on every device would not be ideal, and I'm not sure it's even possible on tablets etc. I have a wildcard cert for the main site server, so why not use it? It makes things run smoothly, and is exactly what I want.

                    I am not trying to be difficult, but I have reasons for wanting a signed cert.

                    On a different note, for PCI compliance, you would be required to have a cert on any outward facing https connections.

                      johnpoz LAYER 8 Global Moderator, Dec 19, 2015, 11:17 AM

                      Dude, if you want to use a public cert on pfSense served by the default httpd for the webgui.. Then just create the CSR right in the cert manager… Get it signed by whatever public trusted CA you want to use, VeriSign, Thawte, etc.. and there you go..

                      [attachment: csr.png]


                        Lectrician, Dec 19, 2015, 11:35 AM

                        I didn't want to pay twice. I had a wildcard cert on another server, so wanted to use that, but the cert downloaded / sent from the supplier (alpha) didn't have a separate key.  I got this as described above in the end.  Getting the key wrong the first time around is what rendered my GUI access foooked.

                        Cheers.

                          johnpoz LAYER 8 Global Moderator, Dec 20, 2015, 2:09 PM

                          Well, that comes down to what public CA you used and their licensing model.. If they don't mind you using a wildcard cert on multiple physical machines without more money, or you don't have any moral qualms about it.. Then sure, you can run a wildcard cert on 1000's of different machines if wanted to..


Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.