Installing own ssl cert breaks webgui…



  • Hi,

    I have created a self-signed SSL certificate with openssl and the xca GUI, which I have stored in the pfSense webgui in the certificate manager. When I choose this certificate as the webgui https certificate it breaks the webgui: the webserver doesn't respond any longer to https requests. I have solved this by editing /conf/config.xml via the serial console and setting the webgui settings back to "http" instead of "https". Now I can access the webgui again. When I switch back to the previous pfSense internal out-of-the-box certificate, the webgui is accessible via https. When I switch to my own certificate, it breaks again…

    https://redmine.pfsense.org/issues/5840

    I have created a second certificate for the webgui of my Synology NAS in the same way, and there it works well...

    Any idea how to fix it?

    Thanks a lot and best regards

    paulchen
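    A check one would run on an openssl/xca-generated pair before importing it into the pfSense certificate manager and selecting it for the webgui, as an added example that is not from this thread or from pfSense. It assumes only the openssl CLI; the CA name, hostname and file names are constructed for illustration.

    ```shell
    # Added example (not from this thread): sanity-check a certificate/key pair
    # before importing it into the pfSense certificate manager and selecting it
    # for the webgui. Assumes only the openssl CLI is available.
    # Usage: check_pair server.crt server.key ca.crt   -> prints "ok", exit 0
    check_pair() {
      cert="$1"; key="$2"; ca="$3"
      # 1. Both files must be parseable PEM (a stray header or encoding glitch
      #    from an export/import round trip shows up here).
      openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo "cert does not parse"; return 1; }
      openssl pkey -in "$key" -noout >/dev/null 2>&1 || { echo "key does not parse"; return 1; }
      # 2. The private key must belong to this certificate: compare public keys.
      cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
      key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
      [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert"; return 1; }
      # 3. The certificate must be inside its validity window right now.
      openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || { echo "cert is expired"; return 1; }
      # 4. It must chain to the CA the clients are meant to trust.
      openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "cert does not verify against CA"; return 1; }
      echo "ok"
    }

    # Constructed fixtures for trying the check offline: a throwaway CA, a leaf
    # cert for the webgui signed by it, and an unrelated key to show a mismatch.
    make_fixtures() {
      dir="$1"
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Offline Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
      openssl req -newkey rsa:2048 -nodes -subj "/CN=pfsense.example.test" \
        -keyout "$dir/gui.key" -out "$dir/gui.csr" >/dev/null 2>&1
      openssl x509 -req -days 365 -in "$dir/gui.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/gui.crt" >/dev/null 2>&1
      openssl genpkey -algorithm RSA -out "$dir/other.key" >/dev/null 2>&1
    }
    ```

    Run `make_fixtures /tmp/x` and then `check_pair /tmp/x/gui.crt /tmp/x/gui.key /tmp/x/ca.crt` to see the pass case, or substitute `other.key` to see the mismatch being caught.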



  • Hard to tell what might be the problem.
    Post the certificate (without the private key) in base64 format, and we'll see.


  • Rebel Alliance Global Moderator

    Curious why not just use the CA that is in pfSense to create your cert.. Makes everything much easier that way ;) I could see it if you were using a publicly signed cert, but if you're using self-signed, why not use the CA in pfSense?

    I have a CA created in pfSense, other than the default one, that I use to create certs. You just install this CA in the browsers you want to trust its certs, and there you go.

    I have used xca in the past, but for something like this why not just leverage what pfSense already has set up for you, and that is so easy to use.




  • Add to that: certificates (real, signed, valid) generated by (for example) startssl.com also work to access the GUI …
    Not really needed, but I tried it once; it was free anyway, and it works.
    I can now access the (local 'LAN' intranet) pfSense GUI interface with a 'green lock'.

    Ok: I know, local devices that I trust do not need these kinds of certificates (pfSense generates them very well on board already).



  • Hi all,

    thanks for your time and your hints.

    In general: I have stored my CA on a USB stick that is kept in a safe and secure place. I don't want to use a security component (the pfSense firewall) as a CA, so I am using openssl and xca on a different machine to generate my self-signed SSL certificates. I have installed my CA cert on all internal machines and mobile devices.

    To my problem: I have created a new Test-CA and have generated a new SSL cert: this I can import and use without any problem in the pfSense webgui. Then I exported my previous cert and private key again and imported them again into pfSense, and voilà: now it works?!

    I don't know what has been going on, but it works now.

    Thanks again for your help!!

    Best regards,

    paulchen


  • Rebel Alliance Global Moderator

    "I have stored my CA on an USB stick that is stored in a safe and secure place"

    Ok – overthink it much? Who exactly would be after your CA.. You're using it to encrypt traffic to your own firewall and services for your own machines... It's self-signed.. Someone's tinfoil hat might be a bit tight ;) heheeheh



  • Yes, you can call me a little bit paranoid, but it's not more "costly" than storing it on the pfSense, and I raise the bar a little bit more for any intruder 8)

    Storing the CA and the private key on a firewall is not a good idea for me, when I have an equal possibility to store it somewhere else. ;)

    Have a nice weekend,

    paulchen


  • Rebel Alliance Global Moderator

    Raise the bar for an intruder to do what exactly?? You do understand the "CA" is not some service that is running listening on a port, or some process they could exploit.. It's the running of openssl with some specific commands.

    If someone did compromise your pfSense, they would already have access to the cert and key for your cert running on pfSense. Having your CA offline on some USB key doesn't really buy you any extra security. You're not a public CA.. The only people trusting your CA are you!! So do you think someone is going to compromise your firewall, and then just use that CA just so they can do mitm against you and other places they send you via how? They are going to inject host overrides into pfSense to send you to their bank website that looks like yours and your machines trust because they got your CA and created certs.

    Like I said you're way overthinking this.. And while it only cost you the cost of your USB drive, it's the extra hassle that is the point. For no added security whatsoever.. On the possible chance pfSense is compromised?

    Would love to hear the scenario where you think someone that has already compromised your firewall, and now has access to your CA, has some use for it… Might make a good novel or movie ;)



  • Yes, with this background I think you are right. When an intruder is on my firewall, the CA isn't very valuable any longer and the CA is only used for my own services.

    But who knows what exotic scenarios someone needs to do something. So for me it's OK not to store it on my pfSense, regardless of the fact that it is not really more secure ;)

    And with this, one of my dozen unused USB sticks lying around is now in use again :)