Webconfigurator certificate update broke webgui



  • The SSL cert I was using on my webgui expired, and after I updated it, the webConfigurator is no longer accessible.  Importing the new certificate (from StartSSL) worked fine.  All of the details of the cert looked fine.  After I configured webConfigurator to use it, I can no longer access the webgui.  There is no response from the server.  I've rebooted pfSense, but that did not make a difference.  Is there anyway I can remove the cert from the command line?

    Thanks for your help!


  • LAYER 8 Global Moderator

    https://doc.pfsense.org/index.php/Locked_out_of_the_WebGUI

    I would just use the info that says reset the lan IP from the console, put in the same IP and reset the web gui to 80..

    The GUI protocol may be reset from the console. Choose to reset the LAN IP, enter the same IP, and it will prompt to reset the WebGUI back to HTTP.

    I just walked through it - its at the end, see attached




  • Thank you so much!

    That got me back in, but I have no idea why the cert I imported didn't work.  I tried again, but the same thing happened.  The next time, I selected the webconfigurator default cert, and it worked fine.  I guess I must have imported the cert wrong.


  • LAYER 8 Global Moderator

    have no idea what your importing… Did you do a request from pfsense and sign it with your CA?  Do you have the private side?  What process are are you doing?

    I personally don't see any reason to use anything but a self signed on the web gui - who is going to access it you?  Maybe some other admins, it serves no purpose to have it served by a public CA..



  • I don't have a compelling reason to use an external cert.  The main reason is just because I like seeing the green cert status in the browser.  Also, I initially did it to help with my own understanding of certificate chains.  A year ago when I added it, I didn't have a problem.  Updating it this year is when the problem arose.  It's a free cert from StartSSL.  I just downloaded the updated cert and imported it.  All the details of the cert look good, and there were no complaints importing it.  But when I set the webgui to use it, it goes non responsive.  Now, my primary motivation is to discover what went wrong and to fix it, but I have not had any luck so far on my own.


  • LAYER 8 Global Moderator

    " I like seeing the green cert status in the browser."

    You mean like this one..  All that means is you trust the CA that signed that cert..  Since I trust the CA (mine) that signed the cert then I get the green lock.

    I can understand wanting to figure out what is wrong.. But the extra hoops to use an external cert is pretty pointless from the get go.  Even if it was free, or cheap, etc.  It also forces you to own and use a public domain, don't know of any trusted public CAs that will sign non public tld domain, etc.. notice mine is local.lan as the domain.

    Also my cert is good for 10 years.. Could of made it longer, what was the validity of yours 1 year..  So you have to go through hoop of changing that every year, and running into issues like your having ;)

    Good luck with figuring it out - but just pointless.. You sure do not have too use some pubic cert on your pfsense to learn about how Ca's work..

    Just saying ;)




  • I understand what you're saying, and I agree that using a self signed cert would be less trouble.  But to me, figuring out the trouble is !!FUN!!  Home networks typically only get so complicated, and at that point, I feel like I have to artificially add more complexity.  Most of my routing needs could be met with just a basic, off-the-self wireless router from walmart, but that's hardly fun, is it?



  • I have a wildcard cert from namecheap that I tried to install on my pfSense box and it would no longer respond. So then I created a cert through LE and added the hostname for my pfSense box as a SAN and that also failed. So then I made a separate cert with LE were my pfSense hostname was in the subject and the one worked. So it seems as if you can only use a cert if the subject matches your hostname. SANs and wildcards don't seem to work.

    BTW, my firewall is not exposed to the public so lets not derail this thread with "Oh this isn't secure. Why trust a 3rd party CA". I wanted a trusted CA so I don't have to acknowledge these stupid warnings all the time even though I am the only one managing it from within my own network or if I am remote, I connect via VPN.


Log in to reply