PFSense Self Signed Certs Problem - post upgrade to 6.10.3 from 6.9.2 (Solved)


Solved by ljm42

Having a real problem getting my pfSense self-signed certs to work since the upgrade (they were working before the upgrade). When I put the <name>_unraid_bundle.pem file into the certs folder and either reboot or restart nginx, the pem file gets immediately overwritten. I have tried re-issuing new certs, updating/changing the server name and issuing new certs, and using wildcard certs (which work in my Docker nginx), and I am at a loss as to what I am doing wrong.

This is the cert :


The server name matches :

I export the .key and .crt from pfSense and cat them together into the pem file on Unraid, but it just gets overwritten immediately with an internally signed cert.
I have installed my CA into Windows so any certs it issues are trusted:

but on Unraid it's just:

I'm obviously doing something wrong, or have misread something. Can anyone shed any light, please?

 

Update: Validating the Subject in the pem file:
Edited by Minty Trebor (more info)

Unraid determines its URL from the [servername].[localTLD] settings. If that URL is not valid for the certificate you provide, the certificate gets deleted and replaced with a self-signed certificate that is valid for those settings.

 

So if you want this to be the URL of the server:
  homesvr3.rjbhome.localdomain

 

First you need to ensure DNS resolves homesvr3.rjbhome.localdomain to the server's IP address

(I'm guessing you've already done this)

 

Then on Settings -> Identification you need to set the "servername" to:
  homesvr3 
(you have already done this)

 

And on Settings -> Management Access you need to set the "Local TLD"  to:
  rjbhome.localdomain
(you need to do this)

 

And the certificate needs to be valid for either of these names:
  homesvr3.rjbhome.localdomain

  *.rjbhome.localdomain
(you have already done this)

 

For more details see:
  https://wiki.unraid.net/Manual/Security#Securing_webGui_connections_.28SSL.29 

 

I have made some assumptions, so if you have further questions please upload your diagnostics.zip file (from Tools -> Diagnostics) to your next post in this thread.

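The check ljm42 describes can be reproduced offline before copying a bundle onto the server. The script below is an added example, not Unraid's own code: it builds the URL from the two settings, reads the DNS names out of a constructed copy of what `openssl x509 -in bundle.pem -noout -ext subjectAltName` prints (the SAN values and the PEM snippet are made up for the example, not taken from the thread's screenshots), applies one-label wildcard matching, and reports whether the bundle would be replaced. It also confirms that the concatenated bundle actually carries both a private key and a certificate.

```python
"""Predict whether Unraid 6.10 will keep or replace a certificate bundle.

Added example, not Unraid's code. Unraid 6.10 derives the webGui hostname as
<servername>.<localTLD>; if the supplied cert is not valid for that name it is
replaced by a self-signed one. The matching rule used here (exact match or a
wildcard covering exactly one label) is the usual TLS hostname rule; whether
Unraid's own check is stricter is not stated in the thread.
"""
import re

# Constructed sample of `openssl x509 -in bundle.pem -noout -ext subjectAltName`
# output for a cert issued for the host name and a wildcard (values assumed).
SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:homesvr3.rjbhome.localdomain, DNS:*.rjbhome.localdomain
"""

# Constructed, truncated PEM bundle standing in for `cat server.key server.crt`.
BUNDLE_PEM = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUQ3xUq...
-----END CERTIFICATE-----
"""


def unraid_url(servername, local_tld):
    """Hostname Unraid builds from Settings -> Identification and Management Access."""
    return f"{servername.strip()}.{local_tld.strip()}".lower()


def parse_san_dns(openssl_text):
    """Pull the DNS: entries out of the openssl subjectAltName dump."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", openssl_text)]


def name_matches(hostname, san_name):
    """Exact match, or a '*.' wildcard covering exactly one leading label."""
    hostname = hostname.lower().rstrip(".")
    san_name = san_name.lower().rstrip(".")
    if san_name == hostname:
        return True
    if san_name.startswith("*."):
        suffix = san_name[1:]  # ".rjbhome.localdomain"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]
        return label != "" and "." not in label
    return False


def cert_covers(hostname, san_names):
    return any(name_matches(hostname, san) for san in san_names)


def pem_block_types(pem_text):
    """Types of the PEM blocks present, in file order."""
    return re.findall(r"-----BEGIN ([A-Z ]+)-----", pem_text)


def bundle_is_complete(pem_text):
    """The bundle Unraid expects holds both the private key and the certificate."""
    types = pem_block_types(pem_text)
    has_key = any(t.endswith("PRIVATE KEY") for t in types)
    return has_key and "CERTIFICATE" in types


def bundle_will_be_replaced(servername, local_tld, openssl_text):
    """True when the derived URL is not covered by the cert's SAN list."""
    return not cert_covers(unraid_url(servername, local_tld), parse_san_dns(openssl_text))


if __name__ == "__main__":
    for tld in ("rjbhome.localdomain", "rjbhome.localdoamin"):  # second one has transposed letters
        url = unraid_url("homesvr3", tld)
        verdict = "REPLACED" if bundle_will_be_replaced("homesvr3", tld, SAN_OUTPUT) else "kept"
        print(f"{url:32} -> bundle {verdict}")
    print("bundle complete:", bundle_is_complete(BUNDLE_PEM))
```

Running it against the real bundle means feeding the output of `openssl x509 -in /boot/config/ssl/certs/<name>_unraid_bundle.pem -noout -ext subjectAltName` into `parse_san_dns` and the file contents into `bundle_is_complete`; the second, misspelled Local TLD in the demo reproduces the transposed-letters case from this thread and shows the bundle being replaced while the correct one is kept.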

Thanks for replying. The LocalTLD setting was not set to the correct value; there was a typo. I could have sworn I did not change this during the upgrade... and I didn't spot it until I took a screenshot to post in this reply. I transposed two letters...

Thanks !! :D

Edited by Minty Trebor

Great! glad it is working now.

 

SSL support has been reworked in 6.10 to be more secure. The LocalTLD setting had minimal impact in 6.9, so you might not have noticed the typo previously. In 6.10 the LocalTLD is used to generate the server's URL, so it is much more important.
