Hello all,
So I have found an issue and am not sure how to proceed.
Every year I update my SSL cert on my HA cluster and no issues until this time around.
I create the CSR on Windows IIS and then complete the process on Namecheap. Once I complete the CSR I then export the data with private key to a pfx file (using openssl I break them out to key and crt) and then import to OPNsense. (I have other applications that use the pfx without issue.)
The problem I am having is once I add the cert into OPNsense and select that cert for the web interface it becomes unresponsive. I have tried to reboot the node and the only way I can revive it is to restore a backup.
I am able to ping the IP and VIP of the firewall that this cert is bound to but not able to see the webpage.
I see no errors pop up in the console, but beyond that I do not know where else to look.
And even if I restart all services from the console it still does not load, and if there is an error while reloading the services I don't catch it since it scrolls so fast.
Any advice or process to figure this issue out?
OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023
I do this, and have done recently.
Make sure you use this:
openssl pkcs12 -in [yourfile.pfx] -out cert.pem -nodes
This ensures the private key is exported without the password.
Not sure if this is your problem, but using the above works perfectly for me with OPNsense.
Very likely. The pfx format is typically used in Microsoft products. OPN isn't, so it is likely to need a conversion from pfx. In your case with your conversion, you are converting into keys, intermediates and certificate in a single file.
If it is accepted by the UI, it's all good.
Try from ssh or console:
configctl webgui restart renew
This might get you back up with a self-signed cert. If you're looking to use your local CA or other CA, I would create the CSR via System: Trust: Certificates, then have that CSR signed by your CA.
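One way to do the pfx conversion ProximusAl describes above, and to check that the pieces belong together before handing them to the web UI, as an added example that is not part of this thread. It assumes a POSIX shell with the openssl CLI and takes the .pfx path, its export password and an output directory as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): split a Windows-exported .pfx into the
# PEM pieces OPNsense's trust store takes, with the private key unencrypted,
# then verify that the key matches the certificate.
# Assumed arguments: path to the .pfx, its export password, an output directory.
set -eu

pfx_split() {
    pfx=$1 pass=$2 out=$3
    mkdir -p "$out"
    # private key only; -nodes (-noenc on OpenSSL 3) writes it without a passphrase
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out/raw-key.pem"
    # leaf certificate (the bag carrying the localKeyID) and the CA certificates
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts -out "$out/raw-cert.pem"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -cacerts -out "$out/chain.pem"
    # re-encode to drop the "Bag Attributes" headers pkcs12 prepends to each block
    openssl pkey -in "$out/raw-key.pem" -out "$out/key.pem"
    openssl x509 -in "$out/raw-cert.pem" -out "$out/cert.pem"
    rm -f "$out/raw-key.pem" "$out/raw-cert.pem"
}

# Returns 0 when key.pem is unencrypted and its public key equals the one in cert.pem.
pfx_verify() {
    out=$1
    if grep -q 'ENCRYPTED' "$out/key.pem"; then
        echo "key.pem is still passphrase protected" >&2
        return 1
    fi
    cert_pub=$(openssl x509 -in "$out/cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$out/key.pem" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    return 0
}
```

Import key.pem and cert.pem as the certificate and chain.pem (if non-empty) as the CA entries; an empty chain.pem just means the pfx carried no intermediates.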
Quote from: ProximusAl on February 20, 2023, 08:43:53 AM
I do this, and have done recently.
Make sure you use this:
openssl pkcs12 -in [yourfile.pfx] -out cert.pem -nodes
This ensures the private key is exported without the password.
Not sure if this is your problem, but using the above works perfectly for me with OPNsense.
Proximus,
Thanks a million. I guess exporting to crt isn't a good idea; however, your steps solved the problem.
I also saw a new behavior that's kinda cool.
I imported the cert on gateway1 and did a ha-sync (re-sync all) and it even copied over the cert to gateway2 for me. That didn't used to work in the past; I always had to import manually.
Glad I could help :)