[Solved] expired SSL Certs for web UI

[BISI Sysadmin]

I have several OPNsense firewalls deployed.  I have recently noticed (as a result of troubleshooting Firefox's inability to connect to the GUI -- stalling at the TLS handshake stage) that they all have expired certificates.  This is one I just updated to 19.1.8 last night.  The expiry date of the cert is 2 days previously.  Is there an explanation for this?  A way to rectify it?

This does not really matter for any practical purpose in my situation (it's only a small factor in the Firefox issue), except that the browser developers are constantly removing the ability for a user to exercise their judgment in situations like this, and at some point I fully expect to be barred from accessing these hosts, based on an expired (or self-signed) certificate.

I've attached a screen shot as a .png

[fabian]

That's a feature called HSTS - it prevents users from accepting invalid certificates. In your case, you have to renew the certificate to get it working again.

You can use a local intercept proxy and include the CA certificate of it into Firefox so it sees a trustworthy certificate. While the proxy has a insecure connection (In ZAP you can find that in the settings to disable the certificate check.). The alternative is updating the config.xml and restart the web interface with a new certificate / key.

[cguilford]

My internal cert expires in 2 days as well...  If it's the internal cert should it auto renew?

 Web GUI SSL certificate

CA: Yes, Server: No    self-signed     ST=Zuid-Holland, O=OPNsense, L=Middelharnis, C=NL, 
     Valid From:    Wed, 30 May 2018 18:20:48 -0400
     Valid Until:    Thu, 30 May 2019 18:20:48 -0400

[fabian]

My internal cert expires in 2 days as well...  If it's the internal cert should it auto renew?

I cannot decide if it should but it does not.

[BISI Sysadmin]

... The alternative is updating the config.xml and restart the web interface with a new certificate / key.

I think this is the path I would prefer to follow.  It will reduce complexity of troubleshooting, assuming I can make it happen.  Do you know of any pointers to documentation about creating a new certificate/CSR for this.  I 'm guessing there's only ne config.xml file, or that it will at least be easily distinguishable from other config.xml files...

Keep in mind this is the internal Web GUI certificate:

OPNsense.crt

Code: [Select]

Identity
Verified by
Expires: 2019-05-25

Subject Name
C (Country): NL
ST (State): Zuid-Holland
L (Locality): Middelharnis
O (Organization): OPNsense
Issuer Name
C (Country): NL
ST (State): Zuid-Holland
L (Locality): Middelharnis
O (Organization): OPNsense
Issued Certificate
Version: 3
Serial Number: 00 89 48 6C 66 7A 51 A7 61
Not Valid Before: 2018-05-25
Not Valid After: 2019-05-25
Certificate Fingerprints
SHA1: B6 57 25 D0 BA BF 56 D0 FE 7E AB 51 51 68 D3 3E DF 4A EF A8
MD5: 1E DD 06 62 A7 B5 9D 11 20 EF 2D 8B 60 38 3A 50
Public Key Info
Key Algorithm: RSA
Key Parameters: 05 00
Key Size: 4096
Key SHA1 Fingerprint: 62 11 F6 00 F3 A9 78 8C 5C AF D3 52 B6 1F BA 75 15 B4 96 1F
Public Key: <elided for readability>
Subject Key Identifier
Key Identifier: DF 29 3A 82 22 3E A9 43 3B F2 EB C8 89 45 DC C3 CE 5E 2F 49
Critical: No
Extension
Identifier: 2.5.29.35
Value: 30 16 80 14 DF 29 3A 82 22 3E A9 43 3B F2 EB C8 89 45 DC C3 CE 5E 2F 49
Critical: No
Basic Constraints
Certificate Authority: Yes
Max Path Length: Unlimited
Critical: No
Signature
Signature Algorithm: 1.2.840.113549.1.1.11
Signature Parameters: 05 00
Signature: <elided>


[cguilford]

I just created new Certs and reconfigured the server to point to new certs.

[BISI Sysadmin]

I just created new Certs and reconfigured the server to point to new certs.

Would you mind posting a brief recipe, or pointer to documentation about how you did this?  It would very much increase the chances I'd get to fixing the issue sooner.

thanks in advance!

[cguilford]

If I recall properly it's System/Trust/Certificate
Click Add across the top right
In the Method Drop down click Create Internal Cert
Fill in the blanks.

The next thing you have to do once you create the cert is goto System/Settings/Administration
Under the SSL Cert drop down you have to choose the new Cert you just created

[BISI Sysadmin]

And many thanks to cguilford!

For future me, the only additional detail is to set the Type in the Internal Certificate section to be Certificate Authority, to more closely match the original.

Cheers!