SSL/Webui Issue

Started by Godfarva, February 20, 2023, 05:07:11 AM

February 20, 2023, 05:07:11 AM Last Edit: February 20, 2023, 05:09:53 AM by Godfarva
Hello all,

So I have found an issue and am not sure how to proceed.
Every year I update my SSL cert on my HA cluster and no issues until this time around.
I create the CSR on Windows IIS and then complete the process on namecheap. Once I complete the CSR I then export the data with private key to a pfx file (using openssl I break them out to key and crt) and then import to Opnsense. (I have other applications that use the pfx without issue.)

The problem I am having is once I add the cert into opnsense and select that cert for the web interface it becomes unresponsive. I have tried to reboot the node and the only way I can revive it is to restore a backup.

I am able to ping the IP and VIP of the firewall that this cert is bound to but not able to see the webpage.
I see no errors pop up in the console, but beyond that I do not know where else to look.
And even if I restart all services from console it still does not load. And if there is an error while reloading the services I don't catch it since it scrolls so fast.

Any advice or process to figure this issue out?

OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023

I do this, and have done recently.

Make sure you use this:

openssl pkcs12 -in [yourfile.pfx] -out cert.pem -nodes

This ensures the private key is exported without the password.

Not sure if this is your problem, but using the above works perfectly for me with OPNSense.
Hardware:
DEC750v2

Very likely. The pfx format is typically used in Microsoft products. OPN isn't, so it is likely to need a conversion from pfx. In your case with your conversion, you are converting into keys, intermediates and certificate in a single file.
If it is accepted by the UI, it's all good.

Try from ssh or console:

configctl webgui restart renew

This might get you back up with a self-sign. If you're looking to use your local CA or other CA, I would create the CSR via System: Trust: Certificates then have that CSR signed by your CA.
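The two replies above boil down to one procedure: extract the PFX with -nodes so the private key lands in PEM unencrypted, split it into key, leaf certificate and intermediates, and confirm the key actually belongs to the certificate before handing it to the web GUI. The script below is an added example, not code from either poster or from the OPNsense project. It assumes only that openssl (1.1.1 or 3.x) is on PATH; the PFX it processes is constructed inside the script from a throwaway self-signed certificate, and the export password "exportpw" is a made-up value standing in for whatever IIS asked for.

```shell
#!/bin/sh
# Added example: PFX -> PEM conversion as described in the thread, plus the
# two checks worth running before importing into OPNsense. Not project code.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test input: a self-signed cert packed into a password-protected
# PFX, standing in for the bundle exported from IIS. (Assumed values.)
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=fw.example.test" \
        -keyout "$WORK/src.key" -out "$WORK/src.crt" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/src.key" -in "$WORK/src.crt" \
        -passout pass:exportpw -out "$WORK/bundle.pfx"
}

# Convert PFX -> PEM. -nodes (the thread's fix) leaves the private key
# unencrypted; -nocerts / -clcerts / -cacerts split the bundle into the
# three pieces OPNsense takes separately: key, leaf cert, intermediates.
pfx_to_pem() {
    pfx=$1; pw=$2; outdir=$3
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nodes -nocerts -out "$outdir/server.key"
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -clcerts -out "$outdir/server.crt"
    openssl pkcs12 -in "$pfx" -passin "pass:$pw" -nokeys -cacerts -out "$outdir/chain.crt"
}

# Check 1: the key is not password-protected. An encrypted PEM key is written
# as a "BEGIN ENCRYPTED PRIVATE KEY" block (PKCS#8) or carries a Proc-Type
# header (legacy format); a service that cannot prompt for a passphrase
# cannot load either.
key_is_unencrypted() {
    ! grep -Eq 'ENCRYPTED|Proc-Type' "$1"
}

# Check 2: key and certificate carry the same public key, so the web GUI is
# not handed a mismatched pair. Compare SHA-256 of the DER-encoded SPKI.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

# Run the whole procedure on the constructed bundle. Returns 0 when the
# extracted material is ready to import, 1 if the key is still encrypted,
# 2 if key and certificate do not match.
check_bundle() {
    make_test_pfx
    mkdir -p "$WORK/out"
    pfx_to_pem "$WORK/bundle.pfx" exportpw "$WORK/out"
    key_is_unencrypted "$WORK/out/server.key" || return 1
    key_matches_cert "$WORK/out/server.key" "$WORK/out/server.crt" || return 2
    return 0
}

check_bundle && echo "server.key is unencrypted and matches server.crt: ready to import"
```

For a real bundle, replace the constructed PFX with the file exported from IIS and its password. chain.crt is empty when the PFX carries no intermediates, which is normal for a self-signed test cert; for a CA-issued cert it holds the intermediate(s) that go under System: Trust: Authorities.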

Quote from: ProximusAl on February 20, 2023, 08:43:53 AM
I do this, and have done recently.

Make sure you use this:

openssl pkcs12 -in [yourfile.pfx] -out cert.pem -nodes

This ensures the private key is exported without the password.

Not sure if this is your problem, but using the above works perfectly for me with OPNSense.


Proximus,

Thanks a million, I guess exporting to crt isn't a good idea, however your steps solved the problem.
I also saw a new behavior that's kinda cool.
I imported the cert on gateway1 and did a ha-sync (re-sync all) and it even copied over the cert to gateway2 for me. That didn't used to work in the past, always had to import manually.

Glad I could help :)
Hardware:
DEC750v2