Author Topic: [Solved] expired SSL Certs for web UI  (Read 13388 times)

BISI Sysadmin

[Solved] expired SSL Certs for web UI
« on: May 28, 2019, 05:16:17 pm »
I have several OPNsense firewalls deployed.  I have recently noticed (as a result of troubleshooting Firefox's inability to connect to the GUI -- stalling at the TLS handshake stage) that they all have expired certificates.  This is one I just updated to 19.1.8 last night.  The expiry date of the cert is 2 days previously.  Is there an explanation for this?  A way to rectify it?

This does not really matter for any practical purpose in my situation (it's only a small factor in the Firefox issue), except that the browser developers are constantly removing the ability for a user to exercise their judgment in situations like this, and at some point I fully expect to be barred from accessing these hosts, based on an expired (or self-signed) certificate.

I've attached a screen shot as a .png

« Last Edit: December 11, 2019, 06:31:40 am by BISI Sysadmin »

fabian

  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: expired SSL Certs for web UI
« Reply #1 on: May 28, 2019, 06:46:18 pm »
That's a feature called HSTS - it prevents users from accepting invalid certificates. In your case, you have to renew the certificate to get it working again.

You can use a local intercept proxy and include its CA certificate in Firefox so it sees a trustworthy certificate, while the proxy has an insecure connection (in ZAP you can find the option to disable the certificate check in the settings). The alternative is updating the config.xml and restarting the web interface with a new certificate / key.

cguilford

Re: expired SSL Certs for web UI
« Reply #2 on: May 28, 2019, 07:47:43 pm »
My internal cert expires in 2 days as well...  If it's the internal cert should it auto renew?

 Web GUI SSL certificate

CA: Yes, Server: No    self-signed     ST=Zuid-Holland, O=OPNsense, L=Middelharnis, C=NL, 
     Valid From:    Wed, 30 May 2018 18:20:48 -0400
     Valid Until:    Thu, 30 May 2019 18:20:48 -0400

fabian

  • OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: expired SSL Certs for web UI
« Reply #3 on: May 28, 2019, 08:44:06 pm »
Quote from: cguilford on May 28, 2019, 07:47:43 pm
My internal cert expires in 2 days as well...  If it's the internal cert should it auto renew?

I cannot decide if it should but it does not.

BISI Sysadmin

Re: expired SSL Certs for web UI
« Reply #4 on: May 28, 2019, 09:15:43 pm »
Quote from: fabian on May 28, 2019, 06:46:18 pm
... The alternative is updating the config.xml and restart the web interface with a new certificate / key.

I think this is the path I would prefer to follow.  It will reduce complexity of troubleshooting, assuming I can make it happen.  Do you know of any pointers to documentation about creating a new certificate/CSR for this?  I'm guessing there's only one config.xml file, or that it will at least be easily distinguishable from other config.xml files... ;)

Keep in mind this is the internal Web GUI certificate:

OPNsense.crt
Identity
Verified by
Expires: 2019-05-25

Subject Name
C (Country): NL
ST (State): Zuid-Holland
L (Locality): Middelharnis
O (Organization): OPNsense
Issuer Name
C (Country): NL
ST (State): Zuid-Holland
L (Locality): Middelharnis
O (Organization): OPNsense
Issued Certificate
Version: 3
Serial Number: 00 89 48 6C 66 7A 51 A7 61
Not Valid Before: 2018-05-25
Not Valid After: 2019-05-25
Certificate Fingerprints
SHA1: B6 57 25 D0 BA BF 56 D0 FE 7E AB 51 51 68 D3 3E DF 4A EF A8
MD5: 1E DD 06 62 A7 B5 9D 11 20 EF 2D 8B 60 38 3A 50
Public Key Info
Key Algorithm: RSA
Key Parameters: 05 00
Key Size: 4096
Key SHA1 Fingerprint: 62 11 F6 00 F3 A9 78 8C 5C AF D3 52 B6 1F BA 75 15 B4 96 1F
Public Key: <elided for readability>
Subject Key Identifier
Key Identifier: DF 29 3A 82 22 3E A9 43 3B F2 EB C8 89 45 DC C3 CE 5E 2F 49
Critical: No
Extension
Identifier: 2.5.29.35
Value: 30 16 80 14 DF 29 3A 82 22 3E A9 43 3B F2 EB C8 89 45 DC C3 CE 5E 2F 49
Critical: No
Basic Constraints
Certificate Authority: Yes
Max Path Length: Unlimited
Critical: No
Signature
Signature Algorithm: 1.2.840.113549.1.1.11
Signature Parameters: 05 00
Signature: <elided>

cguilford

Re: expired SSL Certs for web UI
« Reply #5 on: May 28, 2019, 09:57:18 pm »
I just created new Certs and reconfigured the server to point to new certs.

BISI Sysadmin

Re: expired SSL Certs for web UI
« Reply #6 on: December 09, 2019, 08:45:21 pm »
Quote from: cguilford on May 28, 2019, 09:57:18 pm
I just created new Certs and reconfigured the server to point to new certs.

Would you mind posting a brief recipe, or pointer to documentation about how you did this?  It would very much increase the chances I'd get to fixing the issue sooner.

thanks in advance!

cguilford

Re: expired SSL Certs for web UI
« Reply #7 on: December 10, 2019, 01:46:51 pm »
If I recall properly it's System/Trust/Certificate
Click Add across the top right
In the Method Drop down click Create Internal Cert
Fill in the blanks.

The next thing you have to do once you create the cert is go to System/Settings/Administration
Under the SSL Cert drop down you have to choose the new Cert you just created



BISI Sysadmin

Re: expired SSL Certs for web UI
« Reply #8 on: December 11, 2019, 06:30:06 am »
And many thanks to cguilford!

For future me, the only additional detail is to set the Type in the Internal Certificate section to be Certificate Authority, to more closely match the original.

Cheers!
« Last Edit: December 11, 2019, 06:32:52 am by BISI Sysadmin »
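
Since the web GUI certificate discussed in this thread does not renew itself, here is an added example (not part of the original thread and not OPNsense code) that uses the openssl command line to report, per firewall, whether the presented certificate is expired, within 30 days of expiry, or fine, and whether it is self-signed. The host names in the usage comment, the 30-day threshold and the function names are assumptions; the sample certificate is constructed for testing.

```shell
#!/bin/sh
# Added example: warn before a firewall's web GUI certificate expires.
# Hosts are supplied by the caller on the command line; none come from the thread.

# Create a throwaway self-signed certificate (constructed sample input).
make_sample_cert() {  # usage: make_sample_cert OUT.pem DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -out "$1" -days "$2" -subj "/C=NL/O=Example" >/dev/null 2>&1
}

# Print ok | expiring | expired | unreadable for a PEM certificate file.
cert_status() {  # usage: cert_status FILE.pem WARN_DAYS
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired        # notAfter is already in the past
    elif ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        echo expiring       # notAfter falls inside the warning window
    else
        echo ok
    fi
}

# True when subject and issuer are identical, as on a self-signed GUI certificate.
is_self_signed() {  # usage: is_self_signed FILE.pem
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^[a-z]*= *//')
    issr=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^[a-z]*= *//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# Fetch the certificate a host presents and print one tab-separated report line.
check_host() {  # usage: check_host HOST[:PORT] WARN_DAYS
    case $1 in *:*) target=$1 ;; *) target=$1:443 ;; esac
    pem=$(mktemp) || return 1
    openssl s_client -connect "$target" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$pem" 2>/dev/null
    state=$(cert_status "$pem" "$2")
    end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null)
    kind=other
    if is_self_signed "$pem"; then kind=self-signed; fi
    printf '%s\t%s\t%s\t%s\n' "$target" "$state" "$kind" "${end:-notAfter=?}"
    rm -f "$pem"
}

# Usage (placeholder hosts): ./gui-cert-check.sh fw1.example.net fw2.example.net:8443
for h in "$@"; do check_host "$h" 30; done
```

Run from cron on a management host, any line whose second column is not `ok` is the cue to create a new certificate and select it for the web GUI as described above.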