noob: gui HTTPS gives me err_cert_invalid

Started by mdirickx, August 23, 2019, 07:15:05 PM

Hello everyone,

I'm apparently a complete noob on this. How do I switch to HTTPS for the GUI?

When I try it in settings, I get a browser error that the certificate is gibberish. I understand the cert is not valid as it's self-signed, but usually you can just accept that and proceed...

The Error is:
x.x.x.x normally uses encryption to protect your information. When Google Chrome tried to connect to x.x.x.x this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be x.x.x.x, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit x.x.x.x right now because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

Further settings:
SSL Cert: Web GUI SSL certificate
SSL Ciphers: system defaults
HTTP strict: unchecked
HTTP redirect: unchecked
DNS Rebind: unchecked
listen Interfaces: All
HTTP_REFERER: checked



I'm having the same problem. Any suggestions? FFX lets me bypass the warning, but not Chrome, which is my default browser.

I figured it out.  It has to do with Catalina OS on my Mac and Chrome.

https://support.google.com/chrome/thread/9253301?hl=en

The above link had some options.

- You can click anywhere on the warning page in whitespace somewhere and literally type in "thisisunsafe" and then you will go to the login page

- You can make OSX/Chrome trust the cert by doing this (from the above link).  Download user cert from System > Certificates

1. Download the Certificate to Desktop
2. Double click the certificate and enter the login credentials to install the certificate in the keychain
3. Once done, open the Keychain > Categories > Certificates
4. Double click the installed certificate and click the 'Trust' expander.
5. Select "When using this certificate:" 'Always Trust'
6. Restart Chrome. Now you will see the 'Proceed to Unsafe Mode'.

Why not just use the Let's Encrypt plugin to get a free, valid certificate?
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

I guess b/c I'm new to OPNsense and didn't know what to do and just wanted to log in to the GUI using my normal browser so I could start looking at configuration options. Do you have step by step instructions for doing the Let's Encrypt plugin and replacing the web GUI cert?

Does OPNsense now use HTTPS by default? Wasn't aware of this. Has been a while since I did a fresh install. So I assumed you enabled HTTPS without having a valid certificate. My bad.

There is a basic ACME / Let's Encrypt quick start guide on GitHub: https://github.com/opnsense/plugins/pull/66

Cheers

Maurice

Thx, will check it out.  Yes, it now uses HTTPS by default with a self signed cert which is fine, but under Catalina, that is now much harder when using Chrome than it used to be under Mojave.  Check out the link I posted for the Google support forum about this topic.  Interesting.

The issue was fixed for the standard web GUI self-signed certificate generation in 19.7.7, but the issue persists for all previously set up installations. The reason for this is that the server extension was missing from the self-signed certificate.

https://github.com/opnsense/core/commit/296a7e3c39


Cheers,
Franco

FWIW, still had the issue under the new version for me.

Yes, because the certificate was generated with the wrong version as mentioned previously. You can't get to 19.7.7 before an "unfitting" certificate is already generated.

But if you do a factory reset on 19.7.7 the issue will disappear (along with your config).

You could also delete the relevant /conf/config.xml <cert/> section and issue:

# configctl webgui restart

And that's it.


Cheers,
Franco
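Franco's posts above say the pre-19.7.7 self-signed GUI certificate was missing the server extension. The following shell snippet is an added example, not code from this thread or from the OPNsense project: it checks a PEM certificate for the two X.509 extensions that current Chrome and macOS 10.15 expect from a server certificate (a Subject Alternative Name and an Extended Key Usage containing serverAuth), so you can tell whether an existing install's certificate needs regenerating before you delete the <cert/> section. It assumes `openssl` (1.1.1 or newer) is installed; the sample certificates it generates are constructed for the demonstration, and the GUI host name is a placeholder.

```shell
#!/bin/sh
# check_server_cert FILE: returns 0 if the PEM certificate carries a SAN and an
# EKU with "TLS Web Server Authentication", otherwise prints what is missing
# and returns 1 (2 if the file cannot be parsed).
check_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    missing=""
    echo "$text" | grep -q 'X509v3 Subject Alternative Name' || missing="$missing SAN"
    echo "$text" | grep -q 'TLS Web Server Authentication' || missing="$missing EKU-serverAuth"
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
    return 0
}

# fetch_gui_cert HOST: writes the certificate the GUI actually presents to stdout,
# e.g. fetch_gui_cert opnsense.localdomain > gui.pem  (HOST is a placeholder).
fetch_gui_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# make_samples: constructed demo certificates in a temp dir (prints the dir).
# old.pem mimics a CN-only self-signed certificate; new.pem has SAN and EKU.
make_samples() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=opnsense.localdomain" \
        -keyout "$dir/old.key" -out "$dir/old.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=opnsense.localdomain" \
        -addext "subjectAltName=DNS:opnsense.localdomain" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$dir/new.key" -out "$dir/new.pem" 2>/dev/null
    echo "$dir"
}
```

Run `check_server_cert` on the output of `fetch_gui_cert` against your own firewall; a result of `missing:` means the certificate predates the fix and should be regenerated as described above.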