Author Topic: SSL/Webui Issue  (Read 1288 times)

Godfarva

SSL/Webui Issue
« on: February 20, 2023, 05:07:11 am »
Hello all,

So I have found an issue and am not sure how to proceed.
Every year I update my SSL cert on my HA cluster and no issues until this time around.
I create the CSR on Windows IIS and then complete the process on Namecheap. Once I complete the CSR I then export the data with private key to a pfx file (using openssl I break them out to key and crt) and then import to OPNsense. (I have other applications that use the pfx without issue.)

The problem I am having is once I add the cert into OPNsense and select that cert for the web interface it becomes unresponsive. I have tried to reboot the node and the only way I can revive it is to restore a backup.

I am able to ping the IP and VIP of the firewall that this cert is bound to but not able to see the webpage.
I see no errors pop up in the console, but beyond that I do not know where else to look.
Even if I restart all services from the console it still does not load, and if there is an error while reloading the services I don't catch it since it scrolls so fast.

Any advice or process to figure this issue out?

OPNsense 23.1.1_2-amd64
FreeBSD 13.1-RELEASE-p6
OpenSSL 1.1.1t 7 Feb 2023
« Last Edit: February 20, 2023, 05:09:53 am by Godfarva »

ProximusAl

Re: SSL/Webui Issue
« Reply #1 on: February 20, 2023, 08:43:53 am »
I do this, and have done recently.

Make sure you use this:

openssl pkcs12 -in [yourfile.pfx] -out cert.pem -nodes

This ensures the private key is exported without the password.

Not sure if this is your problem, but using the above works perfectly for me with OPNsense.
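An added example, not part of any post in this thread: a shell check that a PEM bundle exported from a PFX holds a private key readable without a passphrase and that the key matches the certificate, run against a throwaway self-signed PFX exported with and without `-nodes`. The file names, CN and password are constructed, and an `openssl` binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example: sanity-check a PEM bundle exported from a PFX before import.
# All file names, the CN and the password below are constructed for the demo.

# True if the bundle holds a private key readable with no passphrase.
key_is_unencrypted() {
    openssl pkey -in "$1" -passin pass: -noout 2>/dev/null
}

# True if the certificate and the private key in the bundle share a public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build a throwaway self-signed PFX in directory $1 (stands in for the issued one).
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=fw.example.test" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -passout pass:constructed -out "$1/sample.pfx"
}

# Export the PFX both ways and report which bundle passes both checks.
demo() {
    umask 077                      # the -nodes output contains a cleartext key
    work=$(mktemp -d) || return 1
    make_sample_pfx "$work" || return 1
    # The command from the thread: key written without a passphrase.
    openssl pkcs12 -in "$work/sample.pfx" -passin pass:constructed \
        -out "$work/cert.pem" -nodes 2>/dev/null
    # Same export without -nodes: the key stays passphrase-protected.
    openssl pkcs12 -in "$work/sample.pfx" -passin pass:constructed \
        -passout pass:constructed -out "$work/enc.pem" 2>/dev/null
    for f in cert.pem enc.pem; do
        if key_is_unencrypted "$work/$f" && key_matches_cert "$work/$f"; then
            echo "$f: key readable and matches certificate"
        else
            echo "$f: key unreadable without passphrase, or mismatch"
        fi
    done
    rm -rf "$work"                 # do not leave the cleartext key behind
}

demo
```

The `-nodes` output is a cleartext private key on disk, so the example sets a restrictive umask and deletes the working directory when it finishes.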

cookiemonster

Re: SSL/Webui Issue
« Reply #2 on: February 20, 2023, 11:58:55 am »
Very likely. The pfx format is typically used in Microsoft products. OPN isn't, so it is likely to need a conversion from pfx. In your case with your conversion, you are converting into keys, intermediates and certificate in a single file.
If it is accepted by the UI, it's all good.

FLguy

Re: SSL/Webui Issue
« Reply #3 on: February 21, 2023, 12:19:15 am »
Try from ssh or console:

Code:
configctl webgui restart renew
This might get you back up with a self-sign. If you're looking to use your local CA or other CA, I would create the CSR via System: Trust: Certificates then have that CSR signed by your CA.

Godfarva

Re: SSL/Webui Issue
« Reply #4 on: February 21, 2023, 05:08:57 am »
Quote from: ProximusAl on February 20, 2023, 08:43:53 am
I do this, and have done recently.

Make sure you use this:

openssl pkcs12 -in [yourfile.pfx] -out cert.pem -nodes

This ensures the private key is exported without the password.

Not sure if this is your problem, but using the above works perfectly for me with OPNsense.


Proximus,

Thanks a million. I guess exporting to crt isn't a good idea; however, your steps solved the problem.
I also saw a new behavior that's kinda cool.
I imported the cert on gateway1 and did a ha-sync (re-sync all) and it even copied over the cert to gateway2 for me. That didn't use to work in the past, always had to import manually.

ProximusAl

Re: SSL/Webui Issue
« Reply #5 on: February 21, 2023, 08:54:31 am »
Glad I could help :)