[solved] SSL certificate changed after every upgrade

Started by kepi, February 14, 2025, 12:46:48 PM

I just upgraded from 24.7 to 25.1 and then to 25.1.1, and after every upgrade the SSL certificate in settings gets replaced by a newly generated self-signed "Web GUI TLS certificate".

I understand the need to generate new self-signed certificates, but I'm using our own authority and need to have it in place. The Let's Encrypt solution doesn't help me, as we have routers on a private domain.

Is there something which will prevent this behavior? It adds unnecessary steps after every update on all servers.

I tried to search for the solution, but found nothing relevant.

Thanks

OK, now I'm really confused, as I just upgraded the primary server and the same thing didn't happen.

I'm thinking, might it be because I didn't delete the original web GUI certificate on the backup? On the master, there has been and still is only my manually uploaded cert.

OPNsense doesn't renew certificates automatically. Check Cron or some other scripts you may have and make sure there's not a "renew" directive if you're doing "configctl webgui restart [renew]" somewhere.

Today it finally hit me... classic example of PEBKAC.

During the upgrade, I found an error in my HA settings, and while fixing and reviewing the setup, I added "Web GUI" to the synced services by mistake. So every time I synced the configuration, it tried to use the same certificate as on the first node and, not finding it, generated a new one.
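
The failure mode described in the last post can be checked offline from two exported configurations. The following is an added example, not code from the thread or from OPNsense: it flags a web GUI certificate reference that has no matching entry in the certificate store, and warns when the backup lacks the certificate the primary's web GUI uses. The element names (`system/webgui/ssl-certref`, `cert/refid`, `cert/descr`) are assumed to match the config.xml layout, and both sample configs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs. Element names are an assumption about the
# OPNsense config.xml layout; the refids and descriptions are made up.
PRIMARY_XML = """<opnsense>
  <system><webgui><protocol>https</protocol><ssl-certref>aaa111</ssl-certref></webgui></system>
  <cert><refid>aaa111</refid><descr>Internal CA GUI cert</descr></cert>
</opnsense>"""

BACKUP_XML = """<opnsense>
  <system><webgui><protocol>https</protocol><ssl-certref>bbb222</ssl-certref></webgui></system>
  <cert><refid>bbb222</refid><descr>Web GUI TLS certificate</descr></cert>
</opnsense>"""


def webgui_certref(root):
    """Return the certificate refid the web GUI is configured to use, or None."""
    node = root.find("./system/webgui/ssl-certref")
    return node.text.strip() if node is not None and node.text else None


def cert_store(root):
    """Map refid -> description for every certificate stored in the config."""
    store = {}
    for cert in root.findall("./cert"):
        refid = (cert.findtext("refid") or "").strip()
        if refid:
            store[refid] = (cert.findtext("descr") or "").strip()
    return store


def check_pair(primary_xml, backup_xml):
    """Return findings about the web GUI certificate on an HA pair."""
    primary, backup = ET.fromstring(primary_xml), ET.fromstring(backup_xml)
    findings = []
    for name, root in (("primary", primary), ("backup", backup)):
        ref = webgui_certref(root)
        if ref is None:
            findings.append(f"{name}: no web GUI certificate reference set")
        elif ref not in cert_store(root):
            findings.append(f"{name}: web GUI references missing cert {ref}")
    p_ref = webgui_certref(primary)
    if p_ref and p_ref not in cert_store(backup):
        findings.append(f"backup: lacks primary's web GUI cert {p_ref}; "
                        "syncing Web GUI settings would leave a dangling reference")
    return findings


if __name__ == "__main__":
    print("\n".join(check_pair(PRIMARY_XML, BACKUP_XML)) or "no findings")
```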