Netgate SG-1000 microFirewall

Author Topic: webConfigurator default certificate expired yesterday  (Read 385 times)

0 Members and 1 Guest are viewing this topic.

Offline ipfftw

  • Jr. Member
  • **
  • Posts: 70
  • Karma: +2/-5
    • View Profile
webConfigurator default certificate expired yesterday
« on: January 06, 2018, 12:50:05 am »
Hello all, can anyone tell me how to reset the webconfigurator certificate (default) so i can get in without the browser bitching. Yes i know i can just bypass it... I want to fix it. Is there a button to regenerate somewhere? maybe i did this back in 2012 but theres no way i remember doing it.

Searched around the forums and didnt see anything about webconfigurator certificate renewal.

pfsense version is 2.3.4-RELEASE-p1 (i386)


Offline ipfftw

  • Jr. Member
  • **
  • Posts: 70
  • Karma: +2/-5
    • View Profile
Re: webConfigurator default certificate expired yesterday
« Reply #1 on: January 06, 2018, 01:00:17 am »
Oh nevermind. go to https://FIREWALL/system_advanced_admin.php and just pick a different cert. you can generate a new one from cert manager. well that was easy.

Offline Gertjan

  • Hero Member
  • *****
  • Posts: 2425
  • Karma: +191/-9
    • View Profile
Re: webConfigurator default certificate expired yesterday
« Reply #2 on: January 06, 2018, 10:11:04 am »
Or, even better : update - don't stay on old versions.
And then ....  you have access to a package called 'acme' that can install a new, real  - your browser will be so happy - certificate. And it will not expire ;) (well, it does, but it will get renewed before, you doing nothing to make this happen)

Btw : but upgrade, otherwise you'll be having very soon a boatload of exceptions to remember.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15153
  • Karma: +1413/-206
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: webConfigurator default certificate expired yesterday
« Reply #3 on: January 06, 2018, 10:20:44 am »
Or he can just have his browser just the CA of pfsense that created the cert.. Then his browser will be happy, and he can use any fqdn he want does not have to be public domain, and can use rfc1918 in his san on his cert as well.. And can set the cert to be good for 10 years..

His browser will be very happy then ;)
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline Gertjan

  • Hero Member
  • *****
  • Posts: 2425
  • Karma: +191/-9
    • View Profile
Re: webConfigurator default certificate expired yesterday
« Reply #4 on: January 06, 2018, 10:27:55 am »
Or he can just have his browser just the CA of pfsense that created the cert.. Then his browser will be happy, and he can use any fqdn he want does not have to be public domain, and can use rfc1918 in his san on his cert as well.. And can set the cert to be good for 10 years..

His browser will be very happy then ;)
Ok, I agree, you win  :)

I have to add that a domaine name is needed, well spotted. The "acme solution" is like using a missile from a nuclear sub-marine to wipe out an ant.
But it works sooooo good.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15153
  • Karma: +1413/-206
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: webConfigurator default certificate expired yesterday
« Reply #5 on: January 06, 2018, 11:07:46 am »
Not sure I would call it that drastic of a solution ;)  And for many it is a very valid solution..  But I don't use public domains locally.. I use local.lan for my local domain.  So that rules out acme, and I also like to be able to access devices via their rfc1918 address and still get happy green icon for the cert.. So again rules out acme..

This also allows you to easy create certs for other sort of device that uses https to access.. my unifi controller for example, or the web gui on my switches, etc. Just trust the CA and now you can use those certs you create pretty much anything you have locally that has a webgui and allows you to install certs.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline kejianshi

  • Hero Member
  • *****
  • Posts: 4995
  • Karma: +199/-43
  • Debugging...
    • View Profile
Re: webConfigurator default certificate expired yesterday
« Reply #6 on: January 06, 2018, 11:09:11 am »
I'd use that for a public website, but thats about it.  Those silly warnings on my browser are no annoyance after the first time I use it on pfsense.

Offline ipfftw

  • Jr. Member
  • **
  • Posts: 70
  • Karma: +2/-5
    • View Profile
Re: webConfigurator default certificate expired yesterday
« Reply #7 on: January 07, 2018, 02:09:56 am »
an expired certificate in firefox seems to re-present the untrusted website alert. I had obviously whitelisted the self signed cert in the browser years ago. It just expired, thus creating another warning evidently.

Quote
Or, even better : update - don't stay on old versions.

There is no upgrade path for i386 smarty pants, so i have to create a brand new x64 install and then hope the config imports (read as takes time to do, time i dont have right now) (aint broke = dont fix, other fires burning IRL, a million better things to do, etc..). The new pfsense version was just released 2 months ago!, and it already has a few point releases so i know its not super duper stable for *everyone* yet. Who knows, some developer might have assumed that everyone unnecessarily turns off their serial ports... or like that time upgrading from 1.2.3 to 2.x required me to purchase all new hardware (fun times!).

So theres a boatload of not upgrading right now reasons, take your pick.

Offline Grimson

  • Sr. Member
  • ****
  • Posts: 305
  • Karma: +46/-3
    • View Profile
Re: webConfigurator default certificate expired yesterday
« Reply #8 on: January 07, 2018, 05:14:15 am »
There is no upgrade path for i386 smarty pants, so i have to create a brand new x64 install and then hope the config imports (read as takes time to do, time i dont have right now) (aint broke = dont fix, other fires burning IRL, a million better things to do, etc..).

Installing 2.4.2 with a config recovery takes less than 10 minutes, and even if you don't want to go to 2.4 the 2.3 branch is at 2.3.5p1 now so your 2.3.4p1 is outdated on all fronts.

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15153
  • Karma: +1413/-206
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: webConfigurator default certificate expired yesterday
« Reply #9 on: January 07, 2018, 05:34:39 am »
"aint broke = dont fix"

Keeping your firewall/security device current doesn't fall to that sort of thinking...

Big difference in hey the TV still gets a picture sort of no reason to upgrade it mentality... And hey my firewall is running old code..

I can understand dealing with change control - or yeah other things going on where you push it off..  But that old adage does not apply when it comes to keeping software updated and current.. Look at all the companies that got bit by wannacry because ah will get to that patch in a few months, next year - why fix what not broke ;)
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline kejianshi

  • Hero Member
  • *****
  • Posts: 4995
  • Karma: +199/-43
  • Debugging...
    • View Profile
Re: webConfigurator default certificate expired yesterday
« Reply #10 on: January 07, 2018, 10:09:36 am »
I'd also update the TV (-:

I'd religiously update anything with a web connection. 

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15153
  • Karma: +1413/-206
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: webConfigurator default certificate expired yesterday
« Reply #11 on: January 07, 2018, 10:57:29 am »
hehehe - TV doesn't have smart apps, no network connection... should of been more clear in my example ;)

Like when you were a kid and you had to use pair of pliers to change the channel on the old knob tv... Dad would say not broken, why fix it - yes we have a remote.. He would just tell you to change the channel so why get a new fancy tv ;) hehehe

I completely agree.. Anything that talks on the network should be patched..  There is something said about jumping the guy and rolling out a patch to 1,000 computers without any testing 1 hour after code is released... Then there is still running windows 7 non sp1 on your network and complaining that you got hit with wannacry ;)  2.3.5 came out over 2 months ago...   If your stuck on 32bit code..
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9803
  • Karma: +1107/-311
    • View Profile
Re: webConfigurator default certificate expired yesterday
« Reply #12 on: January 07, 2018, 12:27:18 pm »
The new pfsense version was just released 2 months ago!, and it already has a few point releases so i know its not super duper stable for *everyone* yet.

That logic fails since everything that went into 2.3.5 and 2.3.5_1 was to correct defects in 2.3.4_1.

The easiest way to refresh the webgui certificate is to go to the menu, open option 12, then type playback generateguicert then type exit. That will generate the webgui certificate using current pest practices.


Enter an option: 12

Starting the pfSense developer shell....

Welcome to the pfSense developer shell

Type "help" to show common usage scenarios.

Available playback commands:
     changepassword disablecarp disablecarpmaint disabledhcpd disablereferercheck enableallowallwan enablecarp enablecarpmaint enablesshd externalconfiglocator gatewaystatus generateguicert gitsync installpkg listpkg pfanchordrill pftabledrill removepkgconfig removeshaper resetwebgui restartdhcpd restartipsec svc uninstallpkg

pfSense shell: playback generateguicert

Playback of file generateguicert started.

Generating a new self-signed SSL certificate for the GUI...Done.
Restarting webConfigurator...Done.
pfSense shell:
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline kejianshi

  • Hero Member
  • *****
  • Posts: 4995
  • Karma: +199/-43
  • Debugging...
    • View Profile
Re: webConfigurator default certificate expired yesterday
« Reply #13 on: January 07, 2018, 12:29:26 pm »
My 32 bit D2700 is immune to spectre by the way...  Funny.  So is my old AMD x2.

Saved by old junk!