
Author Topic: Pfsense returns to default certificate after reboot.  (Read 103 times)


pubg1
Pfsense returns to default certificate after reboot.
« on: April 10, 2018, 05:23:14 am »
Hi there, My name is Gozzi
Everything is in the title.
My certificate is installed on both pfSense nodes of my cluster. It never happens on the "primary" node, but it randomly happens on the "backup" node.
HTTPS falls back to the default certificate, so because of HSTS I'm no longer able to access it by FQDN; I need to access the webUI by IP address and switch back to my certificate...
...until next time...

Thanks for any help

jimp (Administrator)
Re: Pfsense returns to default certificate after reboot.
« Reply #1 on: April 16, 2018, 12:48:34 pm »
A couple of possibilities here, mostly due to XMLRPC sync.

It sounds to me like you did not import all of the certificates to the primary node. All certificates must be there, so that when you synchronize to the secondary, it also has all certificates. If you only import a cert to the secondary, it will be blown away when the primary synchronizes certificates. So at a minimum, you can solve it by importing the secondary's cert to the primary as well, and then picking it after it synchronizes over.

The easiest thing to do is have your certificate include names for your entire cluster, and use the same certificate on both. I like to have my HA certificates contain:

* A SAN for the primary hostname
* A SAN for the secondary hostname
* A SAN for the CARP VIP hostname(s)

After the primary has performed a configuration sync to the secondary, then go into the secondary's Admin options and pick the correct certificate. Otherwise it may have an incorrect cert reference.
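As an added example (not code from the thread, pfSense, or Netgate), the shell below builds the kind of certificate the reply recommends: one key and CSR whose SANs cover the primary node, the secondary node and the CARP VIP hostname, so the same certificate can be imported on the primary and pushed to the secondary by XMLRPC sync. The hostnames `fw1.example.com`, `fw2.example.com` and `fw.example.com` are assumed, as is port 443 for the webGUI. It also includes two checks a practitioner would want: `cert_covers_hosts` confirms a PEM certificate actually lists every cluster name before you import it, and `served_fingerprint` pulls the SHA-256 fingerprint of whatever certificate a live node is serving, so after a reboot you can compare primary, secondary and VIP and catch the "reverted to default" case before HSTS locks you out of the FQDN.

```shell
#!/bin/sh
# Added example, not from the original post. Hostnames below are assumptions.
PRIMARY_HOST="fw1.example.com"    # assumed primary node name
SECONDARY_HOST="fw2.example.com"  # assumed secondary node name
VIP_HOST="fw.example.com"         # assumed CARP VIP name
WORKDIR="$(mktemp -d)"

# One OpenSSL config: the SAN list names every host the webGUI is reached on,
# so a single certificate is valid on both nodes and on the VIP.
cat > "$WORKDIR/ha.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_ha
x509_extensions = v3_ha
[dn]
CN = $VIP_HOST
[v3_ha]
subjectAltName = DNS:$PRIMARY_HOST,DNS:$SECONDARY_HOST,DNS:$VIP_HOST
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Key + CSR: this is what you would submit to your CA.
openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/ha.cnf" \
  -keyout "$WORKDIR/ha.key" -out "$WORKDIR/ha.csr" 2>/dev/null

# Self-signed cert from the same key and config, only so the check below runs offline.
openssl req -x509 -days 825 -key "$WORKDIR/ha.key" -config "$WORKDIR/ha.cnf" \
  -out "$WORKDIR/ha.crt" 2>/dev/null

# Print the DNS SANs of a PEM certificate, one per line.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tail -n 1 \
    | tr ',' '\n' \
    | sed -n 's/^ *DNS://p'
}

# Usage: cert_covers_hosts cert.pem host1 host2 ...
# Returns 0 only if every given hostname is present as a DNS SAN.
cert_covers_hosts() {
  cert="$1"; shift
  sans="$(cert_dns_sans "$cert")"
  for h in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qx "$h"; then
      echo "missing SAN: $h" >&2
      return 1
    fi
  done
  return 0
}

# Usage: served_fingerprint host [port]
# SHA-256 fingerprint of the certificate a live host serves (needs network; not run here).
# After a reboot, run it against PRIMARY_HOST, SECONDARY_HOST and VIP_HOST: if the
# secondary's value differs from the primary's, it has fallen back to another cert.
served_fingerprint() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

if cert_covers_hosts "$WORKDIR/ha.crt" "$PRIMARY_HOST" "$SECONDARY_HOST" "$VIP_HOST"; then
  echo "ok: $WORKDIR/ha.crt covers all cluster names"
fi
```

Import the CA-signed result of `ha.csr` on the primary (System > Cert. Manager), let the configuration sync run, then select that certificate in the secondary's webGUI settings, as the reply describes. The `cert_covers_hosts` check is worth running on the certificate you receive back from the CA too, since some CAs drop or rewrite SANs.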