pfSense, certificate hell

So I’m working on my pfSense lab, and due to it being, well, a lab, I have an upstream firewall that requires a root certificate to be installed.

I’m not very versed in FreeBSD when it comes to the underlying systems, so does anyone know how the hell I add a root certificate to FreeBSD?

Wait. The pfSense system in the lab needs the cert, or the upstream firewall?

Is it also a pfSense machine?

The pfSense system in the lab needs the cert. The upstream firewall is a Fortigate. It uses this cert: https://github.com/NHSCS-ORG/Ubuntu-Kickstart/blob/master/Firewall_Certificate.cer

You can do it right inside of pfSense.

System --> Cert Manager

https://doc.pfsense.org/index.php/Certificate_Management

>>> Updating repositories metadata...
Updating pfSense-core repository catalogue...
pkg-static: Repository pfSense-core load error: access repo file(/var/db/pkg/repo-pfSense-core.sqlite) failed: No such file or directory
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/[email protected]
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/[email protected]
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-core/meta.txz: Authentication error
repository pfSense-core has no meta file, using default settings
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/[email protected]
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/[email protected]
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-core/packagesite.txz: Authentication error
Unable to update repository pfSense-core
Updating pfSense repository catalogue...
pkg-static: Repository pfSense load error: access repo file(/var/db/pkg/repo-pfSense.sqlite) failed: No such file or directory
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/[email protected]
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/[email protected]
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-pfSense_v2_4_2/meta.txz: Authentication error
repository pfSense has no meta file, using default settings
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/[email protected]
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
Certificate verification failed for /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=FGT37D4614800867/[email protected]
12462424:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/local/poudriere/jails/pfSense_v2_4_1_amd64/usr/src/crypto/openssl/ssl/s3_clnt.c:1264:
pkg-static: https://pkg.pfsense.org/pfSense_v2_4_2_amd64-pfSense_v2_4_2/packagesite.txz: Authentication error
Unable to update repository pfSense

Is this for a proxy or something?

MITM for https. Upstream firewall is provided by my school.

You could try adding it to /usr/local/share/certs. You can do it from the GUI by going to Diagnostics > Edit File and creating a new cert file in that directory and pasting the cert in. Or you can do it in the shell, but it’s usually recommended to do it from the web UI.

So, I can see how I would do that, but I don’t have all of this information:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            50:94:6c:ec:18:ea:d5:9c:4d:d5:97:ef:75:8f:a0:ad
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
        Validity
            Not Before: Nov  1 17:14:04 2004 GMT
            Not After : Jan  1 05:37:19 2035 GMT
        Subject: C=US, OU=www.xrampsecurity.com, O=XRamp Security Services Inc, CN=XRamp Global Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:98:24:1e:bd:15:b4:ba:df:c7:8c:a5:27:b6:38:
                    0b:69:f3:b6:4e:a8:2c:2e:21:1d:5c:44:df:21:5d:
                    7e:23:74:fe:5e:7e:b4:4a:b7:a6:ad:1f:ae:e0:06:
                    16:e2:9b:5b:d9:67:74:6b:5d:80:8f:29:9d:86:1b:
                    d9:9c:0d:98:6d:76:10:28:58:e4:65:b0:7f:4a:98:
                    79:9f:e0:c3:31:7e:80:2b:b5:8c:c0:40:3b:11:86:
                    d0:cb:a2:86:36:60:a4:d5:30:82:6d:d9:6e:d0:0f:
                    12:04:33:97:5f:4f:61:5a:f0:e4:f9:91:ab:e7:1d:
                    3b:bc:e8:cf:f4:6b:2d:34:7c:e2:48:61:1c:8e:f3:
                    61:44:cc:6f:a0:4a:a9:94:b0:4d:da:e7:a9:34:7a:
                    72:38:a8:41:cc:3c:94:11:7d:eb:c8:a6:8c:b7:86:
                    cb:ca:33:3b:d9:3d:37:8b:fb:7a:3e:86:2c:e7:73:
                    d7:0a:57:ac:64:9b:19:eb:f4:0f:04:08:8a:ac:03:
                    17:19:64:f4:5a:25:22:8d:34:2c:b2:f6:68:1d:12:
                    6d:d3:8a:1e:14:da:c4:8f:a6:e2:23:85:d5:7a:0d:
                    bd:6a:e0:e9:ec:ec:17:bb:42:1b:67:aa:25:ed:45:
                    83:21:fc:c1:c9:7c:d5:62:3e:fa:f2:c5:2d:d3:fd:
                    d4:65
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2: 
                ...C.A
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                C6:4F:A2:3D:06:63:84:09:9C:CE:62:E4:04:AC:8D:5C:B5:E9:B6:1B
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.xrampsecurity.com/XGCA.crl

            1.3.6.1.4.1.311.21.1: 
                ...
    Signature Algorithm: sha1WithRSAEncryption
         91:15:39:03:01:1b:67:fb:4a:1c:f9:0a:60:5b:a1:da:4d:97:
         62:f9:24:53:27:d7:82:64:4e:90:2e:c3:49:1b:2b:9a:dc:fc:
         a8:78:67:35:f1:1d:f0:11:bd:b7:48:e3:10:f6:0d:df:3f:d2:
         c9:b6:aa:55:a4:48:ba:02:db:de:59:2e:15:5b:3b:9d:16:7d:
         47:d7:37:ea:5f:4d:76:12:36:bb:1f:d7:a1:81:04:46:20:a3:
         2c:6d:a9:9e:01:7e:3f:29:ce:00:93:df:fd:c9:92:73:89:89:
         64:9e:e7:2b:e4:1c:91:2c:d2:b9:ce:7d:ce:6f:31:99:d3:e6:
         be:d2:1e:90:f0:09:14:79:5c:23:ab:4d:d2:da:21:1f:4d:99:
         79:9d:e1:cf:27:9f:10:9b:1c:88:0d:b0:8a:64:41:31:b8:0e:
         6c:90:24:a4:9b:5c:71:8f:ba:bb:7e:1c:1b:db:6a:80:0f:21:
         bc:e9:db:a6:b7:40:f4:b2:8b:a9:b1:e4:ef:9a:1a:d0:3d:69:
         99:ee:a8:28:a3:e1:3c:b3:f0:b2:11:9c:cf:7c:40:e6:dd:e7:
         43:7d:a2:d8:3a:b5:a9:8d:f2:34:99:c4:d4:10:e1:06:fd:09:
         84:10:3b:ee:c4:4c:f4:ec:27:7c:42:c2:74:7c:82:8a:09:c9:
         b4:03:25:bc
SHA1 Fingerprint=B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6

I only have this (or my equivalent of it):

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

That’s all you need; the rest of the info is encoded in there.

Right, so I added the info to the /usr/local/share/certs/ca-root-nss.crt, and it didn’t seem to help. Any ideas on that?

I meant to add it as a new file, not sure if it makes a difference though. If that doesn’t work I don’t know what else to try. I’ve had trouble before with packages ignoring the system root CAs in favour of their own (outdated) versions. So who knows how or if you can add your own CA to it.

https://forum.pfsense.org/index.php?topic=142557.msg777156#msg777156

So turns out there are two files, as well as the webconfigurator being dumb.

One thing to watch out for is that those files will likely be overwritten when they’re updated. But I doubt that happens very frequently.

I actually copied them to .bak files and set them to be backed up, that way in the event of an upgrade I can just restore them quickly. I may just add the restore to a boot script TBH.

JFYI - You can decode and display a “PEM format” certificate as text like this:

openssl x509 -in <cert_file> -text -noout
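The thread shows two things a practitioner wants to check after pasting a CA into a bundle such as /usr/local/share/certs/ca-root-nss.crt: that the block actually decodes, and that the certificate now really is in the bundle (and is not duplicated on a second paste). The script below is an added example, not code from any poster, from pfSense or from FreeBSD. It identifies a certificate by the SHA-1 fingerprint of its DER body, the same value the `openssl x509 -noout -fingerprint -sha1` command prints (compare the `SHA1 Fingerprint=` line in the dump above), and appends the CA only if that fingerprint is absent. The bundle path is a scratch copy in a temporary directory and the certificate bytes are constructed stand-ins, not a real X.509 structure; parsing the certificate itself is left to the `openssl x509 -text` command shown in the thread. Keep in mind the point made earlier in the thread: an upgrade can overwrite the bundle, so this check is worth rerunning afterwards.

```python
# Added example for this thread (not code from any poster, pfSense or FreeBSD):
# idempotently add a PEM CA certificate to a PEM bundle and report its SHA-1
# fingerprint. Standard library only, so it runs anywhere Python does.
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_blocks(text):
    """Return [(pem_text, der_bytes), ...] for every certificate in text.

    Anything between blocks (comment lines, openssl -text dumps) is ignored,
    which matches how a bundle file like ca-root-nss.crt is laid out.
    """
    blocks = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
        blocks.append((m.group(0), der))
    return blocks


def sha1_fingerprint(der):
    """Colon-separated uppercase SHA-1 of the DER bytes, openssl's format."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def bundle_fingerprints(bundle_text):
    """Set of fingerprints of every certificate already in the bundle."""
    return {sha1_fingerprint(der) for _, der in pem_blocks(bundle_text)}


def add_ca_to_bundle(bundle_path, ca_pem_text):
    """Append the single CA in ca_pem_text unless its fingerprint is present.

    Returns (added, fingerprint). Raises before touching the file if the
    pasted text holds anything other than exactly one certificate block.
    """
    blocks = pem_blocks(ca_pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate, found {len(blocks)}")
    pem, der = blocks[0]
    fp = sha1_fingerprint(der)
    path = Path(bundle_path)
    existing = path.read_text() if path.exists() else ""
    if fp in bundle_fingerprints(existing):
        return False, fp
    sep = "" if (existing == "" or existing.endswith("\n")) else "\n"
    path.write_text(existing + sep + pem.strip() + "\n")
    return True, fp


# Constructed stand-in for a CA: arbitrary bytes, NOT a real DER certificate.
# Only the fingerprinting and bundle bookkeeping are exercised here.
CONSTRUCTED_DER = b"constructed-example-ca-not-a-real-certificate-" + bytes(range(64))


def pem_wrap(der):
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def demo():
    """Add the constructed CA twice to a scratch bundle; the second add is a no-op."""
    with tempfile.TemporaryDirectory() as d:
        # Hypothetical scratch copy; on pfSense the real file would be the bundle
        # under /usr/local/share/certs named in the thread.
        bundle = Path(d) / "ca-root-nss.crt"
        bundle.write_text("# constructed bundle with one pre-existing entry\n"
                          + pem_wrap(b"some-other-constructed-ca"))
        first = add_ca_to_bundle(bundle, pem_wrap(CONSTRUCTED_DER))
        second = add_ca_to_bundle(bundle, pem_wrap(CONSTRUCTED_DER))
        return {
            "first_added": first[0],
            "second_added": second[0],
            "fingerprint": first[1],
            "count": len(pem_blocks(bundle.read_text())),
        }


if __name__ == "__main__":
    print(demo())
```

For a real certificate, run `openssl x509 -in <cert_file> -noout -fingerprint -sha1` on the file you were given and compare it with the fingerprint this script reports for the bundle entry; a mismatch means the pasted block was altered (wrapped, truncated or mixed with another block) on the way in.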
