Regression #16688 (open): Creating a CA certificate with Trust Store checked is not trusted

Added by Manuel Carrera 2 days ago. Updated 1 day ago.

Status: Feedback
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 26.03
Release Notes: Default
Affected Version:
Affected Architecture:

Description

Hello,

I have created a CA certificate in pfSense with "Trust Store" checked, and used it to create a server certificate. Then I installed the CA certificate on some clients (an Android phone and a Windows PC), and installed the server certificate on a web server running a REST API. The clients can connect without problem over HTTPS, so to me the certificates work and the server is correctly configured. However, the Dynamic DNS service of pfSense fails to connect to the server over HTTPS; it can only connect over HTTP. The hardware affected is a Netgate 8200 running pfSense Plus 25.11.1.

I used the command "curl -v" on pfSense to check how the router connects to the server and got:
*   Trying 10.0.2.4:8081...
* ALPN: curl offers h2,http/1.1
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [1570 bytes data]
*  CAfile: none
*  CApath: /etc/ssl/certs
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [94 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1235 bytes data]
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* closing connection #0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the webpage mentioned above.

After that I did the following test:
  • Execute the command "ls /etc/ssl/certs" (which seems to be where CA certs are supposed to be stored, at least for "curl")
  • Create a second CA certificate with "Trust Store" checked
  • Execute the command "ls /etc/ssl/certs" again to compare what changed

But no file was added, even after a reboot. However, if I use "ls -l", I can see that the date on all files does change every time I change the configuration of pfSense, so at least my changes seem to be processed.

I don't know the details of how pfSense is supposed to manage its CA certificates, but to me it seems either the "Trust Store" checkbox is broken, or its implementation doesn't do anything useful. What do you think? Did I misunderstand something?
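The curl trace above says "CAfile: none, CApath: /etc/ssl/certs", which means OpenSSL looked the issuer up in a hashed directory. Such a lookup does not scan every file in the directory: it opens only a file named after the issuer's subject hash (as printed by `openssl x509 -subject_hash`), with a numeric suffix, so a CA PEM file that exists in the directory under any other name is invisible to it. The script below is an added example, not code from this bug report or from pfSense: it builds a throwaway CA and server certificate (the names "Example Test CA" and "api.example.test" are made up), reproduces the "unable to get local issuer certificate" failure against an empty stand-in for /etc/ssl/certs, then adds the hash-named entry and shows the chain verify. It assumes an OpenSSL command line of 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the pfSense project or the bug report.
# Reproduces curl's "unable to get local issuer certificate" with a
# throwaway CA and shows what an OpenSSL CApath directory (such as the
# /etc/ssl/certs in the curl trace) needs before that CA is trusted:
# an entry named <subject_hash>.<n>, not merely a PEM file dropped there.
# All names (Example Test CA, api.example.test) are made up.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CAPATH="$WORK/capath"   # stand-in for the real CApath, e.g. /etc/ssl/certs

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Create a throwaway CA and a server certificate signed by it.
make_test_pki() {
    openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -days 1 -subj "/CN=Example Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=api.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/srv.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/srv.crt" 2>/dev/null
}

# The file name OpenSSL's hash-directory lookup searches for: <subject_hash>.0
capath_entry_name() {
    echo "$(openssl x509 -in "$1" -noout -subject_hash).0"
}

# Verify the server cert against CAPATH alone (default CA file and directory
# disabled), the same lookup curl did with "CAfile: none, CApath: /etc/ssl/certs".
verify_against_capath() {
    openssl verify -no-CAfile -no-CApath -CApath "$CAPATH" "$WORK/srv.crt" >/dev/null 2>&1
}

# Returns 0 only if the CA is untrusted before the hashed entry exists and
# trusted afterwards, i.e. the directory lookup behaves as described.
demo_capath_trust() {
    rm -rf "$CAPATH" && mkdir -p "$CAPATH"
    make_test_pki
    # Dropping the PEM file under an arbitrary name is not enough ...
    cp "$WORK/ca.crt" "$CAPATH/example-test-ca.pem"
    if verify_against_capath; then
        echo "unexpected: verified with no hashed entry" >&2; return 1
    fi
    echo "without hashed entry: unable to get local issuer certificate (as expected)"
    # ... the lookup needs <subject_hash>.0, which is what c_rehash / certctl rehash create.
    cp "$WORK/ca.crt" "$CAPATH/$(capath_entry_name "$WORK/ca.crt")"
    if ! verify_against_capath; then
        echo "unexpected: still untrusted after hashed entry" >&2; return 1
    fi
    echo "with $(capath_entry_name "$WORK/ca.crt") present: chain verifies"
}

demo_capath_trust
```

To apply the same check on the firewall itself, export the CA from the pfSense GUI, run `openssl x509 -in <ca.pem> -noout -subject_hash`, and look for `/etc/ssl/certs/<hash>.0` (or a higher suffix); that file or symlink is what curl's CApath lookup needs, so "ls /etc/ssl/certs" showing no new entry after enabling "Trust Store" is the right thing to compare. On FreeBSD-based systems such as pfSense the hashed directory is maintained by certctl(8), so `certctl list` is a second place to check whether the CA was picked up. As a control, `curl -v --cacert <ca.pem> https://...` bypasses the directory entirely and confirms that the CA and server certificate themselves are fine.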


Related issues

Related to Bug #16673: LDAPS TLS connections intermittently failing with 'Unknown CA (48)' error (Closed)
