Bug #7496


Chrome 58 added cert requirements which make it fail to accept the default self-signed certificates

Added by Ivor Kreso over 4 years ago. Updated over 4 years ago.


Actions #1

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Jim Pingle over 4 years ago

This fix will be in 2.4 and 2.3.4 snapshots shortly. To apply the fix early, or to apply the fix to existing 2.3.3-p1 systems, follow these steps:

  • Install the System Patches package
  • Add a new patch under System > Patches
  • Give it a Description such as "certsanfix"
  • Enter the appropriate URL/Commit ID for the firewall version:
    • 2.4 snapshots: a636256cf9a7e27cf5d26c7677d0b7961e0fb143
    • 2.3.4 snapshots: cad0d5bc8da8034c4fa7f41e5476a80b0c38b04f
    • 2.3.3-RELEASE-p1: c1a42e25a35b16821eaf88418c449741d1638c00
  • Set Path Strip Count to 2 (this should be set automatically on save, but do it anyhow just in case)
  • Click Save
  • Click Fetch on the patch entry in the list
  • Click Apply on the patch entry in the list
  • Open a console or shell prompt, enter option 8 for the shell
  • Run the following command:
    pfSsh.php playback generateguicert

The firewall will generate and activate a fresh GUI certificate.

Connect to the GUI with a browser to test.

Actions #3

Updated by Kill Bill over 4 years ago

It would probably be good to show the SANs in the Cert. Manager (in place of/in addition to CN) -- somehow that doesn't seem to be the case (at least looking at the certs produced by the ACME package).

Likely better handled with a separate ticket though.

Actions #4

Updated by Jim Pingle over 4 years ago

That's on my to-do list as well. I was thinking a "view certificate" icon/operation may be more useful, to print all of the properties in the certificate.

Actions #5

Updated by Konstantin K over 4 years ago

Certificates work fine for Chrome 58 if you add CN also in 'Alternative Names' -> 'FQDN or Hostname'.
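
The condition described in the comment above (the CN must also be listed under Alternative Names) can be checked from a shell with OpenSSL. This is an added example, not part of the original ticket or of pfSense; the function names and the hostname fw.example.test are made up for illustration, and the demo assumes OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example: check that a certificate's CN also appears in subjectAltName.
# Function names and the hostname fw.example.test are constructed for this demo.

# Print the subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Print SAN entries one per line (e.g. "DNS:fw.example.test"); empty if no SAN.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *$//'
}

# Return 0 if the CN is present as a DNS or IP SAN entry, 1 otherwise.
san_covers_cn() {
    cn=$(cert_cn "$1")
    [ -n "$cn" ] || return 1
    cert_sans "$1" | grep -qixF -e "DNS:$cn" -e "IP Address:$cn"
}

# Build a throwaway self-signed cert; extra "openssl req" args follow the path.
make_demo_cert() {
    out=$1; shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=fw.example.test" \
        -keyout "$out.key" -out "$out" "$@" 2>/dev/null
}

# Demo: a CN-only cert (what Chrome 58 rejects) next to one with a matching SAN.
tmp=$(mktemp -d)
make_demo_cert "$tmp/cn-only.pem"
make_demo_cert "$tmp/with-san.pem" -addext "subjectAltName=DNS:fw.example.test"
for c in "$tmp/cn-only.pem" "$tmp/with-san.pem"; do
    if san_covers_cn "$c"; then
        echo "OK    $(basename "$c"): CN is listed in SAN"
    else
        echo "FAIL  $(basename "$c"): CN missing from SAN"
    fi
done
rm -rf "$tmp"
```

To check a real certificate, save it as a PEM file and pass its path to `san_covers_cn`.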

Actions #6

Updated by Jim Pingle over 4 years ago

  • Status changed from Feedback to Resolved

Works OK in snapshots, reports of others showing it works as well. Seems to be solid. Closing.

