Project

General

Profile

Actions

Bug #7496

closed

Chrome 58 added cert requirements which make it fail to accept the default self-signed certificates

Added by Ivor Kreso over 7 years ago. Updated over 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Certificates
Target version:
Start date:
04/25/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.3.3_1
Affected Architecture:

Actions #1

Updated by Jim Pingle over 7 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Jim Pingle over 7 years ago

This fix will be in 2.4 and 2.3.4 snapshots shortly. To apply the fix early, or to apply the fix to existing 2.3.3-p1 systems, follow these steps:

  • Install the System Patches package ( https://doc.pfsense.org/index.php/System_Patches )
  • Add a new patch under System > Patches
  • Give it a Description such as "certsanfix"
  • Enter the appropriate URL/Commit ID for the firewall version:
    • 2.4 snapshots: a636256cf9a7e27cf5d26c7677d0b7961e0fb143
    • 2.3.4 snapshots: cad0d5bc8da8034c4fa7f41e5476a80b0c38b04f
    • 2.3.3-RELEASE-p1: c1a42e25a35b16821eaf88418c449741d1638c00
  • Set Path Strip Count to 2 (this should be set automatically on save, but do it anyhow just in case)
  • Click Save
  • Click Fetch on the patch entry in the list
  • Click Apply on the patch entry in the list
  • Open a console or shell prompt, enter option 8 for the shell
  • Run the following command::
    pfSsh.php playback generateguicert

The firewall will generate and activate a fresh GUI certificate.

Connect to the GUI with a browser to test.

Actions #3

Updated by Kill Bill over 7 years ago

Would be probably good to show the SANs in the Cert. Manager (in place/in addition to CN) -- somehow doesn't seem to be the case (at least looking at the certs produced by ACME package.)

Likely better handled with a separate ticket though.

Actions #4

Updated by Jim Pingle over 7 years ago

That's on my to-do list as well, I was thinking a "view certificate" icon/operation may be more useful, to print all of the properties in the certificate.

Actions #5

Updated by Konstantin K over 7 years ago

Hello!
Certificates work fine for Chrome 58 if you add CN also in 'Alternative Names' -> 'FQDN or Hostname'.

Actions #6

Updated by Jim Pingle over 7 years ago

  • Status changed from Feedback to Resolved

Works OK in snapshots, reports of others showing it works as well. Seems to be solid. Closing.

Actions

Also available in: Atom PDF