<p><strong>pfSense bugtracker</strong></p>
<p><strong>pfSense - Feature #8641: Need way to disable HSTS and/or replace webConfigurator certificate from CLI</strong></p>
<p>Adam Thompson (athompso@athompso.net), 2018-07-12T17:23:50Z, <a href="https://redmine.pfsense.org/issues/8641?journal_id=36990">journal 36990</a></p>
<p>Yes, I'm aware of both <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: Option needed to disable HSTS (Resolved)" href="https://redmine.pfsense.org/issues/6650">#6650</a> and <a class="external" href="https://github.com/pfsense/pfsense/pull/3856">https://github.com/pfsense/pfsense/pull/3856</a>, and I was able to find the Disable HSTS setting... once I was able to log back in! It's unfortunate, in many cases, although understandable, that HSTS is on by default.</p>
<p>Neither of those helps an admin who just made a mistake.</p>
<p>Adam Thompson (athompso@athompso.net), 2018-07-12T17:25:35Z, <a href="https://redmine.pfsense.org/issues/8641?journal_id=36991">journal 36991</a></p>
<p>And yes, I'd be happy to <em>also</em> write up a KB-style or doc-style page showing admins how to un-f*** themselves in this scenario, if you want.</p>
<p>Jim Pingle, 2018-07-12T17:42:02Z, <a href="https://redmine.pfsense.org/issues/8641?journal_id=36992">journal 36992</a></p>
<pre>
pfSsh.php playback generateguicert
</pre>
<p>Adam Thompson (athompso@athompso.net), 2018-07-13T07:32:56Z, <a href="https://redmine.pfsense.org/issues/8641?journal_id=36999">journal 36999</a></p>
<p>Thanks, Jim - that is <ins>much</ins> easier to type through a bad console connection! (Particularly since I just realized I've got several more systems in exactly the same situation. Oops.)</p>
<p>I'm still concerned that firewall administrators are likely to run into this problem at a time when they can't access documentation - specifically, the gateway device that has "just worked" for &gt;1yr and suddenly needs attention because the connectivity is down... which means a limited ability to discover any way of fixing it that isn't baked into what many might think of as the "emergency maintenance console".</p>
<p>The FR is to elevate one of these techniques to a discoverable menu item at the console (i.e. at 3am in the datacenter where you can't get a cell signal).</p>
<p>For the record, I'm very glad there exists <em><strong>a</strong></em> way to get oneself out of this corner with pfSense (unlike some other products).</p>
<p><ins>Note for future readers</ins> (including myself 366 days from now):<br />Neither technique fully solves the problem by itself - Firefox, at least, refuses to switch from a "real" cert to a self-signed cert on a site with memorized HSTS setting. You still have to clear FF's HSTS after regenerating the self-signed cert before it'll let you in. Make sure you know the password before telling FF to "Forget this site" or you'll create an entirely different problem.</p>
<p>Jim Pingle, 2018-07-16T08:38:29Z, <a href="https://redmine.pfsense.org/issues/8641?journal_id=37035">journal 37035</a></p>
<p>If you access the firewall by IP address instead of hostname, it should allow you to connect even with a bad cert IIRC. I don't have any that I can reproduce the issue against right now, but last time that happened accessing by name, accessing by IP address worked for me.</p>
<p>Adam Thompson (athompso@athompso.net), 2018-07-16T10:06:18Z, <a href="https://redmine.pfsense.org/issues/8641?journal_id=37042">journal 37042</a></p>
<p>While I now feel like a complete idiot, thank you for reminding me of the same advice I give to my own developers. Somehow troubleshooting certificates sent my brain down a different path where that didn't occur to me.</p>
<p>I've fixed all my affected instances now, so I cannot test either, but I agree - I'm also 99% certain that using IP addresses would have worked.</p>
<p>This FR still isn't entirely stupid, but I agree that using IP addresses is an entirely acceptable alternative, in the absence of a (discoverable) way to manage this from the console.</p>
<p>Sorry for the noise :-(</p>
<p>Jim Pingle, 2018-07-16T10:21:00Z, <a href="https://redmine.pfsense.org/issues/8641?journal_id=37043">journal 37043</a></p>
<p>It's definitely a legitimate feature request. It makes sense to have a console menu entry that takes the GUI reset code from the "Set interface(s) IP address" code path and enhances it a bit. Right now it's buried and doesn't let you reset everything.</p>
<p>It could, for example, offer to:</p>
<ul>
<li>Regenerate a new self-signed GUI certificate</li>
<li>Toggle HTTPS/HTTP</li>
<li>Toggle HSTS</li>
<li>Toggle OCSP Must Staple</li>
<li>Toggle HTTP_REFERER Check</li>
<li>Toggle DNS Rebinding Check</li>
<li>Toggle GUI Redirect (80->current port)</li>
<li>Toggle Anti-Lockout Rule</li>
</ul>
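<p>The lockout mechanics discussed above (a remembered HSTS policy making a certificate error non-overridable by hostname, Firefox's "Forget this site" clearing it, and access by IP address still working) follow from how browsers apply RFC 6797. The following is an added illustration written for this page, not pfSense code or code from the thread; it models a browser's HSTS cache with a constructed hostname, max-age and clock.</p>

```python
# Added illustration, not pfSense or thread code: a small model of browser HSTS
# behaviour (RFC 6797) showing why a changed webConfigurator certificate locks
# an admin out by hostname but not by IP address. Hosts, ages, clock: constructed.
import ipaddress
import time

def is_ip_literal(host: str) -> bool:
    """HSTS hosts are domain names only; RFC 6797 excludes IP-address hosts."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

class HstsCache:
    """What a browser remembers after a valid Strict-Transport-Security header."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.entries = {}  # host -> (expiry, include_subdomains)

    def remember(self, host, max_age, include_subdomains=False):
        # Recorded only from a TLS connection whose certificate validated.
        self.entries[host.lower().rstrip(".")] = (self.clock() + max_age, include_subdomains)

    def forget(self, host):
        # Roughly what Firefox's "Forget this site" (see the thread) does to the stored policy.
        self.entries.pop(host.lower().rstrip("."), None)

    def applies_to(self, host) -> bool:
        if is_ip_literal(host):
            return False
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            # Unexpired exact match, or a superdomain that set includeSubDomains.
            if entry and entry[0] > self.clock() and (i == 0 or entry[1]):
                return True
        return False

def connect(cache: HstsCache, host: str, scheme: str, cert_valid: bool) -> str:
    """Outcome of a navigation: 'ok', 'hard-fail' (no click-through) or 'overridable'."""
    if cache.applies_to(host):
        # Known HSTS host: an http:// URL is upgraded before any request is sent,
        # and a certificate error terminates the connection with no user recourse.
        return "ok" if cert_valid else "hard-fail"
    if scheme == "https" and not cert_valid:
        return "overridable"  # ordinary certificate warning; the admin can still proceed
    return "ok"
```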