Questions about internal servers and Pfsense firewall - probably pretty basic as I am learning

My domain is: jmftek.com

I ran this command: installed cert-bot on Ubuntu 18.04.3 LTS internal server

It produced this output: when accessing from the LAN or the Internet it loads a “Your connection is not private” warning

My web server is (include version): Apache/2 - 2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04.3 LTS

My hosting provider, if applicable, is: My home Linux PC

I can login to a root shell on my machine (yes or no, or I don’t know):

I used RDC but sure, I have root/sudo access directly from the terminal

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I am using my own server. Running linux/apache/php/mysql

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot-version certbot 0.31.0

As from the above, I installed the necessities for WordPress, then WordPress. Created a simple website. All works well over http - internal and external

Then I installed certbot and ran it on my domain and sub-domains (ftp/www/email), and whenever I load the page now I get the “Your connection is not private” message.

I would like to be able to revoke the certificate, remove it from the web server and then run acme plugin from Pfsense and re-register the cert. I do of course have a couple of questions because I am once again learning as I go.

Firstly, any links to posts and/or websites that deal with this and have good information would be appreciated.

Questions

1 - do I even need to revoke the cert from the web server? <– this would be ideal

2 - could I just run the acme plugin on pfSense and have each one SSL secured? Internal/external, albeit with different certs.

3 - Would the above get rid of the “Your connection is not private” warning message?

4 - How do I get rid of the above warning message?

Thank you everyone for your time.

Hi @jontek

It's impossible to test your domain, because there is a wrong redirect to a private IP address ( https://check-your-website.server-daten.de/?q=jmftek.com ):

| Domainname | IP | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|---|
| http://jmftek.com/ | 24.52.225.245 | 301 | https://jmftek.com/ (Html is minified: 100,00 %) | 0.270 | A |
| http://www.jmftek.com/ | 24.52.225.245 | 301 | https://www.jmftek.com/ (Html is minified: 100,00 %) | 0.270 | A |
| https://jmftek.com/ | 24.52.225.245 | 301 | https://192.168.175.223/ | 4.237 | B |
| https://www.jmftek.com/ | 24.52.225.245 | 301 | https://192.168.175.223/ | 3.986 | B |
| https://192.168.175.223/ | | -14 | | 10.030 | T |

But your certificate is valid:

```text
CN=jmftek.com
    09.09.2019    08.12.2019    expires in 90 days
    492546    email.jmftek.com, ftp.jmftek.com, jmftek.com, www.jmftek.com - 4 entries
```

Both connections are secure.

If you use such a redirect, your certificate is always wrong.

So remove that redirect, then recheck your domain, there is a mixed content check.

Wow that was fast. I wasn’t planning on looking until tomorrow but here we are:-)

If that is all it is, how do I move the redirect? I am not sure if I do that through my firewall, my domain name provider (NameCheap) or within linux/apache?

Further info would be appreciated.

Thanks

I think I fixed it (by mistake) when I changed the web-page URL inside WordPress from the internal IP to the jmftek.com URL. Is this what you meant by a redirect? Reached the page via URL but redirected to the internal LAN via the internal LAN IP?

I was wrong; rebooting the server and clearing my browser cache, then rebooting my desktop, brought the “Your connection is not private” message back.

Thanks,

J

Hmmm - not sure what's going on - I DID get the “connection is not private” message once more, but I closed the browser, reopened and did not get it. So, I used my phone to load the website (on my provider, not my LAN wifi) and it loaded fine - connection lock green, everything says OK. So, I assume this is resolved. I used your link to check my domain name once more and all green, even though one of the entries is my internal LAN IP. Is there a way to mask the internal LAN IP from tools such as these, or is it a necessary evil?

I.e. - this still shows up under the Details section href/src/content column: http://192.168.175.223

Thank You

Your last check is ~~ good - created 10.09.2019 02:03:46 - https://check-your-website.server-daten.de/?q=jmftek.com

You have removed the wrong ip based redirects, you have a Grade B, that's good.

So your certificate works with your domain name. Letsencrypt certificates can't have ip addresses as domain names, so a Letsencrypt certificate can't work with an ip address -> that error is fixed. :+1:

One small error, that isn't shown as error. Your first link:

http://192.168.175.223

Change that link to your domain name. That's not marked as an error because it's a link, not an included resource.

It's an error of your site if such a public online tool sees an internal (192.168.*.*) IP address. The only place with IP addresses should be the DNS part #ip-addresses with A- and AAAA-records.

Using a private IP address in your public page code is always wrong; only you can use that information correctly.

Hey Jeurgen

I'm not sure where to even look for that link. I checked WordPress and all my links show https://jmftek.com within WordPress.

I ran certbot from the web server, which has internal IP 192.168.175.223. Do I need to revoke that cert and run it again from the firewall (pfSense - I could install the acme plugin to do this from what I’ve read), but am not sure if this is even the problem?

Any hints, or is this one up to me to research?

J

You never need to revoke a certificate that's still accurate and whose private key hasn't been compromised. Valid certificates don't contradict or invalidate one another, and revocation doesn't affect Let's Encrypt rate limits.


Thank You Seth. I won’t do that then.

Open your site. Search 192.168

```html
<div class="menu-mainmenu-container"><ul id="menu-mainmenu" class="main-menu"><li id="menu-item-21" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-21">
<a href="http://192.168.175.223">Home</a></li>
```

and a second place.

And as @schoen wrote: Never revoke a certificate if the private key is safe. Your certificate works; it's a problem of your html code.
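A way to automate the search Juergen describes (and the redirect check from the tool output earlier in the thread), as an added example that is neither from the thread nor from the check-your-website tool: it parses HTML and a recorded redirect chain and reports every URL whose host is a private, loopback or link-local address. The HTML and redirect hops below are constructed to mirror the symptom in the thread, not fetched from the real site.

```python
"""Find private-network addresses leaking into a public site.

Added example, not from the thread or from the check-your-website tool.
It scans redirect targets and HTML href/src/content/action attributes
for RFC 1918, loopback and link-local addresses, which every visitor
and every public checker can see, even though they cannot reach them.
"""
import ipaddress
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Attributes that may carry a URL; 'content' covers <meta http-equiv="refresh">.
URL_ATTRS = {"href", "src", "content", "action"}

REDIRECT_CODES = {301, 302, 303, 307, 308}


def is_private_host(host: str) -> bool:
    """True if host is an IP literal (or localhost) that belongs to an internal network."""
    if host.lower() == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an IP literal
    return addr.is_private or addr.is_loopback or addr.is_link_local


def private_host_in_url(url: str) -> Optional[str]:
    """Return the internal host named in url, or None if the URL is public."""
    host = urlsplit(url.strip()).hostname  # brackets around IPv6 literals are removed
    if host and is_private_host(host):
        return host
    return None


class LeakFinder(HTMLParser):
    """Collects (tag, attribute, url, host) for every URL attribute pointing inward."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str, str]] = []

    def handle_starttag(self, tag, attrs) -> None:
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            candidate = value
            # <meta http-equiv="refresh" content="0;url=..."> hides the URL behind 'url='
            marker = value.lower().find("url=")
            if name == "content" and marker != -1:
                candidate = value[marker + 4:]
            host = private_host_in_url(candidate)
            if host:
                self.findings.append((tag, name, candidate, host))


def scan_html(html: str) -> List[Tuple[str, str, str, str]]:
    finder = LeakFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def audit_redirects(chain) -> List[Tuple[str, int, str, str]]:
    """chain: (url, status, location) hops as a checker records them.
    Returns the hops whose Location header points at an internal address."""
    bad = []
    for url, status, location in chain:
        if status in REDIRECT_CODES and location:
            host = private_host_in_url(location)
            if host:
                bad.append((url, status, location, host))
    return bad


# Constructed sample mirroring the symptom in the thread (not fetched from the real site).
SAMPLE_HTML = """
<div class="menu-mainmenu-container"><ul id="menu-mainmenu" class="main-menu">
<li><a href="http://192.168.175.223">Home</a></li>
<li><a href="https://jmftek.com/about/">About</a></li></ul></div>
<img src="https://jmftek.com/wp-content/uploads/logo.png">
<meta http-equiv="refresh" content="0;url=http://10.0.0.5/admin">
<a href="http://[fe80::1]/">v6 link-local</a>
"""

SAMPLE_CHAIN = [
    ("http://jmftek.com/", 301, "https://jmftek.com/"),
    ("https://jmftek.com/", 301, "https://192.168.175.223/"),
    ("https://192.168.175.223/", None, None),  # unreachable from outside, as the checker reported
]

if __name__ == "__main__":
    for tag, attr, url, host in scan_html(SAMPLE_HTML):
        print(f"<{tag} {attr}> leaks {host}: {url}")
    for url, status, location, host in audit_redirects(SAMPLE_CHAIN):
        print(f"{url} -> {status} {location} leaks {host}")
```

Run it against a saved copy of the page source (or the HTML WordPress serves) and fix every hit by replacing the address with the public domain name; a hostname that only resolves internally will not be flagged by this check, so the DNS names used in links still need to be ones that resolve from the Internet.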

Thank you so much.

I will check all the code. This place is great. Best support I’ve received in literally 20 years.

J


I think I have it solved even though I get a B grade on https://

I included a WordPress plugin that takes care of HSTS headers, but apparently it does not take care of HSTS headers for https, and that gives me a B Grade—not sure if this matters, but I get this:

| Grade | URL | IP | Http-Status | Note |
|---|---|---|---|---|
| B | https://jmftek.com/ | 24.52.225.245 | 200 | Missing HSTS-Header |
| B | https://www.jmftek.com/ | 24.52.225.245 | 301 | Missing HSTS-Header |

and the rest of the details are Green OK’s.

I’ll do further reading on the WordPress plugin to see if I have mis-configured it, or if this is just the way it is and no issues are left unresolved.

Thank you guys so much - I am not sure if there is a “thumbs up” link/function on this site, I didn’t see one - so how does one show gratitude on this forum, other than selecting a resolution?

Cheers J


Yep, Grade B is good.

If you use HSTS, users can't create an exception, if the certificate is invalid. So HSTS is an amazing feature, but requires an always working certificate.

Your own plugin? HSTS is only a header.

```http
Strict-Transport-Security: max-age=63072000; includeSubDomains;
```

First start with a low max-age (one minute), then increase it. And "includeSubDomains" = every subdomain requires a working certificate, so perhaps first remove that value.
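As an added example (not the plugin's code and not from the thread), here is a parser for that header together with a helper that applies the staged rollout Juergen recommends: the header must parse, `max-age` grows one step at a time, and `includeSubDomains` is only emitted once every subdomain has a working certificate. The rung values of the ladder are an assumption.

```python
"""Parse and stage a Strict-Transport-Security (HSTS) header.

Added example, not from the thread. It encodes the advice above: the
header must parse, max-age grows in steps once the certificate has
proven reliable, and includeSubDomains stays off until every subdomain
serves a working certificate. The stage values are an assumption.
"""
from typing import Dict, List, Union

# Assumed rollout ladder in seconds: one minute, one hour, one day, one
# week, 30 days, then the two years used in the header above.
STAGES: List[int] = [60, 3600, 86400, 604800, 2592000, 63072000]


def parse_hsts(value: str) -> Dict[str, Union[int, bool]]:
    """Parse a header value per RFC 6797: directive names are case-insensitive,
    max-age is mandatory and may be quoted, unknown directives are ignored,
    duplicates are an error. A trailing ';' (as in the header above) is tolerated."""
    result: Dict[str, Union[int, bool]] = {"includeSubDomains": False, "preload": False}
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            raise ValueError(f"duplicate directive: {name}")
        seen.add(name)
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                raise ValueError(f"max-age must be a non-negative integer, got {arg!r}")
            result["max-age"] = int(arg)
        elif name == "includesubdomains":
            result["includeSubDomains"] = True
        elif name == "preload":
            result["preload"] = True
    if "max-age" not in result:
        raise ValueError("max-age is required")
    return result


def is_valid_hsts(value: str) -> bool:
    """True if the header value would be accepted by a browser."""
    try:
        parse_hsts(value)
        return True
    except ValueError:
        return False


def hsts_header(max_age: int, include_subdomains: bool = False) -> str:
    """Build the header value; only set include_subdomains when every subdomain has a certificate."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def next_stage(current_max_age: int) -> int:
    """The next rung of the ladder, or the top rung if already there."""
    for stage in STAGES:
        if stage > current_max_age:
            return stage
    return STAGES[-1]


def rollout_plan(current_value: str, all_subdomains_have_certs: bool) -> str:
    """Given the header served today, return the value to deploy next."""
    parsed = parse_hsts(current_value)
    return hsts_header(next_stage(parsed["max-age"]), all_subdomains_have_certs)


if __name__ == "__main__":
    print(parse_hsts("max-age=63072000; includeSubDomains;"))
    print(rollout_plan("max-age=60", all_subdomains_have_certs=False))
```

On Apache the value produced by `hsts_header` goes into a mod_headers directive such as `Header always set Strict-Transport-Security "max-age=60"` in the HTTPS virtual host; the header is only honoured when received over a valid TLS connection, which is why a broken certificate during a long `max-age` locks users out rather than letting them click through.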
