Pfsense serves wrong certificate for server

Hey,

This is my first post so be gentle :) I’m having an issue with a pfSense firewall on my home network. I have an in-house CA with the root cert loaded to my browsers, the Linux CLI & pfSense (running as a KVM VM). pfSense is providing DHCP and local DNS. pfBlockerNG is installed and active; HAProxy is installed but currently disabled.

In the same LAN as the firewall I have a Synology NAS with its own certificate signed by my CA, with the CN set to server.home.my-registered-domain.net and the SAN set to the same value as a DNS entry, the short name ‘server’ as a DNS entry and the server’s IP address as an IP entry.

Everything appears to work fine on the LAN interface, but I’m trying to set up a VLAN (I have a couple of devices that keep dropping the connection through a dual-band AP but seem to work fine with an old 2.4GHz AP) that runs on 2.4GHz only. The VLAN appears to be set up correctly (DHCP works & I can access the internet), but when I try to access the NAS I get a certificate error. The browser and openssl s_client -connect show that the certificate returned is the fire.wall webGUI certificate, not the server certificate. The server is reachable but just reports as insecure because of the wrong certificate.

I’ve completely lost track of my attempts to locate the cause and fried my brain in the process. Can anyone suggest what I might be missing?

Thanks

Ray

DNS Issue? Sounds like the DNS that’s being handed out to those devices is resolving the domain to the firewall?

To continue this line of thought: I’ve had problems with the search domain in the past. I don’t remember exactly what was going on, but I think it was that I entered a fully qualified, local name and my Windows PC still appended the search domain to it again. That left me with an invalid name which pfSense for some reason resolved to its own address.

I don’t understand how the server can be reached and at the same time you get the certificate from pfSense. That would either mean that the pfSense certificate (and private key) somehow ended up on the NAS or that traffic is being proxied through pfSense.

Can you please run nslookup on the different domains that you use to connect to the NAS from within the network in question? Please verify that the machines actually use the firewall’s DNS server.

Thanks to both you and David for the help. Still not totally sure as to what the exact cause was, but David was essentially correct. When I started digging around with nslookup I saw that the address being returned was that for the WAN interface (essentially my public IP address, as the ADSL modem is in bridged mode).

I have HAProxy configured to allow access to the NAS over the internet using LE certs, with HAProxy providing TLS termination then handing off to the backend using my internal CA. HAProxy is currently disabled so I wouldn’t expect it to be a factor.

The behavior is almost like the traffic was being reflected off of the firewall’s WAN port.

As far as I can tell the root cause for the WAN address being returned was that “register static leases” was not set. Toggling the setting switched nslookup between my internal NAS IP and the WAN I/F IP. However, the NAS is accessible via HTTPS in both states and is now returning the correct certificate regardless of the value returned by nslookup. I’ve rebooted the firewall VM so it’s possible there was some caching effect involved.

Even though it’s not enabled I believe the HAProxy config is involved in some way; the proxy is only configured for HTTPS. Both the NAS and my browser (Brave) have redirect to HTTPS enabled, so I tried connecting to the HTTP port with netcat using:

printf "GET / HTTP/1.1\r\n\r\n"  | nc -N server.home.my-registered-domain.net 

With the address resolving to the WAN I/F, nc just hangs, while with it resolving correctly I get back an HTTP 400 Bad Request page.

I’m on PTO this week and need to have the FW fully working for Work on Monday so I don’t have time to dig deeper into this now.

Again thanks for the help.

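The two checks used in this thread (what a given DNS server answers for the name, and which certificate is served at that address), combined into one script as an added example that is not part of the original posts. The function names, the use of `dig` and the addresses in the final comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# resolve NAME DNS_SERVER: first A record as answered by that specific server
resolve() {
    dig +short A "$1" @"$2" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# served_cert IP NAME [PORT]: leaf certificate (PEM) served at IP with NAME as SNI
served_cert() {
    openssl s_client -connect "$1:${3:-443}" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# cert_covers PEMFILE NAME: succeeds if NAME matches the certificate
# (SAN entries, or the CN when the certificate has no DNS SAN)
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# classify RESOLVED_IP EXPECTED_IP PEMFILE NAME: prints a one-word verdict
classify() {
    if [ "$1" != "$2" ]; then
        echo dns-mismatch      # name resolves to something other than the NAS
    elif ! cert_covers "$3" "$4"; then
        echo cert-mismatch     # right address, certificate issued for another host
    else
        echo ok
    fi
}

# check NAME EXPECTED_IP DNS_SERVER: live run against the network
check() {
    ip=$(resolve "$1" "$3")
    pem=$(mktemp)
    served_cert "$ip" "$1" >"$pem"
    echo "$1 via $3 -> ${ip:-no answer}: $(classify "$ip" "$2" "$pem" "$1")"
    openssl x509 -in "$pem" -noout -subject 2>/dev/null   # who actually answered
    rm -f "$pem"
}

# Constructed placeholders (documentation addresses), run once per name in use:
# check server.home.example.net 192.0.2.10 192.0.2.1
```

Running `check` from a client on the VLAN, once for each name used to reach the NAS, separates a resolver problem (`dns-mismatch`) from a certificate problem on the NAS itself (`cert-mismatch`).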