Self-signed certificates browser warning

Hello,

I know there are no stupid questions, but this feels like one. I run pfSense in my home along with UniFi hardware/controller. The only port I listen for on WAN is 1194 for OpenVPN.

Is it possible to tell Chrome or other browsers to stop warning me about certificates from my internal LAN subnet or specific /32 addresses? I thought Let's Encrypt would be a solution, but it seems like I need to open 443 and expose pfSense for this to work. Seems like an extreme measure just to avoid telling Chrome it's OK to open the encrypted URL. I may be misunderstanding Let's Encrypt though too.

pfSense allows the option to access the WebConfigurator page with port 80. I do not see any such option for the UniFi Controller, and I chose not to allow remote access to the controller. Anything I need remotely goes through OpenVPN.

Are self-signed certificate warnings something we have to live with, or is there an option to acknowledge or bless the certificate on a case-by-case basis, keeping this warning for when it is truly meaningful to my network?

Thank you,

Jerold

The simplest (and also most insecure) thing would be to just tell Chrome not to show any warnings for this specific domain. On the warning page, just click “Advanced” and then “Proceed”:

Chrome will still mark the site as unsafe, but it won’t show the warning any more. For me this persists across restarts, so I am a bit confused about the need for your question if all you want is to not show this warning page.

A more secure way would be to make the certificate legitimate (which does not require a third party CA like Let’s Encrypt, this can be done for self-signed certificates and self-signed CAs as well).

While certificates can be issued for IP addresses as well as for FQDNs, they are always checked against whatever you enter in the browser address bar. So it’s actually important to distinguish between two different kinds of errors:

  1. The certificate common name or alternate subject names do not match the URL (Chrome will display NET::ERR_CERT_COMMON_NAME_INVALID). In this case Chrome will always issue a warning, so you need to change the certificate in order to get the error below.

  2. The certificate matches the URL, but it is not trusted (Chrome will display NET::ERR_CERT_AUTHORITY_INVALID). This error will show with “self-signed” certs (i.e. not signed by any CA at all) or certs that are signed by a CA which is itself not trusted.

The latter warning can be prevented by explicitly trusting (=importing) either the certificate or the CA (if one exists). In Chrome, this can be done in Settings → Security and Privacy → Security → Manage certificates.

If you don’t want to deal with setting up your own CA, you can trust individual certificates, but as their number grows, that becomes more and more of a hassle.

There is nothing inherently special about certificates issued by Let’s Encrypt or any other certificate vendor from a technical point of view. Browsers handle all certificates the same way (simplified):

  1. Check if the specific certificate is installed / explicitly trusted. If it is, proceed to the site.
  2. Check if the certificate is signed by an authority. If it is not, display a warning.
  3. Check if the signing CA’s certificate is installed / explicitly trusted. If it is, proceed to the site.
  4. Repeat steps 2 and 3 for the certificate of the CA.
  5. If the last certificate in the chain is reached and it is not installed / explicitly trusted, display a warning.

What makes LE issued certificates “special” is that LE is already explicitly trusted by browsers as a pre-installed CA.
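The simplified check order and the two error types described above, modelled as an added example (not part of the original post, and not Chrome's actual implementation). Hostnames, addresses and the CA name are constructed; as an assumption, trust is keyed by subject name and no signatures or validity dates are verified.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str        # equal to subject for a self-signed certificate
    sans: tuple = ()   # subjectAltName entries: DNS names or IP strings

def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def name_matches(cert, host):
    """Compare the address-bar host with the certificate's names."""
    host_ip = _ip(host)
    for san in cert.sans:
        if host_ip is not None:
            if _ip(san) == host_ip:          # IP entries must match exactly
                return True
        elif _ip(san) is None:
            san, name = san.lower(), host.lower()
            # A wildcard covers exactly one left-most label.
            if san == name or (san.startswith("*.") and name.partition(".")[2] == san[2:]):
                return True
    return False

def check(host, chain, trusted):
    """chain is leaf first; trusted holds subjects imported into the store."""
    leaf = chain[0]
    if not name_matches(leaf, host):
        return "NET::ERR_CERT_COMMON_NAME_INVALID"   # importing cannot fix this
    by_subject = {c.subject: c for c in chain}
    cert, seen = leaf, set()
    while True:
        if cert.subject in trusted or cert.issuer in trusted:   # steps 1 and 3
            return "OK"
        nxt = by_subject.get(cert.issuer)
        # Self-signed, missing issuer, or a loop: end of chain, nothing trusted.
        if cert.issuer == cert.subject or nxt is None or cert.subject in seen:
            return "NET::ERR_CERT_AUTHORITY_INVALID"
        seen.add(cert.subject)
        cert = nxt

# Constructed sample certificates (names and addresses are made up).
SELF_SIGNED = Cert("pfsense.home.arpa", "pfsense.home.arpa", ("pfsense.home.arpa",))
HOME_CA = Cert("Home Lab CA", "Home Lab CA")
SIGNED = Cert("unifi.home.arpa", "Home Lab CA", ("unifi.home.arpa", "192.168.1.2"))
```

Calling `check("192.168.1.1", [SELF_SIGNED], {"pfsense.home.arpa"})` still returns the name error: a certificate without the IP in its names has to be reissued before importing it helps.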

So I am off base thinking I need to expose port 443 to the WAN, exposing pfSense to the world? I do have a CA set up on pfSense and use certificates for OpenVPN. Thank you for helping me.

What exactly is your goal?

You asked about suppressing warnings in Chrome; for that you don’t need to do anything in pfSense.

Is that what you want, or do you want to get a certificate from LE?