Why does my pfsense gateway break SSL for some internal hosts?

tr flag

I have a proxmox cluster with pfsense acting as a firewall and gateway for the cluster nodes and VMs. VMs have no problem, but the cluster nodes can't browse any websites using SSL, which of course breaks package updates and things like that.

When I connect directly to the outbound gateway that pfsense uses then all works fine.

I'm not sure where to start with troubleshooting this issue.

for example running apt update:

Failed to fetch  Certificate verification failed: The certificate is NOT trusted. 

curl -v
*   Trying
* Connected to ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here:

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
br flag
From the Proxomox servers, you could try running `openssl s_client -connect`, with and without traffic going through pfSense and compare the Issuer of the certificates presented to you. My Proxmox machine got the following issuers: Let's Encrypt, Internet Security Research Group, Digital Signature Trust Co. If the result you get differ between the with and without pfSense, then you have some TLS inspection going on and the pfSense's root cert will need to be added to your Proxmox servers' trust-anchor store.
pzkpfw avatar
cn flag
It's also possible that you simply do not have the `ca-certificates` package installed, but to know for sure you need to figure out which CA the error is referring to when it says `unknown CA`.
barrymac avatar
tr flag
@garethTheRed ok, that's a good tip, exactly the kind of thing I was looking for and indeed it shows the inconsistency between the hosts. Hosts that are using dhcp show a letsencrypt certificate but hosts with static ip addresses present, it seems like it's doing TLS inspection as you say. However when I added the root cert to the host it didn't help. I"ll post back when I figure it out eventually. It's a bit mysterious to me
I sit in a Tesla and translated this thread with Ai:


Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.