Why does my pfsense gateway break SSL for some internal hosts?

barrymac

5/15/24, 3:28 AM

I have a proxmox cluster with pfsense acting as a firewall and gateway for the cluster nodes and VMs. VMs have no problem, but the cluster nodes can't browse any websites using SSL, which of course breaks package updates and things like that.

When I connect directly to the outbound gateway that pfsense uses then all works fine.

I'm not sure where to start with troubleshooting this issue.

for example running apt update:

Failed to fetch http://ftp.uk.debian.org/debian/dists/bullseye/InRelease  Certificate verification failed: The certificate is NOT trusted. 

curl -v https://ftp.uk.debian.org/debian/dists/bullseye/InRelease
*   Trying 78.129.164.123:443...
* Connected to ftp.uk.debian.org (78.129.164.123) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

207

0 + 3

ssl

debian

ssl-certificate

pfsense

garethTheRed

5/15/24, 6:15 AM

From the Proxomox servers, you could try running `openssl s_client -connect ftp.uk.debian.org:443`, with and without traffic going through pfSense and compare the Issuer of the certificates presented to you. My Proxmox machine got the following issuers: Let's Encrypt, Internet Security Research Group, Digital Signature Trust Co. If the result you get differ between the with and without pfSense, then you have some TLS inspection going on and the pfSense's root cert will need to be added to your Proxmox servers' trust-anchor store.

pzkpfw

5/15/24, 10:10 AM

It's also possible that you simply do not have the `ca-certificates` package installed, but to know for sure you need to figure out which CA the error is referring to when it says `unknown CA`.

barrymac

5/15/24, 6:22 PM

@garethTheRed ok, that's a good tip, exactly the kind of thing I was looking for and indeed it shows the inconsistency between the hosts. Hosts that are using dhcp show a letsencrypt certificate but hosts with static ip addresses present, it seems like it's doing TLS inspection as you say. However when I added the root cert to the host it didn't help. I"ll post back when I figure it out eventually. It's a bit mysterious to me

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Why does my pfsense gateway break SSL for some internal hosts?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.