cPanel + pfSense = few weird problems

Flegy

• July 13, 2020 09:34

Hello, I have some weird problems in the web server who is using cPanel. Before several days we set up a webserver behind pfSense NAT 1:1 after than we have several problems, maybe they are related to each other. 1) curl no longer want to work on domains hosted on a web server but when curl google it work fine * When I setup ZeroSSL curl give the error curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate. * After I generate with cPanel SSL than give curl: (60) Issuer certificate is invalid. 2) cannot ping 90% public IPs on the local network /24 subnet but other public networks in subnet /22 work * example when I ping .3 to .9 what host on same server webs it working but when trying ping .63 - .75 who also host webs on the same server it does not work, also cannot ping same network subnet outside of server example .48 what is used on another dedicated server and not behind pfSense. * ping from office PC works fine on all IPs Any idea or hint about what can be a problem is welcome because I am trying to solve it several days without success. Thanks in advance

• 

  cPanelLauren

  • July 14, 2020 21:41

  1) curl no longer want to work on domains hosted on a web server but when curl google it work fine * When I setup ZeroSSL curl give the error curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate. * After I generate with cPanel SSL than give curl: (60) Issuer certificate is invalid.

  
  What is the curl query you're using and what is the exact output it provides. You can use the -v flag for more verbose output

  2) cannot ping 90% public IPs on the local network /24 subnet but other public networks in subnet /22 work * example when I ping .3 to .9 what host on same server webs it working but when trying ping .63 - .75 who also host webs on the same server it does not work, also cannot ping same network subnet outside of server example .48 what is used on another dedicated server and not behind pfSense. * ping from office PC works fine on all IPs

  
  Ping isn't always the best gauge of connectivity but this sounds more like an issue with the firewall than anything else, especially if you're not experiencing these issues without it. Ultimately all of this could be firewall related and may best be addressed by a qualified system administrator.

  0
• 

  Flegy

  • July 20, 2020 11:14

  Thank you for your reply. It worked before NAT 1:1 but the main question is why it can curl all webs what is not on the same machine where is curl run. * About to connect() to www.maxko-hosting.com port 443 (#0) * Trying 45.95.168.7... * Connected to www.maxko-hosting.com (45.95.168.7) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * Server certificate: * subject: CN=server.maxko-hosting.com,E=ssl@server.maxko-hosting.com * start date: Jul 13 13:57:15 2020 GMT * expire date: Jul 13 13:57:15 2021 GMT * common name: server.maxko-hosting.com * issuer: CN=server.maxko-hosting.com,E=ssl@server.maxko-hosting.com * NSS error -8156 (SEC_ERROR_CA_CERT_INVALID) * Issuer certificate is invalid. * Closing connection 0 curl: (60) Issuer certificate is invalid. More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
  

  0
• 

  cPanelLauren

  • July 20, 2020 18:22

  This error is a certificate validation error. Further to that the domain noted does not have an A record so it wouldn't resolve outside the server and it wouldn't have a valid SSL. In order to query it locally you'd need to do it insecurely. If you wanted to query the domain externally over https it'd need a valid A record.

  0

Please sign in to leave a comment.