cPanel + pfSense = few weird problems

Flegy

Member
Sep 7, 2017
15
0
1
Croatia
cPanel Access Level
DataCenter Provider
Hello,

I have some weird problems on a web server that is using cPanel. Several days ago we set up the web server behind pfSense NAT 1:1; after that we have had several problems, and maybe they are related to each other.

1) curl no longer wants to work on domains hosted on the web server, but when I curl google it works fine
* When I set up ZeroSSL, curl gives the error
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
* After I generate with cPanel SSL, it then gives
curl: (60) Issuer certificate is invalid.

2) cannot ping 90% of the public IPs on the local network /24 subnet, but other public networks in the /22 subnet work
* For example, when I ping .3 to .9, which host webs on the same server, it works, but when I try to ping .63 - .75, which also host webs on the same server, it does not work; I also cannot ping the same network subnet outside of the server, for example .48, which is used on another dedicated server and is not behind pfSense.
* ping from office PC works fine on all IPs

Any idea or hint about what the problem can be is welcome, because I have been trying to solve it for several days without success.

Thanks in advance
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,266
1,304
363
Houston
> 1) curl no longer wants to work on domains hosted on the web server, but when I curl google it works fine
> * When I set up ZeroSSL, curl gives the error
> curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
> * After I generate with cPanel SSL, it then gives
> curl: (60) Issuer certificate is invalid.

What is the curl query you're using, and what is the exact output it provides? You can use the -v flag for more verbose output.

> 2) cannot ping 90% of the public IPs on the local network /24 subnet, but other public networks in the /22 subnet work
> * For example, when I ping .3 to .9, which host webs on the same server, it works, but when I try to ping .63 - .75, which also host webs on the same server, it does not work; I also cannot ping the same network subnet outside of the server, for example .48, which is used on another dedicated server and is not behind pfSense.
> * ping from office PC works fine on all IPs

Ping isn't always the best gauge of connectivity, but this sounds more like an issue with the firewall than anything else, especially if you're not experiencing these issues without it. Ultimately all of this could be firewall related and may best be addressed by a qualified system administrator.
 

Flegy

Thank you for your reply.

It worked before NAT 1:1, but the main question is why it can curl all webs that are not on the same machine where curl is run.


Code:
* About to connect() to www.maxko-hosting.com port 443 (#0)
*   Trying 45.95.168.7...
* Connected to www.maxko-hosting.com (45.95.168.7) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=server.maxko-hosting.com,[email protected]
*       start date: Jul 13 13:57:15 2020 GMT
*       expire date: Jul 13 13:57:15 2021 GMT
*       common name: server.maxko-hosting.com
*       issuer: CN=server.maxko-hosting.com,[email protected]
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
* Closing connection 0
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
 

cPanelLauren

This error is a certificate validation error. Further to that the domain noted does not have an A record so it wouldn't resolve outside the server and it wouldn't have a valid SSL. In order to query it locally you'd need to do it insecurely. If you wanted to query the domain externally over https it'd need a valid A record.
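
Added example, not part of the thread or of anyone's posted code: a small Python parser for the verbose curl output quoted above that reports why validation fails for the requested host (issuer identical to subject, common name different from the host, validity window). It sees only the common name because that is all this output prints, while real clients match against subjectAltName entries; the function names are hypothetical.

```python
import re
from datetime import datetime

# Abridged from the verbose curl (NSS build) output quoted in the thread.
SAMPLE = """\
* About to connect() to www.maxko-hosting.com port 443 (#0)
* Server certificate:
*       subject: CN=server.maxko-hosting.com,[email protected]
*       start date: Jul 13 13:57:15 2020 GMT
*       expire date: Jul 13 13:57:15 2021 GMT
*       common name: server.maxko-hosting.com
*       issuer: CN=server.maxko-hosting.com,[email protected]
"""

LABELS = {"subject": "subject", "issuer": "issuer", "cn": "common name",
          "start": "start date", "expire": "expire date"}

def parse_curl_verbose(text):
    """Extract the requested host and the certificate fields from `curl -v` output."""
    m = re.search(r"About to connect\(\) to (\S+) port", text)
    info = {"host": m.group(1) if m else None}
    for key, label in LABELS.items():
        m = re.search(rf"^\*\s+{label}: (.+)$", text, re.MULTILINE)
        info[key] = m.group(1).strip() if m else None
    return info

def name_matches(host, cn):
    """Exact match, or a wildcard CN covering exactly one left-most label."""
    host, cn = host.lower(), cn.lower()
    if cn.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cn[2:]
    return host == cn

def diagnose(info, now):
    """Return the reasons the certificate cannot validate for the requested host."""
    findings = []
    if info["subject"] and info["subject"] == info["issuer"]:
        findings.append("self-signed")    # no CA in the bundle issued it
    if info["host"] and info["cn"] and not name_matches(info["host"], info["cn"]):
        findings.append("name-mismatch")  # the condition behind curl error 51
    fmt = "%b %d %H:%M:%S %Y GMT"
    if info["start"] and info["expire"]:
        if now < datetime.strptime(info["start"], fmt):
            findings.append("not-yet-valid")
        elif now > datetime.strptime(info["expire"], fmt):
            findings.append("expired")
    return findings

print(diagnose(parse_curl_verbose(SAMPLE), datetime(2020, 8, 1)))
```
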