
PFS003 - pfSense TLS/SSL Certificate Error

Agent error code #206003 (PFS003) indicates that the agent could not verify the TLS certificate presented by pfSense. The TLS handshake failed before any API request could be sent.

This error is distinct from connection refused or timeout errors (#206000 / PFS000 and #206004 / PFS004). Error #206003 (PFS003) means the network path to pfSense is working but the certificate is not trusted by the agent.

Common causes include:

  • pfSense is presenting its default self-signed certificate
  • The certificate is signed by an internal CA that the agent host does not trust
  • The certificate has expired
  • The hostname configured in the Knocknoc backend does not match the certificate's Subject or SAN

Steps to Resolve

Install a Trusted Certificate on pfSense

  1. In pfSense, navigate to System > Cert. Manager > Certificates
  2. Import or generate a certificate signed by a CA that the agent host trusts (the ACME package supports Let's Encrypt)
  3. Apply the certificate under System > Advanced > Admin Access > SSL Certificate
  4. Confirm the certificate's Subject/SAN matches the hostname in the Knocknoc backend

Confirm the Hostname Matches the Certificate

  1. In the Knocknoc backend configuration, confirm the pfSense URL uses the name on the certificate (not an IP address, unless the certificate also has an IP SAN)
  2. If you need to use a different hostname, reissue the certificate to include it as a SAN
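To confirm which of the causes listed above applies before changing anything, and to check that the hostname in the backend really is covered by the certificate, the following shell helper (added here; not Knocknoc's or pfSense's own tooling) fetches the certificate pfSense presents and tests expiry, trust against a CA bundle, and hostname against the Subject/SAN. It assumes openssl 1.1.1 or newer on the agent host, a bundle path such as /etc/ssl/certs/ca-certificates.crt (adjust for your OS), and exact name matching (wildcard names are not handled).

```shell
# Added diagnostic, not Knocknoc or pfSense tooling. Requires openssl 1.1.1+ (for -ext).
# Name matching is exact: wildcard certificates are not handled.

# fetch_cert HOST [PORT]: write the leaf certificate pfSense presents to stdout (PEM).
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# cert_names FILE: list every DNS SAN, IP SAN and Subject CN the certificate covers.
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | tr ',' '\n' \
        | sed -n -e 's/^ *DNS:\(.*\)$/\1/p' -e 's/^ *IP Address:\(.*\)$/\1/p'
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# diagnose_cert FILE HOST CAFILE: report the first reason the agent would reject FILE
# when connecting to HOST, verifying the chain against the CA bundle CAFILE.
# Prints one of: expired, untrusted, hostname-mismatch, ok. Returns 1 unless ok.
diagnose_cert() {
    cert=$1; host=$2; cafile=$3
    # -checkend 0 fails when notAfter is already in the past
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo expired; return 1
    fi
    # chain must terminate in a CA the agent host trusts
    if ! openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        echo untrusted; return 1
    fi
    # the name configured in the Knocknoc backend must appear in SAN or CN
    if ! cert_names "$cert" | grep -qxF -- "$host"; then
        echo hostname-mismatch; return 1
    fi
    echo ok
}

# Example run (constructed hostname): uncomment on the agent host.
# fetch_cert pfsense.example.lab > /tmp/pfsense.pem
# diagnose_cert /tmp/pfsense.pem pfsense.example.lab /etc/ssl/certs/ca-certificates.crt
```

Run the check from the agent host itself, not from a workstation, since it is the agent host's trust store that decides whether the chain is accepted.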

Use the Insecure Option (Lab Only)

If the pfSense host genuinely cannot present a trusted certificate (for example, a lab environment), enable Insecure in the Knocknoc backend configuration to skip TLS verification.

Skipping verification means an attacker on the network between the agent and pfSense could intercept the API key. Only use this when the agent and pfSense share a trusted segment.

Still Having Issues?

We can help you out; contact us at support@knocknoc.io.