OPNsense Forum

Archive => 22.7 Legacy Series => Topic started by: gazd25 on October 14, 2022, 10:39:30 am

Title: 22.7.6 Upgrade HAProxy CRL Problem
Post by: gazd25 on October 14, 2022, 10:39:30 am
Hi All,

I've just updated my OPNsense from 22.7.5>6 this morning and I'm now seeing an error around HAProxy being unable to start due to a CRL problem because I use client certificate authentication.

All certs are being issued by a local CA on the OPNsense firewall.

I've already tried removing and recreating the CRL then re-adding to the HAProxy frontend, none of which has made any difference. For now, to get HAProxy to start correctly, I've had to remove the CRL from the public-facing frontend, but this is less than ideal.

If I try and re-add it I see the pictured error when doing a test syntax from the HAProxy GUI, so it's definitely related to the CRL somehow, but I can't figure out what's actually wrong.

Coupled to this, the crash reporter is now also regularly reporting the below error, even though HAProxy is functional albeit with no CRL for any revoked certs:

[14-Oct-2022 08:29:49 Europe/London] PHP Fatal error:  Uncaught Error: Call to undefined function crl_update() in /usr/local/opnsense/scripts/OPNsense/HAProxy/exportCerts.php:74
Stack trace:
#0 {main}
  thrown in /usr/local/opnsense/scripts/OPNsense/HAProxy/exportCerts.php on line 74
[14-Oct-2022 08:30:30 Europe/London] PHP Fatal error:  Uncaught Error: Call to undefined function crl_update() in /usr/local/opnsense/scripts/OPNsense/HAProxy/exportCerts.php:74
Stack trace:
#0 {main}
  thrown in /usr/local/opnsense/scripts/OPNsense/HAProxy/exportCerts.php on line 74
[14-Oct-2022 08:30:58 Europe/London] PHP Fatal error:  Uncaught Error: Call to undefined function crl_update() in /usr/local/opnsense/scripts/OPNsense/HAProxy/exportCerts.php:74
Stack trace:
#0 {main}
  thrown in /usr/local/opnsense/scripts/OPNsense/HAProxy/exportCerts.php on line 74

I know there were some changes to CRL handling, but I thought this was only supposed to impact OpenVPN, which seems to be working fine.

Any help in resolving would be very much appreciated guys.

Many thanks

Gareth
Title: Re: 22.7.6 Upgrade HAProxy CRL Problem
Post by: franco on October 14, 2022, 12:04:27 pm
https://github.com/opnsense/plugins/commit/2c99d4a6870

# opnsense-patch -c plugins 2c99d4a6870

Problems concerning empty CRLs as described in the 22.7.6 release notes apply for HAProxy as well.


Cheers,
Franco
Title: Re: 22.7.6 Upgrade HAProxy CRL Problem
Post by: gazd25 on October 14, 2022, 01:19:10 pm
Thank you Franco, you are a superstar, I'll get this patch applied  ;D