OPNsense Forum
Archive => 17.1 Legacy Series => Topic started by: Taomyn on March 14, 2017, 08:05:33 pm
-
I decided to give the "Let's Encrypt" module a go, but I've hit a few issues.
- Whenever I request/renew a certificate I have to reboot the firewall to get my Internet connection back - no traffic going out. I don't see any residual rules left behind so I have no idea why this is happening. PPPoE with VLAN perhaps? I'm also not using the HAProxy option just generating certificates as I didn't want to run before I could walk - oh, and I was successful in getting both a test certificate and a real one, so that's all working.
- Is there a way to export the full certificate and also include a password? I'm actually wanting to use the module to generate certificates for another device and for some inexplicable reason it won't let me enter a blank password when importing - I'm thinking that they assume no-one stores full certificates without a password.
- The log file is being split at the wrong "column" and so displays something like:
[Tue Mar 14 19:43:34 CET 2017] Blah blah blah
-
I actually want to get a cert for my OPNsense box so I was thinking of using this. If my girls give me some time tonight I'll give this a spin and try to get this installed to see what happens.
-
Hi Taomyn,
thanks for your report.
- Whenever I request/renew a certificate I have to reboot the firewall to get my Internet connection back - no traffic going out. I don't see any residual rules left behind so I have no idea why this is happening. PPPoE with VLAN perhaps? I'm also not using the HAProxy option just generating certificates as I didn't want to run before I could walk - oh, and I was successful in getting both a test certificate and a real one, so that's all working.
Please provide some additional details. Which validation method are you using for your certificate?
I can only think of one validation method that might cause an issue: HTTP-01 OPNsense port forward. Are you using it?
If so, maybe post a screenshot of your settings. It's the only one that builds some port forward rules depending on either your configuration or some assumptions ("IP Auto-Discovery").
- Is there a way to export the full certificate and also include a password? I'm actually wanting to use the module to generate certificates for another device and for some inexplicable reason it won't let me enter a blank password when importing - I'm thinking that they assume no-one stores full certificates without a password.
The LE plugin just uses the system Certificate Manager (System -> Trust -> Certificates). It seems to lack this functionality.
I've created a feature request: https://github.com/opnsense/core/issues/1475
- The log file is being split at the wrong "column" and so displays something like:
[Tue Mar 14 19:43:34 CET 2017] Blah blah blah
This is a known bug: https://github.com/opnsense/plugins/issues/69
Regards
- Frank
-
Hi Taomyn,
this should have been my first question: Which version of OPNsense and the LE plugin are you using?
Regards
- Frank
-
OPNSense v17.1.2-amd64
os-acme-client v1.1
Yes, I'm using the HTTP-01 method only. I've attached a screenshot of the main settings.
-
OPNSense v17.1.2-amd64
os-acme-client v1.1
Yes, I'm using the HTTP-01 method only. I've attached a screenshot of the main settings.
Since you've specified your official IP, maybe remove "IP Auto-Discovery" and try again.
Regards
- Frank
-
Still the same when I untick that option - specifying the IP was the only way I could get it to work which is why it's there.
-
Still the same when I untick that option - specifying the IP was the only way I could get it to work which is why it's there.
Please have a look at the system log: System -> Log File.
Maybe these log messages can reveal the root cause of this issue.
Thanks
- Frank
-
I just updated to 17.1.3 which has a newer version of the LE plug-in, hopefully tonight I can give it another go to get logs and see what happens.
-
As promised, I tried again and it still kills my connection. This is the log from the actions:
Mar 16 17:24:24 config[71271]: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: failed to retrieve restart action from certificate
Mar 16 17:24:24 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: issued/renewed certificate: xxxxxne.co.uk
Mar 16 17:24:06 configd.py: [65b197e8-5ac6-4acd-b3a1-e8dedb650ef7] signing or renewing a certificate
Mar 16 17:24:06 configd.py: [42f73e2e-e5ac-4349-9fc5-0a9f667d8195] Tested for presence of plugin haproxy
And attached is a screenshot of the requested certificate. Hope it helps, so if you want me to test a patch/fix let me know.
-
Mar 16 17:24:24 config[71271]: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: failed to retrieve restart action from certificate
Mar 16 17:24:24 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: issued/renewed certificate: xxxxxne.co.uk
Mar 16 17:24:06 configd.py: [65b197e8-5ac6-4acd-b3a1-e8dedb650ef7] signing or renewing a certificate
Mar 16 17:24:06 configd.py: [42f73e2e-e5ac-4349-9fc5-0a9f667d8195] Tested for presence of plugin haproxy
These messages are normal. You haven't configured a restart action, so it's ok that it failed to retrieve it (but this message should be suppressed by the LE plugin since it's useless).
And there is nothing else in the system log around the time when your internet connection died?
I'm sorry, I still have no idea what's wrong there :(
Regards
- Frank
-
No, those lines were all that was logged, then I rebooted the firewall to get my connection back - is there any way to get more info into the logs?
I still have a few more certificates I need to issue and I was saving them for further testing of this problem.
-
No, those lines were all that was logged, then I rebooted the firewall to get my connection back - is there any way to get more info into the logs?
The temporary pf rules, that are added during certificate validation, are stored in the filesystem in /var/etc/acme-client/configs. Each certificate has its own subfolder (represented by the internal certificate ID) and the subfolder should contain a file named "acme_anchor_rules". Would you please paste the contents of this file here?
Thanks
- Frank
-
I'll PM you the content of the file shortly
-
Or I would:
User 'fraenki' has blocked your personal message.
-
Or I would:
User 'fraenki' has blocked your personal message.
Try again, I've enabled personal messages. (Hello Spambots.)
-
Done, so you can disable it again if you wish, though I have yet to receive any spam to my Inbox
-
The auto-generated pf rules look good. They should not cause any harm, especially since you're not using a (HTTP) proxy server on your OPNsense firewall.
Please provide the output of the following commands for both situations, once (with a working internet connection) before running the LE plugin and a second time when the plugin killed your internet connection:
curl --head http://www.opnsense.org/
ping -c 3 8.8.8.8
EDIT: Please also check the firewall log for denied packets under Firewall -> Log Files -> Normal View.
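The before/after comparison Frank asks for is easier to get right if both snapshots are taken by the same script and saved to files that can be diffed. The script below is an added example, not part of the thread and not code from the OPNsense project or the os-acme-client plugin: it records the two requested commands (curl --head, ping -c 3) together with the pf anchors, NAT/rdr rules and port-80 states that are loaded at that moment, so leftover validation rules show up in the diff. It also contains small parsers for the curl and ping output, so a log pasted from a LAN client can be classified the same way. The output directory and the sample rule text are assumptions of the example; the sample rules are constructed and do not reproduce the plugin's real acme_anchor_rules content.

```shell
#!/bin/sh
# le-debug.sh: connectivity snapshot helper (added example, not plugin code).
# Run once with "before" while the connection works, then with "after" once the
# LE plugin has run, and diff the two files.

OUT_DIR="${OUT_DIR:-/tmp/le-debug}"   # assumed location, change as needed

# Classify a saved `curl --head` transcript: "ok" for any 2xx/3xx status line,
# "no-response" when no HTTP status line is present (e.g. DNS or connect error),
# "fail:<code>" otherwise.
http_status() {
    printf '%s\n' "$1" | awk '
        toupper($1) ~ /^HTTP\// { code = $2 }
        END {
            if (code ~ /^[23][0-9][0-9]$/) print "ok"
            else if (code == "")           print "no-response"
            else                           print "fail:" code
        }'
}

# Extract the packet-loss percentage (integer) from a ping summary line.
# Works for both FreeBSD ("0.0% packet loss") and Linux ("0% packet loss").
ping_loss() {
    printf '%s\n' "$1" | awk '/packet loss/ {
        for (i = 1; i <= NF; i++) if ($i ~ /%$/) { sub(/%$/, "", $i); print int($i) }
    }'
}

# Count rdr rules in rule text such as the contents of
# /var/etc/acme-client/configs/<cert-id>/acme_anchor_rules.
rdr_rule_count() {
    printf '%s\n' "$1" | grep -c '^rdr' || true
}

# CONSTRUCTED sample in pf syntax, used only to exercise rdr_rule_count.
# It is not the plugin's real output; the interface, IP and port are made up.
SAMPLE_RULES='rdr pass on pppoe0 proto tcp from any to 203.0.113.10 port 80 -> 127.0.0.1 port 43580
pass in quick on pppoe0 proto tcp from any to 127.0.0.1 port 43580'

# Take a full snapshot and write it to $OUT_DIR/<label>.txt.
# Requires pfctl, so it is meant to run on the OPNsense box itself.
collect_snapshot() {
    label="$1"
    mkdir -p "$OUT_DIR"
    f="$OUT_DIR/$label.txt"
    {
        echo "== $(date) =="
        echo "== curl --head http://www.opnsense.org/ =="
        curl --head --max-time 10 http://www.opnsense.org/ 2>&1 || true
        echo "== ping -c 3 8.8.8.8 =="
        ping -c 3 8.8.8.8 2>&1 || true
        echo "== pf anchors (pfctl -sA) =="
        pfctl -sA 2>&1 || true
        echo "== pf NAT/rdr rules (pfctl -sn) =="
        pfctl -sn 2>&1 || true
        echo "== pf states involving port 80 =="
        pfctl -ss 2>&1 | grep ':80 ' || true
    } > "$f"
    echo "wrote $f"
}

# Only take a snapshot when a label is given on the command line, so that
# sourcing the file just defines the helper functions.
if [ -n "${1:-}" ]; then
    collect_snapshot "$1"
fi
```

Usage on the firewall: `sh le-debug.sh before`, trigger the certificate request, then `sh le-debug.sh after` and `diff /tmp/le-debug/before.txt /tmp/le-debug/after.txt`. Any rdr rule or anchor that appears only in the "after" file is a candidate for the rule that is still steering traffic after validation has finished; if the diff is empty but LAN clients still lose connectivity, the problem is in the state table or routing rather than in the rule set, which matches the later finding in this thread that a filter reload clears it.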
-
Sent results by PM
-
Sent results by PM
Thanks again! The results show that your internet connection is still working (PING, DNS, TCP). So the issue does not actually kill your internet connection, but only affects (other) computers in your network.
Would you please repeat these tests on a computer in your network that loses the internet connection?
Thanks
- Frank
-
Actually I did at the time, and neither worked - sorry, I forgot to grab the info.
-
Does manually reloading the firewall rules fix your issue? (after you've lost the internet connection)
Firewall -> Diagnostics -> Filter Reload -> Reload Filter
-
I'm pretty sure I tried that when I first encountered the issue, but I can't be certain. I can try it again when I next get a chance.
-
Does manually reloading the firewall rules fix your issue? (after you've lost the internet connection)
Firewall -> Diagnostics -> Filter Reload -> Reload Filter
Good news, this fixes the issue but I'm pretty sure it didn't before with 17.1.2 so maybe something in 17.1.3 fixed that as well.
-
Don't suppose you know what command I could put into the "Custom command" field of a restart action that would reload the firewall rules? This might help me out and perhaps this should be one of the pre-defined system commands.