OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: gdur on March 12, 2021, 03:02:20 PM

Title: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: gdur on March 12, 2021, 03:02:20 PM
I've upgraded my system this morning to version 21.1 and just discovered that aliases are no longer editable.
As a workaround I've made the needed changes in config.xml and pushed the apply button in the web interface. Still need to find out if that works as the change involves allowing access for a specific external IP address.

In addition:
Adding a new alias doesn't work either...
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: Fright on March 12, 2021, 03:47:58 PM
21.1?
no longer editable how?
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: gdur on March 12, 2021, 06:31:53 PM
Just like I said. Clicking the edit pencil in the GUI nothing happens. Same for clicking the + sign to add a new one.
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: gdur on March 12, 2021, 06:39:55 PM
Just like I said. Clicking the edit pencil in the GUI nothing happens. Same for clicking the + sign to add a new one.

I'm using Firefox 52.6.0 as this is the only browser to provide access. All other "newer" browsers complain as follows:
Quote
Secure Connection Failed
An error occurred during a connection to opnsense.koxkampseweg10.com. A required TLS feature is missing.
Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
Not sure if this is related. I'm using a Letsencrypt cert and Firefox is just accepting it as expected but other browsers don't.
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: franco on March 12, 2021, 07:34:55 PM
I'm pretty sure this was fixed over a month ago in 21.1.1:

https://github.com/opnsense/changelog/blob/882c3cdfc94c29d9d320f7f318366bc6d2a27665/community/21.1/21.1.1#L34


Cheers,
Franco
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: Fright on March 12, 2021, 08:07:15 PM
Quote: I'm using a Letsencrypt cert
Quote: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
"OCSP Must Staple" enabled on LE cert?
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: gdur on March 13, 2021, 08:18:07 AM
@ Franco: Don't understand what you mean. I can't find anything related to this issue at "https://github.com/opnsense/changelog/blob/882c3cdfc94c29d9d320f7f318366bc6d2a27665/community/21.1/21.1.1#L34"

@ Fright: Where can I find this option? Not available in the LE settings page...

But thanks for your support.
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: Fright on March 13, 2021, 08:35:57 AM
Quote: I can't find anything related to this issue at
need to see dev console errors from your browser.
but there was a compatibility issue with replaceAll() method.
https://forum.opnsense.org/index.php?topic=21199.0
and it was fixed on 21.1.1.
and this fix is mentioned exactly where @franco indicated
Quote: Where can I find this option? Not available in the LE settings page
Services: Let's Encrypt: Certificates
edit Cert -> "Security Settings"
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: gdur on March 13, 2021, 10:26:18 AM
Quote: edit Cert -> "Security Settings"
edit Cert ->
Thanks for that but "OCSP Must Staple" was already enabled so that cannot be the issue...
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: Fright on March 13, 2021, 10:59:57 AM
this is the issue
I could be wrong (I hope @franco will correct me) but I have not found evidence that the GUI currently supports stapling. therefore to use modern browsers, you need to either disable the stapling requirements in the browser (if they allow it. FF still seems to allow it) or change\make\assign the certificate without OCSP Staple
https://www.thesslstore.com/blog/ocsp-ocsp-stapling-ocsp-must-staple/
https://support.mozilla.org/en-US/questions/1149911
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: gdur on March 13, 2021, 05:15:43 PM
Hello Fright,
I've decided to first upgrade to the latest version, so now I'm on 21.1.3. That at least solved the UI problems encountered earlier.
With respect to LE I can confirm that ocsp_must_staple is responsible because I can get access or not by toggling security.ssl.enable_ocsp_must_staple from true to false in the browser settings. However, "OCSP Must Staple" is enabled in the LE cert settings but even forcing a cert renewal doesn't solve the issue. Any idea what to look for?
Thank you!
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: Fright on March 13, 2021, 05:33:37 PM
sorry, I didn't quite understand
you need to uncheck the "OCSP Must Staple" box manually and then force the renewal.
is this what you did? was the renewal successful?
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: gdur on March 13, 2021, 06:04:45 PM
Hi Fright,

Aha, I first misunderstood but have now unchecked the "OCSP Must Staple" box but that results in another error in recent browsers (Edge, Firefox). It says "A potential DNS Rebind attack has been detected". So what now?
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: Fright on March 13, 2021, 06:22:23 PM
need to know the DNS settings and the details of accessing the opnsense, but the easiest way is to open the GUI via IP and disable this protection: System: Settings: Administration -> Disable DNS rebinding checks
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: gdur on March 13, 2021, 10:30:59 PM
Thanks for your efforts but "Disable DNS rebinding checks" was already unchecked...
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: Fright on March 14, 2021, 05:43:58 AM
yes. and you need to enable it and "Save"
or if you try to access GUI by name that does not match the settings in System: Settings: General try adding this name to the System: Settings: Administration->Alternate hostnames
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: gdur on March 14, 2021, 10:34:29 AM
Hi Fright,
You are making impressively long days and thanks a lot for offering all these suggestions.
For now I'm stuck because I have forced too many renewals ending up with "too many certificates already issued for exact set of domains".
Sadly none of your suggestions led to a solution but only result, once accepting an acceptation, into an insecure connection. So I need to dive into this somewhat deeper. I now think that this behavior, as it seems to be a DNS issue, maybe occurs because the public advertised FQDN (external IP address) is in conflict with the internal published FQDN (internal IP address (LAN) using a local DNS).
Could this be the case?
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: Fright on March 14, 2021, 02:06:58 PM
Quote: I have forced too many renewals ending up with "too many certificates already issued for exact set of domains".
if you have already received a certificate without a must-staple, then there is no need to do it anymore )
Quote: Sadly none of your suggestions led to a solution but only result, once accepting an acceptation, into an insecure connection.
more details please? did you enable "Disable DNS Rebinding Checks"? did you add Alternate Hostnames (if the server name in the browser is different from the hostname in System: Settings: General)? What is the result now when trying to access from the browser by name?
Quote: as it seems to be a DNS issue, maybe occurs because the public advertised FQDN (external IP address) is in conflict with the internal published FQDN (internal IP address (LAN) using a local DNS).
this is possible and depends on the DNS settings. if internal DNS-servers are used by the opnsense as forwarders, then, of course, receiving a response with a private address from the forwarder is a sign of DNS-Rebinding attack
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: tryllz on March 15, 2021, 07:12:38 AM
Quote from: gdur on March 12, 2021, 03:02:20 PM
I've upgraded my system this morning to version 21.1 and just discovered that aliases are no longer editable.
As a workaround I've made the needed changes in config.xml and pushed the apply button in the web interface. Still need to find out if that works as the change involves allowing access for a specific external IP address.

In addition:
Adding a new alias doesn't work either...
I believe you are talking about the same issue I'm facing via Chromium Edge browser. This works fine in Chrome.

https://forum.opnsense.org/index.php?topic=22051.msg104550#msg104550
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: gdur on March 15, 2021, 04:12:41 PM
@ Fright,
I herewith can confirm that it was indeed a local DNS conflicting issue. I've changed the local record to the public IP address and that solved the problem.
Thanks again for all your input
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: Fright on March 15, 2021, 04:35:47 PM
@gdur
not a perfect solution imho but glad it works )
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: gdur on March 16, 2021, 11:25:43 AM
@ Fright,
I totally agree but I'm afraid I need to spend more time to figure out what the appropriate DNS settings should be in the General settings. My first guess is that I should define an external DNS server (let's say 8.8.8.8) at the first position and then as a secondary my local DNS server (which is now the only one defined). Or maybe just select "Allow DNS server list to be overridden by DHCP/PPP on WAN"?

For now at least it works without complaining.
Title: Re: Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1
Post by: Fright on March 16, 2021, 02:25:28 PM
@gdur
schemes and solutions depend on internal services and client settings. if the internal network is small and there are no special requirements for the DNS (AD or some), then it is quite possible to do with the use of the Unbound available on Opnsense and abandon the internal servers. If internal servers are necessary or more convenient, then I would prefer to use only internal servers, and the unbound would be designated as a forwarder for internal servers (the unbound itself can be configured for forwarding or recursion).
after choosing a scheme a solution for the DNS Rebinding issue can be offered.
unless, of course, this is a simple mismatch of the hostname in the OPN config and the hostname in http request
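
Added example (not part of the thread and not OPNsense's own code): a simplified Python model of the two independent checks discussed above, the web GUI comparing the HTTP Host header against its configured hostname and alternate hostnames, and a resolver flagging a private address returned for a name it does not expect to be internal. The function names, the private range list, the `private_domains` exemption and all sample hostnames and addresses are assumptions constructed for illustration.

```python
import ipaddress

# Ranges a resolver typically treats as private (assumed list for this sketch).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fd00::/8", "fe80::/10")]


def host_header_allowed(host_header, hostname, domain, alternate_hostnames=()):
    """GUI-side check: does the HTTP Host header name this firewall?"""
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, maybe with port
        host = host[1:].partition("]")[0]
    elif host.count(":") == 1:               # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")
    try:
        ipaddress.ip_address(host)
        return True                          # IP literal: no DNS name to rebind
    except ValueError:
        pass
    allowed = {"localhost", hostname.lower(), f"{hostname}.{domain}".lower()}
    allowed.update(a.lower().rstrip(".") for a in alternate_hostnames)
    return host in allowed


def rebinding_suspects(qname, answers, private_domains=()):
    """Resolver-side check: private addresses returned for a non-exempt name."""
    name = qname.lower().rstrip(".")
    if any(name == d or name.endswith("." + d) for d in private_domains):
        return []                            # name is expected to be internal
    return [a for a in answers
            if any(ipaddress.ip_address(a) in net for net in PRIVATE_NETS)]


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    fw = dict(hostname="fw", domain="lan.example")
    print(host_header_allowed("gui.example.org", **fw))
    print(host_header_allowed("gui.example.org", **fw,
                              alternate_hostnames=["gui.example.org"]))
    print(rebinding_suspects("gui.example.org", ["192.168.1.1"]))
    print(rebinding_suspects("gui.example.org", ["203.0.113.10"]))
```

In this model, pointing the local record at the public address clears only the resolver-side check, while listing the name as an alternate hostname clears only the GUI-side check.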