Hello,
I have created a new HTTP server via the Nginx plugin. In the same way as many others before.
However, now I get the following error message for the newly created server after restarting the nginx service:
cannot load certificate "/usr/local/etc/nginx/key/subdomain.mydomain.tld.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/etc/nginx/key/subdomain.mydomain.tld.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
The wildcard certificate (*.mydomain.tld) created via the ACME client was selected as the TLS certificate (as with the other HTTP servers).
The check mark for "Enable Let's Encrypt Plugin Support" is not set.
Where is the error and how can I force the use of the wildcard certificate?
Hi
I don't think it has anything to do with the certificate type (the setup script doesn't check the certificate contents). Maybe there are errors in the backend log?
Or the "HTTPS Listen Address" is empty?
Quote from: Fright on October 13, 2022, 04:45:29 PM
maybe there are errors in the backend log?
Where can I find this log?
Quote from: Fright on October 13, 2022, 04:45:29 PM
Or the "HTTPS Listen Address" is empty?
No, it's exactly the same configuration as in all the other HTTP servers, which are working.
Edit:
No entry in the backend log of OPNsense -> System -> Logs.
Hm. Any messages (except "php_fpm already running?") if you run
/usr/local/opnsense/scripts/nginx/setup.php
?
Quote from: Fright on October 14, 2022, 09:16:40 PM
Hm. Any messages (except "php_fpm already running?") if you run
/usr/local/opnsense/scripts/nginx/setup.php
?
No.
Just "php_fpm allready running? (pid=56775)."
Found the error.
I had added the line "add_header 'Access-Control-Allow-Origin' '*';" for a previously created HTTP server in the nginx configuration via the xxxxxxxx-xxxx-xxxx-xxxxxxxx_post/*.conf.
This apparently led to the described error for all subsequently created HTTP servers.
After I removed the *.conf, the error disappeared.
OK, I guess I spoke too soon.
When I then wanted to create another HTTP server (same setting, only different upstream and different subdomain), the error occurred again.
Hi
I think I found something, and it's a little regression at https://github.com/opnsense/plugins/commit/9f80395a3bfbc0a09c6d65d3cb0e9a66217e03e5
While trying to figure out how to solve it nicely, I see a temporary workaround: manually run '/usr/local/opnsense/scripts/nginx/setup.php' after adding the server with a new name and certificate and clicking the Apply button. In this case the certificate files will be in the right place, and you will need to hit Apply again.
Huh, why... is setup.php not called correctly? Which OPNsense version is this?
Cheers,
Franco
@franco Hi)
I'm testing on 22.7.6.
/usr/local/etc/rc.d/nginx contains reload_precmd="nginx_checkconfig", which is called before _setup. So on an Apply hit we have:
- templates reloaded (with the new server cert references in nginx.conf)
- nginx fails the config check (cert files not ready yet because setup.php has not been started yet)
- setup not started because the config check returned an error
@franco
How dirty is this syntax for /etc/rc.conf.d/nginx:
reload_precmd="/usr/local/opnsense/scripts/nginx/setup.php; nginx_checkconfig"
restart_precmd="/usr/local/opnsense/scripts/nginx/setup.php; nginx_checkconfig"
nginx_enable="YES"
for cases like this?
It's supposed to call setup.php on start/reload/restart by default. Is nginx rc script fudging these actions somehow?
Cheers,
Franco
If I understand this right, at https://github.com/opnsense/src/blob/a72dccaa7d6ced2a547c5d7f7a739e0a494ee333/libexec/rc/rc.subr#L1185
_precmd is executed before _setup, and if _precmd fails (like in this case) _setup will not run.
Or can we switch the _setup/_precmd order?
nginx rc:
https://github.com/freebsd/freebsd-ports/blob/main/www/nginx/files/nginx.in
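The ordering Fright describes, modelled as an added stand-in example (this is not code from the thread, from OPNsense, or from FreeBSD's rc.subr): `nginx_setup` plays the role of setup.php, `nginx_checkconfig` plays the role of the `nginx_checkconfig` precmd, and the two reload functions run them in the pre-fix and post-fix order. The certificate path is a constructed placeholder in a temp directory.

```shell
#!/bin/sh
# Added example, not the rc.subr or plugin code: a minimal model of why a
# precmd that runs before _setup aborts the reload when the cert is missing.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/subdomain.example.pem"   # constructed placeholder path

# Stand-in for setup.php: writes the certificate file that nginx.conf references.
nginx_setup() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
        '-----END CERTIFICATE-----' > "$CERT"
}

# Stand-in for nginx_checkconfig ("nginx -t"): fails while the cert file is missing,
# which is the BIO_new_file() error from the first post.
nginx_checkconfig() {
    if [ ! -r "$CERT" ]; then
        echo "cannot load certificate \"$CERT\": No such file or directory" >&2
        return 1
    fi
    return 0
}

# Order before the fix: _precmd (checkconfig) runs first, and because a failing
# precmd aborts the action, _setup never gets to create the file.
reload_old_order() {
    rm -f "$CERT"
    nginx_checkconfig || return 1
    nginx_setup
    return 0
}

# Order after the fix: _setup materialises the cert, then _precmd validates it.
reload_new_order() {
    rm -f "$CERT"
    nginx_setup
    nginx_checkconfig || return 1
    return 0
}

if reload_old_order; then echo "old order: reload ok"; else echo "old order: reload aborted"; fi
if reload_new_order; then echo "new order: reload ok"; else echo "new order: reload aborted"; fi
```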
Yikes ok, nginx_checkconfig as precmd stops start/reload :(
In that case we need to switch indeed. Commit in a bit.
Thanks,
Franco
Thanks !! :)
This then...
https://github.com/opnsense/src/commit/ca9cdd508ee
# fetch https://raw.githubusercontent.com/opnsense/src/ca9cdd5/libexec/rc/rc.subr
# mv rc.subr /etc/
Cheers,
Franco
Thanks again! Will test in an hour or two..
@franco
Quote
# fetch https://raw.githubusercontent.com/opnsense/src/ca9cdd5/libexec/rc/rc.subr
# mv rc.subr /etc/
Like a charm!
Hope @psychofaktory will confirm too.
Thanks again.
Ok, we will pick this up in 22.7.7... thanks for the analysis! :)
Cheers,
Franco
Quote from: Fright on October 17, 2022, 04:04:31 PM
Hope @psychofaktory will confirm too.
Can confirm it works perfectly with the fix.
A big thank you!
Thanks for the feedback!
Quote from: psychofaktory on October 17, 2022, 05:21:26 PM
Quote from: Fright on October 17, 2022, 04:04:31 PM
Hope @psychofaktory will confirm too.
Can confirm it works perfectly with the fix.
A big thank you!
I ran into this issue today and found this post doing some googling. I applied your fix and it resolved the issue for me as well. Just figured I'd add another +1