Since the upgrade everything is working well, except that the Google Drive backup failed when I tried a manual one.
The error was that the p12 key wasn't valid.
I removed and regenerated a new key but get the following response:
The following input errors were detected:
- Invalid P12 key, openssl_pkcs12_read() failed
- Saved settings, but remote backup failed.
Pretty sure this isn't a me problem as all the other settings are unchanged.
Can someone give theirs a go?
Same here :(
Same here :(
I can confirm the same behavior.
This has also now been logged as a bug: https://github.com/opnsense/core/issues/7184
Thank you for the confirmation folks!
The info in the bugtracker to solve the issue did not work for me, but it pointed me in the right direction:
https://www.practicalnetworking.net/practical-tls/openssl-3-and-legacy-providers/
I modified the /usr/local/openssl/openssl.cnf file
[provider_sect]
default = default_sect
legacy = legacy_sect
and
[default_sect]
activate = 1
[legacy_sect]
activate = 1
restarted webgui --> Backup worked
Since it's patching a template it doesn't work immediately, but a reboot or a reconfiguration of the trust subsystem would do the trick (but I don't know which GUI knob that is off the top of my head).
Cheers,
Franco
Got that, Franco, thank you for the clarification.
Quote from: amichel on January 31, 2024, 07:49:49 PM
I modified the /usr/local/openssl/openssl.cnf file
[provider_sect]
default = default_sect
legacy = legacy_sect
and
[default_sect]
activate = 1
[legacy_sect]
activate = 1
restarted webgui --> Backup worked
This worked for me as well after a reboot.
Thanks all, muchly appreciated!
This worked flawlessly and corrected the issue. Thank you so much for the information.
Works as described by amichel and Starrbuck. Thank you very much.
Will there be a future patch/update that will be deployed to address this issue for those of us that do not want to manually modify the file referenced above?
Quote from: adamrc on February 02, 2024, 07:40:47 PM
Will there be a future patch/update that will be deployed to address this issue for those of us that do not want to manually modify the file referenced above?
You don't have to manually edit the file. You can just apply the commit from github yourself.
opnsense-patch d8ba131
Or you can wait until the next OPNsense update.
Quote from: jp0469 on February 02, 2024, 09:40:57 PM
Quote from: adamrc on February 02, 2024, 07:40:47 PM
Will there be a future patch/update that will be deployed to address this issue for those of us that do not want to manually modify the file referenced above?
You don't have to manually edit the file. You can just apply the commit from github yourself.
opnsense-patch d8ba131
Or you can wait until the next OPNsense update.
That worked great! Thanks! I had to reboot for the changes to apply.
I am seeing this issue with 24.10_7 business edition. Would it be safe to apply the same patch to the business edition?
opnsense-patch d8ba131
The commit is 9 months old and already included and the thread is stale for that same amount of time... Maybe you're looking at a different issue?
Cheers,
Franco
Unsure, I am running 24.10_7 and getting the exact same error...
https://imgur.com/a/8wrkApM
I don't see legacy in /usr/local/openssl/openssl.cnf, but I do see it in /usr/local/opnsense/service/templates/OPNsense/Trust/openssl.cnf. It's like the template isn't being applied? I have rebooted several times now at this point.
I installed 24.10 fresh and upgraded to 24.10_7, then applied my 24.7.7 config, as I was moving over from community to business.
https://github.com/opnsense/core/commit/d8ba131aadcceb2dd9719627a1363b34aad41e70
Seems like I should see the legacy provider, but I don't, since /usr/local/openssl/openssl.cnf seems wrong.
# /usr/local/bin/openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.15
    status: active
If I execute /usr/local/etc/rc.syshook.d/early/15-templates manually, it has no output and returns success 0, but /usr/local/openssl/openssl.cnf remains unchanged.
System: Trust: Settings: Enable legacy, apply, done?
Cheers,
Franco
That didn't seem to work. I still get the same error.
https://imgur.com/a/7A1sn5q
Once I enabled legacy trust, I rebooted. Now I see legacy from openssl:
# /usr/local/bin/openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.15
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.15
    status: active
But trying to do a backup, I still get the same error.
(https://i.imgur.com/d83BfyF.png)
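
The check done by hand in the last few posts (is legacy activated in the rendered openssl.cnf, and is it loaded at runtime), as an added example that is not part of the original thread or OPNsense's own code. It assumes the section names from the configuration posted above (provider_sect, legacy_sect); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense. Assumes the layout
# posted above: [provider_sect] <name> = <section>, [<section>] activate = 1

# cnf_provider_active FILE NAME: prints "active", "inactive" or "missing".
cnf_provider_active() {
    awk -v want="$2" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # drop comments, trim
        $0 == "" { next }
        /^\[.*\]$/ { sect = substr($0, 2, length($0) - 2); gsub(/[ \t]/, "", sect); next }
        (n = index($0, "=")) > 0 {
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (sect == "provider_sect" && key == want) target = val
            if (key == "activate") act[sect] = tolower(val)
        }
        END {
            # Only an explicit truthy value counts (conservative assumption).
            if (target == "") print "missing"
            else if (act[target] ~ /^(1|yes|true|on)$/) print "active"
            else print "inactive"
        }' "$1"
}

# active_providers: reads `openssl list -providers` output on stdin and
# prints the id of each provider whose status is active, one per line.
active_providers() {
    awk '
        { gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" || $0 == "Providers:" { next }
        index($0, ":") == 0 { id = $0; next }
        $0 == "status: active" { print id }'
}

# Constructed sample: a config whose legacy lines are commented out, so the
# provider is never referenced from [provider_sect].
demo_cnf=$(mktemp)
cat > "$demo_cnf" <<'EOF'
[provider_sect]
default = default_sect
# legacy = legacy_sect
[default_sect]
activate = 1
# [legacy_sect]
# activate = 1
EOF
echo "default: $(cnf_provider_active "$demo_cnf" default)"
echo "legacy:  $(cnf_provider_active "$demo_cnf" legacy)"
rm -f "$demo_cnf"
```

On the firewall, the two inputs from the thread would be `cnf_provider_active /usr/local/openssl/openssl.cnf legacy` and `/usr/local/bin/openssl list -providers | active_providers`.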