I decided to give the "Let's Encrypt" module a go, but I've hit a few issues.
- Whenever I request/renew a certificate I have to reboot the firewall to get my Internet connection back - no traffic going out. I don't see any residual rules left behind so I have no idea why this is happening. PPPoE with VLAN perhaps? I'm also not using the HAProxy option just generating certificates as I didn't want to run before I could walk - oh, and I was successful in getting both a test certificate and a real one, so that's all working.
- Is there a way to export the full certificate and also include a password? I'm actually wanting to use the module to generate certificates for another device and for some inexplicable reason it won't let me enter a blank password when importing - I'm thinking that they assume no-one stores full certificates without a password.
- The log file is being split at the wrong "column" and so displays something like:
[Tue Mar 14 19:43:34 CET 2017] Blah blah blah
I actually want to get a cert for my OPNsense box so i was thinking of using this. If my girls give me some time tonight I'll give this a spin and try to get this installed to see what happens.
Hi Taomyn,
thanks for your report.
Quote from: Taomyn on March 14, 2017, 08:05:33 PM
- Whenever I request/renew a certificate I have to reboot the firewall to get my Internet connection back - no traffic going out. I don't see any residual rules left behind so I have no idea why this is happening. PPPoE with VLAN perhaps? I'm also not using the HAProxy option just generating certificates as I didn't want to run before I could walk - oh, and I was successful in getting both a test certificate and a real one, so that's all working.
Please provide some additional details. Which validation method are you using for your certificate?
I can only think of one validation method that might cause an issue: HTTP-01 OPNsense port forward. Are you using it?
If so, maybe post a screenshot of your settings. It's the only one that builds some port forward rules depending on either your configuration or some assumptions ("IP Auto-Discovery").
Quote from: Taomyn on March 14, 2017, 08:05:33 PM
- Is there a way to export the full certificate and also include a password? I'm actually wanting to use the module to generate certificates for another device and for some inexplicable reason it won't let me enter a blank password when importing - I'm thinking that they assume no-one stores full certificates without a password.
The LE plugin just uses the system Certificate Manager (System -> Trust -> Certificates). It seems to lack this functionality.
I've created a feature request: https://github.com/opnsense/core/issues/1475
Quote from: Taomyn on March 14, 2017, 08:05:33 PM
- The log file is being split at the wrong "column" and so displays something like:
[Tue Mar 14 19:43:34 CET 2017] Blah blah blah
This is a known bug: https://github.com/opnsense/plugins/issues/69
Regards
- Frank
Hi Taomyn,
this should have been my first question: Which version of OPNsense and the LE plugin are you using?
Regards
- Frank
OPNsense v17.1.2-amd64
os-acme-client v1.1
Yes, I'm using the HTTP-01 method only. I've attached a screenshot of the main settings.
Quote from: Taomyn on March 15, 2017, 05:19:44 PM
OPNsense v17.1.2-amd64
os-acme-client v1.1
Yes, I'm using the HTTP-01 method only. I've attached a screenshot of the main settings.
Since you've specified your official IP, maybe remove "IP Auto-Discovery" and try again.
Regards
- Frank
Still the same when I untick that option - specifying the IP was the only way I could get it to work which is why it's there.
Quote from: Taomyn on March 15, 2017, 05:41:39 PM
Still the same when I untick that option - specifying the IP was the only way I could get it to work which is why it's there.
Please have a look at the system log: System -> Log File.
Maybe these log messages can reveal the root cause of this issue.
Thanks
- Frank
I just updated to 17.1.3 which has a newer version of the LE plug-in, hopefully tonight I can give it another go to get logs and see what happens.
As promised, I tried again; it still kills my connection. This is the log from the actions:
Mar 16 17:24:24 config[71271]: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: failed to retrieve restart action from certificate
Mar 16 17:24:24 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: issued/renewed certificate: xxxxxne.co.uk
Mar 16 17:24:06 configd.py: [65b197e8-5ac6-4acd-b3a1-e8dedb650ef7] signing or renewing a certificate
Mar 16 17:24:06 configd.py: [42f73e2e-e5ac-4349-9fc5-0a9f667d8195] Tested for presence of plugin haproxy
And attached is a screenshot of the requested certificate. Hope it helps, so if you want me to test a patch/fix let me know.
Mar 16 17:24:24 config[71271]: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: failed to retrieve restart action from certificate
Mar 16 17:24:24 opnsense: /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php: AcmeClient: issued/renewed certificate: xxxxxne.co.uk
Mar 16 17:24:06 configd.py: [65b197e8-5ac6-4acd-b3a1-e8dedb650ef7] signing or renewing a certificate
Mar 16 17:24:06 configd.py: [42f73e2e-e5ac-4349-9fc5-0a9f667d8195] Tested for presence of plugin haproxy
These messages are normal. You haven't configured a restart action, so it's ok that it failed to retrieve it (but this message should be suppressed by the LE plugin since it's useless).
And there is nothing else in the system log around the time when your internet connection died?
I'm sorry, I still have no idea what's wrong there :(
Regards
- Frank
No, those lines were all that was logged, then I rebooted the firewall to get my connection back - is there any way to get more info into the logs?
I still have a few more certificates I need to issue and I was saving them for further testing of this problem.
Quote from: Taomyn on March 17, 2017, 02:48:17 PM
No, those lines were all that was logged, then I rebooted the firewall to get my connection back - is there any way to get more info into the logs?
The temporary pf rules, that are added during certificate validation, are stored in the filesystem in /var/etc/acme-client/configs. Each certificate has its own subfolder (represented by the internal certificate ID) and the subfolder should contain a file named "acme_anchor_rules". Would you please paste the contents of this file here?
Thanks
- Frank
I'll PM you the content of the file shortly
Or I would:
User 'fraenki' has blocked your personal message.
Quote from: Taomyn on March 20, 2017, 12:32:24 PM
Or I would:
User 'fraenki' has blocked your personal message.
Try again, I've enabled personal messages. (Hello Spambots.)
Done, so you can disable it again if you wish, though I have yet to receive any spam to my Inbox
The auto-generated pf rules look good. They should not cause any harm, especially since you're not using a (HTTP) proxy server on your OPNsense firewall.
Please provide the output of the following commands for both situations, once (with a working internet connection) before running the LE plugin and a second time when the plugin killed your internet connection:
curl --head http://www.opnsense.org/
ping -c 3 8.8.8.8
EDIT: Please also check the firewall log for denied packages under Firewall -> Log Files -> Normal View.
Sent results by PM
Quote from: Taomyn on March 20, 2017, 07:04:52 PM
Sent results by PM
Thanks again! The results show that your internet connection is still working (PING, DNS, TCP). So the issue does not actually kill your internet connection, but only affects (other) computers in your network.
Would you please repeat these tests on a computer in your network that loses the internet connection?
Thanks
- Frank
Actually I did at the time, and neither worked - sorry, I forgot to grab the info.
Does manually reloading the firewall rules fix your issue? (after you've lost the internet connection)
Firewall -> Diagnostics -> Filter Reload -> Reload Filter
I'm pretty sure I tried that when I first encountered the issue, but I can't be certain. I can try it again when I next get a chance.
Quote from: fraenki on March 21, 2017, 03:58:15 PM
Does manually reloading the firewall rules fix your issue? (after you've lost the internet connection)
Firewall -> Diagnostics -> Filter Reload -> Reload Filter
Good news, this fixes the issue but I'm pretty sure it didn't before with 17.1.2 so maybe something in 17.1.3 fixed that as well.
Don't suppose you know what command I could put into the "Custom command" field of a restart action that would reload the firewall rules? This might help me out and perhaps this should be one of the pre-defined system commands.
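The thread leaves two things open: whether validation rules really are left behind (the "residual rules" question in the first post) and what command a restart action could run to reload the filter. The following is an added example, not code from os-acme-client or from anyone in this thread: a small sh script that snapshots the loaded pf ruleset before a certificate request, compares it afterwards, and reloads the filter only if something was left behind. It assumes pfctl(8) is available and that `configctl filter reload` is the command-line equivalent of Firewall -> Diagnostics -> Filter Reload on OPNsense.

```sh
#!/bin/sh
# Added example (not OPNsense or os-acme-client code): snapshot the loaded pf
# ruleset before a certificate request, compare it afterwards, and reload the
# filter only if rules added during HTTP-01 validation are still loaded.
# Assumptions: pfctl(8) is present; "configctl filter reload" is the CLI
# equivalent of Firewall -> Diagnostics -> Filter Reload on OPNsense.
set -u

SNAPSHOT="${SNAPSHOT:-/var/tmp/pf-rules-before-acme.txt}"

# Write the main ruleset plus every anchor's rules to $1, one rule per line.
snapshot_rules() {
    pfctl -sr 2>/dev/null > "$1"
    pfctl -sA 2>/dev/null | while read -r anchor; do
        [ -n "$anchor" ] || continue
        pfctl -a "$anchor" -sr 2>/dev/null | sed "s|^|anchor \"$anchor\": |"
    done >> "$1"
}

# Print rules present in snapshot $2 (after) but absent from snapshot $1 (before).
# Pure text comparison, so it can be exercised without pf at all.
leftover_rules() {
    sort -u "$1" > "$1.sorted"
    sort -u "$2" > "$2.sorted"
    comm -13 "$1.sorted" "$2.sorted"
    rm -f "$1.sorted" "$2.sorted"
}

# Compare the live ruleset with the saved snapshot; reload the filter if
# anything was left behind. Returns 0 if clean, 1 if a reload was needed.
compare_and_reload() {
    now=$(mktemp) || return 2
    snapshot_rules "$now"
    left=$(leftover_rules "$SNAPSHOT" "$now")
    rm -f "$now"
    if [ -z "$left" ]; then
        echo "no leftover rules after validation"
        return 0
    fi
    printf 'leftover rules:\n%s\n' "$left"
    configctl filter reload    # same effect as the GUI "Reload Filter" button
    return 1
}

case "${1:-}" in
    snapshot) snapshot_rules "$SNAPSHOT" && echo "saved $SNAPSHOT" ;;
    compare)  compare_and_reload ;;
    *)        echo "usage: $0 snapshot | compare (snapshot before the request, compare after)" ;;
esac
```

Run `snapshot` before issuing or renewing, then `compare` once the request has finished; in compare mode the script prints any leftover rules before reloading, which is the evidence the thread was still looking for.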