Hi guys,
I am hoping someone could help me.
I have HAProxy configured and integrated with Let's Encrypt: one front-end on port 443 and several back-ends, ACLs, etc.
However, I just hit the mark of 30 SSL certificates added to the same front-end, and once I try to add more I receive an error in the config.
Any idea why there is a limit?
Please see the picture attached.
Thanks
Hi akron,
Notified maintainer.
Cheers,
Franco
Quote from: franco on July 21, 2017, 10:30:57 AM
Hi akron,
Notified maintainer.
Cheers,
Franco
Thanks
Any idea why this is happening? I'm open to speculation and don't mind trying to work around it...
Cheers
The error would suggest one or all certificates are put on a single line, which causes the line read to fail at some point because the line buffer is too small.
It would be in the config file, you can see the line is too long, but I have no idea why.
Cheers,
Franco
Quote from: franco on July 21, 2017, 12:51:53 PM
The error would suggest one or all certificates are put on a single line, which causes the line read to fail at some point because the line buffer is too small.
It would be in the config file, you can see the line is too long, but I have no idea why.
Cheers,
Franco
Hmm, I see. This only happens when I reach the 30 SSL mark: 29 SSLs are fine, 30 gives the error. I can alternate the SSLs, and as long as I don't go over 30 everything works perfectly.
It would be a shame if there is no fix; OPNsense is such a great box...
Cheers
But the same holds true for 31 certs or 32... Could you check the actual config file to see why the line is overly long? It's what the error says, not that it's more than 29 certs. :)
Thanks,
Franco
Quote from: franco on July 21, 2017, 02:17:29 PM
But the same holds true for 31 certs or 32... Could you check the actual config file to see why the line is overly long? It's what the error says, not that it's more than 29 certs. :)
Thanks,
Franco
Where is the config file located?
There are two paths in your screenshot, one for a .conf file and one for a .pem file.
Quote from: franco on July 21, 2017, 03:09:46 PM
There are two paths in your screenshot, one for a .conf file and one for a .pem file.
Yes right :)
So on line 62 I have:
bind PUBLIC IP:443 name PUBLIC IP:443 ssl crt /var/etc/haproxy/ssl/4435345346dcdd7a.pem crt /var/etc/haproxy/ssl/345353453534.pem crt /var/etc/haproxy/ssl/59294353454353572.pem crt /var/etc/haproxy/ssl/54354353453d.pem crt /var/etc/haproxy/ssl/3452342456.pem
and it goes on forever on that line until the last certificate.
Is there any way to split that line into lines 63 and 64 so HAProxy can read it correctly?
Can you try this simple patch? https://github.com/opnsense/plugins/commit/bd96fcfe
From the root shell it installs via:
# opnsense-patch -c plugins bd96fcfe
After that, apply the configuration again.
If it doesn't work, run the patch command again to remove the patch.
Cheers,
Franco
Quote from: franco on July 21, 2017, 05:34:36 PM
Can you try this simple patch? https://github.com/opnsense/plugins/commit/bd96fcfe
From the root shell it installs via:
# opnsense-patch -c plugins bd96fcfe
After that, apply the configuration again.
If it doesn't work, run the patch command again to remove the patch.
Cheers,
Franco
Thanks, but it killed it ;D
Reverted back...
I have some SSL enforced settings in the global config... not sure if I should take them back and then apply the patch again.
Quote from: akron on July 21, 2017, 06:02:44 PM
Quote from: franco on July 21, 2017, 05:34:36 PM
Can you try this simple patch? https://github.com/opnsense/plugins/commit/bd96fcfe
From the root shell it installs via:
# opnsense-patch -c plugins bd96fcfe
After that, apply the configuration again.
If it doesn't work, run the patch command again to remove the patch.
Cheers,
Franco
Thanks, but it killed it ;D
Reverted back...
I have some SSL enforced settings in the global config... not sure if I should take them back and then apply the patch again.
Hi Franco,
Any other workaround worth trying?
Cheers
Hi akron,
Looking at your output and the previous fix, the line escape was added, but the newline was missing. D'oh, sorry.
New try with *two* characters, instead of one:
https://github.com/opnsense/plugins/commit/00151b8
# opnsense-patch 00151b8
Cheers,
Franco
Quote from: franco on July 24, 2017, 06:44:08 PM
Hi akron,
Looking at your output and the previous fix, the line escape was added, but the newline was missing. D'oh, sorry.
New try with *two* characters, instead of one:
https://github.com/opnsense/plugins/commit/00151b8
# opnsense-patch 00151b8
Cheers,
Franco
Thanks Franco, however it says "fetch: https://github.com/opnsense/core/commit/00151b8.patch: Not Found" :D
I will apply this once the link is working and let you know the result.
Cheers
# opnsense-patch -c plugins 00151b8
This is better...
Quote from: franco on July 24, 2017, 10:11:01 PM
# opnsense-patch -c plugins 00151b8
This is better...
Right, so it seems I'm getting the same error again...
I know I'm late to the party... I'll try to prepare a fix later today, requires a few code changes and tests. :)
Regards
- Frank
Quote from: fraenki on July 25, 2017, 12:29:40 AM
I know I'm late to the party... I'll try to prepare a fix later today, requires a few code changes and tests. :)
Regards
- Frank
Thanks no worries ;D
According to the manual the "crl" argument also takes directories; that seems to be the only solution to this long line debacle. :D
Quote from: franco on July 25, 2017, 02:45:51 PM
According to the manual the "crl" argument also takes directories; that seems to be the only solution to this long line debacle. :D
No, actually crt-list makes more sense in this case, IMHO.
http://cbonte.github.io/haproxy-dconv/1.7/configuration.html#crt-list
I'm working on this right now.
Regards
- Frank
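To make the crt-list approach Frank mentions concrete, here is an added example (my own illustration, not OPNsense plugin code and not HAProxy code). It builds the overlong inline `bind ... ssl crt ... crt ...` line the thread ran into, then the equivalent `crt-list` file (one certificate per line, with optional SNI filters) plus the short `bind ... ssl crt-list <file>` line, and checks each against a line-length limit. The 2048-character limit, the frontend address and the hashed certificate file names are assumptions/constructed sample data; the `/var/etc/haproxy/ssl` directory is the one shown earlier in the thread.

```python
"""Replace an overlong HAProxy 'crt ... crt ...' bind line with 'crt-list'.

Added example, not OPNsense or HAProxy code. The cert names, the address
and ASSUMED_LINE_LIMIT are constructed/assumed; only the SSL_DIR path is
taken from the thread.
"""
import os

SSL_DIR = "/var/etc/haproxy/ssl"

# Assumption: the config parser reads each line into a fixed buffer and
# rejects longer lines as "line too long". The real value is not stated on
# this page; 2048 is a placeholder that makes the check concrete.
ASSUMED_LINE_LIMIT = 2048


def inline_bind_line(addr, cert_names):
    """The form that broke: one 'crt' argument per certificate, all on one line."""
    parts = [f"bind {addr} name {addr} ssl"]
    parts.extend(f"crt {os.path.join(SSL_DIR, name)}" for name in cert_names)
    return " ".join(parts)


def crt_list_text(cert_names, sni_filters=None):
    """HAProxy crt-list file body: one PEM bundle path per line, optionally
    followed by SNI filter names ('!' negates, '*' wildcards are allowed)."""
    sni_filters = sni_filters or {}
    lines = []
    for name in cert_names:
        # Refuse anything that is not a plain .pem file name inside SSL_DIR,
        # so a stray path component cannot point the listener elsewhere.
        if not name.endswith(".pem") or os.sep in name:
            raise ValueError(f"unexpected certificate file name: {name!r}")
        fields = [os.path.join(SSL_DIR, name)] + list(sni_filters.get(name, []))
        lines.append(" ".join(fields))
    return "\n".join(lines) + "\n"


def crt_list_bind_line(addr, list_path):
    """The replacement bind line; its length no longer depends on the cert count."""
    return f"bind {addr} name {addr} ssl crt-list {list_path}"


def longest_line(text):
    return max(len(line) for line in text.splitlines())


def build(addr, cert_names, list_path, limit=ASSUMED_LINE_LIMIT):
    """Return both variants plus whether each stays under the assumed limit."""
    inline = inline_bind_line(addr, cert_names)
    listing = crt_list_text(cert_names)
    bind = crt_list_bind_line(addr, list_path)
    return {
        "inline": inline,
        "inline_fits": len(inline) < limit,
        "crt_list": listing,
        "crt_list_fits": longest_line(listing) < limit and len(bind) < limit,
        "bind": bind,
    }


# Constructed sample input: 30 bundles with hashed-looking names like the
# ones in the thread (not real certificates).
SAMPLE_CERTS = [f"{i * 2654435761 % (1 << 64):016x}.pem" for i in range(1, 31)]

if __name__ == "__main__":
    result = build("203.0.113.10:443", SAMPLE_CERTS, "/var/etc/haproxy/ssl/certs.lst")
    print(f"inline bind line: {len(result['inline'])} chars, fits={result['inline_fits']}")
    print(f"crt-list bind line: {len(result['bind'])} chars, fits={result['crt_list_fits']}")
    print(result["crt_list"], end="")
```

Two things worth noting. First, `inline_fits` is a function of accumulated path length, not of a certificate count, which is Franco's point above: 30 was simply where these particular file names crossed the buffer. Second, after writing the list file and the new bind line into the generated config, validate it before reloading with `haproxy -c -f <config file>` so a malformed list is caught without dropping the listener.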
Quote from: franco on July 25, 2017, 02:45:51 PM
According to the manual the "crl" argument also takes directories; that seems to be the only solution to this long line debacle. :D
I have never used HAProxy before, and I'm not trying to be greedy or wanting infinite SSL certificates on one system. ;D
I am just short of public IPs, only one in fact, and wanted to see if I could deploy further SSLs on one box.
OPNsense has been choice number one here after ditching UTM and pfSense, and so far it is the best traffic-eating firewall appliance I have ever seen 8)
Cheers
The fix is ready for testing:
opnsense-patch -c plugins 6a82b37
For reference: https://github.com/opnsense/plugins/pull/209
Regards
- Frank
Quote from: fraenki on July 25, 2017, 04:16:16 PM
The fix is ready for testing:
opnsense-patch -c plugins 6a82b37
For reference: https://github.com/opnsense/plugins/pull/209
Regards
- Frank
Nice one fraenki, it is working now ;D Thanks for this.
Will this be shipped in future releases or do we need to always patch?
Thanks both for the help
Cheers
Quote from: fraenki on July 25, 2017, 04:16:16 PM
The fix is ready for testing:
opnsense-patch -c plugins 6a82b37
For reference: https://github.com/opnsense/plugins/pull/209
Regards
- Frank
Also where can I contribute or buy you guys a beer..?
Quote from: akron on July 25, 2017, 04:33:27 PM
Will this be shipped in future releases or do we need to always patch?
It will be available in 17.7.1 (at the latest). :)
Quote from: akron on July 25, 2017, 04:40:23 PM
Also where can I contribute or buy you guys a beer..?
You're always welcome to report issues, suggest enhancements or even provide some fixes:
https://github.com/opnsense/core/issues
https://github.com/opnsense/plugins/issues
On the other hand, the OPNsense project welcomes donations too:
https://opnsense.org/donate/
Thanks for reporting this issue!
Regards
- Frank
Quote from: fraenki on July 25, 2017, 05:00:27 PM
Quote from: akron on July 25, 2017, 04:33:27 PM
Will this be shipped in future releases or do we need to always patch?
It will be available in 17.7.1 (at the latest). :)
Quote from: akron on July 25, 2017, 04:40:23 PM
Also where can I contribute or buy you guys a beer..?
You're always welcome to report issues, suggest enhancements or even provide some fixes:
https://github.com/opnsense/core/issues
https://github.com/opnsense/plugins/issues
On the other hand, the OPNsense project welcomes donations too:
https://opnsense.org/donate/
Thanks for reporting this issue!
Regards
- Frank
Donated
Thank you
Yay, thanks to both of you! :)
We'll add this for 17.7.1, we want to play it safe for 17.7.
Cheers,
Franco