OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: evergreek on July 07, 2020, 04:22:00 pm

Title: WebUI not loading after SSL cert update
Post by: evergreek on July 07, 2020, 04:22:00 pm
Hello guys, I have a bit of a problem. Yesterday I updated the SSL certificate from the default one to the one for my domain on the WebUI config page. Now the UI is not loading, and I see the following error message in the logs:

root@OPNsense:/var/log # /usr/local/etc/rc.restart_webgui
Starting web GUI...failed.
Generating RRD graphs...done.
root@OPNsense:/var/log # /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
2020-07-07 09:19:54: (mod_openssl.c.513) SSL: couldn't read private key from '/var/etc/cert.pem'
2020-07-07 09:19:54: (server.c.1207) Initialization of plugins failed. Going down.

When I cat /var/etc/cert.pem I see the following (keys removed):

root@OPNsense:/var/etc # more cert.pem
-----BEGIN CERTIFICATE-----
XXXXXXXX
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
XXXXXXXXXX
-----END PRIVATE KEY-----

Looks like it cannot read the private key? Is there any way to revert this to the "default" SSL cert?
Title: Re: WebUI not loading after SSL cert update
Post by: Gary7 on July 07, 2020, 05:33:50 pm
This may be a complete "shot in the dark".
I looked at my default /var/etc/cert.pem file and there is a blank line between END CERTIFICATE and BEGIN PRIVATE KEY.
Possibly a blank line is needed in order to correctly parse the file?
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----

Title: Re: WebUI not loading after SSL cert update
Post by: amichel on July 07, 2020, 07:51:08 pm
...
-----END PRIVATE KEY-----

looks like it cannot read the private key? Any way to revert this to the "default" ssl cert?
Can't you simply revert from the shell to a previous version?
At least that should give you access to the GUI even with a cert error. Then you can recreate the cert, and before installing it I would in the meantime also configure the GUI to listen on port 80.

amichel
Title: Re: WebUI not loading after SSL cert update
Post by: mgsteve on December 11, 2020, 10:50:39 pm
Sorry to resurrect this thread, but I've just had the same problem on 20.7. It appears that if there are any errors in the certs (in my case a stray character at the end of the cert) it causes lighttpd to fail to start and you're left with a GUI-less system.

This is far from ideal if the firewall is in a data center and you've got no remote access to the console. The code needs to run some sort of validation check on the cert to make sure it's valid before you assign it to the GUI, or put in some fallback code to restore the SSL to the old one if it fails to start.
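The pre-flight check mgsteve asks for, as an added example that is not part of this thread and not OPNsense or lighttpd code. It assumes only Python 3 and its standard library. `check_pem_structure` catches framing defects offline (a stray character on an END line, a missing PRIVATE KEY block, text outside any block), and `openssl_accepts` then loads the bundle through Python's `ssl` module, i.e. through the same OpenSSL routines an OpenSSL-based server such as lighttpd uses, so it is the authoritative test. The sample bundles are constructed placeholders (a DER SEQUENCE header plus zero padding, not real certificates or keys), which is why the structural check passes on `SAMPLE_OK` while OpenSSL still rejects it: the structural check alone is not sufficient, and both should run before a new bundle replaces the one the GUI uses.

```python
import base64
import os
import re
import ssl
import tempfile

# A PEM boundary line must match exactly; a stray trailing character
# (the failure mode described in the post above) makes the line fail to match.
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def check_pem_structure(text):
    """Return a list of problems found in a PEM bundle (empty list = structurally OK).

    Per block: BEGIN/END labels match, the body is valid base64, and the decoded
    body starts with a DER SEQUENCE tag (0x30), as every X.509 certificate and
    PKCS#8/PKCS#1 key does. Across blocks: no text outside a block, at least one
    CERTIFICATE and one PRIVATE KEY block. Blank lines between blocks are
    tolerated but not required.
    """
    problems, labels, current, body = [], [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")            # tolerate CRLF line endings
        if current is None:
            m = _BEGIN.match(line)
            if m:
                current, body = m.group(1), []
            elif line.strip():
                problems.append(f"line {lineno}: text outside a PEM block: {line!r}")
            continue
        m = _END.match(line)
        if m:
            if m.group(1) != current:
                problems.append(f"line {lineno}: END {m.group(1)} does not match BEGIN {current}")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError as exc:
                der = b""
                problems.append(f"{current} block: body is not valid base64 ({exc})")
            if not der:
                problems.append(f"{current} block: empty body")
            elif der[0] != 0x30:
                problems.append(f"{current} block: decoded body does not start with a DER SEQUENCE")
            labels.append(current)
            current = None
        elif _BEGIN.match(line):
            problems.append(f"line {lineno}: BEGIN inside unterminated {current} block")
        else:
            body.append(line.strip())
    if current is not None:
        problems.append(f"unterminated {current} block (END line missing or malformed)")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no PRIVATE KEY block")
    return problems


def openssl_accepts(pem_text):
    """Load the bundle the way an OpenSSL-based server does.

    Returns (True, None) if OpenSSL accepts the certificate chain and private
    key, else (False, error_message). The temp file is created with mode 0600
    by mkstemp and removed afterwards, since it holds a private key.
    """
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(pem_text)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile=path)
        return True, None
    except (ssl.SSLError, OSError, ValueError) as exc:
        return False, str(exc)
    finally:
        os.unlink(path)


def _fake_der():
    # Constructed placeholder: DER SEQUENCE header plus zero padding.
    # Not a real certificate or key; it only exercises the structural checks.
    return b"\x30\x82\x01\x00" + b"\x00" * 256


def _pem_block(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample bundles (labelled placeholders, see _fake_der).
SAMPLE_OK = _pem_block("CERTIFICATE", _fake_der()) + _pem_block("PRIVATE KEY", _fake_der())
# One stray character after END CERTIFICATE, as described in the post above.
SAMPLE_STRAY = SAMPLE_OK.replace("-----END CERTIFICATE-----", "-----END CERTIFICATE-----x", 1)
# Key block missing entirely.
SAMPLE_NO_KEY = _pem_block("CERTIFICATE", _fake_der())

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("stray", SAMPLE_STRAY), ("nokey", SAMPLE_NO_KEY)]:
        print(name, "structure:", check_pem_structure(sample) or "OK")
        print(name, "openssl:", openssl_accepts(sample))
```

In practice you would point both checks at the candidate file and refuse to install it (or restart the web GUI) unless `check_pem_structure` returns an empty list and `openssl_accepts` returns `True`; with a real certificate and matching key, OpenSSL accepts the bundle regardless of whether there is a blank line between the blocks.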
Title: Re: WebUI not loading after SSL cert update
Post by: franco on December 11, 2020, 11:16:03 pm
Please report it here: https://redmine.lighttpd.net/projects/lighttpd/issues. It seems simple and sane enough to fix it at the source.

This only happens with imported certificates?

You can always revert the config from the console and choose "restart all services" afterwards.

Cheers,
Franco
Title: Re: WebUI not loading after SSL cert update
Post by: gstrauss on February 21, 2021, 09:16:26 pm
@mgsteve do you have the cert files that caused the error for you?  Can you share the exact files?  (Please do not share the private key.  If it is part of the ssl.pemfile or ssl.ca-file, then please remove the contents between "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" (or similar) before posting, but otherwise leave those lines as-is so that I can see the format of the file.)

I am a lighttpd developer and have been unable to reproduce the issue. I tried different combinations of stray chars at end of file, and differences in line endings ("\n" and "\r\n"), but lighttpd 1.4.59 with openssl 1.1.1i handles them just fine. lighttpd uses openssl routines to read certificate files, so I don't think this is an issue with lighttpd, but if lighttpd can detect the issue, maybe lighttpd can issue a better error trace.

Maybe the issue you were having was related to https://forum.opnsense.org/index.php?topic=20325.0 ?