OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: NUeB on January 11, 2021, 05:30:04 pm

Title: [SOLVED] Can't access opnsense web GUI after broken(?) update (…)
Post by: NUeB on January 11, 2021, 05:30:04 pm
Hello,

while updating to OPNsense 20.7.7_1 through the web interface, the update (or maybe just the browser, FF that is) got stuck in "updating…". After 15 minutes or so I tried reloading the page and got an error:
Quote
Secure Connection Failed

An error occurred during a connection to 10.6.69.1. Peer reports it experienced an internal error.

Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

Learn more…

That error now persists. I can no longer access the firewall (an APU4D4) through the web interface.

I can connect via serial or ssh, everything looks good to me (having no clue where to look for the problem…). An update from the console has nothing to do. Even after rebooting the firewall the problem persists.

Besides that everything seems to work as usual. What shall I do to get the web GUI back?
Title: Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
Post by: NUeB on January 11, 2021, 07:26:13 pm
/var/log/lighttpd.log looks like this:

Code:
Jan 11 19:20:59 sentinel lighttpd[82635]: (server.c.1508) server started (lighttpd/1.4.58)
Jan 11 19:20:59 sentinel lighttpd[82635]: (mod_deflate.c.546) DEPRECATED: compress.filetype replaced with deflate.mimetypes
Jan 11 19:20:59 sentinel lighttpd[82635]: (mod_deflate.c.559) DEPRECATED: compress.cache-dir replaced with deflate.cache-dir
Jan 11 19:21:10 sentinel lighttpd[82635]: (mod_openssl.c.1085) SSL: building cert chain for TLS server name (null): error:00000000:lib(0):func(0):reason(0)
Jan 11 19:21:10 sentinel lighttpd[82635]: (mod_openssl.c.3067) SSL: 1 error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error
Jan 11 19:21:12 sentinel lighttpd[82635]: (mod_openssl.c.1085) SSL: building cert chain for TLS server name (null): error:00000000:lib(0):func(0):reason(0)
Jan 11 19:21:12 sentinel lighttpd[82635]: (mod_openssl.c.3067) SSL: 1 error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error
Title: Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
Post by: robgnu on January 11, 2021, 09:12:00 pm
Hi,

if you use Let's encrypt for WebGUI try the following command:

> php /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode issue --all --force

Restart lighttpd after command run. (Or reboot machine).

Robert
Title: Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
Post by: NUeB on January 11, 2021, 10:05:12 pm
Quote
if you use Let's encrypt (…)

Thanks, but I use self signed certificates only.
Title: Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
Post by: NUeB on January 12, 2021, 09:20:35 pm
Just found this thread: https://forum.opnsense.org/index.php?topic=20514.0

… with the helpful console command:

Code:
opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart
Works for me.
Title: Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
Post by: NUeB on January 12, 2021, 10:03:16 pm
I found out that an expired self signed certificate seemed to be causing the previous problems. So I created a new one and made a dumb mistake — looks like I chose the wrong type, because FF now says:

Quote
Secure Connection Failed

An error occurred during a connection to 10.6.69.1. Certificate key usage inadequate for attempted operation.

Error code: SEC_ERROR_INADEQUATE_KEY_USAGE

I can still access the firewall via ssh.

Where is the opnsense configuration located in the filesystem? Where can I find the names of my self signed certificates, so that I can fix this manually?
Title: Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
Post by: gpb on January 13, 2021, 12:24:26 am
If you're using a 3rd party A/V, you may need to disable it temporarily, that's what I had to do.
Title: Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
Post by: franco on January 13, 2021, 08:34:33 am
Edit /conf/config.xml to remove the relevant "ssl-certref", e.g.

# grep -nr ssl-certref /conf/config.xml
264:      <ssl-certref>XXXXXXXXXXXX</ssl-certref>

(make sure this is the one under "webgui")

# vi /conf/config.xml
:264d

Then restart GUI to force a reissue:

# configctl webgui restart

With 21.1 going forward the following already works to simplify the process:

# configctl webgui restart renew


Cheers,
Franco
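franco's procedure above, written out as a script: this is an added example, not OPNsense project code. It works on a constructed config.xml (the refids, the "otherservice" section and the certificate descriptions are made up) so it runs offline; on a real firewall you would run it against /conf/config.xml and follow up with `configctl webgui restart`. The layout it assumes is the one franco refers to: the GUI's ssl-certref under <system><webgui>, and each certificate stored as a <cert> entry with a matching <refid>. It also prints the description of the certificate the refid points to, which is the "make sure this is the one under webgui" check done before the line is deleted.

```shell
#!/bin/sh
# Added example (not OPNsense project code). Removes the <ssl-certref> under
# <webgui> only, after taking a backup, and shows which certificate that refid
# points to so you can confirm it is the GUI certificate before deleting it.
# Assumption: config.xml layout <system><webgui><ssl-certref> and <cert><refid>.

# Print the refid currently bound to the web GUI (empty if none).
webgui_certref() {
    awk '/<webgui>/ { w = 1 }
         /<\/webgui>/ { w = 0 }
         w && /<ssl-certref>/ {
             sub(/.*<ssl-certref>/, ""); sub(/<\/ssl-certref>.*/, ""); print
         }' "$1"
}

# Print the <descr> of the <cert> entry whose <refid> equals $2.
cert_descr() {
    awk -v id="$2" '
        /<cert>/ { c = 1; refid = ""; descr = "" }
        c && /<refid>/ { refid = $0; sub(/.*<refid>/, "", refid); sub(/<\/refid>.*/, "", refid) }
        c && /<descr>/ { descr = $0; sub(/.*<descr>/, "", descr); sub(/<\/descr>.*/, "", descr) }
        /<\/cert>/ { c = 0; if (refid == id) print descr }
    ' "$1"
}

# Delete the webgui ssl-certref line (and nothing else), keeping a .bak copy.
# ssl-certref lines belonging to other sections are left alone.
drop_webgui_certref() {
    cp "$1" "$1.bak"
    awk '/<webgui>/ { w = 1 }
         /<\/webgui>/ { w = 0 }
         w && /<ssl-certref>/ { next }
         { print }' "$1.bak" > "$1"
}

# Constructed sample config: a GUI cert plus a second, unrelated ssl-certref.
make_sample_config() {
    cat > "$1" <<'EOF'
<?xml version="1.0"?>
<opnsense>
  <system>
    <webgui>
      <protocol>https</protocol>
      <ssl-certref>5ff48c1234567</ssl-certref>
      <port>443</port>
    </webgui>
  </system>
  <otherservice>
    <ssl-certref>5ff48c7654321</ssl-certref>
  </otherservice>
  <cert>
    <refid>5ff48c1234567</refid>
    <descr>Web GUI SSL certificate</descr>
  </cert>
  <cert>
    <refid>5ff48c7654321</refid>
    <descr>Some other service certificate</descr>
  </cert>
</opnsense>
EOF
}

cfg=$(mktemp -d)/config.xml
make_sample_config "$cfg"
ref=$(webgui_certref "$cfg")
echo "webgui ssl-certref: $ref ($(cert_descr "$cfg" "$ref"))"
drop_webgui_certref "$cfg"
echo "after edit, webgui ssl-certref: '$(webgui_certref "$cfg")'"
echo "ssl-certref lines left in file: $(grep -c '<ssl-certref>' "$cfg")"
# On the firewall: drop_webgui_certref /conf/config.xml && configctl webgui restart
rm -rf "$(dirname "$cfg")"
```

The awk patterns key on the literal `<webgui>` and `</webgui>` lines, so a `<ssl-certref>` that belongs to another service is never touched; the .bak copy is what you restore from if the GUI still does not come back after the restart.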
Title: Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
Post by: NUeB on January 13, 2021, 10:21:58 pm
Quote
Edit /conf/config.xml to remove the relevant "ssl-certref", e.g.

# grep -nr ssl-certref /conf/config.xml
264:      <ssl-certref>XXXXXXXXXXXX</ssl-certref>
Thanks a lot!  :)
Title: Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
Post by: NUeB on January 17, 2021, 04:51:08 pm
After installing a new self signed certificate, I can also upgrade lighttpd to version 1.4.58 again.

Problem solved. Thanks for the support.

(Also: reminder set to renew the certificate before expiry…)
Title: Re: [SOLVED] Can't access opnsense web GUI after broken(?) update (…)
Post by: franco on January 17, 2021, 08:00:52 pm
Thanks for confirming. We will do necessary steps to make this easier in 21.1.x. The lighttpd behavioural change and release timing is unfortunate and hard to trace in these cases.


Cheers,
Franco
Title: Re: [SOLVED] Can't access opnsense web GUI after broken(?) update (…)
Post by: gstrauss on February 20, 2021, 05:37:53 am
@Franco, lighttpd 1.4.56 migrates from old openssl interfaces (<= openssl 1.0.1) to newer openssl certificate callback interfaces, and lighttpd 1.4.56 tries to build the certificate chain when one is not provided.  The best solution is to provide the certificate chain:
Code:
    ssl.privkey= "/etc/lighttpd/certs/www.example.com/privkey.pem"
    ssl.pemfile= "/etc/lighttpd/certs/www.example.com/fullchain.pem"

I am a lighttpd developer and am looking into the "building cert chain" issue, which was only recently reported in https://redmine.lighttpd.net/boards/2/topics/9620

If you are aware of other issues with lighttpd, please post to https://redmine.lighttpd.net/boards/2/ so that lighttpd developers are aware of the issue, and you can link to forum.opnsense.org.
Title: Re: [SOLVED] Can't access opnsense web GUI after broken(?) update (…)
Post by: franco on February 20, 2021, 08:24:44 pm
Glenn,

Thanks for popping up here, really appreciate the help. :)

So no more ssl.ca-file, right?


Cheers,
Franco
Title: Re: [SOLVED] Can't access opnsense web GUI after broken(?) update (…)
Post by: gstrauss on February 20, 2021, 11:13:29 pm
> So no more ssl.ca-file, right?

Correct: if the full certificate chain is provided in ssl.pemfile, then ssl.ca-file is no longer needed for that purpose (building the certificate chain).

ssl.ca-file is still used for client certificate verification -- if that is enabled with ssl.verifyclient.* -- and might contain the certificates for the CA which issues the client certificates.
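To tie together the failure modes in this thread (NUeB's expired GUI certificate, the wrong-type certificate that Firefox rejected with SEC_ERROR_INADEQUATE_KEY_USAGE, and gstrauss's point about supplying the full chain in ssl.pemfile), here is an added example that is not lighttpd or OPNsense project code. It uses only the openssl CLI, builds a throw-away CA and server certificate under a temp directory (the CA name, the hostname fw.example.internal and all file names are made up), assembles the leaf-first fullchain.pem, and then runs the checks a practitioner would run on the files before pointing lighttpd at them.

```shell
#!/bin/sh
# Added example, not lighttpd or OPNsense project code. Only the openssl CLI
# is used; every name and path here is constructed for the demonstration.

# Build a throw-away CA and a CA-signed server cert in directory $1, then
# assemble the leaf-first bundle that lighttpd >= 1.4.56 expects in ssl.pemfile.
make_test_chain() {
    dir="$1"
    # serverAuth EKU is what marks this as a TLS *server* certificate; a CA or
    # client cert used here is what Firefox reports as inadequate key usage.
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:fw.example.internal\n' \
        > "$dir/server.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=fw.example.internal" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/server.ext" -out "$dir/server.pem" 2>/dev/null
    # Leaf first, issuer(s) after it. With this as ssl.pemfile, ssl.ca-file is
    # no longer needed for chain building (it is still used for verifyclient).
    cat "$dir/server.pem" "$dir/ca.pem" > "$dir/fullchain.pem"
}

# Number of certificates in a PEM bundle; a bare self-signed cert gives 1 and
# is already its own full chain.
pem_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Succeeds if the cert expires within $2 days. With 0 it answers "already
# expired?", which is the condition that broke the GUI in this thread.
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1   # openssl says "will not expire" within the window
    fi
    return 0
}

# Succeeds if the cert carries EKU serverAuth (printed by openssl as
# "TLS Web Server Authentication").
has_server_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'TLS Web Server Authentication'
}

# Succeeds if the first cert in bundle $1 chains to the CA in $2.
leaf_verifies() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Succeeds if private key $2 belongs to cert $1 (compares the public keys).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

demo() {
    d=$(mktemp -d)
    make_test_chain "$d"
    echo "certs in fullchain.pem: $(pem_cert_count "$d/fullchain.pem")"
    has_server_auth "$d/server.pem" && echo "leaf has EKU serverAuth"
    leaf_verifies "$d/fullchain.pem" "$d/ca.pem" && echo "leaf chains to ca.pem"
    key_matches_cert "$d/server.pem" "$d/server.key" && echo "server.key matches server.pem"
    expires_within_days "$d/server.pem" 0 || echo "leaf not expired"
    expires_within_days "$d/server.pem" 60 && echo "leaf expires within 60 days: schedule renewal"
    # Corresponding lighttpd stanza (paths are placeholders):
    #   ssl.privkey = "/path/to/server.key"
    #   ssl.pemfile = "/path/to/fullchain.pem"
    rm -rf "$d"
}

# Run the demonstration only when openssl is available.
if command -v openssl >/dev/null 2>&1; then demo; fi
```

Run against the real GUI certificate and key instead of the generated ones, the same four checks (expiry, serverAuth EKU, leaf verifies, key matches) cover every cause of the "cert cb error" and "inadequate key usage" symptoms reported in this thread; the `expires_within_days` call with a window of a few weeks is the renewal reminder NUeB mentions setting.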