Messages - NUeB

#1
Quote from: Koldnitz on January 30, 2022, 06:15:20 PM
I ran the firmware healthcheck and noticed I had the same missing dependency on my system.

Thanks for the hint. I've now checked this on my box, under OPNsense 21.7.8 the dependencies are alright:

# pkg info -dx py37-markupsafe
py37-markupsafe-1.1.1_1:
        python37-3.7.11
        py37-setuptools-57.0.0


but after upgrading to 22.1 it's broken just like you reported (and has to be removed manually as shown before).

As I cannot remember having had any "3rd party" stuff installed, and I know that I didn't install anything manually, I do blame the OPNsense update / upgrade for not cleaning this up in the first place: while 22.1 was being installed, the very first steps were removing all Python 3.7 stuff, except for that package (sadly I was too slow to grab a screenshot of that).
#2
Quote from: zauopn on January 30, 2022, 08:15:34 AM
Any help would be appreciated. Thanks.

After some reading I came to the conclusion that py37-markupsafe is no longer needed. So I removed it:

# pkg delete py37-markupsafe
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 1 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        py37-markupsafe: 1.1.1_1

Number of packages to be removed: 1

Proceed with deinstalling packages? [y/N]: y
[1/1] Deinstalling py37-markupsafe-1.1.1_1...
[1/1] Deleting files for py37-markupsafe-1.1.1_1: 100%


... I did this on my backup machine first to see if any side effects occur. If not, I will do this on my production box after upgrading that one too.
#3
I also get these messages about Python37 after the upgrade to 22.1.

I cannot remember having installed any third party repo / manual ports. I have never seen these messages before, although I always update on the console.

'pkg updating' does not help me out...

# pkg updating
pkg: Unable to open: /usr/ports/UPDATING


Any hints on how to fix this appreciated, TIA.


Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0

>>> Missing package dependencies were detected.
>>> Found 2 issue(s) in the package database.

pkg-static: No packages available to install matching 'python37' have been found in the repositories
pkg-static: No packages available to install matching 'py37-setuptools' have been found in the repositories
>>> Summary of actions performed:

python37 dependency failed to be fixed
py37-setuptools dependency failed to be fixed

>>> There are still missing dependencies.
>>> Try fixing them manually.

>>> Also make sure to check 'pkg updating' for known issues.


#4
After installing a new self-signed certificate, I can also upgrade lighttpd to version 1.4.58 again.

Problem solved. Thanks for the support.

(Also: reminder set to renew the certificate before expiry...)
#5
Quote from: franco on January 13, 2021, 08:34:33 AM
Edit /conf/config.xml to remove the relevant "ssl-certref", e.g.

# grep -nr ssl-certref /conf/config.xml
264:      <ssl-certref>XXXXXXXXXXXX</ssl-certref>

Thanks a lot!  :)
#6
I found out that an expired self-signed certificate seemed to be causing the previous problems. So I created a new one and made a dumb mistake: looks like I chose the wrong type, because FF now says:

Quote:
Secure Connection Failed

An error occurred during a connection to 10.6.69.1. Certificate key usage inadequate for attempted operation.

Error code: SEC_ERROR_INADEQUATE_KEY_USAGE

I can still access the firewall via ssh.

Where is the OPNsense configuration located in the filesystem? Where can I find the names of my self-signed certificates, so that I can fix this manually?
#7
Just found this thread: https://forum.opnsense.org/index.php?topic=20514.0

... with the helpful console command:

opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart

Works for me.
#8
Quote from: robgnu on January 11, 2021, 09:12:00 PM
if you use Let's encrypt (...)

Thanks, but I use self signed certificates only.
#9
/var/log/lighthttpd.log looks like this:

Jan 11 19:20:59 sentinel lighttpd[82635]: (server.c.1508) server started (lighttpd/1.4.58)
Jan 11 19:20:59 sentinel lighttpd[82635]: (mod_deflate.c.546) DEPRECATED: compress.filetype replaced with deflate.mimetypes
Jan 11 19:20:59 sentinel lighttpd[82635]: (mod_deflate.c.559) DEPRECATED: compress.cache-dir replaced with deflate.cache-dir
Jan 11 19:21:10 sentinel lighttpd[82635]: (mod_openssl.c.1085) SSL: building cert chain for TLS server name (null): error:00000000:lib(0):func(0):reason(0)
Jan 11 19:21:10 sentinel lighttpd[82635]: (mod_openssl.c.3067) SSL: 1 error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error
Jan 11 19:21:12 sentinel lighttpd[82635]: (mod_openssl.c.1085) SSL: building cert chain for TLS server name (null): error:00000000:lib(0):func(0):reason(0)
Jan 11 19:21:12 sentinel lighttpd[82635]: (mod_openssl.c.3067) SSL: 1 error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error
#10
Hello,

While updating to OPNsense 20.7.7_1 through the web interface, the update (or maybe just the browser, FF that is) got stuck in "updating...". After 15 minutes or so I tried reloading the page and got an error:

Quote:
Secure Connection Failed

An error occurred during a connection to 10.6.69.1. Peer reports it experienced an internal error.

Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

Learn more...

That error now persists. I can no longer access the firewall (an APU4D4) through the web interface.

I can connect via serial or ssh, everything looks good to me (having no clue where to look for the problem...). An update from console has nothing to do. Even after rebooting the firewall the problem persists.

Besides that everything seems to work as usual. What shall I do to get the web GUI back?
#11
Final update: @franco — your guess was absolutely right, it was the SSD in the old firewall.

I now installed a new SSD to the old FW and set up OPNsense with the latest configuration & updates. It's running perfectly fine. So now I have a hardware backup, just in case...  :)
#12
The new hardware is here... and running!  :)

Installation from USB and via serial console was absolutely simple. Then I downloaded the configuration from the new box and compared it to the one saved from the old box. I just had to change the interfaces' device names (like from <if>re0</if> to <if>igb0</if> and so on) and upload that modified configuration to the firewall.

After a restart, it came up and looked just like the old firewall. After allowing the new MAC to access WAN in the FritzBox, everything is working as it is supposed to.

So, migration really was an easy job. Thanks again, @franco, for pointing me to the hardware error and to everyone in OPNsense for their support!
#13
Thanks.  :)

New hardware is ordered, I'll keep you updated...
#14
@franco - I guess that makes sense.  :( Thanks.

Best idea (to me) seems to be to buy completely new hardware which I can set up as long as the old one's still running. I'm in home office at least until October, so this might minimize the risk of being offline for several days.

Is migration as easy as

  • back up the configuration of the old FW (I do so regularly)
  • set up new hardware with freshly installed OPNsense 20.7
  • upload configuration to new FW
  • use new FW
? Or are there any how-to-migrate instructions I can follow?

Any opinions on the PC Engines APU4D4 as a replacement? Old APU1D4 was never running high load; the APU4D4 is faster (and is even cheaper today).
#15
Sorry, I should have mentioned that there is no USB stick or any other device attached to the router.

It only has one single internal M2 SSD, no other drives, extension cards or else. The hardware was not modified after I set it up in 2015.

And something's gone really wrong... I cannot log in to the console after the FW is up for some time.