Messages

The easiest fix would be to add "preserve" to both options, so you can individually update A and AAAA without deleting the other one.
I use the native backend, not sure if ddclient haves different

Hello,
I just came across exactly the same issue.
Is this something being worked on? Did you open a FR ticket for it?
The only workaround I see right now is to create separate hosts for v4 and v6 in deSEC.
I would really love to have ab option to update both A and AAAA record in one go.
Did someone try to implement this as custom?

thanks, Till

It works on my system after upgrade.

that works. Thanks for the hint.

Can I run my own automation script in the acme plugin? It seems to only have a list of commands to choose from.
thanks! Till

I actually got this working by using trust/cert/get

Thank you Cedrik, this was a good hint.
It actually pointed me towards the generate_file action that can (according to the browser session dump) generate crt,prv and pkcs12 files.
However there are two things to notice:
- The documentation says it requires POST while the browser session uses GET
- Neither does work with cURL. CSRF issue? I only get {"status":"failed"} as a response.
Has anyone ever tried this outside of an authenticated browser session?

Thanks for your help and kind regards, Till

Hi,
according to the docs:
https://docs.opnsense.org/development/api/core/trust.html
There is a raw_dump function. I assume it can be used to export a full certificate incl private key?
When I try to use it, it returns 404.
Does it exist?
I have a dedicated "api" user with the privileges: "System: Certificate Manager"
I have successfully tested it and parsed out the UUID by using:

Code Select Expand

CERT_UUID=$(curl -s -u "$API_KEY:$API_SECRET" "$HOST/api/trust/cert/search" | jq -r '.rows[] | select(.commonname == "<my common name>") | .uuid')Now when I run:

Code Select Expand

curl  -v -u "$API_KEY:$API_SECRET" "$HOST/api/trust/cert/raw_dump?uuid=$CERT_UUID"it returns 404.
Any hint?
I am running on 25.1.10.

thank you!

I had a couple of situations recently where my firewall got very unresponsive on some services incl the Web UI. Logging into the Web UI then takes up to a minute.
The only thing that helped getting back to normal was a reboot then. How can I diagnose what'S going on?
Some logs on the CLI which I could monitor when it happens?
The system is a an Atom CPU C3558 @ 2.20GHz (4 cores, 4 threads) with 64Gb RAM and ZFS mirrored boot device, latest version installed, all updates.
It does run Zenarmor an I have seen mongod consuming quite some CPU cycles but normally that isn't an issue.
Any hint on how to track this down next time it happens is appreciated.
TIA!

Anyone got a hint for me?
I use the ACME client to manage a number of certificates.
I would like to have an automation that sends me an email when a particular certificate has been renewed.
Any idea how to do that?
I thought about using monit in any way for that but have no clue how.
Thanks for any hint.
-Till

Das geht theoretisch - da muss normalerweise aber der ISP mitspielen, dass er die ONT-ID bei sich einträgt. Normal ist nur die ID des mitgelieferten ONT hinterlegt. Wegen Endgerätefreiheit müssen die ISPs das zwar zulassen, tun es aber sehr ungern.

Das ist auch insofern problematisch, weil Du so kein Backup hast (Highlander-Regel: es kann nur einen geben). Besser klappt es, wenn man die ID des originalen ONTs auslesen kann - das geht bei DG aber, je nach Ausbaugebiet und verbauter Technik, eventuell nicht.

Noch ein Nachteil dabei ist: Support macht DG nur für die eigene Technik.

Das ist m.E. den Stress nicht wert.

Guter Punkt.

Am Rande bemerkt: in der c't war kürzlich ein Artikel wie man ein zyxel pmg3000 für openwrt am Telekom Glasfaser Anschluss verwendet. Das ist ein SFP Slot Modem. Ggf läuft das auch unter OPNsense und an anderen Glasfaser Anschlüssen. Ich fand das ganz sexy das man kein zusätzliches externes Modem braucht.

That doesn't look related to my problem. Did you check you can resolve these addresses?
I can:

Code Select Expand

> set q=AAAA
> mirror.sfo12.us.leaseweb.net
Server: 2003:e6:7744:8501:242:43ff:feae:1c
Address: 2003:e6:7744:8501:242:43ff:feae:1c#53

Non-authoritative answer:
mirror.sfo12.us.leaseweb.net has AAAA address 2605:fe80:2100:b001::5187

So it might be a DNS problem on your end.

When I change from ddclient to native client, do I need to recreate all host records? Because the logs still show "ddclient" as process being used.
Thanks!

I think I have been spoiled by all the smooth upgrades I had in the past. This time it was all but smooth.
The server went unresponsive multiple times (had to hard-reboot), web gui not responding, LAN interface got unresponsive after a few minutes being up. I finally have it running now, but still occasionally can't connect to the web UI.
I have submitted a crash report. What else can I do to help?

I also now have this error message popping up in backend log every hour:

Code Select Expand

[07bbd436-4c8f-446a-9205-24455d9ba5f5] Script action stderr returned "b'Traceback (most recent call last):\n File "/usr/local/opnsense/scripts/OPNsense/Zenarmor/sensei-db-version.py", line 11, in <module>\n from packaging import version\nImportError: cannot import name \'version\' from \'packaging\' (unknown location)'"
Is Zenarmor fully supported with this release?
Thank you for your great work!