Messages - yodaphone

#1
I have a VM running Ubuntu and I'm trying to obtain a cert via an http-01 challenge.
I have forwarded ports 80 & 443 to the IP address of the VM and also set up Unbound & DNS (Cloudflare) to point to my WAN address.

When I try to obtain a certificate using certbot on the VM, it errors out with this message. Any idea why this is failing?

The application I am using has some issues with reverse proxies, and hence I had to obtain a cert directly. However, I also have Caddy configured on my firewall, & if I get a cert using a DNS-01 challenge, that works fine for the same domain.

Any idea why I'm getting the "Timeout during connect (likely firewall problem)" error?


sudo certbot --nginx --preferred-challenges http --agree-tos --no-eff-email -v --staging -d rust.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Requesting a certificate for rust.mydomain.com
Performing the following challenges:
http-01 challenge for rust.mydomain.com
Waiting for verification...
Challenge failed for domain rust.mydomain.com
http-01 challenge for rust.mydomain.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: rust.mydomain.com
  Type:   connection
  Detail: x.x.x.x: Fetching http://rust.mydomain.com/.well-known/acme-challenge/7RkJ4hMZ8-muJIFtuJ2nz4XnLVdK0TF7t8tkebRG-Xk: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.


Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

2025-04-14 11:45:16,282:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2025-04-14 11:45:16,282:DEBUG:certbot._internal.error_handler:Calling registered functions
2025-04-14 11:45:16,282:INFO:certbot._internal.auth_handler:Cleaning up challenges
2025-04-14 11:45:17,437:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==2.9.0', 'console_scripts', 'certbot')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1894, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1450, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 143, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 517, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 428, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 496, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, self.config, best_effort)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2025-04-14 11:45:17,443:ERROR:certbot._internal.log:Some challenges have failed.

The Live View in the firewall logs appears to show the traffic being passed.
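The error above is the CA's own fetch of http://rust.mydomain.com/.well-known/acme-challenge/&lt;token&gt; timing out at the TCP connect, before any HTTP exchange. The quickest way to separate "port 80 is not reachable from the internet" from "port 80 is reachable but nginx is not serving the token" is to repeat that fetch yourself, from a host outside the LAN (a hairpin-NAT test from inside can succeed while the outside world still times out). The script below is an added example, not part of the forum post or of certbot: it computes the key authorization the validator expects (RFC 8555 section 8.1: token + "." + RFC 7638 JWK thumbprint of the account key), fetches the token path with the real Host header against whatever IP you name, and classifies the outcome. It assumes the RFC 7638 sample RSA key in place of your real account key, the token string copied from the log above, and a throwaway local HTTP server standing in for nginx so the whole thing runs offline; the `connect_ip` parameter is there so you can point it at the WAN address directly instead of relying on DNS. Two things worth checking with it: that the Cloudflare record for the name is DNS-only rather than proxied (a proxied record makes the CA connect to Cloudflare, not your WAN address), and that nothing on the firewall itself, such as a reverse proxy bound to port 80, is accepting the connection before the port forward applies.

```python
"""Reproduce the HTTP-01 fetch a CA validator performs and classify the result.

Added example (not from the forum post or certbot). The JWK is the sample RSA key
from RFC 7638 section 3.1, the token is the one from the posted certbot log, and
the local server below stands in for nginx so the example runs offline.
"""
import base64
import hashlib
import http.client
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# RFC 7638 section 3.1 sample key (constructed test data, not a real account key).
# The RFC lists its thumbprint as NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs.
SAMPLE_JWK = {
    "kty": "RSA",
    "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}
SAMPLE_TOKEN = "7RkJ4hMZ8-muJIFtuJ2nz4XnLVdK0TF7t8tkebRG-Xk"  # token from the posted log


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: base64url(SHA-256(canonical JSON of the required members only))."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the body the validator expects at the token path."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def probe_http01(host, token, expected, connect_ip=None, port=80, timeout=5.0):
    """GET the challenge like a CA would; connect_ip bypasses DNS (e.g. your WAN IP)."""
    target = connect_ip or host
    try:
        conn = http.client.HTTPConnection(target, port, timeout=timeout)
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        conn.close()
    except socket.timeout:
        return {"ok": False, "reason": "timeout during connect/read (port 80 not reachable from here)", "body": None}
    except ConnectionRefusedError:
        return {"ok": False, "reason": "connection refused (host reached, nothing listening on the port)", "body": None}
    except OSError as exc:
        return {"ok": False, "reason": f"socket error: {exc}", "body": None}
    if resp.status != 200:
        return {"ok": False, "reason": f"HTTP {resp.status} (web server reached, token path not served)", "body": body}
    if body != expected:
        return {"ok": False, "reason": "HTTP 200 but key authorization mismatch (wrong vhost or stale file)", "body": body}
    return {"ok": True, "reason": "challenge content matches", "body": body}


class _ChallengeHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for nginx serving certbot's temporary challenge file."""
    challenges = {}  # path -> body

    def do_GET(self):
        body = self.challenges.get(self.path)
        data = (body if body is not None else "not found").encode("ascii")
        self.send_response(200 if body is not None else 404)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_challenge(token, content):
    """Start the stand-in server on a random loopback port; returns (server, port)."""
    _ChallengeHandler.challenges[CHALLENGE_PREFIX + token] = content
    srv = HTTPServer(("127.0.0.1", 0), _ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Probe a served token and a missing one; returns the two result dicts."""
    expected = key_authorization(SAMPLE_TOKEN, SAMPLE_JWK)
    srv, port = serve_challenge(SAMPLE_TOKEN, expected)
    try:
        good = probe_http01("rust.mydomain.com", SAMPLE_TOKEN, expected, "127.0.0.1", port, 3)
        missing = probe_http01("rust.mydomain.com", "no-such-token", expected, "127.0.0.1", port, 3)
    finally:
        srv.shutdown()
        srv.server_close()
    return good, missing


if __name__ == "__main__":
    for result in demo():
        print(result["ok"], "-", result["reason"])
```

Against a real deployment, call `probe_http01("rust.mydomain.com", token, expected, connect_ip="<WAN IP>")` from a machine outside the LAN while certbot is waiting (for example with `certbot --nginx --dry-run` running in another window, or with a manually placed file under the webroot); a timeout there reproduces the CA's view, a 404 means the forward works and the problem is in nginx's vhost selection instead.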

#2
Upgraded to 25.1.1 from the 24.7 series & now most of the services/plugins I have do not start automatically, e.g. AdGuard (my DNS lookups fail without this starting), CrowdSec, Insight Aggregator, RedisDB, vnStat & IDS. Unbound starts, though. I have to manually start them from the dashboard. Any idea why this is happening & how to fix it?
#3
Thanks, that worked.
#4
Bump!! Anyone, please?
#5
I have 2 FWs at 2 sites, A & B, that are connected over a site-to-site WireGuard tunnel.

Site A has 2 networks: 192.168.11.1/24 (primary LAN) and another LAN net, 192.168.1.1/24.

I have WAN on igb0 (interface name WAN)

LAN 1 192.168.11.1/24 on igb1 (interface name LAN)

LAN 2 192.168.1.1/24 on igb2 (interface name LABMACHINES)

All independent physical interfaces.

I'm able to ping/access between 11.1/24 & 1.1/24 without any issues.

I'm also able to ping/access between 11.1/24 & 2.1/24 both ways.

Site B has 1 network, 192.168.2.2/24.

How do I access 192.168.2.2/24 from Site A LAN net 192.168.1.1/24, & 192.168.1.1/24 from Site B?

What rules do I need to make this happen, please?
#6
UPDATE:

I disabled "Unbound DNS reporting" & this seems to have somewhat addressed the issue, but it still persists.
#7
Just updated to OPNsense 23.1.r_20, but now I'm seeing some spikes in CPU usage, mainly caused by python3.9, & it hits 100% usage sometimes.

Please see the attached animated GIF of top output.

Any idea why this is happening? I haven't seen this before.

My FW
Intel(R) Celeron(R) CPU 3865U @ 1.80GHz
4GB RAM
ZFS
#8
22.1 Legacy Series / Wireguard Speed Issue
March 21, 2022, 04:59:58 PM
After I upgraded to 22.1.3, I'm having a weird WireGuard S2S issue.

1. Both use 22.1.3 with the WG kmod.
2. When I do an iperf test, SITE A to SITE B gives me an avg. of 14 Mbps (which is normal).
3. When I do an iperf test, SITE B to SITE A gives me an avg. of 322 Kbits/sec :o

The pings from either side are pretty much the same.

From SITE A TO SITE B

iperf3 -c 192.168.3.1 (SITE B)
Connecting to host 192.168.3.1, port 5201
[  5] local 10.17.0.1 port 20525 connected to 192.168.3.1 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec   213 KBytes  1.74 Mbits/sec    0   96.2 KBytes
[  5]   1.00-2.00   sec  1.25 MBytes  10.5 Mbits/sec    0    490 KBytes
[  5]   2.00-3.01   sec  3.31 MBytes  27.6 Mbits/sec  113    208 KBytes
[  5]   3.01-4.00   sec  3.22 MBytes  27.1 Mbits/sec  236    442 KBytes
[  5]   4.00-5.00   sec  1.64 MBytes  13.8 Mbits/sec    0    448 KBytes
[  5]   5.00-6.00   sec  1.56 MBytes  13.1 Mbits/sec    0    452 KBytes
[  5]   6.00-7.00   sec  1.62 MBytes  13.6 Mbits/sec    0    457 KBytes
[  5]   7.00-8.00   sec  1.07 MBytes  9.00 Mbits/sec    1    232 KBytes
[  5]   8.00-9.00   sec   832 KBytes  6.82 Mbits/sec    0    238 KBytes
[  5]   9.00-10.00  sec   870 KBytes  7.12 Mbits/sec    0    242 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  15.5 MBytes  13.0 Mbits/sec  350             sender
[  5]   0.00-10.27  sec  13.8 MBytes  11.2 Mbits/sec                  receiver

PING STATS


ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes
64 bytes from 192.168.3.1: icmp_seq=0 ttl=64 time=268.734 ms
64 bytes from 192.168.3.1: icmp_seq=1 ttl=64 time=268.170 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=64 time=267.838 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=64 time=268.463 ms
64 bytes from 192.168.3.1: icmp_seq=4 ttl=64 time=268.048 ms
64 bytes from 192.168.3.1: icmp_seq=5 ttl=64 time=267.684 ms
64 bytes from 192.168.3.1: icmp_seq=6 ttl=64 time=267.763 ms
^C
--- 192.168.3.1 ping statistics ---
7 packets transmitted, 7 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 267.684/268.100/268.734/0.358 ms



From SITE B TO SITE A

iperf3 -c 192.168.11.1 -p 5201
Connecting to host 192.168.11.1, port 5201
[  5] local 10.17.0.2 port 34521 connected to 192.168.11.1 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.01   sec   118 KBytes   955 Kbits/sec    1   22.7 KBytes
[  5]   1.01-2.00   sec   114 KBytes   940 Kbits/sec    1   14.7 KBytes
[  5]   2.00-3.00   sec  40.1 KBytes   329 Kbits/sec    2   9.38 KBytes
[  5]   3.00-4.00   sec  14.7 KBytes   120 Kbits/sec    2   5.37 KBytes
[  5]   4.00-5.00   sec  26.7 KBytes   218 Kbits/sec    0   10.8 KBytes
[  5]   5.00-6.00   sec  30.7 KBytes   252 Kbits/sec    1   9.40 KBytes
[  5]   6.00-7.00   sec  32.1 KBytes   263 Kbits/sec    0   13.4 KBytes
[  5]   7.00-8.01   sec  37.4 KBytes   304 Kbits/sec    1   10.7 KBytes
[  5]   8.01-9.00   sec  44.1 KBytes   363 Kbits/sec    1   8.04 KBytes
[  5]   9.00-10.01  sec  21.4 KBytes   173 Kbits/sec    1   5.37 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.01  sec   479 KBytes   392 Kbits/sec   10             sender
[  5]   0.00-10.29  sec   405 KBytes   322 Kbits/sec                  receiver

PING STATS

ping 192.168.11.1
PING 192.168.11.1 (192.168.11.1): 56 data bytes
64 bytes from 192.168.11.1: icmp_seq=0 ttl=64 time=267.604 ms
64 bytes from 192.168.11.1: icmp_seq=1 ttl=64 time=268.597 ms
64 bytes from 192.168.11.1: icmp_seq=2 ttl=64 time=268.139 ms
64 bytes from 192.168.11.1: icmp_seq=3 ttl=64 time=269.240 ms
64 bytes from 192.168.11.1: icmp_seq=4 ttl=64 time=268.669 ms
64 bytes from 192.168.11.1: icmp_seq=5 ttl=64 time=270.352 ms
64 bytes from 192.168.11.1: icmp_seq=6 ttl=64 time=270.733 ms
64 bytes from 192.168.11.1: icmp_seq=7 ttl=64 time=269.979 ms
64 bytes from 192.168.11.1: icmp_seq=8 ttl=64 time=267.509 ms
^C
--- 192.168.11.1 ping statistics ---
9 packets transmitted, 9 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 267.509/268.980/270.733/1.107 ms


There was no change in config from the previous version. I tried setting the MTU to 1420 but still no luck.

Any help will be greatly appreciated.

PS: Tried it with a WireGuard client from SITE A to SITE B, same issue.

#9
I too have this issue.
#10
Thank you for your suggestions.

I finally figured it out.

I had AdGuard Home & had to move these two lines to the top of the Bootstrap DNS Servers list under DNS Settings for this to work:

192.168.11.1:5353 (my firewall IP)
127.0.0.1:5353

They were the first 2 in the Upstream DNS Servers box, but I guess they need to be at the top in both places.

#11
BUMP!!!

Anyone, please help.
#12
I recently migrated from pfSense.

I've configured the host overrides to map internal IPs to hosts, but I can't ping them or connect to them. These hosts are also defined in my Cloudflare DNS server. Instead of resolving the internal IP, it returns the external IP of the firewall.

Any ideas as to why this happens?

For e.g. my bitwarden.domain.com is mapped to an internal IP 192.168.15.4 in Unbound Host Overrides.
When I ping bitwarden.domain.com, it returns the external IP.

This used to work for me in pfSense, where it returned the internal IP. I have flushed the cache etc. I had raised this issue in the legacy 20.1 series too but had no solution. Yes, all these IPs/hosts are configured on Cloudflare with ACME.

Any ideas how to get this to resolve the internal IP?
#13
21.1 Legacy Series / Reboot stuck in 2 processes
June 17, 2021, 01:51:58 PM
Whenever I reboot my OPNsense box, the reboot pauses for a long time in these 2 steps. Any idea what's causing it?

1. "Configuring DNS Clients"
2. >>Invoking start script "newwanip"
Reconfiguring IPV4 on eth0

The process is kinda stuck for 2 minutes at each instance.

Any idea what's causing this delay?
#14
Quote from: Jaxon on April 12, 2021, 10:59:42 PM
2) Now, if I change the following, I get the reverse behaviour. Inside AdGuard's Top Clients, I can see only IPs (no host names), but upstream DNS is now showing up as 108.162.218.241 (Cloudflare).

Adguard/DNS Settings:
127.0.0.1:5353
1.1.1.1
1.0.0.1


I've also experimented with a few things to no avail, like:

[/168.192.in-addr.arpa/]127.0.0.1:5353

[/168.192.in-addr.arpa/]127.0.0.1

[/168.192.in-addr.arpa/]192.168.0.1:5353

[/168.192.in-addr.arpa/]192.168.0.1

Do you have any suggestions what I might be doing wrong?

Hi, were you able to solve this? All I see are IP addresses. I have way too many devices/clients to enter them manually.
#15
Quote from: yeraycito on April 13, 2021, 09:04:18 PM

- Follow the tutorial explained above for AdGuard.

Do we need both? Can one not configure just NextDNS without AdGuard?