Messages - TheZeke

#1
Banging my head against the wall here. 

A new certificate in the UI shows pending/failed for this cert but it shows as validated and installed in the logs...

VERSION INFO:

OPNsense 19.7.6-amd64
FreeBSD 11.2-RELEASE-p14-HBSD
OpenSSL 1.0.2t 10 Sep 2019


IMAGE: (screenshot of the certificate list; its text is transcribed below)

TEXT:
www.example.com pending validation failed 2019-11-13, 4:42:17 PM

But the log shows that it is being issued, validated and installed.

LOGS:

[Wed Nov 13 19:42:13 EST 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed Nov 13 19:42:13 EST 2019] DOMAIN_PATH='/var/etc/acme-client/home/www.example.com'
[Wed Nov 13 19:42:13 EST 2019] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Wed Nov 13 19:42:13 EST 2019] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Wed Nov 13 19:42:13 EST 2019] GET
[Wed Nov 13 19:42:13 EST 2019] url='https://acme-v02.api.letsencrypt.org/directory'
[Wed Nov 13 19:42:13 EST 2019] timeout=
[Wed Nov 13 19:42:13 EST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Wed Nov 13 19:42:13 EST 2019] ret='0'
[Wed Nov 13 19:42:13 EST 2019] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Wed Nov 13 19:42:13 EST 2019] ACME_NEW_AUTHZ
[Wed Nov 13 19:42:13 EST 2019] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Nov 13 19:42:13 EST 2019] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Nov 13 19:42:13 EST 2019] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Wed Nov 13 19:42:13 EST 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Wed Nov 13 19:42:13 EST 2019] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Nov 13 19:42:13 EST 2019] ACME_VERSION='2'
[Wed Nov 13 19:42:13 EST 2019] Le_NextRenewTime='1578789378'
[Wed Nov 13 19:42:13 EST 2019] _on_before_issue
[Wed Nov 13 19:42:13 EST 2019] _chk_main_domain='www.example.com'
[Wed Nov 13 19:42:13 EST 2019] _chk_alt_domains
[Wed Nov 13 19:42:13 EST 2019] Le_LocalAddress
[Wed Nov 13 19:42:13 EST 2019] d='www.example.com'
[Wed Nov 13 19:42:13 EST 2019] Check for domain='www.example.com'
[Wed Nov 13 19:42:13 EST 2019] _currentRoot='/var/etc/acme-client/challenges'
[Wed Nov 13 19:42:13 EST 2019] d
[Wed Nov 13 19:42:13 EST 2019] _saved_account_key_hash is not changed, skip register account.
[Wed Nov 13 19:42:13 EST 2019] Signing from existing CSR.
[Wed Nov 13 19:42:13 EST 2019] Getting domain auth token for each domain
[Wed Nov 13 19:42:13 EST 2019] d
[Wed Nov 13 19:42:13 EST 2019] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Nov 13 19:42:13 EST 2019] payload='{"identifiers": [{"type":"dns","value":"www.example.com"}]}'
[Wed Nov 13 19:42:13 EST 2019] RSA key
[Wed Nov 13 19:42:14 EST 2019] HEAD
[Wed Nov 13 19:42:14 EST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Nov 13 19:42:14 EST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g  -I  '
[Wed Nov 13 19:42:14 EST 2019] _ret='0'
[Wed Nov 13 19:42:14 EST 2019] POST
[Wed Nov 13 19:42:14 EST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Nov 13 19:42:14 EST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Wed Nov 13 19:42:15 EST 2019] _ret='0'
[Wed Nov 13 19:42:15 EST 2019] code='201'
[Wed Nov 13 19:42:15 EST 2019] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/18203393/1506918997'
[Wed Nov 13 19:42:15 EST 2019] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/18203393/1506918997'
[Wed Nov 13 19:42:15 EST 2019] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/1227092248'
[Wed Nov 13 19:42:15 EST 2019] payload
[Wed Nov 13 19:42:15 EST 2019] POST
[Wed Nov 13 19:42:15 EST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/1227092248'
[Wed Nov 13 19:42:15 EST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Wed Nov 13 19:42:15 EST 2019] _ret='0'
[Wed Nov 13 19:42:15 EST 2019] code='200'
[Wed Nov 13 19:42:15 EST 2019] d='www.example.com'
[Wed Nov 13 19:42:15 EST 2019] Getting webroot for domain='www.example.com'
[Wed Nov 13 19:42:15 EST 2019] _w='/var/etc/acme-client/challenges'
[Wed Nov 13 19:42:15 EST 2019] _currentRoot='/var/etc/acme-client/challenges'
[Wed Nov 13 19:42:15 EST 2019] entry='"type":"http-01","status":"valid","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/1227092248/XxhdjA","token":"Mz6G_rGWVo5h3I2Bex-sdg864DRJlJXoDjzM6kYnxuE","validationRecord":[{"url":"http://www.example.com/.well-known/acme-challenge/Mz6G_rGWVo5h3I2Bex-sdg864DRJlJXoDjzM6kYnxuE","hostname":"www.example.com","port":"80","addressesResolved":["xxx.xxx.xxx.xxx"],"addressUsed":"xxx.xxx.xxx.xxx"'
[Wed Nov 13 19:42:15 EST 2019] token='Mz6G_rGWVo5h3I2Bex-sdg864DRJlJXoDjzM6kYnxuE'
[Wed Nov 13 19:42:15 EST 2019] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/1227092248/XxhdjA'
[Wed Nov 13 19:42:15 EST 2019] keyauthorization='Mz6G_rGWVo5h3I2Bex-sdg864DRJlJXoDjzM6kYnxuE.82BCX5MHm5ak1HPtihc6YXMZscPcc8Zo5kxRP8MYn5Y'
[Wed Nov 13 19:42:15 EST 2019] www.example.com is already verified.
[Wed Nov 13 19:42:15 EST 2019] keyauthorization='verified_ok'
[Wed Nov 13 19:42:15 EST 2019] dvlist='www.example.com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/chall-v3/1227092248/XxhdjA#http-01#/var/etc/acme-client/challenges'
[Wed Nov 13 19:42:15 EST 2019] d
[Wed Nov 13 19:42:15 EST 2019] vlist='www.example.com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/chall-v3/1227092248/XxhdjA#http-01#/var/etc/acme-client/challenges,'
[Wed Nov 13 19:42:15 EST 2019] d='www.example.com'
[Wed Nov 13 19:42:15 EST 2019] www.example.com is already verified, skip http-01.
[Wed Nov 13 19:42:15 EST 2019] ok, let's start to verify
[Wed Nov 13 19:42:15 EST 2019] www.example.com is already verified, skip http-01.
[Wed Nov 13 19:42:15 EST 2019] pid
[Wed Nov 13 19:42:15 EST 2019] No need to restore nginx, skip.
[Wed Nov 13 19:42:15 EST 2019] _clearupdns
[Wed Nov 13 19:42:15 EST 2019] dns_entries
[Wed Nov 13 19:42:15 EST 2019] skip dns.
[Wed Nov 13 19:42:15 EST 2019] Verify finished, start to sign.
[Wed Nov 13 19:42:15 EST 2019] i='2'
[Wed Nov 13 19:42:15 EST 2019] j='26'
[Wed Nov 13 19:42:15 EST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/18203393/1506918997
[Wed Nov 13 19:42:15 EST 2019] url='https://acme-v02.api.letsencrypt.org/acme/finalize/18203393/1506918997'
[Wed Nov 13 19:42:15 EST 2019] payload='{"csr": "MIIEnzCCAocCAQAwHTEbMBkGA1UEAwwSZ2l0LmFidXNlLml3ZWIuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzZIOKqZtLqlPDX3eQ-y2BFHVNUhwbYm4yegPUJB9r-UgzG7JbpZUXPWNv9xii15OIjF9rYESOQb7XelJEqpp11gm2XB56tgVdmdr4yE8_WpZYC-f7FQbli5KTP_j8-hlfRu3rRhrV7RJkbMeKe5OpvwF6ZvLQ9KqdakHqh4dUQGZMFXD1a29UMdycRoOwk4APd3Eqb8Ze0lIDy-Z5LXlyY0ZjFjutzjSSVlRqsDSFV_nhu2Z2B9MejUtdUnTGgR7nSiNQIyBOutZZxoUdDcz7HPeyDoc2J0WOr2j_OXE3Gb9onhMWW2FzbFh6rKJ21Y9aCClM9ZflgudmKBdJ--gV4gTvkne4SVN7AXQbczg9pmPp9qsUOg2jUMAmhm_0X7ksVVOw6zBvesxeMtkCtO2GzBhLJX3Zm81NJ_MlFdlAqzvsN48ExsxU4Y-GO4PkMuduBRD_wX-7XrfccNF0ddMNMDiGyMXefHeK7WjDd79ozuYWUgNzKkz_VPPZmP6UHdqYaixB2BfKvGi2PKFBOo6YqgmmOrY4qGs0VWfZx68UXabF3GGe4BwjVcAStZtnYn3qpGnJsX0AP0PBX8q7DfXUS_nJygY650xe-NYUcA6U0f8E3yJB8tvhZ_b9Wo1h53yDJIkvA5AR-znpMsRdI0Vco_5qvm7XNm7a2P9g_rqhjMCAwEAAaA9MDsGCSqGSIb3DQEJDjEuMCwwCwYDVR0PBAQDAgXgMB0GA1UdEQQWMBSCEmdpdC5hYnVzZS5pd2ViLmNvbTANBgkqhkiG9w0BAQsFAAOCAgEAuhtZIld6L-drIcZI_pzj7Sn7QfBxeMcJhnQxxcz5yU-Ea2f4_XmUdhG5jmZ8weAE3ZP-L4wdonae4J71ESfk92Vri1Y_EUW3P6goE4tPUpKCr5B-UmVpYcQa64-fNCw9j1oyJHKvdbooVsdmGSdVaqR_kcl2EF5zynVfgAa7TPUwS--1uA8xRqPFLFTTL4QpnWw0zndTXIw1yen95UQvWVKnIMFVP6YUD13tzY0kIM__WxJ_gJy7agJ5EgHe0P99tY2TOUTJoeFndYf_W4vNDAu8BaVJGA5ubqLGbXCPXtZTN7-_TWERZ6HrJioCeUgBUNQ--WNjvmv52CfPqX24FO0dObA_PmnxLpv_V2AgLYOjGfJHTGISt0g43THdyS9IeHuTxy1ig9-vXQ-azaeuFZIdX4ppJUpLRqJBpThyA8TXI1igQoZ6L0LCkP2JSMPupiE7v7eGMeJ-VJ1TVqXQGbGdb-po1FxF9otVWEq1ziZjDjGb99gf9h6iIk-SUW4996dGfiqOlYKsCaAsoMpt2nEdkXjyBx0fPlUhcvj4uyZ4LaKxYa8rHvUGe8zi-SoWNGYbW1X-89mhjeoxBi5J3mpKRHy5b7-225SOpxN0BXMeYakKSjsRMocQgityOl-m1BGqnZq0ArDFrVSbMJCe_wvGSLsZehuew0ODRPYkzHc"}'
[Wed Nov 13 19:42:15 EST 2019] POST
[Wed Nov 13 19:42:15 EST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/finalize/18203393/1506918997'
[Wed Nov 13 19:42:15 EST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Wed Nov 13 19:42:16 EST 2019] _ret='0'
[Wed Nov 13 19:42:16 EST 2019] code='200'
[Wed Nov 13 19:42:16 EST 2019] Order status is valid.
[Wed Nov 13 19:42:16 EST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04f2f79d7df8c6b7745d0a84c0a2a133704f'
[Wed Nov 13 19:42:16 EST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/04f2f79d7df8c6b7745d0a84c0a2a133704f
[Wed Nov 13 19:42:16 EST 2019] url='https://acme-v02.api.letsencrypt.org/acme/cert/04f2f79d7df8c6b7745d0a84c0a2a133704f'
[Wed Nov 13 19:42:16 EST 2019] payload
[Wed Nov 13 19:42:16 EST 2019] POST
[Wed Nov 13 19:42:16 EST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/cert/04f2f79d7df8c6b7745d0a84c0a2a133704f'
[Wed Nov 13 19:42:16 EST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Wed Nov 13 19:42:16 EST 2019] _ret='0'
[Wed Nov 13 19:42:16 EST 2019] code='200'
[Wed Nov 13 19:42:16 EST 2019] Found cert chain
[Wed Nov 13 19:42:16 EST 2019] _end_n='36'
[Wed Nov 13 19:42:16 EST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04f2f79d7df8c6b7745d0a84c0a2a133704f'
[Wed Nov 13 19:42:16 EST 2019] Cert success.
[Wed Nov 13 19:42:16 EST 2019] Your cert is in  /var/etc/acme-client/home/www.example.com/www.example.com.cer
[Wed Nov 13 19:42:16 EST 2019] v2 chain.
[Wed Nov 13 19:42:16 EST 2019] The intermediate CA cert is in  /var/etc/acme-client/home/www.example.com/ca.cer
[Wed Nov 13 19:42:16 EST 2019] And the full chain certs is there:  /var/etc/acme-client/home/www.example.com/fullchain.cer
[Wed Nov 13 19:42:17 EST 2019] Installing cert to:/var/etc/acme-client/certs/5dcc88dd2fce17.31790163/cert.pem
[Wed Nov 13 19:42:17 EST 2019] Installing CA to:/var/etc/acme-client/certs/5dcc88dd2fce17.31790163/chain.pem
[Wed Nov 13 19:42:17 EST 2019] Installing key to:/var/etc/acme-client/keys/5dcc88dd2fce17.31790163/private.key


Any idea what I can do here to make it show up properly in the UI? I also need to actually use the certificate in HAProxy, but it's not selectable.
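An added check, not from the post and not part of OPNsense or acme.sh: when the UI status and the acme.sh log disagree, the quickest way to find out which one to believe is to inspect the files the log says were installed. The script below checks that cert.pem and private.key share a public key, that the subjectAltName really carries the requested name, that the certificate is not expired, and that the leaf chains to the chain.pem written beside it. The paths follow the "Installing cert/CA/key to:" lines above; the id directory 5dcc88dd2fce17.31790163 is taken from that log and is only an example. The chain step uses -partial_chain, so the intermediate in chain.pem serves as the anchor: it proves the three files belong together, not that a browser would trust the chain.

```shell
#!/bin/sh
# Added example (not from the post or from OPNsense/acme.sh): verify that the
# files acme.sh reports as installed are self-consistent, independently of
# whatever the UI displays. Needs only the openssl(1) command.

# check_acme_install CERT CHAIN KEY DOMAIN
# Returns 0 when CERT matches KEY, names DOMAIN in its SAN, is not expired,
# and chains to CHAIN; prints the first failing check on stderr otherwise.
check_acme_install() {
    cert=$1; chain=$2; key=$3; domain=$4
    for f in "$cert" "$chain" "$key"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            return 1
        fi
    done

    # 1. the public key inside the certificate must equal the one derived
    #    from the private key (both printed as SubjectPublicKeyInfo PEM)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2
        return 1
    fi

    # 2. the SAN must carry the requested name; a matching CN alone is not
    #    enough for modern clients. Dots in the name are escaped for grep -E.
    dom_re=$(printf '%s' "$domain" | sed 's/\./\\./g')
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -Eq "DNS:${dom_re}(,|[[:space:]]|$)"; then
        echo "$domain not present in subjectAltName" >&2
        return 1
    fi

    # 3. not already expired (-checkend 0 = "expires within 0 seconds")
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate is expired" >&2
        return 1
    fi

    # 4. the leaf must chain to the CA file acme.sh installed beside it.
    #    -partial_chain (OpenSSL >= 1.0.2) accepts the intermediate as the
    #    anchor, so this checks consistency of the files, not public trust.
    if ! openssl verify -partial_chain -CAfile "$chain" "$cert" 2>/dev/null \
        | grep -q ': OK$'; then
        echo "certificate does not chain to $chain" >&2
        return 1
    fi

    echo "OK: $cert matches $key and names $domain"
    return 0
}

# Usage on the firewall, with the id directory from the log lines above
# (that id is an example taken from the log, not a fixed name):
#   id=5dcc88dd2fce17.31790163
#   check_acme_install /var/etc/acme-client/certs/$id/cert.pem \
#       /var/etc/acme-client/certs/$id/chain.pem \
#       /var/etc/acme-client/keys/$id/private.key www.example.com
```

If all four checks pass, the certificate itself is fine and the remaining problem is bookkeeping between acme.sh and the UI; if the key check fails, the UI is right to refuse the pair and the key directory is the place to look.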
#2
I have two OPNsense firewalls in a production environment. I upgraded the second one (UI 64.x.x.12) first and all went well.  While upgrading the first one (UI 64.x.x.11) to 18.7, however, a strange thing happened.  These are both VMs running under Xen.

1.) After the upgrade the GUI said ***REBOOT*** but didn't reboot.  I waited for several minutes but it did not reboot on its own like the other one did.
2.) I soft booted the VM manually and it shutdown nicely and rebooted without issue.
3.) During the upgrade process it rebooted itself a few times after applying patches/upgrades.
4.) During the final phase of the upgrade I got a strange issue.  It said the following repeatedly:
    tar: Damaged tar archive
    tar: Retrying...
    tar: Damaged tar archive
    tar: Retrying...
    tar: Damaged tar archive
    tar: Retrying...
5.) I quickly took a screenshot so I could remember the exact wording of the messages
6.) For a laugh I hit ctrl-C on the console of the VM
7.) It loaded some stuff during the boot but then dropped to a console
8.) I rebooted it again (by typing 'reboot')
9.) The same thing happened where it kept looping saying "tar: Damaged tar archive" repeatedly.
10.) I hit ctrl-C again and it finished booting and is now up and working.

During this whole ordeal the secondary firewall took over operations successfully so there was no hit on service.

I logged into the GUI and all seems to be well but I don't want to perform the updates to 18.7 now because I don't know what's going to happen during the reboot.  I took a backup (encrypted) of the configuration for safe keeping.

So my questions are:
1) Should I do the updates and see what happens?
2) Can I fix this 'tar: Damaged tar archive' thing before I reboot it again and then do the updates?
3) Should I just reinstall it and then apply the configuration backup to a fresh install?

What's the best course of action here?

Screen shot attached.
#3
Hello,

This PC is AMD64 with one on-board NIC (bfe0) and two PCI cards (identical cards).  They are both DGE-530T Gigabit Ethernet Adapter (rev.C1) [Realtek RTL8169] (single port GigE).

So from a brand new install with no additional packages added or anything (virgin), what steps should I take to get these two NICs operational?

Applicable DMESG output:
root@OPNsense:/usr/src # dmesg | grep 'network' | grep 'no driver attached'
pci4: <network, ethernet> at device 8.0 (no driver attached)
pci4: <network, ethernet> at device 9.0 (no driver attached)


PCICONF output:
root@OPNsense:/usr/src # pciconf -lv | tail -10
none11@pci0:4:8:0:   class=0x020000 card=0x43021186 chip=0x43021186 rev=0x10 hdr=0x00
    vendor     = 'D-Link System Inc'
    device     = 'DGE-530T Gigabit Ethernet Adapter (rev.C1) [Realtek RTL8169]'
    class      = network
    subclass   = ethernet
none12@pci0:4:9:0:   class=0x020000 card=0x43021186 chip=0x43021186 rev=0x10 hdr=0x00
    vendor     = 'D-Link System Inc'
    device     = 'DGE-530T Gigabit Ethernet Adapter (rev.C1) [Realtek RTL8169]'
    class      = network
    subclass   = ethernet


OPNsense 18.1_1
root@OPNsense:/usr/src # uname -a
FreeBSD OPNsense.localdomain 11.1-RELEASE-p6 FreeBSD 11.1-RELEASE-p6  6621d681e(stable/18.1)  amd64


I previously tried with OPNsense 17 to install the tools package from GitHub and do 'make buildworld' and 'make buildkernel' so I could then build the kernel module to override the if_re module provided by the FreeBSD kernel.  I had trouble with the buildworld (first step) so I scrapped things and installed OPNsense 18 and I'm starting new now.

After reading a bit though I've discovered that DGE-530T actually uses the sk(4) module.  I've tried creating a /boot/loader.conf.local with if_sk_load="YES" and rebooting but that didn't do anything different. 

So is it re(4) or sk(4)?  How do I get one of those to load for these NICs?
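An added example, not from the post: which of re(4) or sk(4) claims a 1186:4302 card is not something the page settles, but it can be answered empirically on the box. The first function parses pciconf output and prints every network device the kernel left unclaimed ("noneN") together with its vendor:device ID, unpacking the chip= field (device ID in the high 16 bits, vendor ID in the low 16 bits); the sample input is constructed from the pciconf -lv lines in the post. The second function loads a candidate module and re-checks whether the selector is still listed as noneN; it runs only on FreeBSD and needs root.

```shell
#!/bin/sh
# Added example (not from the post): list unclaimed PCI NICs with their
# vendor:device IDs, then test whether loading a module makes the kernel
# claim the device. Only the parser runs on non-FreeBSD hosts.

# Sample pciconf -lv output constructed from the post.
SAMPLE_PCICONF="none11@pci0:4:8:0:   class=0x020000 card=0x43021186 chip=0x43021186 rev=0x10 hdr=0x00
    vendor     = 'D-Link System Inc'
    device     = 'DGE-530T Gigabit Ethernet Adapter (rev.C1) [Realtek RTL8169]'
    class      = network
    subclass   = ethernet
none12@pci0:4:9:0:   class=0x020000 card=0x43021186 chip=0x43021186 rev=0x10 hdr=0x00
    vendor     = 'D-Link System Inc'
    device     = 'DGE-530T Gigabit Ethernet Adapter (rev.C1) [Realtek RTL8169]'
    class      = network
    subclass   = ethernet"

# unclaimed_pci_nics: reads pciconf -l or -lv output on stdin and prints
# "<selector> <vendor>:<device>" for every network-class device with no
# driver attached (class 0x02xxxx, name "noneN").
unclaimed_pci_nics() {
    # chip=0xDDDDVVVV: device ID in the upper 4 hex digits, vendor ID in the
    # lower 4. Printed as vendor:device, the order driver tables use.
    awk '/^none[0-9]+@pci/ && /class=0x02/ {
        chip = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^chip=0x/) chip = substr($i, 8)
        if (chip != "")
            printf "%s %s:%s\n", $1, substr(chip, 5, 4), substr(chip, 1, 4)
    }'
}

# try_nic_driver SELECTOR MODULE   e.g. try_nic_driver pci0:4:8:0 if_sk
# Loads MODULE if it is not loaded yet and reports whether the device at
# SELECTOR is still unclaimed afterwards. FreeBSD only; needs root.
try_nic_driver() {
    sel=$1; mod=$2
    if [ "$(uname -s)" != "FreeBSD" ]; then
        echo "skip: try_nic_driver only runs on FreeBSD" >&2
        return 2
    fi
    if ! kldstat -q -n "${mod}.ko"; then
        kldload "$mod" || { echo "$mod: kldload failed" >&2; return 1; }
    fi
    # A claimed device is listed under the driver name (re0@..., sk0@...),
    # an unclaimed one stays "noneN@...".
    if pciconf -l | grep -q "^none[0-9]*@${sel}:"; then
        echo "$sel: still unclaimed after loading $mod" >&2
        return 1
    fi
    echo "$sel: claimed after loading $mod"
    return 0
}

# Usage on the firewall (as root):
#   pciconf -l | unclaimed_pci_nics
#   for m in if_sk if_re; do try_nic_driver pci0:4:8:0 "$m" && break; done
# Whichever module claims the card goes into /boot/loader.conf.local as
#   if_sk_load="YES"   (or if_re_load="YES")
# so it is loaded at boot; re-run the list afterwards to confirm that
# nothing is left as "noneN".
```

If neither module makes the noneN entry disappear, the vendor:device pair printed by the parser is the value to compare against the ID tables in the driver sources, since a module that loads but does not list the ID will never attach.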