Messages - wschlich

#1
Works fine :D To me that button looked like a "refresh" button (for just refreshing the web UI). Feeling stupid now m) Thank you!
#2
Whoohoo, fixed by AdSchellevis in https://github.com/opnsense/core/commit/67f49486708770633ca615ee41f53439e0a962ce and scheduled for 19.1.2 by franco :D
#3
Nope, I didn't. Never noticed this kind of button before :) Is it an "Apply" button (which is labelled "Apply" in other places)?! Doesn't show a mouseover description :(
#4
Seems there was already a github issue for this problem which should be reopened: https://github.com/opnsense/core/issues/1487
#5
@newsense You don't seem to understand the basics here and I don't have the time and energy to explain (sorry about that). I'd recommend reading the documentation about the Certificate Depth option (or the OpenVPN --tls-verify option).
#6
Hi!

It seems that /usr/local/etc/nginx/nginx.conf is only rewritten/updated upon disabling+re-enabling the nginx service.

I added an HTTP server and a Location, but no server {} entry was visible in nginx.conf, even after restarting the service.

Only after I disabled and re-enabled the service, the nginx.conf was rewritten/updated and contains the configured server {} entry.

I consider this a bug?

Cheers,
Wolfram
#7
See my initial posting :)
#8
The openvpn server process is using a single CA (namely the "VPN CA"), not the full local CA chain:

[root@opnsense ~]# ps auxwwf | grep [o]penvpn
root    28509   0.0  0.2 1062000  7576  -  Ss   07:04       0:00.09 /usr/local/sbin/openvpn --config /var/etc/openvpn/server1.conf
[root@opnsense ~]# grep '^ca' /var/etc/openvpn/server1.conf
ca /var/etc/openvpn/server1.ca
[root@opnsense ~]# grep 'BEGIN CERTIFICATE' /var/etc/openvpn/server1.ca | wc -l
       2
[root@opnsense ~]# /usr/local/bin/openssl x509 -in /var/etc/openvpn/server1.ca -noout -subject
subject= /C=xxx/ST=xxx/L=xxx/O=xxx/emailAddress=xxx/CN=VPN CA
[root@opnsense ~]#

I consider this a (very annoying) bug in OPNsense, as the OpenVPN configuration logic should be intelligent enough to resolve the full local CA chain.
#9
It's unchanged, obviously.
#10
I'm talking about *server* log/error messages, not *client* ones.
The server complains that it cannot verify the client certificate.
#11
Hi!

I have created the following setup:

1. Created "Root CA" using the OPNsense trust manager
2. Created "Server CA" as intermediate of Root CA using the OPNsense trust manager
3. Created "VPN CA" as intermediate of Root CA using the OPNsense trust manager
4. Generated a server certificate "Server Cert" signed by "Server CA" using the OPNsense trust manager
5. Created an OpenVPN server using the wizard with the following settings:
5.1. Server Certificate: "Server Cert"
5.2. Peer Certificate Authority: "VPN CA"
5.3. Certificate Depth: "Do Not Check"
5.4. Strict User/CN Matching: (x)
6. Created a user "vpnuser" with a client certificate issued by "VPN CA"
7. Created an OpenVPN client export for the "vpnuser"

Then, when I try to connect from the client, the server complains that it cannot verify an issuer certificate:

Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 TLS Error: TLS handshake failed
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 TLS Error: TLS object -> incoming plaintext read error
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 TLS_ERROR: BIO read tls_read_plaintext error
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=xx, ST=xxx, L=xxx, O=xxx, emailAddress=xxx, CN=VPN CA
The strange workaround, according to two other existing threads in this forum (https://forum.opnsense.org/index.php?topic=9888.0 and https://forum.opnsense.org/index.php?topic=4830.0), is to manually append the "Root CA" certificate data at the end of the "VPN CA" certificate data in the OPNsense trust manager.

That should not be required! OPNsense should configure OpenVPN to use the entire local CA certificate chain.

Cheers,
Wolfram
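Posts #8 and #11 above describe the same failure from two sides: the server's `ca` file holds only "VPN CA", so OpenSSL cannot walk the chain up to the self-signed "Root CA" and stops at depth=1 with "unable to get issuer certificate". The shell script below is an added example, not code from this thread or from OPNsense. It builds a throw-away Root CA -> VPN CA -> client certificate PKI with openssl (all subject names are constructed placeholders that mirror the posts), then verifies the client certificate once against the intermediate alone, as the wizard configures it, and once against intermediate plus root, which is what appending the Root CA data to the VPN CA entry in the trust manager amounts to. The `-no-CAfile -no-CApath` flags are an assumption made so that only the given file is trusted, modelling how the OpenVPN server trusts nothing but its `ca` file.

```sh
#!/bin/sh
# Added example (not from the forum thread or OPNsense): reproduces the server-side
# "VERIFY ERROR: depth=1 ... unable to get issuer certificate" condition with a
# throw-away PKI. Subject names mirror the posts; everything lives in a temp dir.

# Build Root CA -> VPN CA (intermediate) -> client cert in directory $1.
make_demo_pki() {
  dir=$1
  mkdir -p "$dir"
  # Minimal config so the example does not depend on the system openssl.cnf.
  cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF
  # Self-signed "Root CA" (constructed name).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Root CA" \
    -config "$dir/demo.cnf" -extensions ca_ext \
    -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # "VPN CA": intermediate signed by Root CA, the one selected as Peer CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=VPN CA" \
    -config "$dir/demo.cnf" -keyout "$dir/vpn.key" -out "$dir/vpn.csr" 2>/dev/null
  openssl x509 -req -in "$dir/vpn.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -extfile "$dir/demo.cnf" -extensions ca_ext \
    -out "$dir/vpn.crt" 2>/dev/null
  # Client certificate for "vpnuser", issued by VPN CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpnuser" \
    -config "$dir/demo.cnf" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/vpn.crt" -CAkey "$dir/vpn.key" \
    -CAcreateserial -days 2 -extfile "$dir/demo.cnf" -extensions leaf_ext \
    -out "$dir/client.crt" 2>/dev/null
  # The thread's workaround: intermediate followed by root in a single ca file.
  cat "$dir/vpn.crt" "$dir/root.crt" > "$dir/chain.crt"
}

# Number of PEM certificates in a CA file (same check as the grep | wc -l in post #8).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Verify a client cert the way the OpenVPN server does with its `ca` file:
# only certificates in $1 are trusted (assumed flags to ignore the system store).
# Exit status is openssl's, so callers can branch on it.
verify_client() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" 2>&1
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
echo "certs in vpn.crt:   $(count_certs "$demo_dir/vpn.crt")"
echo "certs in chain.crt: $(count_certs "$demo_dir/chain.crt")"
echo "--- ca = VPN CA only (what the wizard writes) ---"
verify_client "$demo_dir/vpn.crt" "$demo_dir/client.crt" || echo "verification failed, as in the server log"
echo "--- ca = VPN CA + Root CA (the manual workaround) ---"
verify_client "$demo_dir/chain.crt" "$demo_dir/client.crt"
rm -rf "$demo_dir"
```

The first verification fails at depth 1 because OpenSSL, like the OpenVPN server, only accepts a chain that ends in a self-signed certificate it trusts; the intermediate alone is not a trust anchor. The second succeeds because the appended root closes the chain, which is exactly why the trust-manager workaround works and why the generated `ca` file should contain the whole local chain.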
#12
Hi!

When running the OPNsense VGA installer (OPNsense-19.1-OpenSSL-vga-amd64.img.bz2) on a Sophos XG115 Rev 2, I can see the console output on the VGA display until the line "Booting...".
From there on, all console output is only displayed on the serial port.

I thought the VGA version of OPNsense should be using VGA-only and the serial port not at all...?

Cheers,
Wolfram
#13
According to https://github.com/pcengines/apu2-documentation/blob/master/docs/pfSense-install-guide.md the issue (which affects only mainline BIOS versions, not legacy 4.0.x) is solved in mainline BIOS versions *after* 4.6.7 (latest one currently is 4.9.0.1).

The installation of OPNsense 19.1 worked well using mainline BIOS 4.9.0.1 on my APU4C4 (which just arrived this week with BIOS 4.6.1 flashed, meh).