Messages - pkernstock

#1
Quote from: franco on April 02, 2021, 07:39:42 PM
PS: does this work too?

# devfs rule apply path crypto hide
# configctl webgui restart

Yes, it does:

Quote
root@iefw01:/var/log # opnsense-revert -r 21.1.4 openssl
Fetching openssl.txz: ... done
Verifying signature with trusted certificate pkg.opnsense.org.20210104... done
openssl-1.1.1j_1,1: already unlocked
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        openssl: 1.1.1k,1

Number of packages to be installed: 1

The process will require 14 MiB more space.
[1/1] Installing openssl-1.1.1k,1...
Extracting openssl-1.1.1k,1: 100%
root@iefw01:/var/log # configctl webgui restart
OK
root@iefw01:/var/log # devfs rule apply path crypto hide
root@iefw01:/var/log # configctl webgui restart
OK
root@iefw01:/var/log #

Then:
Quote
$ curl -k https://fw/ | head -n1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2952  100  2952    0     0  38337      0 --:--:-- --:--:-- --:--:-- 38337
<!doctype html>
#2
Hello,

I stumbled upon the exact same issue when updating from 21.1.3 to 21.1.4 just a few minutes ago. Self-signed certificates (from the system, nothing customized), no LetsEncrypt, neither reboots nor manual webui restarts changed the situation.

Quote
$ curl -k https://fw.domain.tld/
curl: (56) OpenSSL SSL_read: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error, errno 0

The workaround as posted earlier works fine:

Quote
root@fw:/var/log # opnsense-revert -r 21.1.3 openssl
Fetching openssl.txz: .... done
Verifying signature with trusted certificate pkg.opnsense.org.20210104... done
openssl-1.1.1k,1: already unlocked
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        openssl: 1.1.1j_1,1

Number of packages to be installed: 1

The process will require 14 MiB more space.
[1/1] Installing openssl-1.1.1j_1,1...
Extracting openssl-1.1.1j_1,1: 100%
root@fw:/var/log # configctl webgui restart
OK
root@fw:/var/log #

Now it works:
Quote
$ curl -k https://fw.domain.tld/
<!doctype html>
[...]

Regards,
Patrik
#3
I was updating from 20.1 to 20.7.3 today and was experiencing the exact same behavior:
Quote
[59/69] Upgrading php73-opcache from 7.3.20 to 7.3.22...
[59/69] Extracting php73-opcache-7.3.22: .......... done
[60/69] Upgrading os-wireguard from 1.2 to 1.3...
[60/69] Extracting os-wireguard-1.3: .......... done
Stopping configd...done
Starting configd.
Keep version OPNsense\Wireguard\General (0.0.1)
Keep version OPNsense\Wireguard\Server (0.0.2)
Migrated OPNsense\Wireguard\Client from 0.0.4 to 0.0.5
Reloading plugin configuration
Configuring system logging...done.
Reloading template OPNsense/Wireguard: OK

At this point, it was stuck. After a reboot, however, I was able to update the missing 9 packages just fine.
#4
The funny thing is, I sent the exact same feedback to @mimugmail via Twitter. As the form doesn't accept "#" or hostnames into the field.

At the moment I've worked around it by modifying the config file directly: (to be honest I don't know if that's persistent across reboots)

# cat /var/unbound/etc/dot.conf
server:
  tls-cert-bundle: /etc/ssl/cert.pem
forward-zone:
  name: "."
  forward-tls-upstream: yes
  forward-addr: 45.90.28.0#xx.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#xx.dns1.nextdns.io
  forward-addr: 45.90.30.0#xx.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#xx.dns2.nextdns.io
#5
Just had the same issue with 20.1.4. Snortrules version by @scyto worked for me as well.
#6
General Discussion / Re: Feature Request: Route Based VPN
November 03, 2018, 06:37:44 PM
Quote from: franco on November 02, 2018, 06:53:49 PM
With certain users, it's always that one feature we don't have. We can't be good at everything all the time. :)

I know that many projects, OPNsense is no exception here, cannot satisfy the needs of just everyone around the globe. My intention was just raising a bit of attention to this feature request - maybe for any prioritisation for kind of roadmaps or so.

Probably crowdfunding-stuff would be great here. I'm an individual, OPNsense would be for private usage and I do not have enough resources to contribute tons of money to fund this alone :) (I would, if I could)
#7
General Discussion / Re: Feature Request: Route Based VPN
November 02, 2018, 04:59:14 PM
I personally think it's more a "maybe", from what I've seen in the previously linked GitHub issue. It's also quite an important feature for me - basically one of the core reasons I haven't migrated over to OPNsense yet.