Messages - Mr. Browny

#1
Hi Frank,
thanks for your reply and the tips.

You are right, I am using HTTP-01 to generate a valid Let's Encrypt cert.

I followed your hint and changed the generation to DNS-01 with haproxy.
Now it is working fine and the described problem is gone.

Thank you very much.
#2
Hello together,

I had a really strange problem.
Whenever I request/renew a certificate I have to reboot the firewall to get my Internet connection back.
The firewall still had a connection to the internet, but no traffic was going out.
This always happens when I start the renewal of a certificate.

If I reboot the firewall or reload the filters at the SSH console with "configctl filter reload", the connection becomes functional again.

Another user had the same problem as me: https://forum.opnsense.org/index.php?topic=4792.0
But in my opinion it looks like an error in OPNsense or Let's Encrypt.

There are no error messages in System - General logs except the following ones:

2021-02-15T22:28:57   sshd[37286]   Unable to negotiate with 185.239.242.158 port 57798: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]   
2021-02-15T22:28:18   sshd[86814]   Unable to negotiate with 185.239.242.158 port 34914: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using challenge type: http_portfwd_on_wan   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using IPv4 address: 87.aaa.bbb.cc   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using IPv4 address: 192.168.21.1   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using IPv4 address: 87.xxx.yyy.zz   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: account is registered: DynDns my   
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: issue certificate: mydyndnsdomain.hoster.eu

Meta-Data:
OPNsense 21.1.1-amd64
FreeBSD 12.1-RELEASE-p13-HBSD
OpenSSL 1.1.1i 8 Dec 2020
os-acme-client (installed)   2.3   Let's Encrypt client

Does someone know this behavior?
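As an added example (not from the post or from OPNsense), here is a small triage script that reads the log excerpt above and separates the AcmeClient events (which challenge type was used, which addresses it picked, which domain was issued) from the unrelated sshd lines, which are a remote host offering only SHA-1 key-exchange methods that the firewall rejects. The sample log is the excerpt from the post, embedded verbatim; the placeholder addresses (87.aaa.bbb.cc etc.) are the post's own masking.

```python
import ipaddress
import re

# Constructed sample input: the log excerpt quoted in the post, unchanged.
SAMPLE_LOG = """\
2021-02-15T22:28:57   sshd[37286]   Unable to negotiate with 185.239.242.158 port 57798: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
2021-02-15T22:28:18   sshd[86814]   Unable to negotiate with 185.239.242.158 port 34914: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1 [preauth]
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using challenge type: http_portfwd_on_wan
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using IPv4 address: 87.aaa.bbb.cc
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using IPv4 address: 192.168.21.1
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: using IPv4 address: 87.xxx.yyy.zz
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: account is registered: DynDns my
2021-02-15T22:28:18   opnsense[84212]   AcmeClient: issue certificate: mydyndnsdomain.hoster.eu
"""

# "<timestamp>   <process>[<pid>]   <message>" as OPNsense's General log shows it
LINE_RE = re.compile(r"^(\S+)\s+(\w+)\[(\d+)\]\s+(.*)$")
ACME_RE = re.compile(r"AcmeClient: (using challenge type|using IPv4 address|issue certificate): (.+)$")
SSH_KEX_RE = re.compile(r"Unable to negotiate with (\S+) port \d+: no matching key exchange method found\. Their offer: (\S+)")

def parse_line(line):
    """Return {ts, proc, pid, msg} for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proc, pid, msg = m.groups()
    return {"ts": ts, "proc": proc, "pid": int(pid), "msg": msg}

def classify_addr(addr):
    """'private' / 'public' for a real address, 'redacted' for a masked one like 87.aaa.bbb.cc."""
    try:
        return "private" if ipaddress.ip_address(addr).is_private else "public"
    except ValueError:
        return "redacted"

def triage(text):
    """Split the excerpt into the ACME run summary and the unrelated sshd KEX noise."""
    acme = {"challenge": None, "addresses": [], "domain": None}
    ssh_noise = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["proc"] == "opnsense" and (m := ACME_RE.search(rec["msg"])):
            key, val = m.groups()
            if key == "using challenge type":
                acme["challenge"] = val
            elif key == "using IPv4 address":
                acme["addresses"].append(val)
            else:
                acme["domain"] = val
        elif rec["proc"] == "sshd" and (m := SSH_KEX_RE.search(rec["msg"])):
            offers = m.group(2).split(",")
            # All offered methods end in sha1: a client (or scanner) with legacy-only KEX, not an ACME event
            ssh_noise.append({"ts": rec["ts"], "peer": m.group(1), "legacy_only": all(o.endswith("sha1") for o in offers)})
    # The challenge type that adds a temporary port forward on WAN, which the reply suggested replacing with DNS-01
    acme["wan_portfwd"] = acme["challenge"] == "http_portfwd_on_wan"
    return acme, ssh_noise
```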