OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of liceo »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - liceo

Pages: [1] 2 3 ... 7
1
24.1 Legacy Series / Re: ACME client issues w/Cloudflare
« on: May 30, 2024, 10:30:22 pm »
Quote
Had the same issue on a wildcard cert. Solved it by removing the SAN entry.
The SAN value will still be present on the final cert.

You're right, it has something to do with the SAN. For testing i have removed all SAN and the validadion is working again. But removing the SAN, they are also removed from the certificate of course.

But it's kinda wierd: After removing the SAN equal to the domain it worked again. Now i can add the other SAN (e.g. *.domain.com) again and it still seems to work..

So many thanks for the hint @Modaeus!

2
24.1 Legacy Series / Re: ACME client issues w/Cloudflare
« on: May 29, 2024, 09:47:28 pm »
I tried with ZoneID Key already, same result. I can't see any TXT records but ACME plugin normally removes it after validation. Maybe im too slow to catch it. I also tried to add the key manually, but on every round ACME generates a new key.

3
24.1 Legacy Series / Re: ACME client issues w/Cloudflare
« on: May 29, 2024, 04:46:01 pm »
Quote from: Monviech on May 29, 2024, 04:08:39 pm
If its a customer who is complaining, why not just buy a certificate? Getting a wildcard certificate for the domain/s fixes the problem instantly and it doesn't cost much for a business.

Agree, but i would like to fix THIS problem. It was working for years now, something seems to be changed.

4
24.1 Legacy Series / Re: ACME client issues w/Cloudflare
« on: May 29, 2024, 03:17:36 pm »
Some more logs...

Code: [Select]
2024-05-29T14:56:40 opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 8 --debug 2 --server 'letsencrypt' --dns 'dns_cf' --dnssleep '300' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/62b86c7fd6ddb9.24403730' --certpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/cert.pem' --keypath '/var/etc/acme-client/keys/62b86c7fd6ddb9.24403730/private.key' --capath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/chain.pem' --fullchainpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/fullchain.pem' --domain 'mydomain.com' --domain 'mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5f806aef5d0241.03202364_prod/account.conf'
2024-05-29T14:56:40 opnsense AcmeClient: using challenge type: Cloudflare DNS Validation
2024-05-29T14:56:40 opnsense AcmeClient: account is registered: avbs-acme
2024-05-29T14:56:40 opnsense AcmeClient: using CA: letsencrypt
2024-05-29T14:56:40 opnsense AcmeClient: issue certificate: mydomain.com
2024-05-29T14:56:40 opnsense AcmeClient: certificate must be issued/renewed: mydomain.com
2024-05-29T12:54:44 opnsense AcmeClient: validation for certificate failed: mydomain.com
2024-05-29T12:54:44 opnsense AcmeClient: domain validation failed (dns01)
2024-05-29T12:54:44 opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt_test' --dns 'dns_cf' --dnssleep '300' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/62b86c7fd6ddb9.24403730' --certpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/cert.pem' --keypath '/var/etc/acme-client/keys/62b86c7fd6ddb9.24403730/private.key' --capath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/chain.pem' --fullchainpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/fullchain.pem' --domain 'mydomain.com' --domain 'mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5f806aef5d0241.03202364_stg/account.conf''
2024-05-29T12:54:29 opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt_test' --dns 'dns_cf' --dnssleep '300' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/62b86c7fd6ddb9.24403730' --certpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/cert.pem' --keypath '/var/etc/acme-client/keys/62b86c7fd6ddb9.24403730/private.key' --capath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/chain.pem' --fullchainpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/fullchain.pem' --domain 'mydomain.com' --domain 'mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5f806aef5d0241.03202364_stg/account.conf'
2024-05-29T12:54:29 opnsense AcmeClient: using challenge type: Cloudflare DNS Validation
2024-05-29T12:54:29 opnsense AcmeClient: account is registered: avbs-acme
2024-05-29T12:54:29 opnsense AcmeClient: using CA: letsencrypt_test
2024-05-29T12:54:29 opnsense AcmeClient: issue certificate: mydomain.com
2024-05-29T12:54:29 opnsense AcmeClient: certificate must be issued/renewed: mydomain.com

5
24.1 Legacy Series / Re: ACME client issues w/Cloudflare
« on: May 29, 2024, 01:41:10 pm »
Same problem here, one of my website's cert has expired now!! No clue how to fix and customer already complaining. Running

Code: [Select]
AcmeClient: domain validation failed (dns01)
acme.ch seems to have problems adding the txt, but i can't see why..

Code: [Select]
[Wed May 29 12:54:39 CEST 2024] Add txt record error.
This is geeting urgent!

6
24.1 Legacy Series / Re: arprequest_internal: cannot find matching address
« on: March 23, 2024, 05:16:17 pm »
Quote from: wntrmt on March 23, 2024, 02:32:05 pm
same here. my opnsense vm suddenly lost configuration and i am unable to restore it because it throws mentioned error

proxmox 8.1.4
[mention]wntrmt [/mention] Lost config? This seems to be something else.

I think i cold solve the „arp“ Problem deactivating the hardware acceleration features on the interfaces. Now opnsense survives a quick disconnect from the network again.

7
24.1 Legacy Series / Re: arprequest_internal: cannot find matching address
« on: March 22, 2024, 05:41:22 am »
Just happened again. This is a serious issue! The only way to solve this is to reboot the VM..

8
24.1 Legacy Series / Re: arprequest_internal: cannot find matching address
« on: February 18, 2024, 12:51:42 pm »
Wierd… never have seen something like this. Maybe related to FreeBSD?

The main problem ist, that the failover also not properly work. Fail over works but it tries to fail back and then loosing connection completely

9
24.1 Legacy Series / arprequest_internal: cannot find matching address
« on: January 31, 2024, 10:47:47 pm »
Hi all

I had a shot interruption on a physical swtich which is connected to a Hyper-V host. On the Hyper-V host, there is a OPNSense running (since years).

After the connection went up again, the OPNsense was unable to recover from the short outage and the box stayed completeley disconnected while throwing the error "arprequest_internal: cannot find matching address" The only way to bring back the OPNSense back was a reboot!

I have recreated the virtual switch on Hyper-V and removed Zenarmor just to isolate the problem. No success

Someone experience the same? Any ideas?

10
High availability / Re: CARP WAN VIP not reachable
« on: December 11, 2023, 11:02:49 am »
Ah, ok. But may you also try disable SR-IOV..

11
High availability / Re: CARP WAN VIP not reachable
« on: December 10, 2023, 09:28:30 am »
I was able to solve it! I had to recreate the virtual switch on Hyper-V servers without SR-IOV enabled.

12
High availability / CARP WAN VIP not reachable
« on: December 09, 2023, 08:27:37 pm »
[mention]danbet [/mention] Do you also run OPNsense on Hyper-V?

13
German - Deutsch / Re: newbie benötigt unterstützung Default deny / state violation rule
« on: December 08, 2023, 05:16:54 pm »
Klassiker, ist mir auch schon oft passiert

14
High availability / CARP WAN VIP not reachable
« on: December 08, 2023, 04:57:21 pm »
Hi all

I setup again a new HA cluster running on two Hyper-V boxes. I did the HA setup same as my other installations but this time i cannot reach the CARP VIP from the WAN side. It‘s a pretty standard setup at follows:

  • Two ONPSense with LAN and WAN Interfaces
  • MAC spoofing is enabled
  • Added a CARP VIP on both interfaces
  • Setup sync between HA pairs
  • Failover is working tested from the LAN
  • Ping to all Interfaces including the VIPs possible from LAN

What does NOT work now:


  • I Can reach the real WAN IPs from the WAN transfer network but NOT the VIP
  • I cannot use the WAN VIP in the outbound NAT rule > Internet is not reachable anymore

I did recreate all the VIPs, recreate the outbound NAT rule, rebooted several times, checked the Firewall logs,  checked the TCPDump (not one package to the WAN VIP..).

Any ideas??

Many thanks!

15
Intrusion Detection and Prevention / Re: IPS Category Blocking doesn't work
« on: July 21, 2023, 01:26:32 pm »
Fair point, this is even more efficient.. Thanks!

Pages: [1] 2 3 ... 7
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2