Messages - liceo

#1
I don't know for Samba, but a Windows DC can run with an external DNS server. The important aspect is: The DNS server needs to allow dynamic updates. This way, the DC creates all relevant DNS entries (including SRV) needed for operation.
#2
Quote
Had the same issue on a wildcard cert. Solved it by removing the SAN entry.
The SAN value will still be present on the final cert.

You're right, it has something to do with the SAN. For testing I have removed all SANs and the validation is working again. But by removing the SANs, they are of course also removed from the certificate.

But it's kinda weird: after removing the SAN equal to the domain it worked again. Now I can add the other SAN (e.g. *.domain.com) again and it still seems to work..

So many thanks for the hint @Modaeus!
#3
I tried with the ZoneID key already, same result. I can't see any TXT records, but the ACME plugin normally removes it after validation. Maybe I'm too slow to catch it. I also tried to add the key manually, but on every round ACME generates a new key.
#4
Quote from: Monviech on May 29, 2024, 04:08:39 PM
If its a customer who is complaining, why not just buy a certificate? Getting a wildcard certificate for the domain/s fixes the problem instantly and it doesn't cost much for a business.

Agree, but I would like to fix THIS problem. It was working for years now; something seems to have changed.
#5
Some more logs...

2024-05-29T14:56:40 opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 8 --debug 2 --server 'letsencrypt' --dns 'dns_cf' --dnssleep '300' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/62b86c7fd6ddb9.24403730' --certpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/cert.pem' --keypath '/var/etc/acme-client/keys/62b86c7fd6ddb9.24403730/private.key' --capath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/chain.pem' --fullchainpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/fullchain.pem' --domain 'mydomain.com' --domain 'mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5f806aef5d0241.03202364_prod/account.conf'
2024-05-29T14:56:40 opnsense AcmeClient: using challenge type: Cloudflare DNS Validation
2024-05-29T14:56:40 opnsense AcmeClient: account is registered: avbs-acme
2024-05-29T14:56:40 opnsense AcmeClient: using CA: letsencrypt
2024-05-29T14:56:40 opnsense AcmeClient: issue certificate: mydomain.com
2024-05-29T14:56:40 opnsense AcmeClient: certificate must be issued/renewed: mydomain.com
2024-05-29T12:54:44 opnsense AcmeClient: validation for certificate failed: mydomain.com
2024-05-29T12:54:44 opnsense AcmeClient: domain validation failed (dns01)
2024-05-29T12:54:44 opnsense /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php: AcmeClient: The shell command returned exit code '1': '/usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt_test' --dns 'dns_cf' --dnssleep '300' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/62b86c7fd6ddb9.24403730' --certpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/cert.pem' --keypath '/var/etc/acme-client/keys/62b86c7fd6ddb9.24403730/private.key' --capath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/chain.pem' --fullchainpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/fullchain.pem' --domain 'mydomain.com' --domain 'mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5f806aef5d0241.03202364_stg/account.conf''
2024-05-29T12:54:29 opnsense AcmeClient: running acme.sh command: /usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt_test' --dns 'dns_cf' --dnssleep '300' --home '/var/etc/acme-client/home' --cert-home '/var/etc/acme-client/cert-home/62b86c7fd6ddb9.24403730' --certpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/cert.pem' --keypath '/var/etc/acme-client/keys/62b86c7fd6ddb9.24403730/private.key' --capath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/chain.pem' --fullchainpath '/var/etc/acme-client/certs/62b86c7fd6ddb9.24403730/fullchain.pem' --domain 'mydomain.com' --domain 'mydomain.com' --days '1' --force --keylength '4096' --accountconf '/var/etc/acme-client/accounts/5f806aef5d0241.03202364_stg/account.conf'
2024-05-29T12:54:29 opnsense AcmeClient: using challenge type: Cloudflare DNS Validation
2024-05-29T12:54:29 opnsense AcmeClient: account is registered: avbs-acme
2024-05-29T12:54:29 opnsense AcmeClient: using CA: letsencrypt_test
2024-05-29T12:54:29 opnsense AcmeClient: issue certificate: mydomain.com
2024-05-29T12:54:29 opnsense AcmeClient: certificate must be issued/renewed: mydomain.com
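Added example, not code from the thread or from the OPNsense AcmeClient plugin: the command line logged above passes --domain 'mydomain.com' twice, which fits the earlier reply's observation that a SAN equal to the domain broke validation. The script below pulls the --domain values out of an AcmeClient "running acme.sh command" log line, flags duplicates, and shows a case-insensitive de-duplication of CN plus SANs before a request is assembled; the log line in it is constructed, and the paths are hypothetical.

```python
import shlex
from collections import Counter

# Constructed sample, shaped like the AcmeClient log line above (paths are hypothetical).
SAMPLE_LOG = (
    "2024-05-29T14:56:40 opnsense AcmeClient: running acme.sh command: "
    "/usr/local/sbin/acme.sh --issue --dns 'dns_cf' --dnssleep '300' "
    "--domain 'mydomain.com' --domain 'mydomain.com' --domain '*.mydomain.com' "
    "--keylength '4096'"
)

MARKER = "running acme.sh command: "


def acme_domains(log_line: str) -> list[str]:
    """Return every value passed to --domain in a 'running acme.sh command' line.

    Lines without the marker, or with unbalanced quotes (as in the truncated
    'exit code' line of the log), yield an empty list instead of raising.
    """
    idx = log_line.find(MARKER)
    if idx < 0:
        return []
    try:
        argv = shlex.split(log_line[idx + len(MARKER):])
    except ValueError:
        return []
    return [argv[i + 1] for i, arg in enumerate(argv[:-1]) if arg == "--domain"]


def duplicate_domains(log_line: str) -> dict[str, int]:
    """Map each identifier that appears more than once to its count (DNS names are case-insensitive)."""
    counts = Counter(d.lower() for d in acme_domains(log_line))
    return {name: n for name, n in counts.items() if n > 1}


def unique_names(common_name: str, sans: list[str]) -> list[str]:
    """Build the identifier list for a request: CN first, then SANs, without repeats.

    A SAN equal to the CN (or to another SAN) is dropped, so acme.sh is never
    asked to validate the same name twice.
    """
    seen: set[str] = set()
    ordered: list[str] = []
    for raw in [common_name, *sans]:
        name = raw.strip().lower()
        if name and name not in seen:
            seen.add(name)
            ordered.append(name)
    return ordered
```

Feeding the plugin's own "running acme.sh command" lines through duplicate_domains() gives a quick check of whether a certificate's SAN list repeats its common name before the next renewal attempt.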
#6
Same problem here, one of my websites' certs has expired now!! No clue how to fix it and the customer is already complaining. Running

AcmeClient: domain validation failed (dns01)

acme.sh seems to have problems adding the TXT record, but I can't see why..

[Wed May 29 12:54:39 CEST 2024] Add txt record error.

This is getting urgent!
#7
Quote from: wntrmt on March 23, 2024, 02:32:05 PM
Same here. My opnsense VM suddenly lost its configuration and I am unable to restore it because it throws the mentioned error

proxmox 8.1.4
@wntrmt Lost config? This seems to be something else.

I think I could solve the "arp" problem by deactivating the hardware acceleration features on the interfaces. Now OPNsense survives a quick disconnect from the network again.
#8
Just happened again. This is a serious issue! The only way to solve this is to reboot the VM..
#9
Weird... I have never seen something like this. Maybe related to FreeBSD?

The main problem is that the failover also does not work properly. Failover works, but then it tries to fail back and loses the connection completely.
#10
Hi all

I had a short interruption on a physical switch which is connected to a Hyper-V host. On the Hyper-V host, there is an OPNsense running (for years).

After the connection came up again, OPNsense was unable to recover from the short outage and the box stayed completely disconnected while throwing the error "arprequest_internal: cannot find matching address". The only way to bring OPNsense back was a reboot!

I have recreated the virtual switch on Hyper-V and removed Zenarmor just to isolate the problem. No success.

Does someone experience the same? Any ideas?
#11
High availability / Re: CARP WAN VIP not reachable
December 11, 2023, 11:02:49 AM
Ah, ok. But could you also try disabling SR-IOV..
#12
High availability / Re: CARP WAN VIP not reachable
December 10, 2023, 09:28:30 AM
I was able to solve it! I had to recreate the virtual switch on Hyper-V servers without SR-IOV enabled.
#13
High availability / CARP WAN VIP not reachable
December 09, 2023, 08:27:37 PM
@danbet Do you also run OPNsense on Hyper-V?
#14
A classic, has happened to me often too.
#15
High availability / CARP WAN VIP not reachable
December 08, 2023, 04:57:21 PM
Hi all

I set up a new HA cluster again running on two Hyper-V boxes. I did the HA setup the same as on my other installations, but this time I cannot reach the CARP VIP from the WAN side. It's a pretty standard setup as follows:

  • Two OPNsense with LAN and WAN interfaces
  • MAC spoofing is enabled
  • Added a CARP VIP on both interfaces
  • Set up sync between HA pairs
  • Failover is working, tested from the LAN
  • Ping to all interfaces including the VIPs possible from LAN

What does NOT work now:

  • I can reach the real WAN IPs from the WAN transfer network but NOT the VIP
  • I cannot use the WAN VIP in the outbound NAT rule > Internet is not reachable anymore

I did recreate all the VIPs, recreated the outbound NAT rule, rebooted several times, checked the firewall logs, checked the TCPDump (not one packet to the WAN VIP..).

Any ideas??

Many thanks!