OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of vielhak »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - vielhak

Pages: [1]
1
High availability / CARP maintenance mode via command line / API
« on: August 04, 2022, 08:23:09 am »
Hi there,

is there a way to enter/leave the carp maintenance mode via command line or API? I would like to automate some things and did not find anything in the docs or the forum.

best regards,
Torsten

2
20.7 Legacy Series / Re: Update 20.7.6 to 20.7.7 Update ERR_SSL_PROTOCOL_ERROR
« on: January 12, 2021, 06:01:08 pm »
Ah... I was wrong... there is no intermediate ca from LetsEncrypt. But the opnsense  chooses the (wrong)

Common Name: Let's Encrypt Authority X3

as CA for the webgui but the CA is now

Common Name: R3

which is a new CA (Valid From: October 7, 2020)

If I put the right CA inside /var/etc/ca.pem it works, too.... I not sure why and how the opnsense chooses the CA which is put in /var/etc/ca.pem.

So, after deleting the old Lets Encrypt CA from the trust store and reissue a new certificate (force via lets encrypt plugin),  everything works automatically. For me it is ok now, perhaps this helps somebody out there. Thanks for your support!



3
20.7 Legacy Series / Re: Update 20.7.6 to 20.7.7 Update ERR_SSL_PROTOCOL_ERROR
« on: January 12, 2021, 05:15:56 pm »
Quote from: franco on January 12, 2021, 12:38:51 pm
The chain is properly appended, but only if the parent CA(s) are known to System: Trust: Authorities.

Hmmm...Let's Encrypt Authority X3 (Let's Encrypt) and R3 (Let's Encrypt) were/are in the trusted Authorities. But the full chain is not copied to the *pem file by the opnsense framework (only key+cert).

Perhaps we are looking at different problems with the same effect!?

If I take a self-signed cert for the webgui => no problem with firefox/chrome/edge (on Windows).
If I take the Lets Encrypt cert => ERR_SSL_PROTOCOL_ERROR in chrome+edge, SSL_ERROR_INTERNAL_ERROR_ALERT in firefox
If I add the intermediate directly in the *pem => No problems

tested TLS1.3, no problem with the fullchain

Code: [Select]
...
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=XXXXXXXXX
*  start date: Dec  7 22:01:20 2020 GMT
*  expire date: Mar  7 22:01:20 2021 GMT
...


4
20.7 Legacy Series / Re: Update 20.7.6 to 20.7.7 Update ERR_SSL_PROTOCOL_ERROR
« on: January 12, 2021, 12:04:19 pm »
I think the problem is that when you use Lets Encrypt Certificates via acme.sh the certificate in
Code: [Select]
ssl.pemfile = "/var/etc/cert.pem" (/var/etc/lighty-webConfigurator.conf)is only the private key + certificate.
The intermediate certifcate is missing. If you put the intermediate certificate into
Code: [Select]
/var/etc/cert.pem and restart the lighthttp it is working for me.
e.g.
Code: [Select]
cd /var/etc/acme-client/home/<MYNAME>
cat fullchain.cer <MYNAME>.key > /var/etc/cert.pemRestart lighthttpd

Perhaps it is this simple?

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2