Messages - Rajstopy

#1
It seems my issue slightly differs from what is explained in that thread. To sum up, I create an Authority Certificate #1, another Authority Certificate #2 and #3. When I delete Authority Certificate #1, #2 and #3 are gone...  :-\


Quote from: franco on April 24, 2024, 02:20:44 PM
This was reported and fixed in time for 24.1 I believe? https://github.com/opnsense/core/issues/7088


Cheers,
Franco
#2
Dear all,

I manage dozens of IPs and I use OPNsense to sign all my internal certificates.

I noticed a very weird thing and I would like to understand what happened. I just need to understand if I'm doing something wrong or if this may be a bug.

I created an authority certificate named Internal Reunion CA. At expiration, I created a new authority certificate named Internal Reunion CA 2023. I also created another certificate used for my backup system Bacula. Today I decided to delete the old Internal Reunion CA authority because it was outdated and no longer used at all. What a surprise when I noticed that OPNsense also deleted all the other certificates. Thanks to the configuration history I was able to restore all that stuff, but I don't understand why and how this could happen? Of course each of those certs has been created using the GUI -> Create an internal Certificate Authority.

Any idea ???

Running OPNsense 24.1.6
#3
Ok, thanks for confirming that. I will renew all and take care next time :-)
#4
Just want to do that because I have many more servers than clients...

I did try what I suggested but it seems not to be working... Clients are complaining about not recognizing the server certificate, even if the CA was signed with the initial private key... I fear that I will have to renew all my stuff, just did it 2 weeks ago and did not notice the CA expiration coming soon... My fault...
#5
Dear all,

Just a basic question there. I use OPNsense to manage all my internal SSL certificates. My internal certificate authority is going to expire in a couple of weeks and I'm just wondering whether it is possible to renew the existing CA. If I create a new one, I'll need to renew all my SSL certificates within my network.

I think I may avoid this by using the existing CA private key to sign the renewed CA, but I don't know how to do it on OPNsense.

Should I simply create a new CA on an external system, using the current private key for signature?

Cheers,
R.
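
Added example, not part of the member's posts and not OPNsense code: re-issuing a CA certificate from the existing private key, as the post above proposes, done with the openssl CLI on a scratch PKI. It goes one step beyond the question by also showing that the authority key identifier form stored in the already-issued certificates decides whether they keep verifying. All subjects, serials, lifetimes and file names are constructed.

```shell
#!/bin/sh
# Added example on constructed data: subjects, serials and lifetimes are made up.
renew_ca_demo() {
    d=$(mktemp -d) || return 1
    (
        set -e
        cd "$d"
        q() { "$@" >/dev/null 2>&1; }            # run a command quietly
        cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_keyid]
authorityKeyIdentifier = keyid
[leaf_serial]
authorityKeyIdentifier = keyid,issuer:always
EOF
        ca="/CN=Example Internal CA"
        # Old CA certificate (serial 1), close to expiry.
        q openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out old.crt \
            -subj "$ca" -days 14 -set_serial 1 -config pki.cnf -extensions ca_ext
        # One server CSR, signed twice under the old CA with different AKI forms.
        q openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
            -subj "/CN=server.example.internal" -config pki.cnf
        for s in leaf_keyid leaf_serial; do
            q openssl x509 -req -in leaf.csr -CA old.crt -CAkey ca.key -CAcreateserial \
                -days 10 -extfile pki.cnf -extensions "$s" -out "$s.crt"
        done
        # Renewal: same private key and subject, new serial and validity period.
        q openssl req -x509 -new -key ca.key -out new.crt \
            -subj "$ca" -days 3650 -set_serial 2 -config pki.cnf -extensions ca_ext
        # Verify the old leaves against the renewed CA certificate only.
        for s in leaf_keyid leaf_serial; do
            if q openssl verify -CAfile new.crt "$s.crt"; then r=ok; else r=fail; fi
            printf '%s:%s\n' "$s" "$r"
        done
    )
    rc=$?
    rm -rf "$d"
    return "$rc"
}
renew_ca_demo
```

The leaf whose authority key identifier holds only the key ID still verifies against the renewed CA certificate; the leaf that also records the old CA's issuer name and serial does not, because the renewed certificate carries a new serial.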
#6
Franco, you are just amazing  ;D

I'm able to sign my certs again.

Cheers


Quote from: franco on October 22, 2022, 10:16:54 AM


# opnsense-patch 854350f14bc


#7
Digging a little bit more into it, here is the pkg check output.

Do you think this may be linked?

root@mercure:~ # pkg check -da
Checking all packages: 100%
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0

>>> Missing package dependencies were detected.
>>> Found 2 issue(s) in the package database.

pkg: No packages available to install matching 'python37' have been found in the repositories
pkg: No packages available to install matching 'py37-setuptools' have been found in the repositories
>>> Summary of actions performed:

python37 dependency failed to be fixed
py37-setuptools dependency failed to be fixed

>>> There are still missing dependencies.
>>> Try fixing them manually.

>>> Also make sure to check 'pkg updating' for known issues.
#8
Dear all,

I've upgraded to OPNsense version 22.7.6 and since then, I'm no longer able to sign my SSL certificates for my internal PKI.  :-[

This is what I do:

System > Trust > Certificates > Sign a Certificate Signing Request

The Show Details looks great.

Then Next and I get the message Unknown Error Occurred. Try Again.

The crash reporter indicates the following:

[22-Oct-2022 07:57:33 Europe/Paris] PHP Fatal error:  Uncaught Error: Call to undefined method phpseclib3\File\X509::getOID() in /usr/local/www/system_certmanager.php:134
Stack trace:
#0 /usr/local/www/system_certmanager.php(411): parse_csr('-----BEGIN CERT...')
#1 {main}
  thrown in /usr/local/www/system_certmanager.php on line 134


User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15
FreeBSD 13.1-RELEASE-p2 stable/22.7-n250239-dde4437e8f2 SMP amd64
OPNsense 22.7.6 2eef9015b
Plugins os-net-snmp-1.5_1 os-ntopng-1.2_1 os-redis-1.1_1 os-vmware-1.5_1 os-zabbix-agent-1.13
Time Sat, 22 Oct 2022 08:00:50 +0200
OpenSSL 1.1.1q  5 Jul 2022
Python 3.9.14
PHP 8.0.24


I'm just stuck at that stage, because I have a lot of clients relying on this authority  :-\

Any idea?

Cheers

#9
Yes I guess this is the clue thank you!

I've found the following thread where someone encountered the same issue :

https://forum.opnsense.org/index.php?topic=19378.0

Sometimes it's amazing how you can waste time for almost nothing. I did check everything but MAC addresses 😤
#10
Hi there,

I've been struggling for two days with a very weird problem.

I run OPNsense on a VM on ESXi 6.7 with 3 interfaces (LAN, WAN and DMZ). No rocket science till now.

I wanted to add a new interface for a 4G backup connection. However, as soon as I add this new interface in VMware (just adding this new interface, nothing more), when I reboot OPNsense, the LAN interface does not respond anymore. If I have a look at the startup summary, the IP is the good one, on my LAN network plan. I use static IPs.

I don't understand why just adding a new interface could lead to unresponsiveness on my LAN IF  :-\

Totally stuck at that point.

Any advice would be very appreciated.....
#11
21.1 Legacy Series / What is pflog0 actually ?
April 09, 2021, 04:53:50 PM
Hi there,

Still having some trouble with those strange pflog0: promiscuous mode disabled / enabled in my log file.

What is pflog0 actually?

Cheers,

R.
#12
Hi there!

Obviously my post is confusing; I do apologize.

When I say I lost the connection, that's due to the fact OPNsense becomes unresponsive.

Digging a little bit in the ESXi log file, I found the following strange message happening from time to time, related to the VM linked to OPNsense:

2021-02-12T18:32:47.919Z| vmx| I125: Destroying virtual dev for scsi0:0 vscsi=8336
2021-02-12T18:32:47.919Z| vmx| I125: VMMon_VSCSIStopVports: No such target on adapter


I haven't found out yet if this may be a root cause.

Just thinking about my underlying VMware infrastructure rather than a faulty OPNsense...

Cheers
#13
Dear all,

This is a desperate call for help because I've now been struggling for months with disconnection issues, happening randomly on OPNsense.

My setup:
PowerEdge R240 - ESXi 6.7 and OPNsense 21.1 running in a VM.

Everything worked smoothly for months and the first issue happened since version 20.7.
I do experience random network disconnections. When this happens, OPNsense interfaces become totally unresponsive, but access to console remains possible.
I've checked for logs, but nothing really significant neither on ESXi side, nor in OPNsense. The only thing correlated with this frozen state is a bunch of pflog0: promiscuous mode enabled / disabled in the OPNsense log file. Sometimes hundreds of entries, looks as if something is looping.

I don't know how / what to investigate further and this issue just makes me crazy.

Just thinking about switching to pfSense to see if this issue still remains.

I've seen dozens of similar issues in this forum, but never seen any outcome / resolution.

Any help would be really appreciated.

Cheers
#14
Ok.... Same here.

And do you have open-vm tools installed? I think I don't  ???

R.
#15
Thanks! I've only 2 other VMs running Debian...

Are you using VMXNET3 adaptor? For all of OPNsense interfaces?