Messages

1

Tutorials and FAQs / Re: Tutorial 2023/05: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: June 21, 2023, 01:46:53 pm »

I'm having problems with my certificate not renewing, automatically and manually. I get the error 'domain validation failed (dns01)' in the 'System log' tab under ACME. I haven't changed my DNS hostname and it can still be accessed from the web (albeit with the 'NET::ERR_CERT_DATE_INVALID' error), including from the SSL Labs server certificate test website. I haven't made any recent changes to my HAProxy config either.

I thought maybe my internal DNS was a problem since I have query forwarding enabled in Unbound that redirects to the DNSCrypt-Proxy app in OPNsense, so I tried disabling it so that my ISP's DNS is used instead and the same thing happened. I also tried resetting the ACME client under Settings and again the same thing happened when I tried to manually renew.

What else should I try, or what other info do I need to give for troubleshooting?

Got it working by changing the API key for my desec hostname. Not sure why the old one stopped working, but just in case anyone else is in the same boat as me try deleting your API key, create a new one, then paste that into the challenge type settings.

2

Tutorials and FAQs / Re: Tutorial 2023/05: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: June 19, 2023, 10:59:08 am »

I'm having problems with my certificate not renewing, automatically and manually. I get the error 'domain validation failed (dns01)' in the 'System log' tab under ACME. I haven't changed my DNS hostname and it can still be accessed from the web (albeit with the 'NET::ERR_CERT_DATE_INVALID' error), including from the SSL Labs server certificate test website. I haven't made any recent changes to my HAProxy config either.

I thought maybe my internal DNS was a problem since I have query forwarding enabled in Unbound that redirects to the DNSCrypt-Proxy app in OPNsense, so I tried disabling it so that my ISP's DNS is used instead and the same thing happened. I also tried resetting the ACME client under Settings and again the same thing happened when I tried to manually renew.

What else should I try, or what other info do I need to give for troubleshooting?

3

Tutorials and FAQs / Re: Tutorial 2023/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: March 04, 2023, 07:15:52 pm »

Hi,

I followed this tutorial and my services now work as intended by typing https://[service].[hostname] for each web service I have (in Docker containers). Now I have a Docker called Organizr installed which I want to act as a 'homepage' that displays links to those services, and I want this to be accessible by just typing https://[hostname] and still use the same Let's Encrypt certificate to secure it.

How can I do this within the framework of this setup?

OK I tried by adding my full hostname as a new entry to the sub-domains mapping file followed by the corresponding backend for the Organizr service. When I type the hostname without https:// it doesn't load any SSL certificate or try to auto-redirect to HTTPS.  If I manually type https:// with the hostname, it gives an 'ERR_SSL_VERSION_OR_CIPHER_MISMATCH' error in my browser.

4

Tutorials and FAQs / Re: Tutorial 2023/02: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating

« on: March 04, 2023, 12:07:38 am »

Hi,

I followed this tutorial and my services now work as intended by typing https://[service].[hostname] for each web service I have (in Docker containers). Now I have a Docker called Organizr installed which I want to act as a 'homepage' that displays links to those services, and I want this to be accessible by just typing https://[hostname] and still use the same Let's Encrypt certificate to secure it.

How can I do this within the framework of this setup?

5

23.1 Legacy Series / IPv6 on WAN not working after update to 23.1.1

« on: February 16, 2023, 01:25:43 pm »

Hi,

Just updated to 23.1.1 and I noticed that I don't seem to get an IPv6 address on my WAN. I didn't change any settings before updating. I currently have the following settings for WAN for IPv6:

Code: [Select]

IPv6 configuration type: DHCPv6
Configuration mode: Basic
Request only an IPv6 prefix: [ticked]
Prefix delegation size: 56
Use IPv4 connectivity: [ticked]
This is my LAN setup for v6:

Code: [Select]

IPv6 configuration type: Track interface
IPv6 interface: WAN
IPv6 prefix ID: 1
Manual configuration (Allow manual adjustment of DHCPv6 and Router Advertisements): [ticked]
When I go to Services > DHCPv6 > [LAN], it says 'No available address range for configured interface subnet size'. Again I didn't change anything here before updating and it was working previously.

This worked before updating to 23.1.1 so I'm not sure what's happened. Where could I look to troubleshoot why my router doesn't get a v6 address anymore?

6

23.1 Legacy Series / HAProxy: accessing multiple sites by typing a "folder" name?

« on: February 02, 2023, 11:13:36 am »

Hi,

I currently have a DDNS hostname which points to my IP address and this is currently setup to redirect to one of my Docker containers on my server in the HAProxy settings. I have a second container which I also want to access remotely and I was wondering if I can do this in such a way that I could type a "folder" name after the hostname that would correspond to the container I want to access.

For instance, if I have Docker containers named 'first' and 'second', I would like to be able to type the following in the web browser to access each one respectively:

https://[hostname]/first
https://[hostname]/second

Is this possible in HAProxy?

7

22.7 Legacy Series / HAProxy: website loads only in some browsers

« on: January 15, 2023, 01:18:11 am »

Greetings,

I have Nextcloud setup on my home server and I want to be able to access it from both inside and outside my network via my DDNS hostname, which I've managed to get working...sort of.

It loads the login page fine if I use Firefox, Chrome or Brave (Chromium-based). But it turns out not all browsers are created equally after all...well either that or my configuration is wrong somewhere.  If I use Microsoft Edge it takes its time to give the error text "ERR_CONNECTION_TIMED_OUT", which is weird since it's now also Chromium-based. I also tested with a couple of mobile browsers including Samsung Internet Browser, SmartCookieWeb (both of which timed out in similar fashion), and Bromite (Chromium-based, this one works).

What could Firefox and Chrome be doing to load it which apparently Edge cannot do? Is this even an HAProxy issue? Any ideas?

8

22.7 Legacy Series / Re: Question about config backup/restore

« on: November 16, 2022, 11:22:37 pm »

Thanks for the input, at least that should reduce setup time

9

22.7 Legacy Series / Question about config backup/restore

« on: November 16, 2022, 01:54:36 pm »

I'm investigating the possibility of upgrading the PC on which my OPNsense installation runs for something newer, and I wanted to ask about configuration backups. At the moment I have a few plugins installed and running on my existing setup and wondered whether the plugins (or the record of them being installed) and/or their data get backed up when you create a config backup. Or would I need to manually reinstall/reconfigure the corresponding plugins on any new installation?

When I look at the Restore section under System > Configuration > Backups and open the drop-down menu to choose what to restore, I couldn't see anything mentioning plugins so I wasn't sure if it gets grouped under something else without explicitly listing it.

10

21.1 Legacy Series / Re: Suricata vs Sensei

« on: February 24, 2021, 06:18:22 pm »

OK, maybe I'll run both together and see how it goes.  Thanks 

11

21.1 Legacy Series / Suricata vs Sensei

« on: February 24, 2021, 11:36:06 am »

I recently heard about this OPNsense plugin called Sensei, which by the sounds of it basically adds all sorts of network protection tools as well as extra web filtering to your installation.  Is this like Suricata on steroids?  Would Sensei replace all its functionality making Suricata unnecessary, or could the two work side-by-side?

12

21.1 Legacy Series / Re: Very strange cron behaviour

« on: February 24, 2021, 11:21:43 am »

You could try moving the script into one of the folders mentioned in this link:

https://docs.opnsense.org/development/backend/autorun.html

Depending on which folder you put it in, the script will run under different conditions (e.g. the 'monitor' folder for "scripts handling gateway monitoring events").  You could then update the .conf file accordingly with the path.

13

21.1 Legacy Series / Re: Download encrypted OPNsense config file via script?

« on: February 23, 2021, 11:16:04 am »

Bump.

Perhaps there's an internal command that could be run on the server instead?  Even if it saved a local copy of an encrypted XML config I could probably work out the rest in a script in order to push the file elsewhere (e.g. local file server) for safer keeping as well as scheduling the task.

14

21.1 Legacy Series / Download encrypted OPNsense config file via script?

« on: February 20, 2021, 09:33:50 pm »

I found the following thread on this forum...

https://forum.opnsense.org/index.php?topic=15349.0

...but it's just over a year old so I thought I'd start a new thread to ask my question about this.  Is it possible to use some of the commands in that script to also set a password for the config before downloading, just like you'd set one in the web GUI when manually downloading the config?

15

21.1 Legacy Series / Email alert when WAN drops/reconnects?

« on: February 16, 2021, 01:15:32 pm »

I'd like to get an email alert from OPNsense when my WAN connection has dropped and reconnected. As a bonus it would be nice if it could also show me the new IP addresses (v4 and v6) within the email. How could I do this?