Messages - Mr_Flibble

#1
Thank you everyone! Sorry I did not reply sooner - having the outage kept me mostly offline.

Quote from: meyergru on March 17, 2026, 10:48:35 PM
You probably installed a newer version of OPNsense where ISC DHCP has become a plugin. Once you have your internet back up, you can reinstall the package and get everything up and running again.

Yep, that was exactly it! I had updated OPNsense just 2 days before the line went down, so I had not noticed the new names.


Quote from: nero355 on March 18, 2026, 05:06:39 PM
Quote from: Mr_Flibble on March 17, 2026, 10:34:47 PM
the original static DHCP listings
Small TIP for when you get everything working again:

You can Export all Static DHCP Mappings from ISC/KEA/Dnsmasq to a .CSV file and Import it back into ISC/KEA/Dnsmasq again.

So switching between any of those DHCP Services has been made very easy and without any issues too! :)

Oh, this is PERFECT, thank you!


Quote from: pfry on March 18, 2026, 09:31:59 PM
Quote from: Mr_Flibble on March 17, 2026, 10:34:47 PM
[...]due to heavy snow, a power line went down and sent a surge up the cable line.[...]

Cable as in DOCSIS? I wonder if something like this would have helped (and be worth the insertion loss). It's just a hunk of aluminum with a (replaceable) gas tube (mine has the 90V). What's the likelihood of lightning striking twice, so to speak?

Yes, a gas discharge tube is on my list! The DOCSIS modem caught fire!

Fried Protectli FW2B - the RAM also had magic smoke loss, as did the Cat5e cable

The innards of the S33 Modem:

The actual cable on the pole - whatever sort of joiner was there, I think it may have evaporated.

The line is (mostly) back up, as is the new modem and router. I say mostly, as the damage was so severe they are going to have a lineman back out to do more work.
#2
I have been running OPNsense for 3+ years, and unfortunately due to heavy snow, a power line went down and sent a surge up the cable line. This let the magic smoke out of the modem, Cat6 cable, and the router running OPNsense.

Fortunately, I take nightly backups, and after getting new (identical) hardware (Protectli FW2B) I was able to install OPNsense and upload my config.xml.

I am running the latest download ISO, and we still don't have a main internet line to update any packages, as that line was melted.

However, while the backup worked, the original static DHCP listings seem to be missing - I set them up back in the day when they were called DHCPv4 under the Services menu, but now I only see the KEA DHCP and no other options.

This is a problem, as many devices do not seem to be getting their static DHCP leases back, and I cannot remember what I set them to all those years ago.

Where should I look for these settings?

Also, given that I currently have no internet, will OPNsense try to get the missing packages I installed prior when I do have WAN again? That is, does the config.xml remember the Plugins I had and can pull them again?
#3
Quote from: dseven on February 01, 2025, 11:02:46 AM
You could just increase your certificate lifetime a bit? 24 hours is a bit arbitrary. I'm not sure how I feel about this passive revocation concept, but the fact that you have to use a force option is a rather large clue that the tooling wasn't designed for it....

I am using passive revocation, so unfortunately I cannot increase my certificate lifetime. However, since switching to 25.1 the problem seems to happen less often. At least so far. It still fails, but I set the cron job to try to run every 6 hours, instead of every 12 hours, and now it seems to fail for the first run, then succeed on the second, and continue like that.
#4
Well, here is a fun one to revisit this. I logged into OPNsense today, and found that my above hack didn't seem to work anymore. Probably because of updates. Makes sense. I upgraded to 25.1, and it seems that the entire codebase has changed (again, makes sense), but now I cannot renew my certificates because OPNsense does not seem to believe that they need to be - even though they expire after 24 hours.

New files seen here:
https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient
#5
Ok, so commenting out the code like so:


        // Decide whether or not to continue.
        //if (!($this->needsRenewal()) and !($this->force)) {
            // Renewal not required. Do nothing.
        //    LeUtils::log("issue/renewal not required for certificate: " . (string)$this->config->name);
        //    return false;
        //}


Works now - this is the sanity check that exists to prevent spamming a provider. In my case, since I am the provider, I am ok with spamming my own service. However, I think this is a terrible hack - if you can even call it that, because sanity checks are a good idea.

Anyone know where `force` is properly set? I would have assumed config.xml, but it seems not to be so - or I don't understand OPNsense enough yet.
#6
I am using step-ca as well for all my home configs, and it is working... partially... with OPNsense.

In fact, trying to troubleshoot I stumbled across your post. My issue is different: I can get step-ca to work with HTTP validation, but I cannot get it to renew quickly, as OPNsense seems to think that a renewal is not required.

My issue/thread is here:

https://forum.opnsense.org/index.php?topic=34054.0

Did you get yours working? If not, I can share my configs that got me to start the renewal - I am just trying to figure out how to get it to actually renew when the cron job tells it to do so.
#7
So, if I am reading this correctly (and with my PHP skills being terrible, I am not certain I am).

This is the code that controls when the plugin runs, and it does contain a "force" option:

https://github.com/opnsense/plugins/blob/master/security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeCertificate.php

What I am (so far) unable to figure out is if this code is rejecting the re-issue, or if it is acme.sh itself.

As far as I can tell, changing the public function boolean from false to true in line 53 should enable force:

public function __construct(string $uuid, bool $force = false, bool $cron = false)

But it does not seem to do so. Maybe I am reading the code wrong and it is defined elsewhere.

Looking at the acme log - it seems like acme isn't being called by the PHP code, because I see no acme logs. But I do see acme client logs:

2023-05-17T09:53:00-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan
2023-05-17T09:52:58-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan
2023-05-17T09:52:30-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan
2023-05-17T09:50:34-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan
2023-05-17T09:36:50-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan
2023-05-17T09:09:52-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan
2023-05-17T09:08:37-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan
2023-05-17T09:08:34-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan
2023-05-17T09:01:42-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan
2023-05-17T09:01:06-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan
2023-05-17T00:10:00-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan
2023-05-16T18:39:50-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan


It all seems related to this post, which was for a different issue.

https://forum.opnsense.org/index.php?topic=25797.0

In case anyone is wondering, this is the header of the certificate as I post this at 10 am on May 17 2023:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5d:2d:4e:d0:c2:d4:15:51:31:f9:2e:4e:55:38:37:8c
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = Tiny Intermediate CA
        Validity
            Not Before: May 16 20:58:27 2023 GMT
            Not After : May 17 20:59:27 2023 GMT
        Subject: CN = opnsense.home.lan
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:

I guess I have not figured out how to properly set the force flag - now that I know it is actually in the code.

*EDIT*

Yes, it is within this PHP code - I just need to figure out how to ensure the force flag gets enabled:


        // Decide whether or not to continue.
        if (!($this->needsRenewal()) and !($this->force)) {
            // Renewal not required. Do nothing.
            LeUtils::log("issue/renewal not required for certificate: " . (string)$this->config->name);
            return false;
        }

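Added example, not code from the thread or from the acme-client plugin: a small monitor that reads the certificate header and the AcmeClient log lines quoted above and flags every "issue/renewal not required" entry written while the certificate had less than a given fraction of its lifetime left. The plugin's own needsRenewal() rule is not shown in the thread, so the fraction-of-lifetime window used here is an assumption chosen so one rule fits both 90-day and 24-hour certificates.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the certificate header and a subset of the
# AcmeClient log lines quoted in the thread.
CERT_TEXT = """\
Certificate:
    Data:
        Validity
            Not Before: May 16 20:58:27 2023 GMT
            Not After : May 17 20:59:27 2023 GMT
        Subject: CN = opnsense.home.lan
"""
LOG_LINES = [
    "2023-05-17T09:53:00-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan",
    "2023-05-17T09:01:06-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan",
    "2023-05-17T00:10:00-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan",
    "2023-05-16T18:39:50-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan",
]
LOG_RE = re.compile(r"^(?P<ts>\S+) \S+ AcmeClient: issue/renewal not required for certificate: (?P<name>\S+)$")

def _openssl_time(value: str) -> datetime:
    # 'May 16 20:58:27 2023 GMT'; split() also collapses the padding openssl uses for single-digit days
    return datetime.strptime(" ".join(value.replace("GMT", "").split()), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse_validity(cert_text: str) -> tuple[datetime, datetime]:
    """Return (not_before, not_after) from 'openssl x509 -text' style output."""
    not_before = re.search(r"Not Before\s*:\s*(.+)", cert_text).group(1)
    not_after = re.search(r"Not After\s*:\s*(.+)", cert_text).group(1)
    return _openssl_time(not_before), _openssl_time(not_after)

def stuck_renewals(cert_text, log_lines, min_fraction=0.25):
    """Flag 'renewal not required' entries logged when less than min_fraction of the
    certificate's lifetime remained. Returns [(timestamp, seconds_left), ...].
    The fraction-of-lifetime window is this example's assumption, not the plugin's rule."""
    not_before, not_after = parse_validity(cert_text)
    lifetime = (not_after - not_before).total_seconds()
    flagged = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        when = datetime.fromisoformat(m.group("ts"))  # keeps the -07:00 offset
        left = (not_after - when).total_seconds()
        if left / lifetime < min_fraction:
            flagged.append((m.group("ts"), int(left)))
    return flagged

if __name__ == "__main__":
    print(stuck_renewals(CERT_TEXT, LOG_LINES))
```

With the sample data, the two morning entries are flagged (about 4 hours of a 24-hour certificate remained when the plugin declined to renew), while the entries from the previous evening and midnight are not.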
#8
I have the Acme Client plugin, I installed it following this tutorial:

https://forum.opnsense.org/index.php?topic=23339.0

It works fine with one caveat. I am not running a "normal" 90-day Let's Encrypt sort of cert. Instead, I am running a SmallStep CA of my own on a Raspberry Pi. This means my certificates only last 24 hours. (Passive Revocation)

Details Here:
https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/

On my other systems, I force acme.sh to run with the --force flag (or I use certbot); this way, I can update the certificate every 10 hours.

For the Acme Plugin for OPNsense, it refuses to renew my certificate based on the cron job because it assumes it does not need to, as it ran less than 10 hours prior. For my TrueNAS (BSD based) system, I just changed the acme.sh parameters to include the "--force" flag, and it now runs as expected via cron.

The acme plugin for OPNsense does not appear to do that - or does not give me a way to handle that. I can't seem to figure out where to add flags in the GUI. I could go to the shell and edit this - but that feels like a kludge, and I am not sure if plugin updates will maintain any changes I would make.

When I try to trigger the cron job to update the certificate I get:

2023-05-16T10:00:00-07:00 opnsense AcmeClient: issue/renewal not required for certificate: opnsense.home.lan

It should be possible to add the --force flag to the acme plugin.

Does anyone know how to do that?