Messages

1

General Discussion / Re: Expired letsencrypt ssl cert locked out of GUI

« on: May 27, 2024, 01:48:51 pm »

Thankyou, your advice got me further than I had in several days on my own!
The shell menu wasn't available to the admin user, but I was able to reset the root user password as noted in the docs. This allowed me to log in a root and follow your suggestion below.

I got webGUI back on HTTP and removed the expired certs, but when I switch back to HTTPs and select the self signed cert, the browser is still being issued an old expired cert (completely the wrong cert too somehow). Network has a wildcard cert of

Code: [Select]

*.subdomain.domain.TLDwhich was what the Opnsense was/should be using. There was also a second cert for a specific web exposed app

Code: [Select]

subdomain2.domain.TLDwhich I have since deleted.

The Opnsense install is getting the correct IP (checked by ping), but is being issued the subdomain2 cert.
I have locked myself out over and over trying to get back to a HTTPS using the default self signed cert so I can take your advice and reverse proxy the GUI.

Is it possible to force the cert beyond just selecting it from 'System > Settings > Administration - SSL Certificate'?

2

General Discussion / Expired letsencrypt ssl cert locked out of GUI

« on: May 25, 2024, 02:08:32 pm »

Hi all,

I had set up SSL using the ACME plugin using letsencrypt, and all was working well. I did not need to access the GUI for months, and now that I do, it is returning

Code: [Select]

503 Service Unavailable
No server is available to handle this request.
The cert being shown to the browser has

Code: [Select]

Issued By
    Common Name (CN) R3
    Organization (O) Let's Encrypt
    Organizational Unit (OU) <Not Part Of Certificate>
Validity Period
    Issued On Friday, December 29, 2023 at 8:50:18 PM
    Expires On Thursday, March 28, 2024 at 8:50:17 PMwhich is clearly long out of date.

From serching the forums it appears that the expired cert is tied to the 503 error.

I had a cron job set up to renew the cert which does not seem to have run.

Code: [Select]

<job uuid="611156f2-ca1a-4107-b788-bc046178280b">
<origin>AcmeClient</origin>
<enabled>1</enabled>
<minutes>0</minutes>
<hours>0</hours>
<days>*</days>
<months>*</months>
<weekdays>*</weekdays>
<who>root</who>
<command>acmeclient cron-auto-renew</command>
<parameters/>
<description>AcmeClient Cronjob for Certificate AutoRenewal</description>
</job>
I still have SSH, but only as an admin, not as root.

My problem is, how do I revert to either the default SSL or enable HTTP so I can access the GUI? I have been trying everything I can think of for several days with no success. Many of the suggestions I have found are not working due to the lack of root privileges available to me.

My backups all include the letsencrypt SSL config, so rolling back to them would not fix the issue.
I REALLY don't want to start from a clean install again!

3

General Discussion / Re: HAProxy is currently DISABLED

« on: December 28, 2023, 12:11:24 pm »

Aaaaand I found it myself.... duh

Services > HAProxy > Settings > Settings > Service : Enable HAProxy

4

General Discussion / HAProxy is currently DISABLED

« on: December 28, 2023, 11:55:47 am »

Hi all,
Im wanting to expose some servers in my homelab to the web, and the HAProxy looks like the best way to do it.
Tutorials I have been looking at are

• How to: Opnsense+HAProxy as reverse proxy for self-hosted serviceshttps://community.spiceworks.com/how_to/177181-opnsense-haproxy-as-reverse-proxy-for-self-hosted-services
• Tutorial 2023/12: HAProxy + Let's Encrypt Wildcard Certificateshttps://forum.opnsense.org/index.php?topic=23339.0

I have acme client and ddclient up and running (previously done).
I have installed the HAProxy plugin, and see it in services, however, it shows as disabled in the config??

Code: [Select]

#
# Automatically generated configuration.
# Do not edit this file manually.
#

#
# NOTE: HAProxy is currently DISABLED
#
global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats






# statistics are DISABLED

I previously had ngix installed and running, so I removed it, did a restart, uninstalled HAProxy, restarted, reinstalled HAProxy, etc. etc. thinking that may have been the cause, but it does not seem to have resolved the disabled issue.

How do I enable the plugin??
Thanks in advance!

5

General Discussion / Simple interface status monitoring

« on: December 15, 2023, 01:10:07 am »

Hi All,

Simple requirement, but not immediately obvious how to implement.

I have a basic OPNSense instance running on dedicated hardware. 1 WAN, 1 LAN.
My WAN interface is dropping for brief periods throughout the day. This is nothing to do with OPNSense, its the ISP device that is dropping.

What I am looking for is a way to capture when the interface is down. It is reported on the dashboard WHILE its down, but there is nothing in the GUI logs.

I have NetFlow and Insight running, but this isn't really showing the interface status, only the traffic (or lack of).

Simplest solution is a log that I can query that shows

• Interface (WAN):Up:(~time)
• Interface (WAN):Down:(~time)
• Interface (WAN):Up:(~time)

and so on.

Best solution would be to push these events out to / be able to query them from a different server on my network.

End goal is to be able to show ISP how unstable their network/ hardware is and force them to fix it.

Im sure there is an OOTB solution, I just need to be pointed in the right direction!
Thanks in advance.

6

General Discussion / Re: Cannot reach a client with ping

« on: February 28, 2023, 01:16:05 pm »

I thought it would be embarrassingly simple...
Turned off the domain firewall in Windows security on the client @ .101 and hey presto.

Thanks tiermutter!!

7

General Discussion / Cannot reach a client with ping

« on: February 28, 2023, 12:59:19 pm »

Hi all, first post and its an embarrassingly simple one.
I have just set up an OPNSense machine on physical hardware to act as a firewall/ router.

It is set up with the WAN interface connected to my existing LAN while I get it set up.
ISP Modem/Router -> Dumb Switch -> OPNSense Machine -> Dumb Switch -> Clients (2)

So far I have:

• Installed the OS
• Run the automatic interface assignment

DHCP is working correctly, and there are only the auto configured rules in the firewall.

Open DNS is disabled
Unbound DNS is enabled

All other settings are defaults.

• Both clients have internet access
• Both clients have OPNSense GUI access
• One client (192.168.x.100) can ping both the OPNSense machine (192.168.x.1) and the other client
• One client (192.168.x.101) can ping the OPNSense machine (192.168.x.1), but not the other client

I cannot understand why the client at .101 cannot be pinged from either the OPNSense machine or the client at .100.

I wont upload a bunch of screen shots yet, as I dont know what is helpful and what is not.
Thanks in advance for any help!