Messages - Rumor

#1
Yep, that job is created if you click the 'update schedule' tab in ACME settings. Apart from that, I have other manually added jobs and none of them were working. I just started my investigation from the ACME job, which was first on the list.
#2
julsssark, I use the os-acme-client plugin to generate certificates for my domains and that job auto-renews them (they are valid only for 3 months).
#3
Problem FIXED. It's almost a story for a movie ))
The 'permission denied' reason was that opnsense/service/configd_ctl.py is a Python file whose shebang runs /usr/local/bin/python3, but the /usr/local/bin folder had lost its all/world permission bits (it had rwxr-x---) because of my misconfigured Ansible script, which had installed some stuff under the /bin folder earlier. So because of this, /usr/local/bin/python3 was inaccessible for all non-wheel users and silently failed for them when executing .py scripts.

Thank you for guiding me through this mystery, @Ben S!
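The root cause in the post above is easy to miss with a plain ls of the script, because the blocked component is on the interpreter's path (/usr/local/bin), not on the script's path that was checked. The script below is an added example, not code from this thread or from OPNsense: it walks every ancestor directory of a script and of the interpreter named in its shebang and reports any directory that "others" cannot search. The demo tree it builds is constructed for illustration (a 750 bin directory mirroring the thread's symptom), and the STOP argument bounds the walk so the demo stays inside its own temporary directory; on a live box you would pass / as STOP.

```shell
#!/bin/sh
# Added example (not from the thread or OPNsense): report which path component
# denies traversal to a user who is neither the owner nor in the group. Both a
# script and the interpreter named in its shebang need the "others" search bit
# on every ancestor directory, which is what a 750 /usr/local/bin breaks.

# others_exec PATH -> the "others" execute/search character from `ls -ld`
others_exec() {
    ls -ld "$1" | cut -c10
}

# blocked_dirs PATH STOP -> prints every ancestor of PATH (up to, but not
# including, STOP) that others cannot search; returns 1 if any, else 0
blocked_dirs() {
    rc=0
    p=$(dirname "$1")
    while [ "$p" != "$2" ] && [ "$p" != "/" ]; do
        case "$(others_exec "$p")" in
            x|t) ;;                                  # search bit present
            *)   echo "BLOCKED: $p"; rc=1 ;;
        esac
        p=$(dirname "$p")
    done
    return $rc
}

# interpreter_of SCRIPT -> interpreter path from the shebang line ("" if none)
interpreter_of() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# check_script SCRIPT STOP -> 0 if SCRIPT and its shebang interpreter are
# reachable by others below STOP, 1 otherwise (blocked directories printed)
check_script() {
    script=$1; stop=$2; rc=0
    blocked_dirs "$script" "$stop" || rc=1
    interp=$(interpreter_of "$script")
    if [ -n "$interp" ]; then
        blocked_dirs "$interp" "$stop" || rc=1
    fi
    return $rc
}

# demo_tree -> prints the root of a constructed tree: a world-readable script
# whose shebang points at an interpreter inside a directory with mode 750
demo_tree() {
    root=$(mktemp -d) && chmod 755 "$root"
    mkdir -p "$root/usr/local/bin" "$root/usr/local/opnsense/service"
    printf '#!/bin/sh\necho python3 stub\n' > "$root/usr/local/bin/python3"
    printf '#!%s/usr/local/bin/python3\nprint("hi")\n' "$root" \
        > "$root/usr/local/opnsense/service/configd_ctl.py"
    chmod 755 "$root/usr/local/bin/python3" \
              "$root/usr/local/opnsense/service/configd_ctl.py" \
              "$root/usr" "$root/usr/local" \
              "$root/usr/local/opnsense" "$root/usr/local/opnsense/service"
    chmod 750 "$root/usr/local/bin"          # the misconfiguration from the thread
    echo "$root"
}
```

On the thread's system, `check_script /usr/local/opnsense/service/configd_ctl.py /` would have printed `BLOCKED: /usr/local/bin`, which is exactly the directory the fix restored to 755. The check reads permission bits with ls rather than switching users, so it works as root and does not depend on setfacl, which the post above found unsupported on that filesystem; it does not follow symlinks, so resolve the script with `realpath` first if you start from a link such as /usr/local/sbin/configctl.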
#4
Yes, all intermediate folders are readable by all:

# ls -ld / /usr /usr/local /usr/local/sbin /usr/local/opnsense /usr/local/opnsense/service /usr/local/sbin/configctl /usr/local/opnsense/service/configd_ctl.py
drwxr-xr-x  21 root  wheel  1024 May 24 21:53 /
drwxr-xr-x  13 root  wheel   512 Apr  2 15:52 /usr
drwxr-xr-x  17 root  wheel   512 Apr  2 15:55 /usr/local
drwxr-xr-x  11 root  wheel   512 Apr  2 15:55 /usr/local/opnsense
drwxr-xr-x   6 root  wheel   512 May 21 22:27 /usr/local/opnsense/service
-rwxr-xr-x   1 root  wheel  6081 May 21 10:49 /usr/local/opnsense/service/configd_ctl.py
drwxr-xr-x   2 root  wheel  2560 May 21 22:27 /usr/local/sbin
lrwxr-xr-x   1 root  wheel    34 May 21 10:50 /usr/local/sbin/configctl -> ../opnsense/service/configd_ctl.py
#5
Thanks for the quick response.

The 'crontab -l -u nobody' shows the ../cron/nobody content, thanks.

When I tried su -m nobody -c 'configctl acmeclient cron-auto-renew' it gave me '/usr/local/sbin/configctl: Permission denied', although both /usr/local/sbin/configctl and the ../opnsense/service/configd_ctl.py that it references are world-readable:

lrwxr-xr-x  1 root  wheel  34 May 21 10:50 /usr/local/sbin/configctl -> ../opnsense/service/configd_ctl.py
-rwxr-xr-x  1 root  wheel  6081 May 21 10:49 /usr/local/opnsense/service/configd_ctl.py

I tried to grant nobody access to that file:
setfacl -m u:nobody:rx /usr/local/sbin/configctl

but got: acl_get_file() failed: Operation not supported
#6
I've scratched my head over this problem, so I need your help (I'm quite a noob with FreeBSD but learning).
OPNsense 24.1.7_4-amd64
FreeBSD 13.2-RELEASE-p11

Problem: none of my custom jobs (system->settings->cron) are run, no matter what I tried.

Description:
The cron daemon auto-starts and runs the OPNsense-provided jobs with no problem (see the backend logs):

# service cron status
cron is running as pid 7636.

# ps ax | grep
7636  -  Ss      0:00.00 /usr/sbin/cron -s


I've added a new custom job on the system->settings->cron page to run every midnight:
   0   0   *   *   *   AcmeClient Cronjob for Certificate AutoRenewal   Renew ACME

Of course, I clicked the Apply button, so the cron changes are reflected/logged in system->log files->backend:

2024-05-25T12:50:27 Debug configd.py OPNsense/Cron generated //var/cron/tabs/nobody
2024-05-25T12:50:27 Notice configd.py generate template container OPNsense/Cron
2024-05-25T12:50:27 Notice configd.py [1541edde-25f0-4024-9ea3-bb6e7bc58af8] generate template OPNsense/Cron


and this job is successfully added to /var/cron/tabs/nobody:

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
#
# User-defined crontab files can be loaded via /etc/cron.d
# or /usr/local/etc/cron.d and follow the same format as
# /etc/crontab, see the crontab(5) manual page.
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
#minute hour    mday    month   wday    command
# Origin/Description: AcmeClient/AcmeClient Cronjob for Certificate AutoRenewal
0   0   *   *   *   /usr/local/sbin/configctl -d 'acmeclient cron-auto-renew'


My other discoveries:
* the /var/log/cron folder doesn't exist, while 'google' says it should exist and contain the cron logs. Don't know whether that is true, but still.
* crontab -l outputs only jobs from /var/cron/tabs/root but none from /nobody:

# crontab -l
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem
#minute hour    mday    month   wday    command
1       *       *       *       *       (/usr/local/sbin/configctl -d syslog archive) > /dev/null
2       *       *       *       *       (/usr/local/sbin/expiretable -v -t 3600 sshlockout) > /dev/null
3       *       *       *       *       (/usr/local/sbin/expiretable -v -t 3600 virusprot) > /dev/null
4       *       *       *       *       (/usr/local/etc/rc.expireaccounts) > /dev/null
*/4     *       *       *       *       (/usr/local/sbin/ping_hosts.sh) > /dev/null
0       22      *       *       *       (/usr/local/sbin/configctl -d firmware changelog cron) > /dev/null
0       */24    *       *       *       (/usr/local/etc/rc.syshook.d/backup/20-rrd) > /dev/null
1       3       1       *       *       (/usr/local/sbin/configctl -d filter schedule bogons) > /dev/null
*       *       *       *       *       (/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables.lock /usr/local/opnsense/scripts/filter/update_tables.py) > /dev/null


Problem:
No matter what schedule I set for this job, or what other jobs I added that do other stuff, even if they run every minute (*/1 * * * *) - none of these custom jobs are run.
But the job runs successfully when started manually via configctl <command> <subcommand>!
And it seems these custom jobs haven't worked from the beginning (my OPNsense was installed a couple of months ago), because one of my jobs was checking for firmware updates and I never saw the 'new version' notification when I logged into the OPNsense web UI.

I.e., I've tried adding other custom jobs on the ->Cron page and changing their schedule to run at a specific time or recurrently - they are neither run nor found in the backend logs by any keyword.
Then I added a 'shutdown host' job that runs a custom actions script to shut down the host and .... it didn't run.
I also tried restarting the cron service, restarting the OPNsense host, reading OPNsense GitHub issues, the Reddit channel, this forum, Google, etc. - no luck.

It's f...ng magic that just doesn't work.
#7
Thank you for the reference, I've missed that 'TCP/UDP support' notice.

I've looked at the caddy.layer4 app, and apart from its alpha status it currently supports only a JSON config, which isn't compatible with the Caddyfile. So it seems the only way here is to move to another reverse proxy.
#8
Hi,

Newcomer to OPNsense and the Caddy plugin for my homelab, so bear with me, please. Googled, searched this forum and the Caddy forums with no luck.

What I have: OPNsense 24.1.4 (with the web UI on port 4433), os-caddy 1.5.2 on port 443, both residing on the same host 192.168.1.1.

What I need:
1) add/expose a mydomain.tld from OPNsense's Unbound to my home network; the domain will point to my intranet IP with a real server (RealServer below).
2) when someone opens https://<mydomain.tld> they should be redirected to RealServer:port.
3) when someone SSHes to mydomain.tld:22 they should eventually SSH to RealServer:22.
4) nice to have: if someone reaches mydomain.tld:any_port_except_443 they should reach the same RealServer:any_port_except_443

What I did:
OPNSense:
* add mydomain.tld to Unbound and point it to 192.168.1.1 so that Caddy will route its requests.
Caddy:
* add mydomain.tld to the Domains tab and a handler for it to proxy mydomain.tld:443 to RealServer:port.

So far so good; if I open https://mydomain.tld I indeed receive the RealServer:port web page.

The problem is with the SSH (22) TCP port, which isn't HTTP and isn't automatically handled by Caddy. I tried adding the same domain a second time (caddy/Domains tab) but with Reverse Proxy Port=22 and a corresponding handler to RealServer:22, but that didn't help (the SSH connection was successful, but I connected to my OPNsense box instead of RealServer, since mydomain.tld points to 192.168.1.1 in Unbound).

So the question: how do I define a single reverse proxy domain and multiple handlers for HTTPS and TCP source ports pointing to the same destination server but different ports?
Ideally I could define one handler to proxy mydomain.tld:443 -> RealServer:someport and another 'wildcard' handler mydomain.tld:anyport -> RealServer:anyport, but if I need to define a handler per specific port explicitly, I could live with it.

I've found that Caddy has the Layer4 app, which seems to fulfil my needs for proxying TCP traffic, but os-caddy isn't built with it and doesn't support it, so it's kind of a hard way I would like to omit for now.

@Monviech, your help will be very appreciated. Thanks for the plugin a lot, BTW.
#9
With every OPNsense reboot, the following Unbound-related errors appear in the OPNsense logs:

2024-03-15T00:15:22 Error opnsense /usr/local/sbin/pluginctl: The command '/sbin/umount '/var/unbound/lib'' returned exit code '1', the output was 'umount: /var/unbound/lib: not a file system root directory'
2024-03-15T00:15:22 Error opnsense /usr/local/sbin/pluginctl: The command '/bin/kill -'TERM' '39073''(pid:/var/run/unbound.pid) returned exit code '1', the output was 'kill: 39073: No such process'
2024-03-15T00:15:22 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure unbound_start (execute task : unbound_configure_do(1))
2024-03-15T00:15:22 Notice opnsense /usr/local/sbin/pluginctl: plugins_configure unbound_start (1)


If I reboot the Unbound service manually, the following errors appear in the log:

2024-03-15T22:02:01 Error opnsense /usr/local/sbin/pluginctl: The command '/sbin/mount -r -t nullfs '/lib' '/var/unbound/lib'' returned exit code '1', the output was 'mount_nullfs: /var/unbound/lib: Resource deadlock avoided'
2024-03-15T22:02:01 Error opnsense /usr/local/sbin/pluginctl: The command '/sbin/umount '/var/unbound/lib'' returned exit code '1', the output was 'umount: unmount of /var/unbound/lib failed: Device busy'


Unbound is working correctly and the /var/unbound/lib folder is mounted/present on the host.

It's a very fresh OPNsense 24.1.3_1-amd64 installation. I've googled and searched this forum for these errors with no luck.
Is there anything I can do to get rid of them?