Messages - pingus

1
24.7 Production Series / Remove old certificates from Revocation Index
« on: September 03, 2024, 11:11:31 am »
Hi

I have about 10 old certificates listed in Trust -> Revocation Index. They all have no CRL Name. If I want to add a CRL Name I get the following errors:

Certificate does not seem to exist
or
Cert revocation error: CA certificate invalid: invalid date

If I want to add the CRL to the haproxy and run the syntax test I get the following:

[NOTICE] (78607) : haproxy version is 2.8.10-f28885f
[NOTICE] (78607) : path to executable is /usr/local/sbin/haproxy
[ALERT] (78607) : config : Couldn't open the ca-file '/tmp/haproxy/ssl/66d6c087b4b4f5.93264053.crllist' (no certificate or crl found).
[ALERT] (78607) : config : parsing [/usr/local/etc/haproxy.conf.staging:166] : 'bind *:4443' in section 'frontend' : 'crl-file' : unable to load /tmp/haproxy/ssl/66d6c087b4b4f5.93264053.crllist
[ALERT] (78607) : config : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] (78607) : config : Fatal errors found in configuration.

How can I remove those entries and start with a clean revocation list?


2
21.1 Legacy Series / Re: Many thanks and the traffic graphs are beautiful!
« on: March 16, 2021, 12:33:28 pm »
So I will reply to myself: Just select all interfaces in the dropdown box  8) ... :o

3
21.1 Legacy Series / Re: Many thanks and the traffic graphs are beautiful!
« on: March 16, 2021, 12:31:27 pm »
Hi

Hmm, I only see one interface. Do I have to change something to see all interfaces as it was before on the dashboard?

Regards,
Thomas

4
19.1 Legacy Series / Re: Let's Encrypt: Doesn't seem to know it's working?
« on: June 14, 2019, 08:05:21 pm »
+1 19.1.9 still the same.

5
19.1 Legacy Series / Re: FRR IPv4 routes are not displayed
« on: June 03, 2019, 03:50:01 pm »
I have the same problem.

Edit:
Works on VM
Does not work on 2x APU2

6
19.1 Legacy Series / Re: Let's Encrypt: Doesn't seem to know it's working?
« on: April 06, 2019, 07:40:07 pm »
Have the same problem: https://forum.opnsense.org/index.php?topic=11350.msg51317#msg51317

7
18.7 Legacy Series / Let's Encrypt DNS-01 wildcard validation failed
« on: January 28, 2019, 04:26:52 pm »
Hi

I could request a dns-01 (cloudflare) wildcard certificate successfully but under Services->Let's Encrypt->Certificates it shows up with Last Acme Status "validation failed". Is this a bug or did something go wrong with the wildcard cert? The cert itself is working well.

Edit: I also got a host certificate with dns-01 and it also shows validation failed.

Regards,
Pingus

8
17.1 Legacy Series / Re: [WORKAROUND] OpenVPN Site to site not routing
« on: June 27, 2017, 03:16:21 pm »
See this post here: https://forum.opnsense.org/index.php?topic=3984.msg20878#msg20878

Try to add a Client exception with the remote subnet re-added as already done within the server settings.

9
17.1 Legacy Series / Re: Let's Encrypt certificates not visible in haproxy
« on: June 06, 2017, 06:11:43 pm »
Oh, there was a bug report on the firewall:

PHP Errors:

[06-Jun-2017 09:06:50 Europe/Zurich] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 123
[06-Jun-2017 09:08:45 Europe/Zurich] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 123
[06-Jun-2017 09:10:01 Europe/Zurich] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 123

10
17.1 Legacy Series / Re: Let's Encrypt certificates not visible in haproxy
« on: June 06, 2017, 03:42:13 pm »
Let's Encrypt Authority X3 (Let's Encrypt) is added.

Older certificates generated with an earlier version of opnsense (for different domains than the two I need now) are still visible in haproxy

11
German - Deutsch / Re: Reverse proxy with HAProxy plugin
« on: June 06, 2017, 03:08:58 pm »
For me it mostly works, but with Nextcloud behind it I keep getting timeouts ...
Unfortunately the Sense isn't running entirely smoothly yet, but since it's not my main firewall I can live with a few shortcomings.

12
17.1 Legacy Series / Let's Encrypt certificates not visible in haproxy
« on: June 06, 2017, 09:19:55 am »
Hi

With 17.1.8 I created two new LE certificates. I successfully got them and they are visible under System->Trusts->Certificates but I am not able to add them to the haproxy frontend because they are not in the certificates drop down list.

Firewall restart didn't help. Removing the certificates and re-issuing didn't help.

I could add certificates with one of the previous versions.

What else can I do? Any other ideas?

Regards
Pingus

13
16.7 Legacy Series / Re: Access network behind an OpenVPN client? P2P setup: Need manual route?
« on: May 15, 2017, 02:16:41 pm »
Try to add a Client exception with the remote subnet re-added as already done within the server settings.

Edit: If this is possible with version 16. I only "know" version 17

14
German - Deutsch / Re: Reverse proxy with HAProxy plugin
« on: May 02, 2017, 01:54:05 pm »
Hi vita

I've struggled with this problem too. No idea whether this is the correct way, but at least it works like this  ;D ) Also have a look at the ACL and Action that ACME (Let's Encrypt) has already entered.

First you create the servers. Then the corresponding backends with the servers you created before.

Then I created ACLs: one per domain for SSL and, if needed, one ACL for non-SSL.
For each I filled in the name of the ACL, the expression (SNI TLS extension matches for SSL / Host matches for non-SSL) and, as value, the hostname (www.example.com).

Then set up actions, one per URL. Defined in each: Name, Test type: IF (default), Logical operator: OR, Choose action: Use Backend, Use Backend: select the corresponding backend.

Now create one frontend for SSL and one for non-SSL. For Listen Addresses I used *:80 and *:443 respectively. Type SSL / HTTPS or HTTP / HTTPS. If you want, select a default backend. Add the required certificates and then add all actions under Actions.

The actions define to which backend the frontend sends the request. For SSL this has to be done with the SNI TLS extension; for non-SSL you can simply do it via the hostname.

>> Please correct me if I've configured something wrong here or if it can be done better!
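The server → backend → ACL → action → frontend chain described in the post above, written out as the kind of haproxy.conf those plugin settings end up as. This is an added example, not the poster's configuration and not output of the OPNsense plugin: the backend names, hostnames, addresses and the certificate directory are placeholders, and it assumes the HTTPS frontend terminates TLS on the firewall (the offloading type, since certificates are attached to it), so the SNI match uses ssl_fc_sni.

```haproxy
# Added example (not the poster's configuration): servers, backends,
# per-domain ACLs, use_backend actions and one frontend for plain HTTP
# and one for HTTPS. All names, addresses and paths are placeholders.

global
    log stdout format raw local0

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# 1. Servers, grouped into one backend per application.
backend bk_nextcloud
    # Re-encrypt to the backend and verify its certificate.
    server nextcloud1 192.0.2.10:443 ssl verify required ca-file /usr/local/etc/ssl/cert.pem

backend bk_wiki
    server wiki1 192.0.2.20:80

# 2. Plain-HTTP frontend (*:80): "Host matches" ACLs.
frontend fe_http
    bind *:80
    acl host_cloud req.hdr(host),lower -m str cloud.example.com
    acl host_wiki  req.hdr(host),lower -m str wiki.example.com
    # Actions (IF / OR / Use Backend): one per domain.
    use_backend bk_nextcloud if host_cloud
    use_backend bk_wiki      if host_wiki
    # Optional default backend.
    default_backend bk_wiki

# 3. HTTPS frontend (*:443): TLS is terminated here with the certificates
#    placed in the directory, and strict-sni rejects handshakes for names
#    that have no certificate instead of answering with a random one.
frontend fe_https
    bind *:443 ssl crt /usr/local/etc/ssl/haproxy/ strict-sni
    # "SNI TLS extension matches" ACLs: ssl_fc_sni is the server name the
    # client sent in its ClientHello.
    acl sni_cloud ssl_fc_sni -i cloud.example.com
    acl sni_wiki  ssl_fc_sni -i wiki.example.com
    http-request set-header X-Forwarded-Proto https
    use_backend bk_nextcloud if sni_cloud
    use_backend bk_wiki      if sni_wiki
    default_backend bk_wiki
```

Once TLS is terminated the Host header is available in the HTTPS frontend as well, so the Host ACLs from fe_http would also work there; the SNI expression becomes necessary with a TCP-mode passthrough frontend, where HAProxy never decrypts the request. In that mode the sample is req.ssl_sni, and the frontend needs tcp-request inspect-delay so that the ClientHello has arrived before the ACL is evaluated. Checking a staged configuration with haproxy -c -f, as OPNsense's syntax test does, catches backend or certificate references that do not resolve before the running instance is reloaded.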

15
German - Deutsch / Re: OpenVPN routes do not work
« on: April 24, 2017, 08:31:16 am »
It finally worked. I had to create "Client Specific Overrides" for each client. There I only entered the remote network again (and the common name).
On the server the remote networks are already entered as a comma-separated list.

Is that the usual way? For S2S the server entry should be enough, shouldn't it?:

These are the IPv4 networks that will be routed through the tunnel, so that a site-to-site VPN can be established without manually changing the routing tables. Expressed as a comma-separated list of one or more CIDR ranges. If this is a site-to-site VPN, enter the remote LAN/s here. You may leave this blank if you don't want a site-to-site VPN.
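Why the override was needed in addition to the server entry, shown as an added example that is not the poster's configuration: in OpenVPN server mode the two settings correspond to two different directives, a kernel route on the firewall and an iroute that binds the subnet to one client session. Addresses, the common name and file paths are placeholders; the mapping of the OPNsense "Remote Networks" fields onto route and iroute is stated here from how OpenVPN itself works, not quoted from the plugin.

```openvpn
# Added example (not the poster's configuration). Two files that together
# make a site-to-site tunnel forward traffic to a LAN behind one client.
# Addresses, common name and paths are placeholders.

# --- server.conf (excerpt) ---
server 10.8.0.0 255.255.255.0
# Server-side "Remote Networks": installs a route in the firewall's kernel
# so that packets for the remote LAN are handed to the tun interface.
route 192.168.20.0 255.255.255.0
# Per-client files, one per certificate common name, are read from here.
client-config-dir /usr/local/etc/openvpn/ccd

# --- ccd/branch-office (excerpt, file name = the client's common name) ---
# The "Client Specific Override": iroute tells the OpenVPN process (not the
# kernel) which connected client owns that subnet. The kernel route alone
# delivers the packet to OpenVPN, but without iroute no client session is
# associated with 192.168.20.0/24, so the packet is dropped and the reverse
# direction is rejected as a bad source address.
iroute 192.168.20.0 255.255.255.0
```

So both entries are expected for a multi-client server: route for the operating system, iroute for OpenVPN's own routing between sessions. A missing iroute is visible in the OpenVPN log as packets from the remote LAN being refused for the client, which is a quicker check than re-doing the GUI settings.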

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved