Topics - pingus

#1
Hi

I have about 10 old certificates listed in Trust -> Revocation Index. They all have no CRL Name. If I want to add a CRL Name I get the following errors:

Certificate does not seem to exist
or
Cert revocation error: CA certificate invalid: invalid date

If I want to add the CRL to the haproxy and run the syntax test I get the following:

[NOTICE] (78607) : haproxy version is 2.8.10-f28885f
[NOTICE] (78607) : path to executable is /usr/local/sbin/haproxy
[ALERT] (78607) : config : Couldn't open the ca-file '/tmp/haproxy/ssl/66d6c087b4b4f5.93264053.crllist' (no certificate or crl found).
[ALERT] (78607) : config : parsing [/usr/local/etc/haproxy.conf.staging:166] : 'bind *:4443' in section 'frontend' : 'crl-file' : unable to load /tmp/haproxy/ssl/66d6c087b4b4f5.93264053.crllist
[ALERT] (78607) : config : Error(s) found in configuration file : /usr/local/etc/haproxy.conf.staging
[ALERT] (78607) : config : Fatal errors found in configuration.

How can I remove those entries and start with a clean revocation list?

#2
Hi

I could request a dns-01 (cloudflare) wildcard certificate successfully, but under Services->Let's Encrypt->Certificates it shows up with Last Acme Status "validation failed". Is this a bug, or did something go wrong with the wildcard cert? The cert itself is working well.

Edit: I also got a host certificate with dns-01 and it also shows validation failed.

Regards,
Pingus
#3
Hi

With 17.1.8 I created two new LE certificates. I successfully got them and they are visible under System->Trusts->Certificates, but I am not able to add them to the haproxy frontend because they are not in the certificates drop-down list.

Firewall restart didn't help. Removing the certificates and re-issuing didn't help.

I could add certificates with one of the previous versions.

What else can I do? Any other ideas?

Regards
Pingus
#4
German - Deutsch / Let's Encrypt and haproxy from 17.1.1 on
February 11, 2017, 11:33:49 AM
Hello everyone

System 17.1.1, XenServer 7, Zotac Zbox CI323 nano, os_xen, os-acme-client and os-haproxy installed

I upgraded to 17.1.1 after starting my first attempts with haproxy and Let's Encrypt (see also: https://forum.opnsense.org/index.php?topic=4465.msg16989#msg16989)

First question: Is there already documentation for haproxy and Let's Encrypt from 17.1.1 on?

Since I am still a haproxy newbie, here are a few general questions (I use haproxy as a reverse proxy):

If I have read up correctly, you create one frontend for http and one frontend for https. Suppose I have different internal servers, one for webmail.example.com and one for www.example.com. I then create two backend servers and add both to the one frontend. If I want to do LB, then several servers are entered in one backend? Is that correct so far?

What do I need to do for the new acme_challenge_backend? Do I also have to add this backend entry to a normal *:80 frontend entry, or does it need a special frontend entry, or does the Let's Encrypt plugin take care of that? If not: how does the frontend server know that Let's Encrypt traffic is coming when a certificate is being issued?

I tried issuing a certificate as a test. I then get the following error message:

An API exception occured. Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php:331 - Trying to get property of non-object (errno=8)

And in the dashboard it also reports errors:

[11-Feb-2017 00:00:29 Europe/Zurich] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 176
[11-Feb-2017 00:00:29 Europe/Zurich] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 243
[11-Feb-2017 00:00:29 Europe/Zurich] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 123
[11-Feb-2017 10:13:35 Europe/Zurich] Exception: Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php:331 - Trying to get property of non-object (errno=8) in /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php:84
Stack trace:
#0 /usr/local/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php(331): OPNsense\Base\ApiControllerBase->APIErrorHandler(8, 'Trying to get p...', '/usr/local/opns...', 331, Array)
#1 [internal function]: OPNsense\AcmeClient\Api\SettingsController->fetchHAProxyIntegrationAction()
#2 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\AcmeClient\Api\SettingsController), 'fetchHAProxyInt...', Array)
#3 [internal function]: Phalcon\Dispatcher->_dispatch()
#4 [internal function]: Phalcon\Dispatcher->dispatch()
#5 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#6 {main}
[11-Feb-2017 10:14:10 Europe/Zurich] Exception: Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php:331 - Trying to get property of non-object (errno=8) in /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php:84
Stack trace:
#0 /usr/local/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php(331): OPNsense\Base\ApiControllerBase->APIErrorHandler(8, 'Trying to get p...', '/usr/local/opns...', 331, Array)
#1 [internal function]: OPNsense\AcmeClient\Api\SettingsController->fetchHAProxyIntegrationAction()
#2 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\AcmeClient\Api\SettingsController), 'fetchHAProxyInt...', Array)
#3 [internal function]: Phalcon\Dispatcher->_dispatch()
#4 [internal function]: Phalcon\Dispatcher->dispatch()
#5 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#6 {main}
[11-Feb-2017 10:17:20 Europe/Zurich] Exception: Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php:331 - Trying to get property of non-object (errno=8) in /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php:84
Stack trace:
#0 /usr/local/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php(331): OPNsense\Base\ApiControllerBase->APIErrorHandler(8, 'Trying to get p...', '/usr/local/opns...', 331, Array)
#1 [internal function]: OPNsense\AcmeClient\Api\SettingsController->fetchHAProxyIntegrationAction()
#2 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\AcmeClient\Api\SettingsController), 'fetchHAProxyInt...', Array)
#3 [internal function]: Phalcon\Dispatcher->_dispatch()
#4 [internal function]: Phalcon\Dispatcher->dispatch()
#5 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#6 {main}
[11-Feb-2017 11:29:31 Europe/Zurich] Exception: Error at /usr/local/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php:331 - Trying to get property of non-object (errno=8) in /usr/local/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php:84
Stack trace:
#0 /usr/local/opnsense/mvc/app/controllers/OPNsense/AcmeClient/Api/SettingsController.php(331): OPNsense\Base\ApiControllerBase->APIErrorHandler(8, 'Trying to get p...', '/usr/local/opns...', 331, Array)
#1 [internal function]: OPNsense\AcmeClient\Api\SettingsController->fetchHAProxyIntegrationAction()
#2 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\AcmeClient\Api\SettingsController), 'fetchHAProxyInt...', Array)
#3 [internal function]: Phalcon\Dispatcher->_dispatch()
#4 [internal function]: Phalcon\Dispatcher->dispatch()
#5 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#6 {main}

Many thanks for your help!
#5
17.1 Legacy Series / Let's Encrypt and haproxy
February 07, 2017, 02:29:03 PM
Hi

I'm testing OPNsense with haproxy and Let's Encrypt, but it will not issue a certificate because the path is not found (http based).

It is not fully clear to me what Let's Encrypt is doing in http based issuing. Does it stop any web services on the firewall itself and then start its own web service to provide the necessary web path? If so, does it also stop the haproxy, or is this not necessary?

Or, does it need the web server the certificate is for? Makes no sense to me because OPNsense is not able to write into the backend webservers http directory.

Many thanks for the clarification.
#6
German - Deutsch / HAProxy and dynamic WAN address
February 06, 2017, 02:42:56 PM
Hello

How can I configure haproxy so that it uses the dynamic IP of the WAN interface for Listen Addresses? In PFSense you can select that. I hope this is possible, otherwise I'll switch to pfsense after all (also because of OSPF), even though I would prefer OPNsense.

Thanks for any hints.

Edit: OPNsense 17.1-amd64, os-haproxy 1.11