Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Topics - wschlich

#1
Hi!

It seems that /usr/local/etc/nginx/nginx.conf is only rewritten/updated upon disabling+re-enabling the nginx service.

I added an HTTP server and a Location, but no server {} entry was visible in nginx.conf, even after re-starting the service.

Only after I disabled and re-enabled the service, the nginx.conf was rewritten/updated and contains the configured server {} entry.

I consider this a bug?

Cheers,
Wolfram
#2
Hi!

I have created the following setup:

1. Created "Root CA" using the OPNsense trust manager
2. Created "Server CA" as intermediate of Root CA using the OPNsense trust manager
3. Created "VPN CA" as intermediate of Root CA using the OPNsense trust manager
4. Generated a server certificate "Server Cert" signed by "Server CA" using the OPNsense trust manager
5. Created an OpenVPN server using the wizard with the following settings:
5.1. Server Certificate: "Server Cert"
5.2. Peer Certificate Authority: "VPN CA"
5.3. Certificate Depth: "Do Not Check"
5.4. Strict User/CN Matching: (x)
6. Created a user "vpnuser" with a client certificate issued by "VPN CA"
7. Created an OpenVPN client export for the "vpnuser"

Then, I when I try to connect from the client, the server complains that it cannot verify an issuer certificate:


Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 TLS Error: TLS handshake failed
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 TLS Error: TLS object -> incoming plaintext read error
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 TLS_ERROR: BIO read tls_read_plaintext error
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Feb 12 20:52:41 openvpn[16478]: CLIENT_IP:20435 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=xx, ST=xxx, L=xxx, O=xxx, emailAddress=xxx, CN=VPN CA


The strange workaround, according to two other existing threads in this forum (https://forum.opnsense.org/index.php?topic=9888.0 and https://forum.opnsense.org/index.php?topic=4830.0), is to manually append the "Root CA" certificate data at the end of the "VPN CA" certificate data in the OPNsense trust manager.

That should not be required! OPNsense should configure OpenVPN to use the entire local CA certificate chain.

Cheers,
Wolfram
#3
Hi!

When running the OPNsense VGA installer (OPNsense-19.1-OpenSSL-vga-amd64.img.bz2) on a Sophos XG115 Rev 2, I can see the console output on the VGA display until the line "Booting...".
From there on, all console output is only displayed on the serial port.

I thought the VGA version of OPNsense should be using VGA-only and the serial port not at all...?

Cheers,
Wolfram