OPNsense


Topics - skydiver

1
23.1 Legacy Series / ACME LetsEncrypt + Cloudflare
« on: August 11, 2023, 01:58:09 am »
I cannot seem to be able to get the ACME script Let's Encrypt DNS-01 method to work.
Code:
2023-08-10T00:00:02-05:00 acme.sh [Thu Aug 10 00:00:02 CDT 2023] Error add txt for domain:_acme-challenge.mydomain.com
2023-08-10T00:00:02-05:00 acme.sh [Thu Aug 10 00:00:02 CDT 2023] invalid domain
2023-08-10T00:00:01-05:00 acme.sh [Thu Aug 10 00:00:01 CDT 2023] Adding txt value: 5Kp3S8Hg-------------------------h8cVZ_3CU0 for domain: _acme-challenge.mydomain.com
2023-08-10T00:00:01-05:00 acme.sh [Thu Aug 10 00:00:01 CDT 2023] Getting webroot for domain='*.mydomain.com'
2023-08-10T00:00:00-05:00 acme.sh [Thu Aug 10 00:00:00 CDT 2023] Getting domain auth token for each domain
2023-08-10T00:00:00-05:00 acme.sh [Thu Aug 10 00:00:00 CDT 2023] Single domain='*.mydomain.com'
2023-08-10T00:00:00-05:00 acme.sh [Thu Aug 10 00:00:00 CDT 2023] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory

I don't know if I have entered my Cloudflare credentials in the correct slots in the OPNsense config.

I have mapped the credentials in my Cloudflare account as outlined in the attached image.

I would like to know if I am mapping the credentials correctly. Also, there is a line in the ACME logs:
Code:
2023-08-10T00:00:02-05:00 acme.sh [Thu Aug 10 00:00:02 CDT 2023] Please add '--debug' or '--log' to check more details.
How do I add this to get more detailed logs?

2
23.1 Legacy Series / ddclient and Dynu DNS
« on: July 15, 2023, 05:17:34 pm »
I am on my third DNS provider trying to find a provider that will work with both the new ddclient and also the new ACME client.
I am now working to get Dynu DNS after I was able to get NameCheap DYN DNS working but then found that NameCheap requires a history and more domains hosted than I need to enable my access to the API for use with ACME client.

I have an issue with DYNU setup in OPNsense as follows:
debug ddclient log:
Code:
2023-07-15T10:02:58-05:00 Notice ddclient[32333] 92754 - [meta sequenceId="7"] SUCCESS: wg.mydomain.com: skipped: IPv4 address was already set to 66.69.---.---.
2023-07-15T10:02:58-05:00 Notice ddclient[32333] 90378 - [meta sequenceId="6"] SUCCESS: synology.mydomain.com: skipped: IPv4 address was already set to 66.69.---.---.
2023-07-15T10:02:58-05:00 Notice ddclient[32333] 89244 - [meta sequenceId="5"] SUCCESS: plex.mydomain.com: skipped: IPv4 address was already set to 66.69.---.---.
2023-07-15T10:02:58-05:00 Notice ddclient[32333] 87399 - [meta sequenceId="4"] SUCCESS: ha.mydomain.com: skipped: IPv4 address was already set to 66.69.---.---.
2023-07-15T10:02:58-05:00 Notice ddclient[32333] 85050 - [meta sequenceId="3"] SUCCESS: fw.mydomain.com: skipped: IPv4 address was already set to 66.69.---.---.
2023-07-15T10:02:58-05:00 Notice ddclient[32333] 83060 - [meta sequenceId="2"] SUCCESS: dc.mydomain.com: skipped: IPv4 address was already set to 66.69.---.---.
2023-07-15T10:02:58-05:00 Notice ddclient[32333] 80525 - [meta sequenceId="1"] WARNING: 'if-skip' is deprecated and does nothing for IPv4

I don't know where OPNsense is finding that the IP it needs to update is already set. All the DNS records that I have created at the other providers were changed to other IP addresses before I then deleted said accounts.
I also made sure the TTL for these records was set to 10 minutes when they were created while testing.
I have waited now 24 hours and it still is producing the same "IP is already set" message.

I have the ddclient logging set to debug but I am missing where the process is querying these A hosts for the current IP address.

Can anyone assist me to troubleshoot this?

3
18.7 Legacy Series / Lost access to web gui
« on: May 16, 2019, 04:00:36 pm »
We had our primary internet service and while attempting to get a backup circuit activated and connected, I lost access to the Webgui from outside and inside the network. It appears to have happened when I disabled the down WAN interface.

I was still able to get the network up and working with our new circuit after I completed the provider's circuit activation but still cannot gain access to the webgui.

I tried accessing the webgui from the new WAN2 interface (I had set up all the access rules before I realized that the circuit had not yet been activated).

The root password isn't working so I am going to have to wait until I can boot into single user mode so I can try to rollback the config to before I made the change but I need help.

  • Where are the auto-created backups stored in the file system?
  • How can I roll it back from the console so I can go back to before I disabled the interface? (My last backup is over a year old)
  • How can I identify why this happened?
This is not the first time this has occurred and I still cannot figure out how I can lock myself out of the Webgui. I have the anti-lockout rules in place and active on ALL internal LAN segments.

I have never seen a firewall that essentially can break itself with no warning like this. Is there a failsafe way to ensure this cannot occur in the future?

Once I get access to the filesystem, I can back up the changed versions of the xml and try to provide more details of what change was made that killed this.

I would really like the ability to apply changes in RAM instead of writing to disk as a default.  This way if something breaks, a simple reboot will restore to the most recently saved config like most other routers.

4
General Discussion / Assigned the LAN interface that the Default Name fqdn is assigned to
« on: June 19, 2018, 11:37:17 pm »
My Default Hostname and domain is getting registered to the wrong internal NIC on my OPNsense firewall. How can I assign the default host name being registered to the correct NIC on the firewall?

5
General Discussion / Lost access to Web GUI
« on: June 15, 2018, 11:17:15 pm »
I lost access to the web GUI after an unknown change on our FW.  Is there a way to roll back to a system state prior to the change from the CONSOLE?

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved