Topics - usr1324

1
21.7 Legacy Series / 500 error in system_certmanager.php after update
« on: August 09, 2021, 06:07:12 pm »
Hi guys

I've updated today from 20.X to the latest 21.7 and the pages for trust in the web GUI are giving me a 500 error. It does that if I try to create a new certificate in OPN or if I try to make it sign a CSR.

In lighttpd.log I see:

Aug  9 16:07:02 firewall lighttpd[38170]: (mod_fastcgi.c.419) unexpected end-of-file (perhaps the fastcgi process died):pid: 55793 socket: unix:/tmp/php-fastcgi.socket-1
Aug  9 16:07:02 firewal lighttpd[38170]: (gw_backend.c.2275) response not received, request sent: 2098 on socket: unix:/tmp/php-fastcgi.socket-1 for /system_certmanager.php?act=new, closing connection
Aug  9 16:08:31 firewall lighttpd[38170]: (mod_fastcgi.c.419) unexpected end-of-file (perhaps the fastcgi process died):pid: 55793 socket: unix:/tmp/php-fastcgi.socket-1
Aug  9 16:08:31 firewall lighttpd[38170]: (gw_backend.c.2275) response not received, request sent: 2098 on socket: unix:/tmp/php-fastcgi.socket-1 for /system_certmanager.php?act=new, closing connection
Aug  9 16:10:27 firewall lighttpd[38170]: (mod_fastcgi.c.419) unexpected end-of-file (perhaps the fastcgi process died):pid: 55793 socket: unix:/tmp/php-fastcgi.socket-1
Aug  9 16:10:27 firewall lighttpd[38170]: (gw_backend.c.2275) response not received, request sent: 2098 on socket: unix:/tmp/php-fastcgi.socket-1 for /system_certmanager.php?act=new, closing connection

In the browser (tried both latest Chrome and Firefox, same error):


<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>500 Internal Server Error</title>
 </head>
 <body>
  <h1>500 Internal Server Error</h1>
 </body>
</html>


The version is:

Versions    OPNsense 21.7.1-amd64
FreeBSD 12.1-RELEASE-p19-HBSD
LibreSSL 3.3.3



I have another firewall in the exact same version and went there to create a cert and it created just fine, so I believe this has something to do with the particular data or "state" in this firewall.

The reason I had to go create a certificate just now is that I noticed with the new openvpn version it doesn't like certificates that have a space in the beginning of the CN. They stopped working after I updated OPNsense to 21.7 from 20.X, but I don't think the presence of certs like that is causing the UI to have the error 500, because in my 2nd test firewall I can create certs before and after creating a certificate with a space in the beginning of the CN field.

What could I do to get more info on this? From the timestamp the other files in /var/log don't seem to relate to the webserver. Is there a "debug mode" or something?

As a workaround for now I downloaded the CA data and issued a certificate externally and it's working with openvpn.

Thanks



2
General Discussion / 2 DHCP servers and 2 OPN servers: broadcast query
« on: June 26, 2019, 02:23:57 pm »
Hello community

I have a network setup in which I have 1 OPNSense as a NAT and another OPNSense as a router (no NAT) to another internal subnet. Like this:

internet --- OPN1-NAT--- SubnetC1 --- OPN2-NON_NAT --- SubnetC2

Both OPNSense have DHCP servers running in the internal LAN interface only (OPN1 should serve a range in subnetC1 and OPN2 serves a range in SubnetC2).

The problem I have is that sometimes the machines in C1 get an IP from C2 and vice versa.

Is there a way I can configure the filtering to avoid this from happening?

Thanks

3
18.1 Legacy Series / weird issue with opnsense unresponsive over vmware
« on: May 03, 2018, 11:01:11 am »
Hello opnsense community

I have had a weird issue twice with two different opnsense versions (17.7.8 and 18.1.6). I tried to search the issue in freebsd and I couldn’t find anything similar. So please bear with me.

I have a VM with OPNsense over a VMWare ESX 5.5 (on an old Xeon machine, old enough to not have AES NI capabilities). This machine is configured as a firewall/NAT/openvpn with two interfaces and runs some additional services. The VMWare only runs two VMs and is not overloaded by any means (and when the issue happens I don't see anything weird in resource usage in the other VM). The OPNsense has plenty of resources (4GB of RAM, one vCPU, 40GB of disk space with less than 10% of disk space used).

Now here is the issue that happened twice: one day with no warning connectivity starts to get very slow. I know this could be said to be an external problem, but there are no indications that this is the case. It gets slow for people using any resource (openvpn, ssh, nat). I tried for example to copy logs to a machine in the LAN and also to a machine in the WAN side (internet) and the scp just slows to a halt. At the same time the graphs indicate high latency, I have disconnections and in the system graphs (CPU, mem), there are long sections without records (as if the machine was completely unresponsive for 5 to 10 minutes). This happened several times until I decided to reboot. So sometimes it simply gets completely unresponsive or when it's responsive all traffic is very slow.

In the ESX logs or esxtop nothing indicates an overload of resources or any other issue that could explain the unresponsiveness. In the dmesg logs it just shows reset of the WAN interface due to apinger not able to ping its gateway, but nothing indicating why there is this slow down / unresponsiveness issue.

As I couldn’t copy the logs out of the machine I simply did a "cp -rf /var/log /var/log.$date" as I wanted to preserve them. After that I simply rebooted the VM and everything started working again, as if there was no issue in the beginning.

Yes, it's an old ESX, the underlying hardware is reasonably old, but I just don’t have any explanation on why this happens, and months apart, in two different kernel major versions and why the issue stopped immediately after the reboot.

Has anybody seen this? Any thoughts? I might migrate this gateway to a bare metal for a few weeks just to have the ESX out of the equation but I don’t even know if I can justify that. I googled a bit "vmware unresponive" + "opnsense/pfsense/freebsd" and no joy.

Thx
