Topics - gazd25

#1
Hi All,

Firstly, I'd like to thank everybody for their sterling work on OPNsense, people like me would be much worse off without it, so thank you very much to all contributors.

I've been refining my OPNsense config for some considerable time and while it's now relatively complex, I have reached a very positive place with pretty much everything I want working correctly.

I have been having a minor problem for some time; I think it actually started back around the 23.1 release, which was around the time I first deployed IPv6 on my network. It's more of a niggle than a serious issue, but the ability to replicate the fault fairly consistently does suggest a potential timing issue in the code at boot that might be responsible.

My system publishes the IPv6 /56 from my ISP using track interface on my LAN network to a /64 internally. DHCPv6 sends my prefix from the ISP and they don't publish me an IP, so an auto-assigned one is set, but this is relatively normal and all traffic routes and works as expected.

The problem comes in that after boot up the system will be working and routing IPv6 correctly, then an unknown number of minutes later, for some reason will stop routing. When this happens, I'll go to the dashboard interface and restart the routing service manually and it'll start routing IPv6 again and until I reboot next time, it'll continue working as expected.

I would say the above occurs maybe 9/10 boots and occasionally, for a reason I also can't define, it simply continues to work as expected.

I'm hoping one of the experts here can help me get to the bottom of the root cause and fix, and I'm happy to collect logs and test as needed since I run OPNsense in a VM with easy snapshot and rollback capability.

Many thanks

Gareth

#2
23.1 Legacy Series / ACME Cert Renewals
June 12, 2023, 03:49:19 PM
Hi Guys,

On my up to date OPNsense 23.1.9-amd64 firewall, I've noticed that my ACME certificate renewals are both now showing as failed validation in the logs as below:

2023-06-12T14:32:53   acme.sh   [Mon Jun 12 14:32:53 BST 2023] Error add txt for domain:_acme-challenge.contoso.com
2023-06-12T14:32:53   acme.sh   [Mon Jun 12 14:32:53 BST 2023] invalid domain

I can't see much history in the logs but it seems to have shown the same error for the last few renewal attempts, which happen at midnight automatically.

The ACME renewal process uses the Cloudflare DNS validation method and no config changes have been made at all. Until recently this has always worked very well for me without issues.

I did run an update this morning and noticed a new ACME script was brought down, so wondered if there have been any changes which might have impacted this?

I also tried to force renew and noted that the extra text record never appears in Cloudflare DNS as expected, so it does appear to be some change, but it's difficult to say for sure.

I've got a snapshot and rollback capability so am going to try a few different things in testing, but thought it was first worth raising to see if it's just me.

Thanks for any help.

Gareth
#3
22.7 Legacy Series / 22.7.6 Upgrade HAProxy CRL Problem
October 14, 2022, 10:39:30 AM
Hi All,

I've just updated my OPNSense from 22.7.5>6 this morning and I'm now seeing an error around HAProxy being unable to start due to a CRL problem because I use client certificate authentication.

All certs are being issued by a local CA on the OPNSense firewall

I've already tried removing and recreating the CRL then re-adding it to the HAProxy frontend, none of which has made any difference. For now, to get HAProxy to start correctly I've had to remove the CRL from the public facing frontend, but this is less than ideal.

If I try and re-add it I see the pictured error when doing a syntax test from the HAProxy GUI, so it's definitely related to the CRL somehow, but I can't figure out what's actually wrong.

Coupled to this, the crash reporter is now also regularly reporting the below error, even though HAProxy is functional albeit with no CRL for any revoked certs:

[14-Oct-2022 08:29:49 Europe/London] PHP Fatal error:  Uncaught Error: Call to undefined function crl_update() in /usr/local/opnsense/scripts/OPNsense/HAProxy/exportCerts.php:74
Stack trace:
#0 {main}
  thrown in /usr/local/opnsense/scripts/OPNsense/HAProxy/exportCerts.php on line 74
[14-Oct-2022 08:30:30 Europe/London] PHP Fatal error:  Uncaught Error: Call to undefined function crl_update() in /usr/local/opnsense/scripts/OPNsense/HAProxy/exportCerts.php:74
Stack trace:
#0 {main}
  thrown in /usr/local/opnsense/scripts/OPNsense/HAProxy/exportCerts.php on line 74
[14-Oct-2022 08:30:58 Europe/London] PHP Fatal error:  Uncaught Error: Call to undefined function crl_update() in /usr/local/opnsense/scripts/OPNsense/HAProxy/exportCerts.php:74
Stack trace:
#0 {main}
  thrown in /usr/local/opnsense/scripts/OPNsense/HAProxy/exportCerts.php on line 74

I know there were some changes to CRL handling, but I thought this was only supposed to impact OpenVPN, which seems to be working fine.

Any help in resolving would be very much appreciated guys.

Many thanks

Gareth
#4
Hi Everybody,

Firstly thanks very much to everybody involved in making OPNSense the amazing product it is, I have had great luck with it so far, but have hit a wall I seem unable to get over and am hoping somebody can help.

I'm in the process of moving away from my old StartSSL certificates which have been painful for a while and have effectively worked out how to use LetsEncrypt and HAProxy to give me all the HTTP/HTTPS functionality I require.

The only problem I have left over is to do with importing the certificates from the OPNSense firewall in an automated way to two mail servers in my environment, one of which is a mail scanning gateway and the other is an Exchange 2016 server. The reason for the certificate requirement is because I need to enable STARTTLS receive functionality.

It ultimately would be far easier to use the LetsEncrypt instance on OPNSense to renew/maintain the certificates for my domain and automatically export and import them in to the servers as required every 60-90 days, but trying to automate this process is proving difficult.

Unfortunately everything I've tried so far doesn't seem to be working, which includes trying to automate a forms login for a user that only has access to the cert page and trying to find the certificates in a location I can script an SCP session to download from the firewall.

I realise of course I can just login to the system manually, click the button to export and then run the process to import them to my mail servers, but that sort of breaks the whole point of automating the certs in the first place :)

The API doesn't currently appear to allow access to the System > Trust > Certificate menus, so after days of trying and reading I'm at the point of asking.

I'd be happy enough to create a cron job on the firewall itself which copies the certs out to another location automatically. That works around the issue of incoming security, which the firewall is clearly very well hardened to protect against and for good reason, but my skills on this type of scripting are fairly limited.

Does anybody have any ideas?

Thanks in advance for any help

Gareth