Messages - Taomyn

106
21.1 Legacy Series / Various errors reported on console during startup
« on: February 11, 2021, 08:58:58 am »


For a while I've had some errors that pop up on the console each and every time I restart the firewall, so I am wondering if anyone can either tell me the cause or which area of the GitHub to create a new issue in.

Code:
chown: /var/mib_indexes: No such file or directory
Code:
Warning: "mod_compress" is DEPRECATED and has been replaced with "mod_deflate"
Code:
ngctl: send msg: No such file or directory

The actual messages are shown in the attached screen shot.

Code:
OPNsense 21.1.1-amd64
FreeBSD 12.1-RELEASE-p13-HBSD
OpenSSL 1.1.1i 8 Dec 2020


107
21.1 Legacy Series / Re: ERR_SSL_PROTOCOL_ERROR GUI
« on: February 06, 2021, 09:15:19 am »
I was able to upgrade from 20.7.8_4 to 21.1 without any issues this time, so for me clearing house on all the CA and generated certificates for the old Let's Encrypt CAs sorted it out.

108
20.7 Legacy Series / Re: Update 20.7.6 to 20.7.7 Update ERR_SSL_PROTOCOL_ERROR
« on: February 06, 2021, 09:13:55 am »
I was able to upgrade from 20.7.8_4 to 21.1 without any issues this time, so for me clearing house on all the CA and generated certificates for the old Let's Encrypt CAs sorted it out.

109
20.7 Legacy Series / Re: Update 20.7.6 to 20.7.7 Update ERR_SSL_PROTOCOL_ERROR
« on: January 26, 2021, 10:45:16 am »
Quote from: Julien on January 25, 2021, 10:40:37 pm
Is this going to be fixed someday?
After every update I keep getting this error ERR_SSL_PROTOCOL_ERROR and have to restore the
Code:
opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart

I am at 20.7.8 now but the error still appeared.


As I did, you need to double check all the certificates are valid - for me the one being used by the OPNsense GUI was generated by Let's Encrypt but was still using the old CA/Intermediate CA. When I deleted it and forced it to be renewed by LE, it then showed as signed by "R3", the new CA, and the error did not come back when updated back to the latest version. Although, as I also wrote, the upgrade did delete the first certificate I renewed and replaced it with a self-signed one, so I had to force renew it again a second time and re-assign it.

110
20.7 Legacy Series / Re: Update 20.7.6 to 20.7.7 Update ERR_SSL_PROTOCOL_ERROR
« on: January 23, 2021, 02:50:32 pm »

I had this happen to me again upgrading from 20.7.7 with the older 20.7.6 lighttpd, repeated errors about the firewall's GUI certificate. After the first reboot I had zero connectivity to the firewall nor through to the Internet, there was no access to a terminal even directly, so connecting a keyboard I hit ctrl-alt-del and this time I at least had connectivity but the web GUI was still broken.


Reverted lighttpd back to 20.7.6 and regained access. Looking back through this thread I read about the Let's Encrypt CAs and did a mass tidy up, deleted the old CAs leaving just the new R3. Regenerated the firewall's certificate, assigned it and restarted the GUI. All was well.


I then from the terminal re-ran updates to get the latest lighttpd back on - after restarting the GUI again my browser complained the certificate was not secure. The update had reset the configuration of the GUI back to the self-signed certificate but also deleted the new LE certificate so I could not add it back. Had to regenerate it once again, reassign the new certificate and restart the GUI service. Tested a restart and things still work so I really hope I've now seen the back of this issue for future updates.


Things of note:
  • HAProxy refuses to start complaining that certain servers cannot be found, caused by DNS service being slow e.g. using unbound + dnscrypt-proxy, as some of my sites use the fqdn for the back-end server names. Manual start afterwards fixes issues.
  • There's a warning from lighttpd that "mod_compress" is soon to be deprecated and will cause future versions of lighttpd to fail to start. I'd post the log entry but cannot find anything under "/var/log" containing it, I only have a photo I took from the console screen.


111
20.7 Legacy Series / Re: Update 20.7.6 to 20.7.7 Update ERR_SSL_PROTOCOL_ERROR
« on: January 04, 2021, 03:16:57 pm »
Does the 20.7.7_1 update fix this and what's the recommended way to update after having reverted just lighttpd?

112
20.7 Legacy Series / Re: Update 20.7.6 to 20.7.7 Update ERR_SSL_PROTOCOL_ERROR
« on: December 24, 2020, 01:08:21 pm »
Quote from: mimugmail on December 22, 2020, 05:53:51 pm
Then just wait a week or so


I did that once before - ended up having to reinstall the whole firewall then restore settings from my offsite backup, and not easy to do when the only image you have on-site is a few releases back - you'll never hit everyone's problems no matter how long you delay it. Hardly friendly when it's your only means of Internet connectivity. Some kind of built-in full rollback should be a feature.

113
20.7 Legacy Series / Re: Update 20.7.6 to 20.7.7 Update ERR_SSL_PROTOCOL_ERROR
« on: December 22, 2020, 04:30:55 pm »
Quote from: mimugmail on December 22, 2020, 02:46:54 pm
For rollback DNS is required, you should be able to set DNS server in System : Settings : General and tick the checkbox to not use local unbound. Then it should work too.


Not when the web interface is broken.

114
20.7 Legacy Series / Help with rule to block incoming connections not on GeoIP alias
« on: December 21, 2020, 08:58:08 pm »
What rule(s) do I need that will block/redirect all incoming connections that are not in a GeoIP alias?


I have a GeoIP alias of the countries I want incoming connections to be allowed for, but everything else should be blocked. Better still, this traffic should ideally be redirected to a honeypot device in a DMZ.


Some services I do want to allow from anywhere e.g. Torrent traffic already NAT'ed, and outbound connections should not be restricted i.e. I should still be able to access websites in countries not on the list.


Is all this possible? I've been trying for months and either what I configure doesn't block anything or it blocks everything including the services I want to allow the traffic from.

115
20.7 Legacy Series / Re: Update 20.7.6 to 20.7.7 Update ERR_SSL_PROTOCOL_ERROR
« on: December 21, 2020, 08:27:29 pm »
I've had to revert lighttpd after updating to 20.7.7_1 and even worse I had tried a reboot when the error first happened. I lost Internet access because Unbound was also down and I had no DNS and only access via SSH. Had to hack a working DNS into resolv.conf before the revert would download and then a full reboot to get everything stable again.


Are there any plans for some kind of on-board rollback to an update so when faced with even worse, no Internet, then we can get back working? I don't have the luxury of stand-by devices or the ability to run VM versions with snapshots. Had my Internet been inaccessible I would have been royally screwed as my mobile access is next to nothing here, and mostly sub-3G which did fortunately work on this occasion to find this thread - without Internet trying to find help is a nightmare.

116
General Discussion / Re: What's the correct way to set up local zone reverse lookup with Unbound?
« on: December 07, 2020, 07:37:04 pm »
No worries, it's 19:30 here and doing some remote working before I go to sleep.

117
General Discussion / Re: What's the correct way to set up local zone reverse lookup with Unbound?
« on: December 07, 2020, 06:58:43 pm »
You will not see my full domain as I don't want it published publicly on this forum, but I can assure you the full domain is being reported back on each test. I thought this time not to pixelize the whole domain to make it clearer it was being redacted.


And yes root@bart is my OPNsense firewall, it's the command-shell prompt. It's a dedicated physical machine.

118
General Discussion / Re: What's the correct way to set up local zone reverse lookup with Unbound?
« on: December 07, 2020, 06:27:02 pm »
I do have a rule but it's set to allow the IPs in the second screen shot, but as you can see from the first one I can perform lookups from the firewall to one of the DNS servers.


The two IPs 192.168.1.11 and 192.168.1.12 are the DNS servers on the two Windows domain controllers so Pi-Hole has nothing to do with the issue, and yes both servers are authoritative for my domain of course.

119
General Discussion / Re: What's the correct way to set up local zone reverse lookup with Unbound?
« on: December 07, 2020, 05:43:38 pm »
As requested

120
General Discussion / Re: What's the correct way to set up local zone reverse lookup with Unbound?
« on: December 03, 2020, 03:51:32 pm »
It still doesn't work for me. I did think it could be the custom options I have set in Unbound to direct external lookups to DNSCrypt-Proxy, but it never receives them and even when I add the overrides to it as well it doesn't work.
