Messages - stefan21

#16
Tutorials and FAQs / Re: ACME sftp automation
December 30, 2023, 11:34:19 PM
Duhhh, stupid me!

I copied a certificate and forgot to change the automation.

Sorry for the whistle, all working as expected.
#17
Tutorials and FAQs / Re: ACME sftp automation
December 29, 2023, 07:07:57 PM
Well, I know, it's an old topic, an old thread.

Anyway, after searching and googling for days I have to push this up hoping someone jumps on.

Here is what works:

From the cli of the opnsense:

#:/local/opnsense/scripts/OPNsense/AcmeClient # ./upload_sftp.php --log --host=192.168.xx.15 --user=xx test-connection
INFO: Logging to stdout enabled
INFO: No host key specified, using existing known_hosts entry for '192.168.xx.15'
INFO: SFTP: Connected to 192.168.xx.15.
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> ls -la
INFO: SFTP: sftp> put '/tmp/sftp-upload-khpkxO' 'sftp-upload-khpkxO'
INFO: SFTP: Uploading /tmp/sftp-upload-khpkxO to /home/xx/sftp-upload-khpkxO
INFO: SFTP: sftp> rm '/home/xx/sftp-upload-khpkxO'
INFO: SFTP: Removing /home/xx/sftp-upload-khpkxO
INFO: SFTP: sftp> exit
{
    "actions": [
        "connecting",
        "connected",
        "upload-testing",
        "upload-tested"
    ],
    "success": true,
    "remote": {
        "host": "192.168.xx.15",
        "port": 22,
        "user": "xx",
        "path": "/home/xx"
    }
}

and:

#:/usr/local/opnsense/scripts/OPNsense/AcmeClient # ./upload_sftp.php --log --certificates=mail.xx.de --host=192.168.xx.15 --user=xx
INFO: Logging to stdout enabled
INFO: No host key specified, using existing known_hosts entry for '192.168.xx.15'
INFO: SFTP: Connected to 192.168.xx.15.
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> cd '/home/xx/mail.xx.de'
INFO: SFTP: stat remote: No such file or directory
INFO: Creating remote directory: /home/xx/mail.xx.de
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> mkdir '/home/xx/mail.xx.de'
INFO: SFTP: sftp> cd '/home/xx/mail.xx.de'
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> ls -la
INFO: SFTP: sftp> put '/tmp/sftp-upload-f1fIwZ' 'ca.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-f1fIwZ to /home/xx/mail.xx.de/ca.pem
INFO: SFTP: sftp> put '/tmp/sftp-upload-6ytT6R' 'cert.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-6ytT6R to /home/xx/mail.xx.de/cert.pem
INFO: SFTP: sftp> put '/tmp/sftp-upload-PZO74I' 'fullchain.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-PZO74I to /home/xx/mail.xx.de/fullchain.pem
INFO: SFTP: sftp> put '/tmp/sftp-upload-SgMDcZ' 'key.pem'
INFO: SFTP: Uploading /tmp/sftp-upload-SgMDcZ to /home/xx/mail.xx.de/key.pem
INFO: SFTP: sftp> exit

Further:

On the target server:

ls -la mail.xx.de/
insgesamt 28
drwxr-xr-x 2 xx xx 4096 29. Dez 19:01 .
drwx------ 7 xx xx 4096 29. Dez 19:01 ..
-rw------- 1 xx xx 3750 29. Dez 19:01 ca.pem
-rw------- 1 xx xx 1537 29. Dez 19:01 cert.pem
-rw------- 1 xx xx 5287 29. Dez 19:01 fullchain.pem
-rw------- 1 xx xx  288 29. Dez 19:01 key.pem

All there, the Let's Encrypt cert was copied.

Question: why on earth does this not work using the GUI ACME automation? What's wrong here?

I'm stuck. Any help is greatly appreciated. 
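A post-upload sanity check for the four files the run above leaves in /home/xx/mail.xx.de, as an added example that is not part of the post or of the ACME Client plugin: it verifies that all files are present and PEM-formatted, that key.pem is owner-only (the listing above shows 0600), and that fullchain.pem starts with the certificate in cert.pem and carries an intermediate. The sample directory is constructed inline with dummy PEM bodies; the directory name and file set are assumed from the post.

```python
import os
import re
import stat
import tempfile

# A PEM block: header, base64 body, footer whose label must match the header.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----\n", re.S)
# The four files the upload_sftp.php run in the post wrote to /home/xx/mail.xx.de.
EXPECTED = {"ca.pem", "cert.pem", "fullchain.pem", "key.pem"}

def pem_blocks(path):
    """Return (label, block) pairs for every PEM block in a file."""
    with open(path) as fh:
        return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(fh.read())]

def check_deployed_certs(cert_dir):
    """Sanity-check a directory written by the ACME SFTP upload; returns findings (empty = OK)."""
    missing = EXPECTED - set(os.listdir(cert_dir))
    if missing:
        return [f"missing {name}" for name in sorted(missing)]
    problems = [f"{name}: no PEM block found" for name in sorted(EXPECTED)
                if not pem_blocks(os.path.join(cert_dir, name))]
    key_path = os.path.join(cert_dir, "key.pem")
    key_mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if key_mode & 0o077:  # anything beyond owner rw exposes the private key
        problems.append(f"key.pem: mode {key_mode:04o} is readable by group/others")
    if not any("PRIVATE KEY" in label for label, _ in pem_blocks(key_path)):
        problems.append("key.pem: no PRIVATE KEY block")
    cert = pem_blocks(os.path.join(cert_dir, "cert.pem"))
    chain = pem_blocks(os.path.join(cert_dir, "fullchain.pem"))
    if cert and chain:
        if chain[0] != cert[0]:  # fullchain must begin with the leaf from cert.pem
            problems.append("fullchain.pem: first certificate differs from cert.pem")
        if len(chain) < 2:
            problems.append("fullchain.pem: no intermediate certificate after the leaf")
    return problems

def make_sample_deploy(consistent=True):
    """Constructed stand-in for /home/xx/mail.xx.de; PEM bodies are dummy base64, not real keys."""
    d = tempfile.mkdtemp()
    pem = lambda label, body: f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
    leaf, inter, ca = pem("CERTIFICATE", "TEVBRg=="), pem("CERTIFICATE", "SU5URVI="), pem("CERTIFICATE", "Q0E=")
    files = {"ca.pem": ca, "cert.pem": leaf, "key.pem": pem("PRIVATE KEY", "S0VZ"),
             "fullchain.pem": leaf + inter if consistent else inter + leaf}  # wrong order when inconsistent
    for name, content in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(content)
    os.chmod(os.path.join(d, "key.pem"), 0o600 if consistent else 0o644)
    return d
```

Run check_deployed_certs("/home/xx/mail.xx.de") on the target server after each automation run; a non-empty list means the upload should not be wired into the mail server yet.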
#18
OPNsense 23.7.7_3-amd64
FreeBSD 13.2-RELEASE-p3
OpenSSL 1.1.1w 11 Sep 2023
ACME Client 3.19

I reset the acme plugin and created a new cert and a new automation. SFTP upload test is giving no errors.

But a manual run of an automation (ACME client --> Services: ACME Client: Certificates --> run automations) causes the following error:

AcmeClient: automation not found: b2a9610b-7fb3-4554-bf4e-09eaa77c65eb

No matter whether I copy the automation into a new one or delete the automation and create a new one, all new or copied automations always have the same ID b2a9610b-7fb3-4554-bf4e-09eaa77c65eb.

How to investigate? Any advice is appreciated.
#19
Sorry for the whistle...

A reboot did it.

regards,
stefan
#20
OPNsense 23.7.7_3 - up-to-date

For tests I installed the nginx and the acme plugin. For GUI access I changed the HTTPS port to HTTP, and after the uninstall back to the HTTPS port as before.

After uninstalling the plugins the GUI is not reachable, neither via HTTP nor HTTPS.

I have access to the CLI. I need help to find the right track back. Where should I investigate? I assume there are orphaned dependencies left over which may interfere.

Any help is greatly appreciated.

stefan
#21
Thank you Maurice, it's a little tricky, but I got it to work.

It's really - and ONLY - meant to use a WAN connection as a failover if the ISP is down for a few hours.

For the test I used a nano image on a USB flash drive on my laptop. Connecting via smartphone does work if blocking private networks on the WAN interface is disabled. The phone passes an IP of the private range to the WAN interface. The firewall is up, and if I import a backup from the real OPNsense everything on the LAN works as expected. After connecting the phone to the laptop and assigning the ue interface, I reloaded the services. I did this all on the console. Well, later I disabled Zenarmor and also IDS in the web GUI ... At least the allowed clients in the LAN are able to reach the internet.

We have one static IP for the WAN. Behind the OPNsense is a Nethserver running our own email server. If the static IP is not reachable, you will not be able to send (usually the dynamic IP from the phone is blacklisted) or receive any email with the email server. If you can't wait to receive and send email until your ISP has fixed the problem, a solution could be temporarily configuring an email relay on the server, and an email account at your web hoster's space as a catch-all account for your domain. You have to adjust the DNS records for your domain ... and revert them later to what they were before. Or you could use a webmail portal to communicate and send your email.

I don't want to do this; as a business customer we do have a reaction time of 8 hours, 24/7. We can hold out that long ... So all this is meant to keep the LAN clients connected to the internet.

Thanks again for pointing me in the right direction.

regards,
stefan
#22
Thank you for hopping on and your reply.

I'll give that a try and will report.

regards,
stefan
#23
Sorry to push this up again.

Nobody using an android gateway in usb tethering mode?
#24
I installed the new version of Zenarmor and decided to remove everything completely. Still, after rebooting there is a Zenarmor item in the WebGUI to click on. By clicking on it all submenus open, but then "page not found" comes up. Of course, I uninstalled Zenarmor. How do I get rid of the menu? Yes, I reloaded the WebGUI and also emptied the cache of the browser.

anybody?
#25
Assuming my standard ISP connection is down.

I connect my android smartphone in USB tethering mode to my OPNSense hardware (not a VM). An ue interface is showing up, which can be configured.

Can anybody provide a setup for this scenario? I only want to set up a very standard firewall with the WAN interface on the tethered phone. What IPs have to be used? Probably static. What MRU? No need to configure failover.

Any help is appreciated.

Thanks in advance,
stefan
#26
Thanks for helping. That'll be easy. I didn't know that editing the config in a live system is possible.
#27
@Franco

What do you suggest to get rid of the error?
#28
Hi Franco,

thanks for hopping on.

The result of the grep is "3".

regards,
stefan
#29
OPNsense 23.1.4_1-amd64
FreeBSD 13.1-RELEASE-p7
OpenSSL 1.1.1t 7 Feb 2023

Box is defined as exposed host, sitting behind a fritzbox, ISP is Vodafone Germany.

Two single gateways configured:

Name                Interface  Protocol  Priority        Gateway    Monitor IP  RTT     RTTd    Loss   Status  Description
WAN_GWv4 (active)   WAN        IPv4      240 (upstream)  130.1.1.1  130.1.1.1   0.3 ms  0.0 ms  0.0 %  Online  Interface WAN Gateway
WAN_DHCP6 (active)  WAN        IPv6      254                                    ~       ~       ~      Online  Interface WAN_DHCP6 Gateway

The dashboard shows under services two dpinger instances:

dpinger    Gateway Monitor (WAN_GWv4)    
dpinger    Gateway Monitor (WAN_GWv4)

Has anybody a clue why?

I have a nearly identical box showing only one dpinger instance.

Thanks for any help to understand.
#30
After an update I see errors in the general log for which I don't know where the cause lies or how I can get rid of them. Are these all actually errors? In front of the OPNsense there is a FritzBox in bridge mode, ISP is Vodafone with a static IP. In another installation a Vodafone update broke the configuration. I can't check the configuration of the Fritzbox until Friday.

An excerpt:

2022-07-13T09:16:51   Error   opnsense   /interfaces.php: warning: ignoring missing default tunable request: net.inet.ip.fastforwarding   
2022-07-13T09:16:51   Error   opnsense   /interfaces.php: warning: ignoring missing default tunable request: debug.pfftpproxy   
2022-07-13T09:16:50   Error   opnsense   /interfaces.php: The WAN_DHCP6 monitor address is empty, skipping.   
2022-07-13T09:16:50   Error   opnsense   /interfaces.php: ROUTING: skipping IPv6 default route   
2022-07-13T09:16:50   Error   opnsense   /interfaces.php: ROUTING: IPv6 default gateway set to wan   
2022-07-13T09:16:50   Error   opnsense   /interfaces.php: ROUTING: keeping current default gateway 'x.x.x.x'   
2022-07-13T09:16:50   Error   opnsense   /interfaces.php: ROUTING: setting IPv4 default route to x.x.x.x   
2022-07-13T09:16:50   Error   opnsense   /interfaces.php: ROUTING: IPv4 default gateway set to wan   
2022-07-13T09:16:50   Error   opnsense   /interfaces.php: ROUTING: entering configure using defaults   
2022-07-13T09:16:48   Error   opnsense   /interfaces.php: warning: ignoring missing default tunable request: net.inet.ip.fastforwarding   
2022-07-13T09:16:48   Error   opnsense   /interfaces.php: warning: ignoring missing default tunable request: debug.pfftpproxy   
2022-07-13T09:16:48   Error   opnsense   /interfaces.php: ROUTING: skipping IPv6 default route   
2022-07-13T09:16:48   Error   opnsense   /interfaces.php: ROUTING: IPv6 default gateway set to wan   
2022-07-13T09:16:48   Error   opnsense   /interfaces.php: ROUTING: creating /tmp/re1_defaultgw using 'x.x.x.x'   
2022-07-13T09:16:48   Error   opnsense   /interfaces.php: ROUTING: removing /tmp/re1_defaultgw   
2022-07-13T09:16:48   Error   opnsense   /interfaces.php: ROUTING: setting IPv4 default route to x.x.x.x   
2022-07-13T09:16:48   Error   opnsense   /interfaces.php: ROUTING: IPv4 default gateway set to wan   
2022-07-13T09:16:48   Error   opnsense   /interfaces.php: ROUTING: entering configure using 'wan'   
2022-07-13T09:16:47   Error   opnsense   /interfaces.php: Accept router advertisements on interface re1   
2022-07-13T09:12:58   Error   opnsense   /system_gateways.php: ROUTING: keeping current default gateway 'x.x.x.x'

On an opnsense running 21.7.8 that is configured almost identically, these errors do not appear.

Who can help me here? Many thanks in advance.

stefan