Messages - ruggerio

#1
23.7 Legacy Series / Re: 23.7.11 - DNS Problem
January 05, 2024, 01:10:10 PM
That's just been a sample to anonymize my own domain 8)
#2
Never had to add a trailing dot before...
#3
+1

It seems your (upstream) domain server has a wildcard entry (*.mydomain.net); that's why. I removed this, and now it works.

Btw. on some strange apps such as Citrix, this caused connection problems.

#4
23.7 Legacy Series / Re: 23.7.11 - DNS Problem
January 05, 2024, 11:44:08 AM
Found. My upstream DNS had a wildcard entry for my domain *.mydomain.local - seems to be the reason why. I removed it, now it works.
#5
23.7 Legacy Series / 23.7.11 - DNS Problem
January 05, 2024, 11:31:42 AM
Since the update to .11, it seems that DNS queries append my domain behind some queries. This matches some addresses only, not all.

Changing DNS servers on clients to another one than the sense resolves the problem. Tried changing from Unbound to Dnsmasq, same result.

I removed my domain from everywhere I found it, but this doesn't help. So 192.168.1.1 is returned instead of google.com -> google.com.mydomain.local

Strange...
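The behaviour described in this thread (a search domain appended to a short name, a wildcard record in the internal zone answering for the resulting name, a trailing dot or the removal of the wildcard fixing it) can be reproduced offline with a small model. The following is an added example, not code from the thread or from OPNsense: the zone contents, the public address 203.0.113.10 and the search-list rule (names with fewer than `ndots` dots try the search suffixes first, as glibc-style stub resolvers do; Windows and browser resolvers differ) are all constructed for illustration.

```python
from __future__ import annotations

# Constructed internal zone: explicit records plus a wildcard that answers
# for *any* otherwise-unknown name below mydomain.local.
INTERNAL_ZONE = {
    "mydomain.local": "192.168.1.1",
    "fw.mydomain.local": "192.168.1.1",
    "*.mydomain.local": "192.168.1.1",
}

# Constructed stand-in for the public DNS (documentation address, not real).
PUBLIC_DNS = {"google.com": "203.0.113.10"}


def lookup_zone(zone: dict, name: str) -> str | None:
    """Exact match first; otherwise walk up the labels looking for a wildcard
    owner, the way DNS wildcard synthesis works (closest wildcard wins)."""
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        candidate = "*." + ".".join(labels[i:])
        if candidate in zone:
            return zone[candidate]
    return None


def query(name: str, internal: dict = INTERNAL_ZONE) -> str | None:
    """Forwarding resolver: internal zone first, then public DNS; None = NXDOMAIN."""
    for table in (internal, PUBLIC_DNS):
        answer = lookup_zone(table, name)
        if answer is not None:
            return answer
    return None


def resolve(name: str, search: list[str], ndots: int = 1,
            internal: dict = INTERNAL_ZONE) -> str | None:
    """Stub resolver model. A trailing dot means 'absolute, no search list'.
    A relative name with fewer than `ndots` dots tries the search suffixes
    first and the bare name last; otherwise the bare name is tried first."""
    if name.endswith("."):
        return query(name[:-1], internal)
    searched = [name + "." + suffix for suffix in search]
    candidates = [name] + searched if name.count(".") >= ndots else searched + [name]
    for candidate in candidates:
        answer = query(candidate, internal)
        if answer is not None:
            return answer
    return None


def without_wildcard(zone: dict) -> dict:
    """The fix from the thread: drop the wildcard record from the internal zone."""
    return {owner: ip for owner, ip in zone.items() if not owner.startswith("*.")}


if __name__ == "__main__":
    search = ["mydomain.local"]
    # A client that searches first turns google.com into google.com.mydomain.local,
    # which the wildcard answers with the firewall address.
    print("google.com  (search first):", resolve("google.com", search, ndots=2))
    # The trailing dot bypasses the search list entirely.
    print("google.com. (absolute):    ", resolve("google.com.", search, ndots=2))
    # Without the wildcard the searched name is NXDOMAIN and the bare name wins.
    print("google.com  (no wildcard): ",
          resolve("google.com", search, ndots=2, internal=without_wildcard(INTERNAL_ZONE)))
    # Short internal names still resolve through the search list as intended.
    print("fw          (search list): ", resolve("fw", search))
```

Run it as a script to see the four cases side by side. The point a defender should take from it: a wildcard in an internal zone plus a search domain handed out by DHCP means every typo or external name that a client searches first gets a confident, wrong answer from inside the network, which is why the Citrix-style connection problems mentioned in the thread show up only for some names and only on some clients.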
#6
I'll be moving to another country soon. But I would like to use e.g. my TV account also from there, which usually is blocked.

I'm looking for a solution to get from abroad to the home country, where all my accounts are :)

Would this be feasible by Tor or should I look for another solution? (IMHO I would prefer routing it on the firewall instead of having a VPN client e.g. on my Chromecast...)

Thx,
Roger
#7
Hi,

I made the upgrade from 22.1.3 to 22.1.4_1 this morning. After several reboots, the following services do not start:

ACME Client
DDClient (dynamic DNS)

All I find in the logs for DDClient is the info that there is no address, which in fact is there. Config was working fine until the update.

Where could i find logs to provide more info or is this known?

Regards,
Ruggerio


Edit:

- after entering an interface on ddclient, save and apply, ddclient worked.
- after changing something forth and back on acme (e.g. wildcard or so), save and apply, acme worked.

#8
Hello,

As I have a small APU4, I did not want to enable IPS, as it eats up bandwidth. So I tried with IDS and enabled drop in the policy. With IDS I do not lose too much bandwidth and it's better to know what's going on instead of getting surprised...

Nevertheless, all traffic is shown as allowed. I am aware of the difference between IDS (for monitoring only) and IPS (actively acts without human intervention), so I was wondering whether one can change to drop, even if you choose IDS.

Thx,
Ruggerio
#9
21.7 Legacy Series / Re: Multiple Subnets per VLAN?
January 27, 2022, 08:02:26 AM
IMHO, you create your VLAN and tag it, as mentioned, and then try adding it by virtual IP. I am not experienced in that, but I might give you at least a hint.
#10
hmmm...once again...

Tried via Web GUI, no fun

Copied command from web GUI into shell: ok

/usr/local/sbin/acme.sh --issue --syslog 7 --debug --server 'letsencrypt' --webroot /var/etc/acme-client/challenges --home '/var/etc/acme-client/home' --certpath '/var/etc/acme-client/certs/.../cert.pem' --keypath '/var/etc/acme-client/keys/.../private.key' --capath '/var/etc/acme-client/certs/.../chain.pem' --fullchainpath '/var/etc/acme-client/certs/.../fullchain.pem' --domain 'mydomain.com' --domain 'subdomain.mydomain.com' --domain 'also_subdomain.mydomain.com' --days '1' --keylength '4096' --accountconf '/var/etc/acme-client/accounts/..._prod/account.conf'

#11
Erm, I really am not 100% sure what I did, but now it works.

I clicked in the GUI on the issue/renew button instead of the renewal button directly, which is with the certificate.

Thanks!
Roger
#12
21.7 Legacy Series / Re: NGINX: not replying on Port 80
January 25, 2022, 06:26:44 PM
Quote: not sure that it's possible. "This firewall" as a "Redirect target IP"?
This is done because my webserver is behind nginx, acting as a reverse proxy.

Quote: it's possible if "Disable web GUI redirect rule" is not set at System: Settings: Administration.
I already did this in my personal desperation :)

I see that OPNsense's plugin tries to make an rdr rule from WAN to localhost, using port 80 -> 40583. Port 80 is already used for the HTTPS server from nginx, which acts as a reverse proxy. So I also tried to stop nginx and then run acme-client, still no luck. ::)
#13
21.7 Legacy Series / Re: NGINX: not replying on Port 80
January 25, 2022, 04:45:22 PM
I try to understand what this here is doing:

_CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L '

After that, I get the response that the host is not resolvable. Might it be that some kind of header should be dumped into that file, which is needed for further action for acme?
#14
Hello,

For weeks I have had a problem with the Let's Encrypt plugin on my sense.

I configured 2 HTTP servers on it:

1 webserver, reached via the reverse proxy function on nginx
1 local webserver on nginx with a separate hostname, and a webroot containing just an index.html

The local webserver has the checkmark on "enable letsencrypt plugin". Nevertheless, it does not work. I read that LE needs port 80 opened, so I tested this.

Result: connecting to the local webserver on port 443 gives back my dummy index.html
Result: connecting to the local webserver on port 80 gives ERR_EMPTY_RESPONSE

Both ports (80/443) are enabled - but for both webservers, I can only connect to port 443. Port 80 btw. is opened on the WAN port and redirected to "this firewall".

Might it be that port 80 is still in use by lighttpd from the sense? I changed it to a higher port and use just HTTPS (so configured in the Web GUI)

ACME results in hcocde 6, btw.

Thanks for any idea.
Roger
#15
21.1 Legacy Series / need help on nextcloud-fpm
July 07, 2021, 09:23:29 AM
Hi together,

I wanted to have nextcloud-fpm using nginx from nginx. I installed a usual webserver on OPNsense and configured "position"




Everything seems to work, except that the webpage is delivered unformatted. What did I miss?

Thx,
Ruggerio