Switch to openSSL failed - system borked

Started by chemlud, July 10, 2022, 12:30:55 PM

Hi!

I was on LibreSSL 22.1.10 and wanted to switch to openSSL from GUI, but something failed:

***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.1.10 (amd64/LibreSSL) at Sun Jul 10 10:49:15 CEST 2022
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (45 candidates): .......... done
Processing candidates (45 candidates): ...... done
The following 27 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
openssl: 1.1.1q,1

Installed packages to be REINSTALLED:
cpdup-1.22 (direct dependency changed: openssl)
curl-7.84.0 (direct dependency changed: openssl)
cyrus-sasl-2.1.28 (direct dependency changed: openssl)
cyrus-sasl-gssapi-2.1.28 (direct dependency changed: openssl)
hostapd-2.10_5 (direct dependency changed: openssl)
isc-dhcp44-server-4.4.2P1_1 (direct dependency changed: openssl)
krb5-1.20 (direct dependency changed: openssl)
ldns-1.8.1 (direct dependency changed: openssl)
libevent-2.1.12 (direct dependency changed: openssl)
libfido2-1.11.0 (direct dependency changed: openssl)
lighttpd-1.4.65 (direct dependency changed: openssl)
monit-5.32.0 (direct dependency changed: openssl)
mpd5-5.9_9 (direct dependency changed: openssl)
ntp-4.2.8p15_5 (direct dependency changed: openssl)
openldap24-client-2.4.59_4 (direct dependency changed: openssl)
openssh-portable-8.9.p1_4,1 (direct dependency changed: openssl)
openvpn-2.5.7 (direct dependency changed: openssl)
opnsense-update-22.1.9 (direct dependency changed: openssl)
php74-openssl-7.4.30 (direct dependency changed: openssl)
py39-cryptography-3.4.8 (direct dependency changed: openssl)
python39-3.9.13 (direct dependency changed: openssl)
squid-4.15 (direct dependency changed: openssl)
strongswan-5.9.6_2 (direct dependency changed: openssl)
syslog-ng-3.37.1 (direct dependency changed: openssl)
unbound-1.16.0 (direct dependency changed: openssl)
wpa_supplicant-2.10_6 (direct dependency changed: openssl)

Number of packages to be installed: 1
Number of packages to be reinstalled: 26

The process will require 14 MiB more space.
36 MiB to be downloaded.
[1/27] Fetching wpa_supplicant-2.10_6.pkg: .......... done
[2/27] Fetching unbound-1.16.0.pkg: .......... done
[3/27] Fetching syslog-ng-3.37.1.pkg: .......... done
[4/27] Fetching strongswan-5.9.6_2.pkg: .......... done
[5/27] Fetching squid-4.15.pkg: .......... done
[6/27] Fetching python39-3.9.13.pkg: .......... done
[7/27] Fetching py39-cryptography-3.4.8.pkg: .......... done
[8/27] Fetching php74-openssl-7.4.30.pkg: ........ done
[9/27] Fetching opnsense-update-22.1.9.pkg: ..... done
[10/27] Fetching openvpn-2.5.7.pkg: .......... done
[11/27] Fetching openssh-portable-8.9.p1_4,1.pkg: .......... done
[12/27] Fetching openldap24-client-2.4.59_4.pkg: .......... done
[13/27] Fetching ntp-4.2.8p15_5.pkg: .......... done
[14/27] Fetching mpd5-5.9_9.pkg: .......... done
[15/27] Fetching monit-5.32.0.pkg: .......... done
[16/27] Fetching lighttpd-1.4.65.pkg: .......... done
[17/27] Fetching libfido2-1.11.0.pkg: .......... done
[18/27] Fetching libevent-2.1.12.pkg: .......... done
[19/27] Fetching ldns-1.8.1.pkg: .......... done
[20/27] Fetching krb5-1.20.pkg: .......... done
[21/27] Fetching isc-dhcp44-server-4.4.2P1_1.pkg: .......... done
[22/27] Fetching hostapd-2.10_5.pkg: .......... done
[23/27] Fetching cyrus-sasl-gssapi-2.1.28.pkg: .... done
[24/27] Fetching cyrus-sasl-2.1.28.pkg: .......... done
[25/27] Fetching curl-7.84.0.pkg: .......... done
[26/27] Fetching cpdup-1.22.pkg: .... done
[27/27] Fetching openssl-1.1.1q,1.pkg: .......... done
Checking integrity... done (1 conflicting)
  - openssl-1.1.1q,1 conflicts with libressl-3.3.6 on /usr/local/bin/openssl
Checking integrity... done (0 conflicting)
Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 28 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
libressl: 3.3.6

New packages to be INSTALLED:
openssl: 1.1.1q,1

Installed packages to be REINSTALLED:
cpdup-1.22 (direct dependency changed: openssl)
curl-7.84.0 (direct dependency changed: openssl)
cyrus-sasl-2.1.28 (direct dependency changed: openssl)
cyrus-sasl-gssapi-2.1.28 (direct dependency changed: openssl)
hostapd-2.10_5 (direct dependency changed: openssl)
isc-dhcp44-server-4.4.2P1_1 (direct dependency changed: openssl)
krb5-1.20 (direct dependency changed: openssl)
ldns-1.8.1 (direct dependency changed: openssl)
libevent-2.1.12 (direct dependency changed: openssl)
libfido2-1.11.0 (direct dependency changed: openssl)
lighttpd-1.4.65 (direct dependency changed: openssl)
monit-5.32.0 (direct dependency changed: openssl)
mpd5-5.9_9 (direct dependency changed: openssl)
ntp-4.2.8p15_5 (direct dependency changed: openssl)
openldap24-client-2.4.59_4 (direct dependency changed: openssl)
openssh-portable-8.9.p1_4,1 (direct dependency changed: openssl)
openvpn-2.5.7 (direct dependency changed: openssl)
opnsense-update-22.1.9 (direct dependency changed: openssl)
php74-openssl-7.4.30 (direct dependency changed: openssl)
py39-cryptography-3.4.8 (direct dependency changed: openssl)
python39-3.9.13 (direct dependency changed: openssl)
squid-4.15 (direct dependency changed: openssl)
strongswan-5.9.6_2 (direct dependency changed: openssl)
syslog-ng-3.37.1 (direct dependency changed: openssl)
unbound-1.16.0 (direct dependency changed: openssl)
wpa_supplicant-2.10_6 (direct dependency changed: openssl)

Number of packages to be removed: 1
Number of packages to be installed: 1
Number of packages to be reinstalled: 26

The operation will free 5 MiB.
[1/28] Deinstalling libressl-3.3.6...
[1/28] Deleting files for libressl-3.3.6: .......... done
[2/28] Installing openssl-1.1.1q,1...
[2/28] Extracting openssl-1.1.1q,1: .......... done
[3/28] Reinstalling cyrus-sasl-2.1.28...
*** Updated user `cyrus'.
[3/28] Extracting cyrus-sasl-2.1.28: .......... done
ld-elf.so.1: Shared object "libcrypto.so.46" not found, required by "libsasl2.so.3"
WARNING: Users SASL passwords are in /usr/local/etc/sasldb2.db, keeping this file
[4/28] Reinstalling krb5-1.20...
[4/28] Extracting krb5-1.20: .......... done
[5/28] Reinstalling cyrus-sasl-gssapi-2.1.28...
[5/28] Extracting cyrus-sasl-gssapi-2.1.28: .......... done
[6/28] Reinstalling python39-3.9.13...
[6/28] Extracting python39-3.9.13: .......... done
[7/28] Reinstalling openldap24-client-2.4.59_4...
[7/28] Extracting openldap24-client-2.4.59_4: .......... done
[8/28] Reinstalling libfido2-1.11.0...
[8/28] Extracting libfido2-1.11.0: .......... done
[9/28] Reinstalling libevent-2.1.12...
[9/28] Extracting libevent-2.1.12: .......... done
[10/28] Reinstalling ldns-1.8.1...
[10/28] Extracting ldns-1.8.1: .......... done
[11/28] Reinstalling curl-7.84.0...
[11/28] Extracting curl-7.84.0: .......... done
[12/28] Reinstalling wpa_supplicant-2.10_6...
[12/28] Extracting wpa_supplicant-2.10_6: ....... done
[13/28] Reinstalling unbound-1.16.0...
===> Creating groups.
Using existing group 'unbound'.
===> Creating users
Using existing user 'unbound'.
[13/28] Extracting unbound-1.16.0: .......... done
[14/28] Reinstalling syslog-ng-3.37.1...
[14/28] Extracting syslog-ng-3.37.1: .......... done
[15/28] Reinstalling strongswan-5.9.6_2...
[15/28] Extracting strongswan-5.9.6_2: .......... done
[16/28] Reinstalling squid-4.15...
===> Creating groups.
Using existing group 'squid'.
===> Creating users
Using existing user 'squid'.
===> Creating homedir(s)
===> Pre-installation configuration for squid-4.15
[16/28] Extracting squid-4.15: .......... done
[17/28] Reinstalling py39-cryptography-3.4.8...
[17/28] Extracting py39-cryptography-3.4.8: .......... done
[18/28] Reinstalling php74-openssl-7.4.30...
[18/28] Extracting php74-openssl-7.4.30: ....... done
[19/28] Reinstalling opnsense-update-22.1.9...
[19/28] Extracting opnsense-update-22.1.9: .......... done
[20/28] Reinstalling openvpn-2.5.7...
===> Creating groups.
Using existing group 'openvpn'.
===> Creating users
Using existing user 'openvpn'.
[20/28] Extracting openvpn-2.5.7: .......... done
[21/28] Reinstalling openssh-portable-8.9.p1_4,1...
[21/28] Extracting openssh-portable-8.9.p1_4,1: .......... done
[22/28] Reinstalling ntp-4.2.8p15_5...
[22/28] Extracting ntp-4.2.8p15_5: .......... done
[23/28] Reinstalling mpd5-5.9_9...
[23/28] Extracting mpd5-5.9_9: .......... done
[24/28] Reinstalling monit-5.32.0...
[24/28] Extracting monit-5.32.0: ....... done
[25/28] Reinstalling lighttpd-1.4.65...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
[25/28] Extracting lighttpd-1.4.65: .......... done
[26/28] Reinstalling isc-dhcp44-server-4.4.2P1_1...
===> Creating groups.
Using existing group 'dhcpd'.
===> Creating users
Using existing user 'dhcpd'.
[26/28] Extracting isc-dhcp44-server-4.4.2P1_1: .......... done
[27/28] Reinstalling hostapd-2.10_5...
[27/28] Extracting hostapd-2.10_5: ....... done
[28/28] Reinstalling cpdup-1.22...
[28/28] Extracting cpdup-1.22: ..... done
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
=====
Message from strongswan-5.9.6_2:

--
The default strongSwan configuration interface have been updated to vici.
To use the stroke interface by default either compile the port without the vici option or
set 'strongswan_interface="stroke"' in your rc.conf file.
You may need to manually remove /usr/local/etc/squid/squid.conf if it is no longer needed.
=====
Message from php74-openssl-7.4.30:

--
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

Upstream Security Support ends on 2022-11-28.

It is scheduled to be removed on or after 2022-11-29.
=====
Message from openvpn-2.5.7:

--
Note that OpenVPN now configures a separate user and group "openvpn",
which should be used instead of the NFS user "nobody"
when an unprivileged user account is desired.

It is advisable to review existing configuration files and
to consider adding/changing user openvpn and group openvpn.
You may need to manually remove /usr/local/etc/ssh/sshd_config if it is no longer needed.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
The following package files will be deleted:
/var/cache/pkg/wpa_supplicant-2.10_6~e6514d9294.pkg
/var/cache/pkg/unbound-1.16.0~b0ce98a62f.pkg
/var/cache/pkg/wpa_supplicant-2.10_6.pkg
/var/cache/pkg/syslog-ng-3.37.1.pkg
/var/cache/pkg/unbound-1.16.0.pkg
/var/cache/pkg/syslog-ng-3.37.1~98768026d4.pkg
/var/cache/pkg/strongswan-5.9.6_2~6260112c56.pkg
/var/cache/pkg/squid-4.15~c27086003b.pkg
/var/cache/pkg/strongswan-5.9.6_2.pkg
/var/cache/pkg/python39-3.9.13.pkg
/var/cache/pkg/squid-4.15.pkg
/var/cache/pkg/python39-3.9.13~b5d0f3716f.pkg
/var/cache/pkg/py39-cryptography-3.4.8~6ddce83b0d.pkg
/var/cache/pkg/openvpn-2.5.7~01aca630fd.pkg
/var/cache/pkg/py39-cryptography-3.4.8.pkg
/var/cache/pkg/php74-openssl-7.4.30~9669450425.pkg
/var/cache/pkg/php74-openssl-7.4.30.pkg
/var/cache/pkg/opnsense-update-22.1.9~8c1dd641be.pkg
/var/cache/pkg/opnsense-update-22.1.9.pkg
/var/cache/pkg/openvpn-2.5.7.pkg
/var/cache/pkg/openssh-portable-8.9.p1_4,1~fdb7116663.pkg
/var/cache/pkg/ntp-4.2.8p15_5~719fdd4cdd.pkg
/var/cache/pkg/openssh-portable-8.9.p1_4,1.pkg
/var/cache/pkg/openldap24-client-2.4.59_4~ecb33470b6.pkg
/var/cache/pkg/openldap24-client-2.4.59_4.pkg
/var/cache/pkg/cyrus-sasl-2.1.28.pkg
/var/cache/pkg/ntp-4.2.8p15_5.pkg
/var/cache/pkg/mpd5-5.9_9~de33bbccee.pkg
/var/cache/pkg/mpd5-5.9_9.pkg
/var/cache/pkg/monit-5.32.0~a3aefc50bd.pkg
/var/cache/pkg/monit-5.32.0.pkg
/var/cache/pkg/lighttpd-1.4.65~3e4378e989.pkg
/var/cache/pkg/lighttpd-1.4.65.pkg
/var/cache/pkg/libfido2-1.11.0~f3c0e296a0.pkg
/var/cache/pkg/libfido2-1.11.0.pkg
/var/cache/pkg/libevent-2.1.12~fa7d00b681.pkg
/var/cache/pkg/libevent-2.1.12.pkg
/var/cache/pkg/ldns-1.8.1~aab843e76a.pkg
/var/cache/pkg/ldns-1.8.1.pkg
/var/cache/pkg/krb5-1.20~db1413ee8e.pkg
/var/cache/pkg/krb5-1.20.pkg
/var/cache/pkg/isc-dhcp44-server-4.4.2P1_1~5ce4420159.pkg
/var/cache/pkg/hostapd-2.10_5~883681eac4.pkg
/var/cache/pkg/isc-dhcp44-server-4.4.2P1_1.pkg
/var/cache/pkg/hostapd-2.10_5.pkg
/var/cache/pkg/cyrus-sasl-gssapi-2.1.28~d91ea901ff.pkg
/var/cache/pkg/cyrus-sasl-2.1.28~6c510e1dc7.pkg
/var/cache/pkg/cyrus-sasl-gssapi-2.1.28.pkg
/var/cache/pkg/curl-7.84.0~69faf323b5.pkg
/var/cache/pkg/curl-7.84.0.pkg
/var/cache/pkg/cpdup-1.22~60e1aeeb9f.pkg
/var/cache/pkg/cpdup-1.22.pkg
/var/cache/pkg/openssl-1.1.1q,1~9c143ff4ad.pkg
/var/cache/pkg/openssl-1.1.1q,1.pkg
The cleanup will free 36 MiB
Deleting files: ........


I waited 15 min, went in via serial and rebooted. Comes back, but
- tunnels work only in one direction
- "starting webGUI.... failed" (no access to GUI)
etc.

I tried

opnsense-revert -r 22.1.9 opnsense

rebooted and afterwards updated from console again, reboot, same difference, starting webGUI fails and FW not fully functional.

Is there any way to validate all packages from serial and re-install if necessary?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Tried the switch from GUI on a second system with 22.1.10, it has now been sitting for 10 min at:

***GOT REQUEST TO UPDATE***
Currently running OPNsense 22.1.10 (amd64/LibreSSL) at Sun Jul 10 14:48:42 CEST 2022
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (26 candidates): .......... done
Processing candidates (26 candidates): .......... done
The following 27 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
openssl: 1.1.1q,1

Installed packages to be REINSTALLED:
cpdup-1.22 (direct dependency changed: openssl)
curl-7.84.0 (direct dependency changed: openssl)
cyrus-sasl-2.1.28 (direct dependency changed: openssl)
cyrus-sasl-gssapi-2.1.28 (direct dependency changed: openssl)
hostapd-2.10_5 (direct dependency changed: openssl)
isc-dhcp44-server-4.4.2P1_1 (direct dependency changed: openssl)
krb5-1.20 (direct dependency changed: openssl)
ldns-1.8.1 (direct dependency changed: openssl)
libevent-2.1.12 (direct dependency changed: openssl)
libfido2-1.11.0 (direct dependency changed: openssl)
lighttpd-1.4.65 (direct dependency changed: openssl)
monit-5.32.0 (direct dependency changed: openssl)
mpd5-5.9_9 (direct dependency changed: openssl)
ntp-4.2.8p15_5 (direct dependency changed: openssl)
openldap24-client-2.4.59_4 (direct dependency changed: openssl)
openssh-portable-8.9.p1_4,1 (direct dependency changed: openssl)
openvpn-2.5.7 (direct dependency changed: openssl)
opnsense-update-22.1.9 (direct dependency changed: openssl)
php74-openssl-7.4.30 (direct dependency changed: openssl)
py39-cryptography-3.4.8 (direct dependency changed: openssl)
python39-3.9.13 (direct dependency changed: openssl)
squid-4.15 (direct dependency changed: openssl)
strongswan-5.9.6_2 (direct dependency changed: openssl)
syslog-ng-3.37.1 (direct dependency changed: openssl)
unbound-1.16.0 (direct dependency changed: openssl)
wpa_supplicant-2.10_6 (direct dependency changed: openssl)

Number of packages to be installed: 1
Number of packages to be reinstalled: 26

The process will require 14 MiB more space.
36 MiB to be downloaded.
[1/27] Fetching wpa_supplicant-2.10_6.pkg: .......... done
[2/27] Fetching unbound-1.16.0.pkg: .......... done
[3/27] Fetching syslog-ng-3.37.1.pkg: .......... done
[4/27] Fetching strongswan-5.9.6_2.pkg: .......... done
[5/27] Fetching squid-4.15.pkg: .......... done
[6/27] Fetching python39-3.9.13.pkg: .......... done
[7/27] Fetching py39-cryptography-3.4.8.pkg: .......... done
[8/27] Fetching php74-openssl-7.4.30.pkg: ........ done
[9/27] Fetching opnsense-update-22.1.9.pkg: ..... done
[10/27] Fetching openvpn-2.5.7.pkg: .......... done
[11/27] Fetching openssh-portable-8.9.p1_4,1.pkg: .......... done
[12/27] Fetching openldap24-client-2.4.59_4.pkg: .......... done
[13/27] Fetching ntp-4.2.8p15_5.pkg: .......... done
[14/27] Fetching mpd5-5.9_9.pkg: .......... done
[15/27] Fetching monit-5.32.0.pkg: .......... done
[16/27] Fetching lighttpd-1.4.65.pkg: .......... done
[17/27] Fetching libfido2-1.11.0.pkg: .......... done
[18/27] Fetching libevent-2.1.12.pkg: .......... done
[19/27] Fetching ldns-1.8.1.pkg: .......... done
[20/27] Fetching krb5-1.20.pkg: .......... done
[21/27] Fetching isc-dhcp44-server-4.4.2P1_1.pkg: .......... done
[22/27] Fetching hostapd-2.10_5.pkg: .......... done
[23/27] Fetching cyrus-sasl-gssapi-2.1.28.pkg: .... done
[24/27] Fetching cyrus-sasl-2.1.28.pkg: .......... done
[25/27] Fetching curl-7.84.0.pkg: .......... done
[26/27] Fetching cpdup-1.22.pkg: .... done
[27/27] Fetching openssl-1.1.1q,1.pkg: .......... done
Checking integrity... done (1 conflicting)
  - openssl-1.1.1q,1 conflicts with libressl-3.3.6 on /usr/local/bin/openssl
Checking integrity... done (0 conflicting)
Conflicts with the existing packages have been found.
One more solver iteration is needed to resolve them.
The following 28 package(s) will be affected (of 0 checked):

Installed packages to be REMOVED:
libressl: 3.3.6

New packages to be INSTALLED:
openssl: 1.1.1q,1

Installed packages to be REINSTALLED:
cpdup-1.22 (direct dependency changed: openssl)
curl-7.84.0 (direct dependency changed: openssl)
cyrus-sasl-2.1.28 (direct dependency changed: openssl)
cyrus-sasl-gssapi-2.1.28 (direct dependency changed: openssl)
hostapd-2.10_5 (direct dependency changed: openssl)
isc-dhcp44-server-4.4.2P1_1 (direct dependency changed: openssl)
krb5-1.20 (direct dependency changed: openssl)
ldns-1.8.1 (direct dependency changed: openssl)
libevent-2.1.12 (direct dependency changed: openssl)
libfido2-1.11.0 (direct dependency changed: openssl)
lighttpd-1.4.65 (direct dependency changed: openssl)
monit-5.32.0 (direct dependency changed: openssl)
mpd5-5.9_9 (direct dependency changed: openssl)
ntp-4.2.8p15_5 (direct dependency changed: openssl)
openldap24-client-2.4.59_4 (direct dependency changed: openssl)
openssh-portable-8.9.p1_4,1 (direct dependency changed: openssl)
openvpn-2.5.7 (direct dependency changed: openssl)
opnsense-update-22.1.9 (direct dependency changed: openssl)
php74-openssl-7.4.30 (direct dependency changed: openssl)
py39-cryptography-3.4.8 (direct dependency changed: openssl)
python39-3.9.13 (direct dependency changed: openssl)
squid-4.15 (direct dependency changed: openssl)
strongswan-5.9.6_2 (direct dependency changed: openssl)
syslog-ng-3.37.1 (direct dependency changed: openssl)
unbound-1.16.0 (direct dependency changed: openssl)
wpa_supplicant-2.10_6 (direct dependency changed: openssl)

Number of packages to be removed: 1
Number of packages to be installed: 1
Number of packages to be reinstalled: 26

The operation will free 5 MiB.
[1/28] Deinstalling libressl-3.3.6...
[1/28] Deleting files for libressl-3.3.6: .......... done
[2/28] Installing openssl-1.1.1q,1...
[2/28] Extracting openssl-1.1.1q,1: .......... done
[3/28] Reinstalling cyrus-sasl-2.1.28...
*** Updated user `cyrus'.
[3/28] Extracting cyrus-sasl-2.1.28: .......... done
ld-elf.so.1: Shared object "libcrypto.so.46" not found, required by "libsasl2.so.3"
WARNING: Users SASL passwords are in /usr/local/etc/sasldb2.db, keeping this file
[4/28] Reinstalling krb5-1.20...
[4/28] Extracting krb5-1.20: .......... done
[5/28] Reinstalling cyrus-sasl-gssapi-2.1.28...
[5/28] Extracting cyrus-sasl-gssapi-2.1.28: .......... done
[6/28] Reinstalling python39-3.9.13...
[6/28] Extracting python39-3.9.13: .......... done
[7/28] Reinstalling openldap24-client-2.4.59_4...
[7/28] Extracting openldap24-client-2.4.59_4: .......... done
[8/28] Reinstalling libfido2-1.11.0...
[8/28] Extracting libfido2-1.11.0: .......... done
[9/28] Reinstalling libevent-2.1.12...
[9/28] Extracting libevent-2.1.12: .......... done
[10/28] Reinstalling ldns-1.8.1...
[10/28] Extracting ldns-1.8.1: .......... done
[11/28] Reinstalling curl-7.84.0...
[11/28] Extracting curl-7.84.0: .......... done
[12/28] Reinstalling wpa_supplicant-2.10_6...
[12/28] Extracting wpa_supplicant-2.10_6: ....... done
[13/28] Reinstalling unbound-1.16.0...
===> Creating groups.
Using existing group 'unbound'.
===> Creating users
Using existing user 'unbound'.
[13/28] Extracting unbound-1.16.0: .......... done
[14/28] Reinstalling syslog-ng-3.37.1...
[14/28] Extracting syslog-ng-3.37.1: .......... done
[15/28] Reinstalling strongswan-5.9.6_2...
[15/28] Extracting strongswan-5.9.6_2: .......... done
[16/28] Reinstalling squid-4.15...
===> Creating groups.
Using existing group 'squid'.
===> Creating users
Using existing user 'squid'.
===> Creating homedir(s)
===> Pre-installation configuration for squid-4.15
[16/28] Extracting squid-4.15: .......... done
[17/28] Reinstalling py39-cryptography-3.4.8...
[17/28] Extracting py39-cryptography-3.4.8: .......... done
[18/28] Reinstalling php74-openssl-7.4.30...
[18/28] Extracting php74-openssl-7.4.30: ....... done
[19/28] Reinstalling opnsense-update-22.1.9...
[19/28] Extracting opnsense-update-22.1.9: .......... done
[20/28] Reinstalling openvpn-2.5.7...
===> Creating groups.
Using existing group 'openvpn'.
===> Creating users
Using existing user 'openvpn'.
[20/28] Extracting openvpn-2.5.7: .......... done
[21/28] Reinstalling openssh-portable-8.9.p1_4,1...
[21/28] Extracting openssh-portable-8.9.p1_4,1: .......... done
[22/28] Reinstalling ntp-4.2.8p15_5...
[22/28] Extracting ntp-4.2.8p15_5: .......... done
[23/28] Reinstalling mpd5-5.9_9...
[23/28] Extracting mpd5-5.9_9: .......... done
[24/28] Reinstalling monit-5.32.0...
[24/28] Extracting monit-5.32.0: ....... done
[25/28] Reinstalling lighttpd-1.4.65...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
[25/28] Extracting lighttpd-1.4.65: .......... done
[26/28] Reinstalling isc-dhcp44-server-4.4.2P1_1...
===> Creating groups.
Using existing group 'dhcpd'.
===> Creating users
Using existing user 'dhcpd'.
[26/28] Extracting isc-dhcp44-server-4.4.2P1_1: .......... done
[27/28] Reinstalling hostapd-2.10_5...
[27/28] Extracting hostapd-2.10_5: ....... done
[28/28] Reinstalling cpdup-1.22...
[28/28] Extracting cpdup-1.22: ..... done
You may need to manually remove /usr/local/etc/unbound/unbound.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/strongswan.d/charon-logging.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/strongswan.d/charon.conf if it is no longer needed.
=====
Message from strongswan-5.9.6_2:

--
The default strongSwan configuration interface have been updated to vici.
To use the stroke interface by default either compile the port without the vici option or
set 'strongswan_interface="stroke"' in your rc.conf file.
You may need to manually remove /usr/local/etc/squid/squid.conf if it is no longer needed.
=====
Message from php74-openssl-7.4.30:

--
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

Upstream Security Support ends on 2022-11-28.

It is scheduled to be removed on or after 2022-11-29.
=====
Message from openvpn-2.5.7:

--
Note that OpenVPN now configures a separate user and group "openvpn",
which should be used instead of the NFS user "nobody"
when an unprivileged user account is desired.

It is advisable to review existing configuration files and
to consider adding/changing user openvpn and group openvpn.
You may need to manually remove /usr/local/etc/ssh/ssh_config if it is no longer needed.
You may need to manually remove /usr/local/etc/ssh/sshd_config if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/lighttpd.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/modules.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/access_log.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/auth.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/cgi.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/dirlisting.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/evhost.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/mime.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/scgi.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/lighttpd/conf.d/webdav.conf if it is no longer needed.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: ...


Has this one failed, too? OMG...
kind regards
chemlud

Apparently the second system is borked, too. I tried to upgrade from console, saying "nothing to do", but "start of webGUI... failed".

What's going on here?!?
kind regards
chemlud

On reboot of the second system after switching to openssl "starting webGUI.... failed".
kind regards
chemlud

When I try to upgrade from console I get:

0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: y

Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (0 candidates): . done
Processing candidates (0 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Nothing to do.
Checking all packages: .......... done
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0

>>> Missing package dependencies were detected.
>>> Found 2 issue(s) in the package database.

pkg-static: No packages available to install matching 'python37' have been founs
pkg-static: No packages available to install matching 'py37-setuptools' have bes
>>> Summary of actions performed:

python37 dependency failed to be fixed
py37-setuptools dependency failed to be fixed

>>> There are still missing dependencies.
>>> Try fixing them manually.

>>> Also make sure to check 'pkg updating' for known issues.
Nothing to do.
Nothing to do.
Starting web GUI...failed.
Generating RRD graphs...done.
kind regards
chemlud

...and a manual reload of all services from console gives:

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option: 11

Writing firmware setting...done.
Writing trust files...done.
Configuring login behaviour...done.
Configuring CRON...done.
Setting timezone...done.
Setting hostname: OPN1218.famgb.home.arpa
Generating /etc/hosts...done.
Generating /etc/resolv.conf...done.
Configuring loopback interface...done.
Creating wireless clone interfaces...done.
Creating OpenVPN instances...done.
Configuring Dreck interface...done.
Configuring LAN interface...done.
Configuring Service interface...done.
Configuring WAN interface...em2: link state changed to DOWN
done.
Configuring iNET interface...done.
Creating IPsec VTI instances...done.
Setting up routes...done.
Configuring firewall.....em2: link state changed to UP
..done.
Starting DHCPv4 service...em2: link state changed to DOWN
done.
Configuring dynamic DNS clients...em2: link state changed to UP
done.
Starting NTP service...done.
Starting Unbound DNS...done.
Starting web GUI...failed.
Syncing OpenVPN settings...ovpns5: link state changed to DOWN
ovpns5: link state changed to UP
done.
Generating RRD graphs...done.
Stopping suricata.
Waiting for PIDS: 54631em1: link state changed to DOWN
em0: link state changed to DOWN
igb0: link state changed to DOWN
.
Stopping monit.
Waiting for PIDS: 21476.
Stopping flowd_aggregate...done
Stopping flowd.
Waiting for PIDS: 20 169.
[#] rm -f /var/run/wireguard/wg0wg0: link state changed to DOWN
.sock
em1: link state changed to UP
[#] ifconfig wg create name wg0
[!] Missing WireGuard kernel support (ifconfig: tun0: link state changed to UP
tun0: changing name to 'wg0'
SIOCIFCREATE2: Invalid argument). Falling back to slow userspace implementation.
[#] wireguard-go wg0
┌──────────────────────────────────────────────────────┐
│                                                      │
│   Running wireguard-go is not required because this  │
│   kernel has first class support for WireGuard. For  │
│   information on installing the kernel module,       │
│   please visit:                                      │
│         https://www.wireguard.com/install/           │
│                                                      │
└──────────────────────────────────────────────────────┘
[#] wg setconf wg0 /dev/stdin
ovpns5: link state changed to DOWN
ovpns5: link state changed to UP
em0: link state changed to UP
igb0: link state changed to UP
[#] ifconfig wg0 inet 10.11.12.1/28 alias
[#] ifconfig wg0 mtu 1420
[#] ifconfig wg0 up
[#] route -q -n add -inet asrgergr/32 -interface wg0
[#] route -q -n add -inet wergwerg/29 -interface wg0
[#] route -q -n add -inet wergwergwer/25 -interface wg0
[#] route -q -n add -inet wgergwergwer/24 -interface wg0
[+] Backgrounding route monitor
Starting flowd.
Starting flowd_aggregate.
Starting monit.
Starting Monit 5.32.0 daemon with http interface at /var/run/monit.sock
Starting suricata.
10/7/2022 -- 15:18:42 - <Info> - Including configuration file installed_rules.y.
10/7/2022 -- 15:18:42 - <Info> - Configuration node 'rule-files' redefined.
10/7/2022 -- 15:18:42 - <Info> - Including configuration file custom.yaml.
kind regards
chemlud

Looked for logs of lighttpd in /var/log/lighttpd, but there is no entry after starting the upgrade to openSSL (saying the service has been stopped is the last line in the log); in the system log I see

...
<11>1 2022-07-10T14:49:16+02:00 OPN opnsense 18871 - [meta sequenceId="14"] /usr/local/etc/rc.restart_webgui: The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '255', the output was '2022-07-10 14:49:16: (mod_openssl.c.1986) SSL: SSL_CONF_cmd CipherString AEAD-CHACHA20-POLY1305-SHA256:!aNULL:!eNULL:!EXP: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match 2022-07-10 14:49:16: (server.c.1291) In'
<11>1 2022-07-10T15:02:21+02:00 OPN opnsense 49841 - [meta sequenceId="161"] /usr/local/etc/rc.restart_webgui: The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '255', the output was '2022-07-10 15:02:21: (mod_openssl.c.1986) SSL: SSL_CONF_cmd CipherString AEAD-CHACHA20-POLY1305-SHA256:!aNULL:!eNULL:!EXP: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match 2022-07-10 15:02:21: (server.c.1291) I'
...


CHACHA20Poly1305 is the only cipher allowed for accessing the webgui, why is this a problem here?
kind regards
chemlud

How to change allowed ciphers from console to get a functional GUI back? Any ideas?
kind regards
chemlud

...editing /config/config.xml did the trick. What a pain...
kind regards
chemlud

So, system not borked, manual configuration of ciphers prevented GUI access? It's why I don't favour overrides of standard configurations that are supposed to work for everybody.


Cheers,
Franco
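
Added example, not part of the thread and not OPNsense code: a Python check that pulls the rejected CipherString out of a syslog line like the ones quoted above and tests whether a cipher override selects anything in the TLS library Python is linked against, so the override can be checked before the crypto library is switched. The function names are made up for this example, the sample line is a shortened copy of the quoted log, and the outcome of the library check depends on the local TLS library.

```python
import re
import ssl

# Sample input: shortened copy of one syslog line quoted in the thread.
SAMPLE_SYSLOG = (
    '<11>1 2022-07-10T14:49:16+02:00 OPN opnsense 18871 - [meta sequenceId="14"] '
    "/usr/local/etc/rc.restart_webgui: The command '/usr/local/sbin/lighttpd -f "
    "/var/etc/lighty-webConfigurator.conf' returned exit code '255', the output was "
    "'2022-07-10 14:49:16: (mod_openssl.c.1986) SSL: SSL_CONF_cmd CipherString "
    "AEAD-CHACHA20-POLY1305-SHA256:!aNULL:!eNULL:!EXP: error:1410D0B9:SSL routines:"
    "SSL_CTX_set_cipher_list:no cipher match'\n"
)

# Matches the lighttpd/mod_openssl failure as it appears inside the syslog record.
FAILURE_RE = re.compile(
    r"^<\d+>1 (?P<timestamp>\S+) .*?"
    r"SSL_CONF_cmd CipherString (?P<ciphers>\S+): "
    r"error:(?P<error_code>[0-9A-Fa-f]+):SSL routines:"
    r"(?P<function>\w+):no cipher match",
    re.MULTILINE,
)


def find_cipher_failures(log_text):
    """Return one dict per 'no cipher match' record found in log_text."""
    return [m.groupdict() for m in FAILURE_RE.finditer(log_text)]


def additive_tokens(cipher_string):
    """Tokens that are meant to add ciphers (not '!', '-', '+' or '@' rules)."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string) if t]
    return [t for t in tokens if t[0] not in "!-+@"]


def usable_with_local_library(cipher_string):
    """True if the linked TLS library can select at least one cipher.

    Python's set_ciphers() wraps SSL_CTX_set_cipher_list, the call that
    fails in the log line, so it reports the same condition.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


def unmatched_tokens(cipher_string):
    """Additive tokens that select nothing on their own in this library."""
    return [t for t in additive_tokens(cipher_string)
            if not usable_with_local_library(t)]


def preflight(cipher_string):
    """Summarise whether a cipher override is safe to keep on this library."""
    return {
        "library": ssl.OPENSSL_VERSION,
        "usable": usable_with_local_library(cipher_string),
        "unmatched": unmatched_tokens(cipher_string),
    }


if __name__ == "__main__":
    for hit in find_cipher_failures(SAMPLE_SYSLOG):
        result = preflight(hit["ciphers"])
        print(hit["timestamp"], "rejected CipherString:", hit["ciphers"])
        print("  checked against:", result["library"])
        print("  usable here:", result["usable"])
        print("  tokens matching nothing:", ", ".join(result["unmatched"]) or "none")
```

Run it with the Python that is linked against the TLS library the web GUI will use after the switch; a check against a different library says nothing about the target system.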