FIXED: Certificate of Admin website changes, no access possible

Started by amichel, January 30, 2024, 08:04:22 PM

I have several certificates stored on my box: one as web certificate for the admin GUI and another one to be used for HAProxy.
After boot, without any change, the admin website is using the certificate for my mail server mail.domain.com instead of opnsense.domain.com, and I am logged out of the website.
Any idea what to do here?

UPDATE:
I removed the wildcard certificate and kept only the two certificates needed. Additionally, I disabled HSTS on the admin website to at least have access to the box if the wrong certificate is presented.
Nothing works.
After a couple of minutes, when I connect to the admin website I am presented with the mail.domain.com cert and am then not able to log on, as HSTS is presented, which is enabled on HAProxy. Looks like HAProxy is interfering here and hooks into the admin website.
UPDATE 2:
Looks like Benerages is right; it has something to do with HAProxy. Once I stop HAProxy I can access the web interface.

January 30, 2024, 08:07:32 PM #1 Last Edit: January 30, 2024, 08:10:06 PM by Benerages
You might want to check this out:

https://forum.opnsense.org/index.php?topic=38435.0

Hope a fix is coming soon.

Thank you, I read that but I did not think that it would also affect the admin website.

The strange thing here is that after a reload of the services the admin website works for some time, and then suddenly the cert is exchanged and access is impossible due to the HSTS settings. The only option at the moment is to apply an older config through the shell; then it works for some minutes with the correct certificate before starting again.
So far I have reverted back to 23.7 and hope for a solution.

Workaround:
After some digging I found a workaround, so far.
Because I have a dynamic IP, I bound my HAProxy public service on 0.0.0.0:443, which is the same port the admin website is running on. The admin website is only listening on the LAN interface, and so far that configuration worked. Looks like there is a change/bug, as already discussed, that configures HAProxy to listen on all interfaces, blocking the configured port.
So the workaround so far is to reconfigure the admin interface to listen on another port.
This does not make me fully happy, but it works.
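The post above describes a wildcard bind (HAProxy on 0.0.0.0:443) swallowing a port that the admin GUI listens on via a single LAN address. The following is an added example, not code from the thread or from OPNsense/HAProxy: a small POSIX shell script that (a) scans listener lines in a "process address:port" format for a wildcard bind overlapping a specific-address bind on the same port, and (b) scans HAProxy `bind` lines for wildcard addresses so a config can be checked before it is applied. The listener lines, the process names (lighttpd is assumed to be the GUI web server), the addresses and the certificate path are all constructed sample data.

```shell
#!/bin/sh
# Added example (not from the forum thread): detect listener port collisions
# between a wildcard bind (0.0.0.0, *, ::) and a specific-address bind.
# Input format, one listener per line: "<process> <address>:<port>".
# On a live box such lines can be produced from "sockstat -l" output; here
# they are constructed sample data.

find_port_collisions() {
    awk '
    {
        proc = $1
        n = split($2, parts, ":")
        port = parts[n]
        # everything before the final ":<port>" is the address (IPv6 kept as-is)
        addr = substr($2, 1, length($2) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]") {
            wild[port] = wild[port] (wild[port] == "" ? "" : ",") proc "(" addr ")"
        } else {
            spec[port] = spec[port] (spec[port] == "" ? "" : ",") proc "(" addr ")"
        }
    }
    END {
        # a port is a collision only when it has both a wildcard and a specific listener
        for (p in wild)
            if (p in spec)
                printf "port %s: wildcard %s overlaps %s\n", p, wild[p], spec[p]
    }' | sort
}

# Print the bind targets in an HAProxy config that use a wildcard address.
# Empty output means every bind is pinned to a specific address (e.g. a VIP).
haproxy_wildcard_binds() {
    awk '$1 == "bind" {
        target = $2
        addr = target
        sub(/:[0-9]+$/, "", addr)          # strip the port; "bind :443" leaves ""
        if (addr == "" || addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]")
            print target
    }'
}

# Constructed sample listeners: HAProxy on the wildcard, GUI on the LAN address.
SAMPLE_LISTENERS='haproxy 0.0.0.0:443
lighttpd 192.168.1.1:443
lighttpd 192.168.1.1:8443
sshd 192.168.1.1:22'

# Constructed HAProxy frontend fragments: wildcard bind vs. bind on a dedicated VIP.
SAMPLE_HAPROXY_CFG='frontend public_https
    bind 0.0.0.0:443 ssl crt /path/to/placeholder.pem
    default_backend web'
SAMPLE_HAPROXY_CFG_FIXED='frontend public_https
    bind 203.0.113.10:443 ssl crt /path/to/placeholder.pem
    default_backend web'

# Stand-alone demonstration of both checks on the constructed data.
printf '%s\n' "$SAMPLE_LISTENERS" | find_port_collisions
printf 'wildcard binds (original): %s\n' "$(printf '%s\n' "$SAMPLE_HAPROXY_CFG" | haproxy_wildcard_binds)"
printf 'wildcard binds (fixed): %s\n' "$(printf '%s\n' "$SAMPLE_HAPROXY_CFG_FIXED" | haproxy_wildcard_binds)"
```

The collision check reports only ports that have both kinds of listener, which is exactly the case in the thread: moving the GUI to another port or pinning HAProxy to a dedicated VIP both make the report empty.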

Finally fixed it by implementing the recommendation to forward all traffic to a dedicated VIP for HAProxy, as in
https://github.com/opnsense/plugins/issues/722