Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
24.1 Legacy Series
»
FIXED: Certificate Admin website changes no Access possible
« previous
next »
Print
Pages: [
1
]
Author
Topic: FIXED: Certificate Admin website changes no Access possible (Read 1375 times)
amichel
Jr. Member
Posts: 87
Karma: 8
FIXED: Certificate Admin website changes no Access possible
«
on:
January 30, 2024, 08:04:22 pm »
I have more certificates stored on my box. One as Webcertificate for the Admin Gui and another one for Haproxy to be used.
After boot without any change the Admin Website is using the certificate for my mail server mail.domain.com instead of opnsense.domain.com and I am logged out of the website.
Any Idea what to do here?
UPDATE:
I removed the wildcardcertificate and kept only the two certificates needed. Additionally I disabled HSTS in the admin website to at least have access to the box if the wrong certificate is presented.
Nothing works.
After a couple of minutes when I connect to the admin website I am presented with the mail.domain.com cert and then not being able to log on as hsts is presented. Which is enabled on HA proxy. Looks like HAproxy is interfering here and hooks on the admin website.
UPDATE 2:
Looks like
Benerages
is right it has something to do with haproxy. Once I stop haproxy I can access the Webinterface.
«
Last Edit: January 30, 2024, 11:36:34 pm by amichel
»
Logged
Benerages
Newbie
Posts: 3
Karma: 1
Re: Certificates Shuffled for Admin Website HSTS
«
Reply #1 on:
January 30, 2024, 08:07:32 pm »
U might wanna check this out:
https://forum.opnsense.org/index.php?topic=38435.0
Hope a fix is coming soon.
«
Last Edit: January 30, 2024, 08:10:06 pm by Benerages
»
Logged
amichel
Jr. Member
Posts: 87
Karma: 8
Re: Certificates Shuffled for Admin Website HSTS
«
Reply #2 on:
January 30, 2024, 08:12:34 pm »
thank you I read that but I did not thought that it will also affect the admin website.
Logged
amichel
Jr. Member
Posts: 87
Karma: 8
Re: Certificates Shuffled for Admin Website HSTS
«
Reply #3 on:
January 30, 2024, 08:53:18 pm »
Strange thing here is that after a reload of the services for some time the admin website works and then suddenly the cert is exchanged and access is impossible due to the HSTS settings. Only option at the moment is to apply an older config through the shell, then for some minutes it works with the correct certificate before starting again.
So far I reverted back to 23.7 and hope for a solution.
Logged
amichel
Jr. Member
Posts: 87
Karma: 8
Re: Certificate Admin website changes no Access possible
«
Reply #4 on:
January 30, 2024, 10:55:52 pm »
Workarounded:
After some digging I found a Workaround so far.
Because I have a dynamic IP I bound my haproxy public service on 0.0.0.0:443 which is the same port the Admin website is running. The admin website is only listening on the LAN interface and so far that configuration worked. Looks like there is a change/bug as already discussed, that configures HAProxy to listen on all interfaces blocking the configured port.
So the workaround so far is to reconfigure the admin interface to listen to another port.
This does not make me fully happy but it works.
Logged
amichel
Jr. Member
Posts: 87
Karma: 8
Re: WORKAROUNDED: Certificate Admin website changes no Access possible
«
Reply #5 on:
January 30, 2024, 11:36:20 pm »
Finally fixed it by implementing the recommendation to forward all Traffic to a dedicated VIP for the Haproxy as in
https://github.com/opnsense/plugins/issues/722
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
24.1 Legacy Series
»
FIXED: Certificate Admin website changes no Access possible