Expired letsencrypt ssl cert locked out of GUI

Started by bullfrog_au, May 25, 2024, 02:08:32 PM

Hi all,

I had set up SSL using the ACME plugin using letsencrypt, and all was working well. I did not need to access the GUI for months, and now that I do, it is returning
503 Service Unavailable
No server is available to handle this request.


The cert being shown to the browser has
Issued By
    Common Name (CN) R3
    Organization (O) Let's Encrypt
    Organizational Unit (OU) <Not Part Of Certificate>
Validity Period
    Issued On Friday, December 29, 2023 at 8:50:18 PM
    Expires On Thursday, March 28, 2024 at 8:50:17 PM

which is clearly long out of date.

From searching the forums it appears that the expired cert is tied to the 503 error.

I had a cron job set up to renew the cert which does not seem to have run.
<job uuid="611156f2-ca1a-4107-b788-bc046178280b">
<origin>AcmeClient</origin>
<enabled>1</enabled>
<minutes>0</minutes>
<hours>0</hours>
<days>*</days>
<months>*</months>
<weekdays>*</weekdays>
<who>root</who>
<command>acmeclient cron-auto-renew</command>
<parameters/>
<description>AcmeClient Cronjob for Certificate AutoRenewal</description>
</job>


I still have SSH, but only as an admin, not as root.

My problem is, how do I revert to either the default SSL or enable HTTP so I can access the GUI? I have been trying everything I can think of for several days with no success. Many of the suggestions I have found are not working due to the lack of root privileges available to me.

My backups all include the letsencrypt SSL config, so rolling back to them would not fix the issue.
I REALLY don't want to start from a clean install again!
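The failure described in this post is a renewal cron that silently stopped running, discovered only once the certificate was already three months past expiry. The script below is an added example (not from the thread, OPNsense or the ACME plugin) of the out-of-band check a practitioner would run from a separate host: it uses `openssl x509 -checkend` to fail when a certificate expires within a threshold, either on a PEM file or on the certificate a live endpoint presents. The hostname gui.example.internal and the self-signed certificate produced by `make_test_cert` are constructed fixtures for the example, not anything from the original post.

```shell
#!/bin/sh
# cert_expiry_check.sh -- added example, not from the forum thread or OPNsense.
# Warns when a certificate is already expired or will expire within a threshold,
# so a silent ACME renewal failure is noticed before the GUI becomes unreachable.

# check_pem FILE DAYS
#   exit 0: certificate in FILE is still valid DAYS days from now
#   exit 1: it expires within DAYS days, or has already expired
#   exit 2: FILE could not be parsed
check_pem() {
    file=$1
    days=${2:-14}
    seconds=$((days * 86400))
    if ! openssl x509 -in "$file" -noout >/dev/null 2>&1; then
        echo "cannot parse certificate in $file" >&2
        return 2
    fi
    not_after=$(openssl x509 -in "$file" -noout -enddate | sed 's/^notAfter=//')
    # -checkend N exits non-zero if the cert expires within the next N seconds
    if openssl x509 -in "$file" -noout -checkend "$seconds" >/dev/null 2>&1; then
        echo "OK: $file valid beyond $days days (notAfter=$not_after)"
        return 0
    fi
    echo "WARNING: $file expires within $days days or is already expired (notAfter=$not_after)" >&2
    return 1
}

# check_host HOST PORT DAYS -- same exit codes, for the certificate a live
# server presents. -servername sends SNI so a name-based vhost or reverse proxy
# returns the certificate a browser would see; 'echo |' closes s_client's stdin.
check_host() {
    host=$1
    port=${2:-443}
    days=${3:-14}
    tmp=$(mktemp) || return 2
    if ! echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
            | openssl x509 -outform PEM >"$tmp" 2>/dev/null; then
        echo "could not fetch certificate from $host:$port" >&2
        rm -f "$tmp"
        return 2
    fi
    check_pem "$tmp" "$days"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# make_test_cert FILE DAYS -- constructed self-signed test fixture valid for
# DAYS days; the key is discarded. Only used to exercise check_pem offline.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$1" \
        -days "$2" -subj "/CN=gui.example.internal" >/dev/null 2>&1
}

# Usage from cron on a monitoring host (hostname is an assumed placeholder):
#   ./cert_expiry_check.sh gui.example.internal 443 14
if [ "$#" -ge 1 ]; then
    check_host "$@"
fi
```

Run it daily from a host other than the firewall, with a threshold larger than the ACME renewal window, so that a non-zero exit means the renewal job has already missed at least one opportunity and there is still time to log in and fix it over HTTPS rather than through a password reset on the console.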

May 25, 2024, 02:26:49 PM #1 Last Edit: May 25, 2024, 02:29:18 PM by Monviech
Can the unprivileged admin user follow the option 2 TUI?

https://docs.opnsense.org/troubleshooting/webgui.html

And I think the configctl command doesn't need root either.

In the future, don't use Let's Encrypt certificates with the GUI, locking yourself out like this happens more often than you think.

Rather, Reverse Proxy the GUI for the Let's Encrypt certificate, that way you have it on 443 with the certificate, and on another port as backup with the self signed cert.:

https://docs.opnsense.org/manual/how-tos/caddy.html#reverse-proxy-the-opnsense-webui
Hardware:
DEC740

Thank you, your advice got me further than I had in several days on my own!
The shell menu wasn't available to the admin user, but I was able to reset the root user password as noted in the docs. This allowed me to log in as root and follow your suggestion below.

I got the webGUI back on HTTP and removed the expired certs, but when I switch back to HTTPS and select the self-signed cert, the browser is still being issued an old expired cert (completely the wrong cert too somehow). The network has a wildcard cert of
*.subdomain.domain.TLD
which was what the Opnsense was/should be using. There was also a second cert for a specific web exposed app
subdomain2.domain.TLD
which I have since deleted.

The Opnsense install is getting the correct IP (checked by ping), but is being issued the subdomain2 cert.
I have locked myself out over and over trying to get back to a HTTPS using the default self signed cert so I can take your advice and reverse proxy the GUI.

Is it possible to force the cert beyond just selecting it from 'System > Settings > Administration - SSL Certificate'?