WebUI not loading after SSL cert update

evergreek:
Hello guys, I have a bit of a problem. Yesterday I updated the SSL certificate from the default one to the one for my domain on the web UI config page. Now the UI is not loading. I see the following error message in the logs:

root@OPNsense:/var/log # /usr/local/etc/rc.restart_webgui
Starting web GUI...failed.
Generating RRD graphs...done.
root@OPNsense:/var/log # /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
2020-07-07 09:19:54: (mod_openssl.c.513) SSL: couldn't read private key from '/var/etc/cert.pem'
2020-07-07 09:19:54: (server.c.1207) Initialization of plugins failed. Going down.

When I cat /var/etc/cert.pem

I see the following (keys removed)

root@OPNsense:/var/etc # more cert.pem
-----BEGIN CERTIFICATE-----
XXXXXXXX
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
XXXXXXXXXX
-----END PRIVATE KEY-----

Looks like it cannot read the private key? Is there any way to revert this to the "default" SSL cert?

Gary7:
This may be a complete shot in the dark.
I looked at my default /var/etc/cert.pem file and there is a blank line between END CERTIFICATE and BEGIN PRIVATE KEY.
Possibly a blank line is needed in order to correctly parse the file?
-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----

amichel:

--- Quote from: evergreek on July 07, 2020, 04:22:00 pm ---...
-----END PRIVATE KEY-----

looks like it cannot read the private key? Any way to revert this to the "default" ssl cert?

--- End quote ---
Can't you simply revert from the shell to a previous version?
At least that should give you access to the GUI even with a cert error. Then you can recreate the cert, and before installing it I would also temporarily configure the GUI to listen on port 80.

amichel

mgsteve:
Sorry to resurrect this thread, but I've just had the same problem on 20.7. It appears that if there are any errors in the certs (in my case a stray character at the end of the cert) it causes lighttpd to fail to start and you're left with a GUI-less system.

This is far from ideal if the firewall is in a data center and you've got no remote access to the console. The code needs to run some sort of validation check on the cert to make sure it's valid before you assign it to the GUI, or put in some fallback code to restore the SSL config to the old one if it fails to start.
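The kind of pre-flight check mgsteve asks for, as an added example that is not OPNsense or lighttpd code. It parses a combined cert-plus-key file of the shape shown in the first post and rejects the two failure modes from this thread: non-PEM text such as a stray character after an END line, and a damaged base64 body. The DER bodies in the samples are constructed fakes (just enough bytes to begin with an ASN.1 SEQUENCE), not real keys, and the set of accepted key labels is an assumption. `openssl_check` hands the same text to the OpenSSL bindings in Python's `ssl` module as a second opinion, since the log line above shows lighttpd's mod_openssl is what ultimately has to read the file.

```python
import base64
import binascii
import os
import re
import ssl
import tempfile

# Constructed sample data: fake DER that only starts with the SEQUENCE tag 0x30.
FAKE_CERT_DER = b"\x30\x03\x02\x01\x07"
FAKE_KEY_DER = b"\x30\x03\x02\x01\x09"

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Assumed set of key block labels a web GUI bundle may carry.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def make_pem(label, der):
    """Build one PEM block from DER bytes; used here only to construct samples."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def parse_pem_bundle(text):
    """Return [(label, der_bytes), ...] or raise ValueError naming the bad line.

    Deliberately strict: non-blank text outside a block, a mismatched END label,
    a non-base64 body line or a body that is not a DER SEQUENCE all fail.
    """
    blocks, label, body = [], None, []
    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip("\r")
        if label is None:
            m = _BEGIN.match(line)
            if m:
                label, body = m.group(1), []
            elif line.strip():
                raise ValueError("line %d: stray text outside a PEM block: %r" % (lineno, line))
            continue
        m = _END.match(line)
        if m:
            if m.group(1) != label:
                raise ValueError("line %d: END %r does not match BEGIN %r" % (lineno, m.group(1), label))
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as e:
                raise ValueError("block %r ending at line %d: bad base64 (%s)" % (label, lineno, e))
            if not der or der[0] != 0x30:
                raise ValueError("block %r ending at line %d: body is not a DER SEQUENCE" % (label, lineno))
            blocks.append((label, der))
            label = None
            continue
        # Inside a block: every line must be a base64 line of at most 64 chars.
        if len(line) > 64 or not _B64_LINE.match(line):
            raise ValueError("line %d: not a valid base64 body line: %r" % (lineno, line))
        body.append(line)
    if label is not None:
        raise ValueError("unterminated %r block" % label)
    return blocks


def check_webgui_bundle(text):
    """Return (ok, message) for a combined cert+key file such as /var/etc/cert.pem."""
    try:
        blocks = parse_pem_bundle(text)
    except ValueError as e:
        return False, str(e)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    if not certs:
        return False, "no CERTIFICATE block found"
    if len(keys) != 1:
        return False, "expected exactly one private key block, found %d" % len(keys)
    if not text.endswith("\n"):
        return False, "file does not end with a newline"
    return True, "%d certificate(s) and one %s block parse cleanly" % (len(certs), keys[0][0])


def openssl_check(text):
    """Load the bundle as a TLS server would; None on success, else the error text."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(path)
        return None
    except (ssl.SSLError, OSError) as e:
        return str(e)
    finally:
        os.unlink(path)


# Constructed samples covering the cases discussed in the thread.
GOOD_BUNDLE = make_pem("CERTIFICATE", FAKE_CERT_DER) + make_pem("PRIVATE KEY", FAKE_KEY_DER)
GOOD_BUNDLE_BLANK = make_pem("CERTIFICATE", FAKE_CERT_DER) + "\n" + make_pem("PRIVATE KEY", FAKE_KEY_DER)
STRAY_CHAR_BUNDLE = GOOD_BUNDLE.replace("-----END CERTIFICATE-----", "-----END CERTIFICATE-----x")
BAD_KEY_BUNDLE = GOOD_BUNDLE.replace("-----BEGIN PRIVATE KEY-----\n", "-----BEGIN PRIVATE KEY-----\n!")

if __name__ == "__main__":
    for name, sample in [("good", GOOD_BUNDLE), ("good+blank", GOOD_BUNDLE_BLANK),
                         ("stray char", STRAY_CHAR_BUNDLE), ("bad key line", BAD_KEY_BUNDLE)]:
        print(name, check_webgui_bundle(sample))
    print("openssl on fake DER:", openssl_check(GOOD_BUNDLE))
```

The structural check passes both with and without a blank line between the blocks, so the blank line alone is not what this parser cares about; the stray character and the damaged key line are reported with the offending line number, which is what an operator would want before the file is handed to the GUI service. The OpenSSL pass fails on the fake sample bodies by design; on a real bundle it is the check to trust, because it also verifies that the key matches the certificate.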

franco:
https://redmine.lighttpd.net/projects/lighttpd/issues Please report it here. It seems simple and sane enough to fix it at the source.

This only happens with imported certificates?

You can always revert the config from the console and choose "restart all services" afterwards.


Cheers,
Franco