Update 20.7.6 to 20.7.7 Update ERR_SSL_PROTOCOL_ERROR

Started by george09, December 18, 2020, 08:53:25 AM

As per lighttpd author: are you using TLS 1.0 or 1.1 to connect to the firewall? TLS 1.2 is the minimum for them by default now.


Cheers,
Franco

Quote from: franco on January 05, 2021, 10:07:16 AM
Then it looks like lighttpd is not going to fix that issue. I can't imagine that this is an issue that can't be fixed from the system (switching cert maybe?). Because it is working for a representative amount of users...


Cheers,
Franco

For me it is working too on some boxes, but most of them crashed.
DEC4240 – OPNsense Owner

I think the problem is that when you use Let's Encrypt certificates via acme.sh, the certificate in
ssl.pemfile = "/var/etc/cert.pem" (/var/etc/lighty-webConfigurator.conf)
is only the private key + certificate.
The intermediate certificate is missing. If you put the intermediate certificate into /var/etc/cert.pem and restart lighttpd, it is working for me.
e.g.
cd /var/etc/acme-client/home/<MYNAME>
cat fullchain.cer <MYNAME>.key > /var/etc/cert.pem

Restart lighttpd

Perhaps it is this simple?

The chain is properly appended, but only if the parent CA(s) are known to System: Trust: Authorities.


Cheers,
Franco

Anyone using macOS, Big Sur in particular?

I'm seeing the issue on all browsers using TLS 1.3 while TLS 1.2 is fine. Wedging lighttpd a bit unbreaks this and the error is gone from all browsers, even after a reboot with all the lighttpd defaults.  :o


Cheers,
Franco

Quote from: franco on January 12, 2021, 12:38:51 PM
The chain is properly appended, but only if the parent CA(s) are known to System: Trust: Authorities.

Hmmm... Let's Encrypt Authority X3 (Let's Encrypt) and R3 (Let's Encrypt) were/are in the trusted Authorities. But the full chain is not copied to the *.pem file by the OPNsense framework (only key+cert).

Perhaps we are looking at different problems with the same effect!?

If I take a self-signed cert for the webgui => no problem with Firefox/Chrome/Edge (on Windows).
If I take the Let's Encrypt cert => ERR_SSL_PROTOCOL_ERROR in Chrome+Edge, SSL_ERROR_INTERNAL_ERROR_ALERT in Firefox.
If I add the intermediate directly in the *.pem => no problems.

Tested TLS 1.3, no problem with the fullchain:

...
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=XXXXXXXXX
*  start date: Dec  7 22:01:20 2020 GMT
*  expire date: Mar  7 22:01:20 2021 GMT
...
Isn't this what

ssl.ca-file = "/var/etc/ca.pem"

tries to configure?


Cheers,
Franco

Ah... I was wrong... there is no intermediate CA from Let's Encrypt. But OPNsense chooses the (wrong)

Common Name: Let's Encrypt Authority X3

as CA for the webgui but the CA is now

Common Name: R3

which is a new CA (Valid From: October 7, 2020)

If I put the right CA inside /var/etc/ca.pem it works, too... I'm not sure why and how OPNsense chooses the CA which is put in /var/etc/ca.pem.

So, after deleting the old Let's Encrypt CA from the trust store and reissuing a new certificate (forced via the Let's Encrypt plugin), everything works automatically. For me it is OK now; perhaps this helps somebody out there. Thanks for your support!
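The two findings in this thread (key+leaf only in /var/etc/cert.pem, and the wrong Let's Encrypt CA landing in /var/etc/ca.pem) both show up as the same browser error, so it helps to check what the server would actually present before restarting anything. The script below is an added example, not code from this thread, OPNsense or lighttpd. It splits the certificate blocks out of a pemfile and a ca-file, prints the leaf's issuer next to the subject of every chain certificate (so an X3-vs-R3 mismatch is visible at a glance), and runs openssl verify against a root bundle you supply, since a browser only needs the leaf plus intermediates from the server and takes the root from its own store. It assumes the openssl CLI is installed and that certificates in ssl.ca-file are sent to the client as chain certificates (that matches the "right CA in /var/etc/ca.pem makes it work" observation above, but it is an assumption about the configuration, not something the thread states). The --demo mode builds a constructed root, two intermediates ("Demo R3" and an unused "Demo X3") and a leaf, so the check can be exercised without Let's Encrypt; the full.pem it writes is the fullchain.cer fix from earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, OPNsense or lighttpd): report what a
# lighttpd instance would present from ssl.pemfile + ssl.ca-file and whether
# that chains to a root the client trusts. Requires the openssl CLI.

# split_certs FILE DIR: write each CERTIFICATE block of FILE to DIR/cert<N>.pem
# and print the count. Private-key blocks (as in /var/etc/cert.pem) are skipped.
split_certs() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = 1 }
        out { print > (dir "/cert" n ".pem") }
        /-----END CERTIFICATE-----/   { out = 0 }
        END { print n + 0 }' "$1"
}

# add_sent CERT LIST: append CERT to the list of chain certs the server sends
add_sent() {
    cat "$1" >> "$2"
    echo "  sent as chain: $(openssl x509 -noout -subject -in "$1")"
}

# chain_check PEMFILE CAFILE ROOTFILE
#   PEMFILE  lighttpd ssl.pemfile: key + leaf, possibly followed by intermediates
#   CAFILE   lighttpd ssl.ca-file: extra chain certificates the server sends (assumption)
#   ROOTFILE roots the *client* trusts (a server never needs to send these)
# Exit status 0 only if the leaf verifies using what the server sends + ROOTFILE.
chain_check() {
    pemfile=$1; cafile=$2; roots=$3
    work=$(mktemp -d) || return 2
    mkdir "$work/pem" "$work/ca"
    npem=$(split_certs "$pemfile" "$work/pem")
    nca=$(split_certs "$cafile" "$work/ca")
    if [ "$npem" -lt 1 ]; then
        echo "no certificate found in $pemfile"; rm -rf "$work"; return 1
    fi
    leaf="$work/pem/cert1.pem"
    echo "leaf subject: $(openssl x509 -noout -subject -in "$leaf")"
    echo "leaf issuer:  $(openssl x509 -noout -issuer  -in "$leaf")"
    # Collect everything the server would send besides the leaf itself.
    sent="$work/sent.pem"; : > "$sent"
    i=2
    while [ "$i" -le "$npem" ]; do add_sent "$work/pem/cert$i.pem" "$sent"; i=$((i + 1)); done
    i=1
    while [ "$i" -le "$nca" ];  do add_sent "$work/ca/cert$i.pem"  "$sent"; i=$((i + 1)); done
    # openssl verify rejects an empty -untrusted file, so pass it only when non-empty.
    if [ -s "$sent" ]; then set -- -untrusted "$sent"; else set --; fi
    if openssl verify -CAfile "$roots" "$@" "$leaf" >/dev/null 2>&1; then
        rc=0; echo "chain OK: client can build leaf -> intermediate(s) -> trusted root"
    else
        rc=1; echo "chain BROKEN: the intermediate that signed the leaf is missing or wrong"
    fi
    rm -rf "$work"
    return $rc
}

# make_demo_chain DIR: constructed test material (not real Let's Encrypt certs):
# a root, two intermediates from it ("Demo R3" signs the leaf, "Demo X3" does not),
# cert.pem = key + leaf only (the thread's broken layout), full.pem = the fullchain fix.
make_demo_chain() {
    d=$1
    ec="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"   # fast to generate
    openssl req -x509 $ec -keyout "$d/root.key" -out "$d/root.pem" \
        -subj "/CN=Demo Root" -days 2 >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for name in R3 X3; do
        openssl req $ec -keyout "$d/int_$name.key" -out "$d/int_$name.csr" \
            -subj "/CN=Demo $name" >/dev/null 2>&1
        openssl x509 -req -in "$d/int_$name.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
            -CAcreateserial -extfile "$d/ca.ext" -out "$d/int_$name.pem" -days 2 >/dev/null 2>&1
    done
    openssl req $ec -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=fw.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int_R3.pem" -CAkey "$d/int_R3.key" \
        -CAcreateserial -out "$d/leaf.pem" -days 2 >/dev/null 2>&1
    cat "$d/leaf.key" "$d/leaf.pem" > "$d/cert.pem"
    cat "$d/leaf.key" "$d/leaf.pem" "$d/int_R3.pem" > "$d/full.pem"
    : > "$d/empty.pem"
}

if [ "${1:-}" = "--demo" ]; then
    D=$(mktemp -d); make_demo_chain "$D"
    chain_check "$D/cert.pem" "$D/int_R3.pem" "$D/root.pem"   # right CA in ca-file: OK
    chain_check "$D/cert.pem" "$D/int_X3.pem" "$D/root.pem"   # old CA in ca-file: broken
    rm -rf "$D"
elif [ $# -eq 3 ]; then
    chain_check "$1" "$2" "$3"
elif [ $# -ne 0 ]; then
    echo "usage: $0 PEMFILE CAFILE ROOTFILE | --demo" >&2; exit 2
fi
```

Run it as `sh chaincheck.sh /var/etc/cert.pem /var/etc/ca.pem ROOTBUNDLE` (ROOTBUNDLE being whatever root store you want to stand in for the browser's) and read the issuer line against the "sent as chain" lines: if the leaf names R3 and the only chain certificate sent is X3, no amount of restarting will help until the ca-file or the pemfile carries the certificate that actually signed the leaf.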
January 13, 2021, 06:24:26 PM #24 Last Edit: January 13, 2021, 09:39:18 PM by bignick8t3
Quote from: franco on January 05, 2021, 10:07:16 AM
Then it looks like lighttpd is not going to fix that issue. I can't imagine that this is an issue that can't be fixed from the system (switching cert maybe?). Because it is working for a representative amount of users...


Cheers,
Franco

I just updated both my backup and master, the master runs Let's Encrypt and I had to run: opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart

This got the GUI working again but on updating lighttpd the error came back.

Is it a case of wait for further update or is there something I can do?

Thanks,

Nick

EDIT: Proper schoolboy error, I completely missed the 2nd page. Ignore me, please.

Quote from: bignick8t3 on January 13, 2021, 06:24:26 PM
Quote from: franco on January 05, 2021, 10:07:16 AM
Then it looks like lighttpd is not going to fix that issue. I can't imagine that this is an issue that can't be fixed from the system (switching cert maybe?). Because it is working for a representative amount of users...


Cheers,
Franco

I just updated both my backup and master, the master runs Let's Encrypt and I had to run: opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart

This got the GUI working again but on updating lighttpd the error came back.

Is it a case of wait for further update or is there something I can do?

Thanks,

Nick

EDIT: Proper schoolboy error, I completely missed the 2nd page. Ignore me, please.

I am just curious how to do so if you cannot access the GUI.

Please note that Let's Encrypt users need to reissue their certificates
manually after upgrading to this version to fix the embedded certificate chain
issue with the current signing CA switch going on.
DEC4240 – OPNsense Owner

I had to run this from the console, or over SSH if enabled:
opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart

That got me into the GUI where I then forced an update of my LE certificates.

I then ran an update in the usual manner to bring lighttpd back up to date.

Hope this helps


I had this happen to me again upgrading from 20.7.7 with the older 20.7.6 lighttpd: repeated errors about the firewall's GUI certificate. After the first reboot I had zero connectivity to the firewall or through to the Internet, and there was no access to a terminal, even directly, so after connecting a keyboard I hit ctrl-alt-del and this time I at least had connectivity, but the web GUI was still broken.


Reverted lighttpd back to 20.7.6 and regained access. Looking back through this thread I read about the Let's Encrypt CAs and did a mass tidy up, deleted the old CAs leaving just the new R3. Regenerated the firewall's certificate, assigned it and restarted the GUI. All was well.


From the terminal I then re-ran updates to get the latest lighttpd back on; after restarting the GUI again my browser complained the certificate was not secure. The update had reset the configuration of the GUI back to the self-signed certificate but had also deleted the new LE certificate, so I could not add it back. I had to regenerate it once again, reassign the new certificate and restart the GUI service. Tested a restart and things still work, so I really hope I've now seen the back of this issue for future updates.


Things of note:

• HAProxy refuses to start, complaining that certain servers cannot be found. This is caused by the DNS service being slow (e.g. using unbound + dnscrypt-proxy), as some of my sites use the FQDN for the back-end server names. A manual start afterwards fixes the issue.
• There's a warning from lighttpd that "mod_compress" is soon to be deprecated and will cause future versions of lighttpd to fail to start. I'd post the log entry but cannot find anything under "/var/log" containing it; I only have a photo I took from the console screen.


Is this going to be fixed someday?
After every update I keep getting this error ERR_SSL_PROTOCOL_ERROR and have to restore with: opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart


I am at 20.7.8 now but the error still appeared.
DEC4240 – OPNsense Owner

Quote from: Julien on January 25, 2021, 10:40:37 PM
Is this going to be fixed someday?
After every update I keep getting this error ERR_SSL_PROTOCOL_ERROR and have to restore with: opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart


I am at 20.7.8 now but the error still appeared.


As I did, you need to double-check that all the certificates are valid. For me, the one being used by the OPNsense GUI was generated by Let's Encrypt but was still using the old CA/intermediate CA. When I deleted it and forced it to be renewed by LE, it then showed as signed by "R3", the new CA, and the error did not come back when updated back to the latest version. Although, as I also wrote, the upgrade did delete the first certificate I renewed and replaced it with a self-signed one, so I had to force-renew it again a second time and re-assign it.