Topic: Update to 20.7.7 Broke HTTPS WebUI (Read 2378 times)
zuleboy (Newbie, Posts: 2, Karma: 0)
Update to 20.7.7 Broke HTTPS WebUI
« on: January 05, 2021, 08:41:37 pm »
After the update completed and the fw rebooted, I have been unable to connect to the webui (I do not have http enabled).
lighttpd is logging the following:
Jan 5 14:36:01 fw lighttpd[47631]: (mod_openssl.c.1085) SSL: building cert chain for TLS server name mydomain.xyz: error:00000000:lib(0):func(0):reason(0)
Jan 5 14:36:01 fw lighttpd[47631]: (mod_openssl.c.3067) SSL: 1 error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error
Attempts to connect to port 443 fail.
root@fw:/var/log # openssl s_client -connect localhost:443
CONNECTED(00000003)
4394476834816:error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 80
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 295 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
root@fw:/var/log #
Thank you!
marjohn56 (Hero Member, Posts: 1701, Karma: 179)
Re: Update to 20.7.7 Broke HTTPS WebUI
« Reply #1 on: January 05, 2021, 09:47:22 pm »
Update again, you'll find there's a hotpatch.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps. Team Rebellion Member - If we've helped you remember to applaud
zuleboy (Newbie, Posts: 2, Karma: 0)
Re: Update to 20.7.7 Broke HTTPS WebUI
« Reply #2 on: January 05, 2021, 10:29:42 pm »
Thanks for the reply. My installation doesn't seem to have any updates available right now.
I was able to fix the issue.
The root of the issue seems to have been related to Let's Encrypt switching their CA. I was able to download the new cert, manually edit the /config/config.xml and change my webgui -> protocol to http, run the /usr/local/etc/rc.restart_webgui, get in that way, and then load the new CA Certificate (which matched the cert that was automatically renewed) and switch the https back on.
This is what tipped me off:
https://forum.opnsense.org/index.php?topic=20325.0
Cheers
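A check that confirms the kind of mismatch described in Reply #2, as an added example that is not part of the thread: it compares the issuer of the renewed server certificate with the subject of the CA certificate held on the firewall, then verifies the signature. The function names, file names and the constructed test PKI are assumptions for illustration; on a real system, pass in PEM files exported from the box.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. All names below are hypothetical.

# cert_field FILE subject|issuer -> prints that DN without the "field=" prefix
cert_field() {
    openssl x509 -noout -nameopt RFC2253 "-$2" -in "$1" | sed 's/^[a-z]*= *//'
}

# chain_status LEAF CA -> prints ok | issuer-mismatch | verify-failed
chain_status() {
    if [ "$(cert_field "$1" issuer)" != "$(cert_field "$2" subject)" ]; then
        echo issuer-mismatch   # leaf was issued by a CA other than the stored one
    elif openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo ok                # stored CA really signed the leaf
    else
        echo verify-failed     # CA name matches, but signature or validity fails
    fi
}

# make_constructed_pki DIR -> constructed sample data: an "old" CA, a "new" CA,
# and a server certificate signed by the new CA (the post-renewal situation).
make_constructed_pki() {
    for ca in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed $ca CA" \
            -keyout "$1/$ca-ca.key" -out "$1/$ca-ca.pem" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fw.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -days 1 -CA "$1/new-ca.pem" \
        -CAkey "$1/new-ca.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null
}

# Run as "sh script.sh demo" to see both states on the constructed data.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_constructed_pki "$tmp"
    echo "leaf vs old CA: $(chain_status "$tmp/leaf.pem" "$tmp/old-ca.pem")"
    echo "leaf vs new CA: $(chain_status "$tmp/leaf.pem" "$tmp/new-ca.pem")"
    rm -rf "$tmp"
fi
```

An `issuer-mismatch` result means the CA entry the server certificate references is stale, the state in which a chain cannot be built for the TLS server name.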