Author Topic: [SOLVED] Can't access opnsense web GUI after broken(?) update (…)  (Read 6009 times)

NUeB

[SOLVED] Can't access opnsense web GUI after broken(?) update (…)
« on: January 11, 2021, 05:30:04 pm »
Hello,

While updating to OPNsense 20.7.7_1 through the web interface, the update (or maybe just the browser, FF that is) got stuck in "updating…". After 15 minutes or so I tried reloading the page and got an error:
Quote
Secure Connection Failed

An error occurred during a connection to 10.6.69.1. Peer reports it experienced an internal error.

Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

That error now persists. I can no longer access the firewall (an APU4D4) through the web interface.

I can connect via serial or ssh, everything looks good to me (having no clue where to look for the problem…). An update from console has nothing to do. Even after rebooting the firewall the problem persists.

Besides that everything seems to work as usual. What shall I do to get the web GUI back?
« Last Edit: January 17, 2021, 04:52:45 pm by NUeB »

NUeB

Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
« Reply #1 on: January 11, 2021, 07:26:13 pm »
/var/log/lighthttpd.log looks like this:

    Jan 11 19:20:59 sentinel lighttpd[82635]: (server.c.1508) server started (lighttpd/1.4.58)
    Jan 11 19:20:59 sentinel lighttpd[82635]: (mod_deflate.c.546) DEPRECATED: compress.filetype replaced with deflate.mimetypes
    Jan 11 19:20:59 sentinel lighttpd[82635]: (mod_deflate.c.559) DEPRECATED: compress.cache-dir replaced with deflate.cache-dir
    Jan 11 19:21:10 sentinel lighttpd[82635]: (mod_openssl.c.1085) SSL: building cert chain for TLS server name (null): error:00000000:lib(0):func(0):reason(0)
    Jan 11 19:21:10 sentinel lighttpd[82635]: (mod_openssl.c.3067) SSL: 1 error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error
    Jan 11 19:21:12 sentinel lighttpd[82635]: (mod_openssl.c.1085) SSL: building cert chain for TLS server name (null): error:00000000:lib(0):func(0):reason(0)
    Jan 11 19:21:12 sentinel lighttpd[82635]: (mod_openssl.c.3067) SSL: 1 error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error

robgnu

Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
« Reply #2 on: January 11, 2021, 09:12:00 pm »
Hi,

if you use Let's encrypt for WebGUI try the following command:

> php /usr/local/opnsense/scripts/OPNsense/AcmeClient/lecert.php --mode issue --all --force

Restart lighttpd after command run. (Or reboot machine).

Robert

NUeB

Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
« Reply #3 on: January 11, 2021, 10:05:12 pm »
Quote from: robgnu on January 11, 2021, 09:12:00 pm
if you use Let's encrypt (…)

Thanks, but I use self signed certificates only.

NUeB

Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
« Reply #4 on: January 12, 2021, 09:20:35 pm »
Just found this thread: https://forum.opnsense.org/index.php?topic=20514.0

… with the helpful console command:

    opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart

Works for me.

NUeB

Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
« Reply #5 on: January 12, 2021, 10:03:16 pm »
I found out that an expired self signed certificate seemed to be causing the previous problems. So I created a new one and made a dumb mistake — looks like I chose the wrong type, because FF now says:

Quote
Secure Connection Failed

An error occurred during a connection to 10.6.69.1. Certificate key usage inadequate for attempted operation.

Error code: SEC_ERROR_INADEQUATE_KEY_USAGE

I can still access the firewall via ssh.

Where is the opnsense configuration located in the filesystem? Where can I find the names of my self signed certificates, so that I can fix this manually?

gpb

Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
« Reply #6 on: January 13, 2021, 12:24:26 am »
If you're using a 3rd party A/V, you may need to disable it temporarily, that's what I had to do.

franco

Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
« Reply #7 on: January 13, 2021, 08:34:33 am »
Edit /conf/config.xml to remove the relevant "ssl-certref", e.g.

# grep -nr ssl-certref /conf/config.xml
264:      <ssl-certref>XXXXXXXXXXXX</ssl-certref>

(make sure this is the one under "webgui")

# vi /conf/config.xml
:264d

Then restart GUI to force a reissue:

# configctl webgui restart

With 21.1 going forward the following already works to simplify the process....

# configctl webgui restart renew


Cheers,
Franco
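
An added example (not part of the original post, and not OPNsense's own tooling): `grep` lists every `ssl-certref` line, so this Python code uses the XML path to single out the one under `webgui`, maps each reference to a certificate description, and removes only the web GUI reference. The `<cert>` entries with `<refid>`/`<descr>`, the sample refids and the `<hypothetical_plugin>` section are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a config.xml: the refids, descriptions and the
# <hypothetical_plugin> section are made up; the <cert> layout is an assumption.
SAMPLE_CONFIG = """<opnsense>
  <system><webgui><ssl-certref>aaaa1111bbbb2</ssl-certref></webgui></system>
  <hypothetical_plugin><ssl-certref>cccc3333dddd4</ssl-certref></hypothetical_plugin>
  <cert><refid>aaaa1111bbbb2</refid><descr>Web GUI cert (constructed)</descr></cert>
  <cert><refid>cccc3333dddd4</refid><descr>Plugin cert (constructed)</descr></cert>
</opnsense>"""


def find_certrefs(root):
    """Return (path, refid, description) for every <ssl-certref> element."""
    descr = {c.findtext("refid"): c.findtext("descr") for c in root.iter("cert")}
    found = []

    def walk(elem, path):
        for child in elem:
            child_path = f"{path}/{child.tag}"
            if child.tag == "ssl-certref":
                ref = (child.text or "").strip()
                found.append((child_path, ref, descr.get(ref)))
            walk(child, child_path)

    walk(root, root.tag)
    return found


def drop_webgui_certref(root):
    """Remove only the <ssl-certref> directly under <webgui>; return its refid(s)."""
    removed = []
    for webgui in list(root.iter("webgui")):
        for ref in webgui.findall("ssl-certref"):
            removed.append((ref.text or "").strip())
            webgui.remove(ref)
    return removed


if __name__ == "__main__":
    root = ET.fromstring(SAMPLE_CONFIG)
    for path, ref, name in find_certrefs(root):
        print(f"{path}: {ref} -> {name}")
    print("removed from webgui:", drop_webgui_certref(root))
    print("remaining:", [r[0] for r in find_certrefs(root)])
```

To run it against a real configuration, parse a copy of /conf/config.xml with `ET.parse()` instead of the sample string.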

NUeB

Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
« Reply #8 on: January 13, 2021, 10:21:58 pm »
Quote from: franco on January 13, 2021, 08:34:33 am
> Edit /conf/config.xml to remove the relevant "ssl-certref", e.g.
>
> # grep -nr ssl-certref /conf/config.xml
> 264:      <ssl-certref>XXXXXXXXXXXX</ssl-certref>

Thanks a lot!  :)

NUeB

Re: Can't access opnsense web GUI after broken(?) update -- Secure Connection Failed
« Reply #9 on: January 17, 2021, 04:51:08 pm »
After installing a new self signed certificate, I can also upgrade lighttpd to version 1.4.58 again.

Problem solved. Thanks for the support.

(Also: reminder set to renew the certificate before expiry…)

franco

Re: [SOLVED] Can't access opnsense web GUI after broken(?) update (…)
« Reply #10 on: January 17, 2021, 08:00:52 pm »
Thanks for confirming. We will do necessary steps to make this easier in 21.1.x. The lighttpd behavioural change and release timing is unfortunate and hard to trace in these cases.


Cheers,
Franco

gstrauss

Re: [SOLVED] Can't access opnsense web GUI after broken(?) update (…)
« Reply #11 on: February 20, 2021, 05:37:53 am »
@Franco, lighttpd 1.4.56 migrates from old openssl interfaces (<= openssl 1.0.1) to newer openssl certificate callback interfaces, and lighttpd 1.4.56 tries to build the certificate chain when one is not provided.  The best solution is to provide the certificate chain:
    ssl.privkey= "/etc/lighttpd/certs/www.example.com/privkey.pem"
    ssl.pemfile= "/etc/lighttpd/certs/www.example.com/fullchain.pem"

I am a lighttpd developer and am looking into the "building cert chain" issue, which was only recently reported in https://redmine.lighttpd.net/boards/2/topics/9620

If you are aware of other issues with lighttpd, please post to https://redmine.lighttpd.net/boards/2/ so that lighttpd developers are aware of the issue, and you can link to forum.opnsense.org.

franco

Re: [SOLVED] Can't access opnsense web GUI after broken(?) update (…)
« Reply #12 on: February 20, 2021, 08:24:44 pm »
Glenn,

Thanks for popping up here, really appreciate the help. :)

So no more ssl.ca-file, right?


Cheers,
Franco

gstrauss

Re: [SOLVED] Can't access opnsense web GUI after broken(?) update (…)
« Reply #13 on: February 20, 2021, 11:13:29 pm »
> So no more ssl.ca-file, right?

Correct: if the full certificate chain is provided in ssl.pemfile, then ssl.ca-file is no longer needed for that purpose (building the certificate chain).

ssl.ca-file is still used for client certificate verification -- if that is enabled with ssl.verifyclient.* -- and might contain the certificates for the CA which issues the client certificates.