ERR_SSL_PROTOCOL_ERROR GUI

Started by Julien, January 30, 2021, 01:34:35 AM

Hi guys,
After updating one box I lost access to the GUI as well as to SSH.
The error keeps showing ERR_SSL_PROTOCOL_ERROR.
Usually it was fixed with this command to revert back:
    opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart
But it appears it failed to revert to 20.7.6 on 21.1.

Hope someone has an idea how to restore the GUI.

Thank you
DEC4240 – OPNsense Owner

Self-signed cert?
Try:
    configctl webgui restart renew

January 30, 2021, 12:49:06 PM #2 Last Edit: January 30, 2021, 12:51:21 PM by vinz
I had the same problem. Renewal of the self-signed cert, as pointed out by @Fright, fixed it. Thank you.

In Firefox this error is shown as: SSL_ERROR_INTERNAL_ERROR_ALERT

Background:

In OPNsense 20.7.8 the lighttpd upgrade from 1.4.55_1 to 1.4.58 broke the web-gui.
The command opnsense-revert executed via serial console restored it:
    opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart
Thread: https://forum.opnsense.org/index.php?topic=20514.15

The upgrade to OPNsense 21.1 again broke the web-gui and the above command did not help.

The renewal of the self-signed cert, as pointed out by @Fright, fixed it permanently:
    configctl webgui restart renew

It's not like we haven't been listening. There is something wrong with the certificate and nobody can help troubleshooting this remotely. In 21.1 you can actually recover by manually creating a new valid self-signed certificate as pointed out here by avid readers.

https://github.com/opnsense/changelog/blob/61a2138a8ca2a12acabe80a6903e4aa6facc4368/doc/21.1/21.1#L46

Just fix your certs please. It isn't rocket science.


Cheers,
Franco

February 01, 2021, 10:56:09 AM #4 Last Edit: February 01, 2021, 11:06:13 AM by Julien
Hi Franco,

This appears to happen when you are using Let's Encrypt.
I cannot seem to find the cause.

Anyway guys, the solution is as follows.

If you are locked out and cannot access the web GUI, log in with SSH and go to the shell.
Run the command below:

    configctl webgui restart renew

If everything is okay you'll be able to access the GUI.

If you have updated yet and are using Let's Encrypt:

Go to your Let's Encrypt and force your existing SSL to renew; it should be R3 SSL, check the screenshot.
I noticed certificates that were assigned during December are the cause.
I have 5 boxes that were broken; the 5 boxes have the SSL of last December. After following the guide mentioned above, I got it sorted out.


DEC4240 – OPNsense Owner

This can also happen if, at the time of OPN loading, the clock on OPN is significantly out of sync (happens on Hyper-V with clock sync disabled) and the browser session starts immediately after loading (or was established before loading). Then, after synchronizing the clock and a change in time on the OPN, the browser will fall into this error. Restarting the GUI helps in this case.

I was able to upgrade from 20.7.8_4 to 21.1 without any issues this time, so for me clearing house on all the CA and generated certificates for the old Let's Encrypt CAs sorted it out.

Quote from: franco on January 30, 2021, 01:29:18 PM
It's not like we haven't been listening. There is something wrong with the certificate and nobody can help troubleshooting this remotely. In 21.1 you can actually recover by manually creating a new valid self-signed certificate as pointed out here by avid readers.

https://github.com/opnsense/changelog/blob/61a2138a8ca2a12acabe80a6903e4aa6facc4368/doc/21.1/21.1#L46

Just fix your certs please. It isn't rocket science.

Hi Franco,

I seem to be experiencing the same issue after an upgrade to 21.1, and the "configctl webgui restart renew" from CLI doesn't help, the web GUI is still inaccessible.

When I attempt to downgrade with "opnsense-revert -r 20.7.6 lighttpd && configctl webgui restart" it fails with "Fetching lighttpd.txz: .. failed".

Any ideas as to why the self-signed cert renewal fails?

I got the same error in the browser, but it was neither related to the certs nor to the upgrade: a simple reboot caused the problem. After I set the time sync on the hypervisor to "on" (I'm using Hyper-V) the problem seems to be gone...
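
Added example, not part of any post in this thread and not OPNsense code: replies above point either at the certificate itself or at a box clock that is out of sync. The shell functions below classify a PEM certificate's validity window at a given clock reading, using the OpenSSL command-line tool; the function names and the sample certificate are constructed for illustration, and the path of the certificate to check is left to the caller.

```shell
#!/bin/sh
# Added example: classify a certificate's validity window at a given clock value.
# Assumes the OpenSSL CLI is installed; function names are hypothetical.

# cert_time_status CERT.pem [EPOCH]
# Prints one of: valid | not-yet-valid | expired | unreadable
cert_time_status() {
    cert=$1
    at=${2:-$(date +%s)}    # default: the clock of the machine running this
    # -partial_chain with the certificate as its own -CAfile makes it the
    # trust anchor, so only the notBefore/notAfter check can fail here.
    # Chain and hostname problems are deliberately out of scope.
    out=$(openssl verify -partial_chain -attime "$at" \
            -CAfile "$cert" "$cert" 2>&1) || true
    case $out in
        *"not yet valid"*) echo not-yet-valid ;;
        # Checked before OK: the CLI reports expiry and may still print OK.
        *"has expired"*)   echo expired ;;
        *": OK"*)          echo valid ;;
        *)                 echo unreadable ;;
    esac
}

# make_sample_cert DIR
# Constructed self-signed certificate, valid for 2 days from now.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=constructed.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Demo: the same certificate judged against three clock readings.
demo() {
    dir=$(mktemp -d)
    make_sample_cert "$dir"
    now=$(date +%s)
    day=86400
    echo "clock correct:      $(cert_time_status "$dir/cert.pem" $((now + 3600)))"
    echo "clock 10 days slow: $(cert_time_status "$dir/cert.pem" $((now - 10 * day)))"
    echo "clock 10 days fast: $(cert_time_status "$dir/cert.pem" $((now + 10 * day)))"
    rm -rf "$dir"
}
demo
```

Run against a real certificate file with no second argument, the function uses the current system clock, so a result other than valid points at either the certificate dates or the clock.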