Aliases no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1

Started by gdur, March 12, 2021, 03:02:20 PM

I've upgraded my system this morning to version 21.1 and just discovered that aliases are no longer editable.
As a workaround I've made the needed changes in config.xml and pushed the apply button in the web interface. Still need to find out if that works, as the change involves allowing access concerning a specific external IP address.

In addition:
Adding a new alias doesn't work either...


Just like I said. Clicking the edit pencil in the GUI nothing happens. Same for clicking the + sign to add a new one.

I'm using Firefox 52.6.0 as this is the only browser to provide access. All other "newer" browsers complain as follows:
Quote
Secure Connection Failed
An error occurred during a connection to opnsense.koxkampseweg10.com. A required TLS feature is missing.
Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
Not sure if this is related. I'm using a Letsencrypt cert and Firefox is just accepting it as expected but other browsers don't.


Quote
I'm using a Letsencrypt cert
Quote
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING
"OCSP Must Staple" enabled on LE cert?

@ Franco: Don't understand what you mean. I can't find anything related to this issue at https://github.com/opnsense/changelog/blob/882c3cdfc94c29d9d320f7f318366bc6d2a27665/community/21.1/21.1.1#L34

@ Fright: Where can I find this option? Not available in the LE settings page...

But thanks for your support.

Quote
I can't find anything related to this issue at
need to see dev console errors from your browser.
but there were compatibility issues with the replaceAll() method.
https://forum.opnsense.org/index.php?topic=21199.0
and it was fixed in 21.1.1.
and this fix is mentioned exactly where @franco indicated
Quote
Where can I find this option? Not available in the LE settings page
Services: Let's Encrypt: Certificates
edit Cert -> "Security Settings"

Quote
edit Cert -> "Security Settings"
Thanks for that but "OCSP Must Staple" was already enabled so that cannot be the issue...

this is the issue
I could be wrong (I hope @franco will correct me) but I have not found evidence that the GUI currently supports stapling. therefore to use modern browsers, you need to either disable the stapling requirements in the browser (if they allow it. FF seems to still allow it) or change\make\assign the certificate without OCSP Staple
https://www.thesslstore.com/blog/ocsp-ocsp-stapling-ocsp-must-staple/
https://support.mozilla.org/en-US/questions/1149911
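
Added example, not part of the original posts or of OPNsense: a standard-library Python check for whether a certificate carries the TLS Feature extension (OID 1.3.6.1.5.5.7.1.24, RFC 7633) with status_request (5), which is what "OCSP Must Staple" puts in the certificate and what makes a browser reject a server that does not staple. The function names and the sample bytes are assumptions constructed for illustration.

```python
import ssl

TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")  # 1.3.6.1.5.5.7.1.24 (RFC 7633)
STATUS_REQUEST = 5  # TLS extension number of status_request, i.e. OCSP stapling

def read_tlvs(buf):
    """Split a DER buffer into (tag, content) pairs, one per top-level element."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, length, i = buf[i], buf[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        if i + length > len(buf):
            raise ValueError("truncated DER content")
        out.append((tag, buf[i:i + length]))
        i += length
    return out

def tls_features(der):
    """Return the TLS Feature numbers found in DER data, or [] if the extension is absent."""
    for tag, body in read_tlvs(der):
        if not tag & 0x20:  # primitive element, nothing nested to search
            continue
        kids = read_tlvs(body)
        if tag == 0x30 and kids and kids[0] == (0x06, TLS_FEATURE_OID):
            (_, seq), = read_tlvs(kids[-1][1])  # extnValue wraps SEQUENCE OF INTEGER
            return [int.from_bytes(v, "big") for _, v in read_tlvs(seq)]
        found = tls_features(body)
        if found:
            return found
    return []

def must_staple(cert):
    """Accept a PEM string or DER bytes; True if the cert demands a stapled OCSP response."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return STATUS_REQUEST in tls_features(der)

def tlv(tag, body):
    """Build one DER element (short-form length only); used for the constructed samples."""
    return bytes([tag, len(body)]) + body

# Constructed samples: only the [3] Extensions part of a certificate, not a real cert.
BASIC_CONSTRAINTS = tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x04, tlv(0x30, b"")))
TLS_FEATURE = tlv(0x30, tlv(0x06, TLS_FEATURE_OID) + tlv(0x04, tlv(0x30, tlv(0x02, b"\x05"))))
WITH_STAPLE = tlv(0xA3, tlv(0x30, BASIC_CONSTRAINTS + TLS_FEATURE))
WITHOUT_STAPLE = tlv(0xA3, tlv(0x30, BASIC_CONSTRAINTS))
```

Passing the PEM text of the certificate currently served by the GUI to `must_staple()` shows whether a renewal actually dropped the requirement.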

Hello Fright,
I've decided to first upgrade to the latest version, so now I'm on 21.1.3. That at least solved the UI problems encountered earlier.
With respect to LE I can confirm that ocsp_must_staple is responsible because I can get access or not by toggling security.ssl.enable_ocsp_must_staple from true to false in the browser settings. However, "OCSP Must Staple" is enabled in the LE cert settings but even forcing a cert renewal doesn't solve the issue. Any idea what to look for?
Thank you!

sorry, I didn't quite understand
you need to uncheck the "OCSP Must Staple" box manually and then force the renewal.
is this what you did? was the renewal successful?

Hi Fright,

Aha, I first misunderstood but have now unchecked the "OCSP Must Staple" box, but that results in another error in recent browsers (Edge, Firefox). It says "A potential DNS Rebind attack has been detected". So what now?

need to know the DNS settings and the details of accessing the opnsense, but the easiest way is to open the GUI via IP and disable this protection: System: Settings: Administration -> Disable DNS rebinding checks

Thanks for your efforts but "Disable DNS rebinding checks" was already unchecked...