Aliasses no longer editable in web GUI after upgrade from 20.7.8_4 to 21.1

[gdur]

I've upgraded my system this morning to version 21.1 and just discovered that aliases are no longer editable.
As a work around I've made the needed changes in config.xml and pushed the apply button in the web interface. Still need to find out if that works as the change involves to allow access concerning a specific external IP address.

In addition:
Adding a new alias doesn't work either...

[Fright]

21.1?
no longer editable how?

[gdur]

Just like I said. Clicking the edit pencil in the GUI nothing happens. Same for clicking the + sign to add a new one.

[gdur]

Just like I said. Clicking the edit pencil in the GUI nothing happens. Same for clicking the + sign to add a new one.

I'm using Firefox 52.6.0 as this is the only browser to provide access. All other "newer" browsers complain as follows:

Secure Connection Failed
An error occurred during a connection to opnsense.koxkampseweg10.com. A required TLS feature is missing.
Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

Not sure if this is related. I'm using a Letsencrypt cert and Firefox is just accepting it as expected but other browsers don't.

[franco]

I'm pretty sure this was fixed over a month ago in 21.1.1:

https://github.com/opnsense/changelog/blob/882c3cdfc94c29d9d320f7f318366bc6d2a27665/community/21.1/21.1.1#L34


Cheers,
Franco

[Fright]

I'm using a Letsencrypt cert

MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

"OCSP Must Staple" enabled on LE cert?

[gdur]

@ Franco: Don't understand what you mean. I can't find anything related to this issue at "https://github.com/opnsense/changelog/blob/882c3cdfc94c29d9d320f7f318366bc6d2a27665/community/21.1/21.1.1#L34
"

@ Fright: Where can I find this option? Not available in the LE settings page...

But thanks for your support.

[Fright]

I can't find anything related to this issue at

need to see dev console errors from your browser.
but there was a compatibility issues with replaceAll() method.
https://forum.opnsense.org/index.php?topic=21199.0
and it was fixed on 21.1.1.
and this fix is mentioned exactly where @franco indicated

Where can I find this option? Not available in the LE settings page

Services: Let's Encrypt: Certificates
edit Cert -> "Security Settings"

[gdur]

edit Cert -> "Security Settings"

edit Cert ->
Thanks for that but "OCSP Must Staple" was already enabled so that cannot be the issue...

[Fright]

this is the issue
I could be wrong (I hope @franco will correct me) but I have not found evidence that the GUI currently supports stapling. therefore to use modern browsers, you need to either disable the stapling requirements in the browser (if they allow it. FF seems still allows it) or change\make\assign the certificate without OCSP Staple
https://www.thesslstore.com/blog/ocsp-ocsp-stapling-ocsp-must-staple/
https://support.mozilla.org/en-US/questions/1149911

[gdur]

Hello Fright,
I've decided to first upgrade to the latest version, so now I'm on 21.1.3. That at least solved the UI problems encountered earlier.
With respect to LE I can confirm that ocsp_must_staple is responsible because I can get access or not  by toggling security.ssl.enable_ocsp_must_staple from true to false in the browser settings. However, "OCSP Must Staple" is enabled in the LE cert settings but even forcing a cert renewal doesn't solve the issue. Any idea what to look for?
Thank you!

[Fright]

sorry, I didn't quite understand
you need to uncheck the "OCSP Must Staple" box manually and then force the renewal.
is this what you did? was the renewal successful?

[gdur]

Hi Fright,

Aha, I first did misunderstood but have now unchecked the "OCSP Must Staple" box but that results in another error in recent browsers (Edge, Firefox). It says "A potential DNS Rebind attack has been detected". SO what now?

[Fright]

need to know the DNS settings and the details of accessing the opnsense, but the easiest way is to open the GUI via IP and disable this protection: System: Settings: Administration - > Disable DNS rebinding checks

[gdur]

Thanks for your efforts but "Disable DNS rebinding checks" was already unchecked...