[SOLVED] webgui broken after upgrade to 21.1.4

Started by gu6884, March 30, 2021, 10:35:22 PM

March 30, 2021, 10:35:22 PM Last Edit: April 07, 2021, 10:03:51 PM by gu6884
Hi,

Since I've updated, no webgui anymore. Using self-signed certificate.
Chrome says "ERR_SSL_PROTOCOL_ERROR"
Tried with Safari as well, but no luck.

Note that with curl it works

curl -k https://10.100.1.1


When I try to display the webgui in a browser I get this in /var/log/lighttpd.log

Mar 30 22:23:35 router lighttpd[26522]: (mod_openssl.c.3042) SSL: 5 error:0201502D:system library:ioctl:Operation not supported
Mar 30 22:23:35 router lighttpd[26522]: (mod_openssl.c.3042) SSL: 5 error:0201502D:system library:ioctl:Operation not supported
Mar 30 22:23:35 router lighttpd[26522]: (mod_openssl.c.3042) SSL: 5 error:1427D044:SSL routines:construct_stateless_ticket:internal error
Mar 30 22:23:35 router lighttpd[26522]: (mod_openssl.c.3042) SSL: 5 error:0201502D:system library:ioctl:Operation not supported
Mar 30 22:23:35 router lighttpd[26522]: (mod_openssl.c.3059) SSL: -1 5 45 Operation not supported


Checked different threads already. Running this did not help
configctl webgui restart renew

Did the system check in the console too, but nothing reported

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: h

>>> Check installed kernel version
Version 21.1.4 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.1.4 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 67 dependencies to check.
Checking packages: ..................................................................... done



Any idea what else to do?
Thanks

I have the same issue, webui did hang after wireguard removal message in update log

March 31, 2021, 10:00:22 AM #2 Last Edit: March 31, 2021, 11:09:42 AM by cranky
Can you try to reconfigure the LAN and WAN via console? I think it asks you to regenerate a cert when you do, maybe that will help?
I personally didn't have any issues, but I'm not using WireGuard.

I had the same kind of issue after upgrade in version 21.1.3.
I guess this is due to HTTPS hardening.

I rolled back to my last snapshot and defined the HTTPS certificate generated by OPNsense as the default.
You can also try to temporarily activate the HTTP mode and regenerate your certificates.

Cheers


Same here. I'm using my self-signed local CA and local certificates.
After upgrade to 21.1.4 completely lost access to Web UI.

Chrome:
ERR_SSL_PROTOCOL_ERROR

Firefox:
Just does not load the page

The command configctl webgui restart renew just makes Chrome warn me about the new certificate and then the same error again.

curl -vk https://10.51.51.1:

*   Trying 10.51.51.1:443...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 10.51.51.1 (10.51.51.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [1881 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [520 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=opnrouter.intdomain.local; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*  start date: Mar 31 12:40:52 2021 GMT
*  expire date: May  2 12:40:52 2022 GMT
*  issuer: CN=opnrouter.intdomain.local; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x5571c874bea0)
} [5 bytes data]
> GET / HTTP/2
> Host: 10.51.51.1
> user-agent: curl/7.68.0
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS alert, internal error (592):
{ [2 bytes data]
* OpenSSL SSL_read: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error, errno 0
* Failed receiving HTTP2 data
* OpenSSL SSL_write: SSL_ERROR_ZERO_RETURN, errno 0
* Failed sending HTTP2 data
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host 10.51.51.1 left intact
curl: (56) OpenSSL SSL_read: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error, errno 0


SSH and console work, I can see the mentioned errors in /var/log/lighttpd.log
Mar 31 15:51:03 opnrouter lighttpd[19466]: (mod_openssl.c.3042) SSL: 5 error:0201502D:system library:ioctl:Operation not supported
Mar 31 15:51:03 opnrouter lighttpd[19466]: (mod_openssl.c.3042) SSL: 5 error:0201502D:system library:ioctl:Operation not supported
Mar 31 15:51:03 opnrouter lighttpd[19466]: (mod_openssl.c.3042) SSL: 5 error:1427D044:SSL routines:construct_stateless_ticket:internal error
Mar 31 15:51:03 opnrouter lighttpd[19466]: (mod_openssl.c.3042) SSL: 5 error:0201502D:system library:ioctl:Operation not supported
Mar 31 15:51:03 opnrouter lighttpd[19466]: (mod_openssl.c.3059) SSL: -1 5 45 Operation not supported


Additional (related?) repeated errors in console and in /var/log/system.log:
Mar 31 16:02:36 opnrouter kernel: Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
Mar 31 16:02:36 opnrouter kernel: Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
Mar 31 16:02:36 opnrouter kernel: Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via /dev/crypto
Mar 31 16:02:36 opnrouter kernel: Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via /dev/crypto
Mar 31 16:02:36 opnrouter kernel: Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto


I've tried the following command as a workaround:
opnsense-revert -r 21.1.3 openssl
and it brings back Web UI.

Errors in /var/log/system.log and /var/log/lighttpd.log went away.

But it's clearly a workaround only.

Same problem in here.
WebGui broken

Cheers Robert

if you don't need to use /dev/crypto you can try to delete
<cryptodev_enable> string in config.xml and restart opn
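
The posts above describe one combination: the lighttpd TLS ticket and ioctl errors, /dev/crypto messages in the system log, and a <cryptodev_enable> entry in config.xml. The following is an added example, not part of the original posts and not OPNsense tooling, that checks three files for that combination; the function names, verdict words and the config.xml fragment are constructed for illustration, and the file paths are supplied by the caller.

```shell
#!/bin/sh
# Added example (not OPNsense tooling): match the log pattern posted in this thread.

# Count lines in file $1 containing fixed string $2; prints 0 if unreadable.
count_matches() {
    [ -r "$1" ] || { echo 0; return; }
    grep -cF -- "$2" "$1" || true
}

# Args: lighttpd log, system log, config.xml (paths are the caller's choice).
triage_webgui() {
    ticket=$(count_matches "$1" 'construct_stateless_ticket:internal error')
    ioctl=$(count_matches "$1" 'system library:ioctl:Operation not supported')
    devcrypto=$(count_matches "$2" 'cipher via /dev/crypto')
    cryptodev=$(count_matches "$3" '<cryptodev_enable>')
    if [ "$ticket" -gt 0 ] && [ "$ioctl" -gt 0 ]; then
        if [ "$devcrypto" -gt 0 ] || [ "$cryptodev" -gt 0 ]; then
            echo "cryptodev-signature"  # TLS ticket error plus /dev/crypto evidence
        else
            echo "ticket-error-only"    # same TLS error, no /dev/crypto evidence
        fi
    elif [ "$ticket" -gt 0 ] || [ "$ioctl" -gt 0 ]; then
        echo "partial"                  # only one of the two lighttpd errors seen
    else
        echo "no-match"
    fi
}

# Write sample inputs into directory $1: log lines copied from the posts above,
# config.xml fragment constructed for this example.
write_samples() {
    cat > "$1/lighttpd.log" <<'EOF'
Mar 31 15:51:03 opnrouter lighttpd[19466]: (mod_openssl.c.3042) SSL: 5 error:0201502D:system library:ioctl:Operation not supported
Mar 31 15:51:03 opnrouter lighttpd[19466]: (mod_openssl.c.3042) SSL: 5 error:1427D044:SSL routines:construct_stateless_ticket:internal error
EOF
    cat > "$1/system.log" <<'EOF'
Mar 31 16:02:36 opnrouter kernel: Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
EOF
    cat > "$1/config.xml" <<'EOF'
<config><cryptodev_enable>1</cryptodev_enable></config>
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
triage_webgui "$demo_dir/lighttpd.log" "$demo_dir/system.log" "$demo_dir/config.xml"
rm -rf "$demo_dir"
```

A "cryptodev-signature" verdict only says the box shows the same pattern as the posts here; it does not confirm the cause.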

Quote from: Fright on March 31, 2021, 05:06:13 PM
if you don't need to use /dev/crypto you can try to delete
<cryptodev_enable> string in config.xml and restart opn

I (temporarily) solved the problem by
opnsense-revert -r 21.1.3 openssl

Hello,

Here we are this morning, update 21.1.4 brought me into the circle of certificate issues.

NO IT DIDN'T AS SIMPLE AS AFFIRMED BY FRANCO.
We would not be several to be in the galley.

Until now I knew that there had been an update because I no longer had Internet access. Restarting my device fixed the problem and I noticed that there had been an update.

After reading the threads and trying to resolve in SSH mode, which I gleaned, I am unsuccessful.

# curl -k https://192.168.66.66:48443
empty reply from server
curl: (56) OpenSSL SSL_read: error: 14094438: SSL routines: ssl3_read_bytes: tlsv1 alert internal error, errno 0
# configctl webgui restart renew
okay

Browser //192.168.66.66:48443
ERR_SSL_PROTOCOL_ERROR

I put a back-up machine back into service

Assigning LAN and WAN via the console does not change anything.

Magnificent simplicity.

Regards,
French mother tongue
Since 2017
X7SPA-HF, Intel(R) ATOM(TM) D525, 4 GB RAM, 120 GB, 2 LAN 24.1.2_1
APU4c, 4 GB RAM, 120 GB, 4 LAN 24.1.10_8
APU3a, 2 GB RAM, 60 GB, 3 LAN 24.1.2_1
APU2c, 2 GB RAM, 60 GB, 3 LAN 23.7.1_3
BIOS up to date (v4.19.0.1).

> NO IT DIDN'T AS SIMPLE AS AFFIRMED BY FRANCO.

So maybe it's a different issue? Let's settle down a bit. The workaround is out there:

# opnsense-revert -r 21.1.3 openssl


Cheers,
Franco

Still think it can be related:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254643

Maybe due to the KTLS for FreeBSD being merged from master? 1.1.1 does not contain KTLS

I had similar issues already with 21.1.3 and they are still present in 21.1.4.

The behavior is always the same. After I reboot the OPNsense the Web UI initially works but will eventually stop including unbound.

Luckily SSH is still working and the interfaces are reachable via IP. After I restart all services through the console everything is working as expected once again.

@sToRmInG
not the same issue if gui restart helps