[SOLVED] webgui broken after upgrade to 21.1.4

[gu6884]

Hi,

since I've updated, no webgui anymore. Using self-signed certificate
Chrome says "ERR_SSL_PROTOCOL_ERROR"
Tried with Safari as well, but no luck.

Note that with curl it works

Code: [Select]

curl -k https://10.100.1.1

when I try to display the webgui in a browser I get this in /var/log/lighttpd.log

Code: [Select]

Mar 30 22:23:35 router lighttpd[26522]: (mod_openssl.c.3042) SSL: 5 error:0201502D:system library:ioctl:Operation not supported
Mar 30 22:23:35 router lighttpd[26522]: (mod_openssl.c.3042) SSL: 5 error:0201502D:system library:ioctl:Operation not supported
Mar 30 22:23:35 router lighttpd[26522]: (mod_openssl.c.3042) SSL: 5 error:1427D044:SSL routines:construct_stateless_ticket:internal error
Mar 30 22:23:35 router lighttpd[26522]: (mod_openssl.c.3042) SSL: 5 error:0201502D:system library:ioctl:Operation not supported
Mar 30 22:23:35 router lighttpd[26522]: (mod_openssl.c.3059) SSL: -1 5 45 Operation not supported

Checked different threads already. Running this did not help

Code: [Select]

configctl webgui restart renew
Did the system check in the console too, but nothing reported

Code: [Select]

Enter an option: 12

Fetching change log information, please wait... done

This will automatically fetch all available updates and apply them.

Proceed with this action? [y/N]: h

>>> Check installed kernel version
Version 21.1.4 is correct.
>>> Check for missing or altered kernel files
No problems detected.
>>> Check installed base version
Version 21.1.4 is correct.
>>> Check for missing or altered base files
No problems detected.
>>> Check for missing package dependencies
Checking all packages: .......... done
>>> Check for missing or altered package files
Checking all packages: .......... done
>>> Check for core packages consistency
Core package "opnsense" has 67 dependencies to check.
Checking packages: ..................................................................... done


Any idea what else to do?
Thanks

[kursu]

I have the same issue,  webui did hang after wireguard removal message in update log

[cranky]

Can you try to reconfigure the lan and wan via console? I think it asks you to regenerate a cert when you do,maybe that will help?
I personally didn't have any issues, but I'm not using wire guard.

[Weff]

I had the same kind of issue after upgrade in version 21.1.3
I guess this is due to https hardening.

I rolled back to my last snaptop and define by default the https certificate generated by Opnsense.
You can also try to activate temporary the http mode, regenerate your certificates.

Cheers

[kursu]

Factory reset fixed the issue for me.

[karlson2k]

Same here. I'm using my self-signed local CA and local certificates.
After upgrade to 21.1.4 completely lost access to Web UI.

Chrome:

Code: [Select]

ERR_SSL_PROTOCOL_ERROR
Firefox:
Just does not load the page

The command

Code: [Select]

configctl webgui restart renew just makes Chrome to warn me about new certificate and then again the same error.

curl -vk https://10.51.51.1:

Code: [Select]

*   Trying 10.51.51.1:443...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connected to 10.51.51.1 (10.51.51.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [1881 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [520 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=opnrouter.intdomain.local; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*  start date: Mar 31 12:40:52 2021 GMT
*  expire date: May  2 12:40:52 2022 GMT
*  issuer: CN=opnrouter.intdomain.local; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x5571c874bea0)
} [5 bytes data]
> GET / HTTP/2
> Host: 10.51.51.1
> user-agent: curl/7.68.0
> accept: */*
>
{ [5 bytes data]
* TLSv1.3 (IN), TLS alert, internal error (592):
{ [2 bytes data]
* OpenSSL SSL_read: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error, errno 0
* Failed receiving HTTP2 data
* OpenSSL SSL_write: SSL_ERROR_ZERO_RETURN, errno 0
* Failed sending HTTP2 data
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host 10.51.51.1 left intact
curl: (56) OpenSSL SSL_read: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error, errno 0
ssh and console works, I can see mentioned errors in /var/log/lighttpd.log

Code: [Select]

Mar 31 15:51:03 opnrouter lighttpd[19466]: (mod_openssl.c.3042) SSL: 5 error:0201502D:system library:ioctl:Operation not supported
Mar 31 15:51:03 opnrouter lighttpd[19466]: (mod_openssl.c.3042) SSL: 5 error:0201502D:system library:ioctl:Operation not supported
Mar 31 15:51:03 opnrouter lighttpd[19466]: (mod_openssl.c.3042) SSL: 5 error:1427D044:SSL routines:construct_stateless_ticket:internal error
Mar 31 15:51:03 opnrouter lighttpd[19466]: (mod_openssl.c.3042) SSL: 5 error:0201502D:system library:ioctl:Operation not supported
Mar 31 15:51:03 opnrouter lighttpd[19466]: (mod_openssl.c.3059) SSL: -1 5 45 Operation not supported
Additional (related?) repeated errors in console and in /var/log/system.log:

Code: [Select]

Mar 31 16:02:36 opnrouter kernel: Deprecated code (to be removed in FreeBSD 13): DES cipher via /dev/crypto
Mar 31 16:02:36 opnrouter kernel: Deprecated code (to be removed in FreeBSD 13): 3DES cipher via /dev/crypto
Mar 31 16:02:36 opnrouter kernel: Deprecated code (to be removed in FreeBSD 13): Blowfish cipher via /dev/crypto
Mar 31 16:02:36 opnrouter kernel: Deprecated code (to be removed in FreeBSD 13): CAST128 cipher via /dev/crypto
Mar 31 16:02:36 opnrouter kernel: Deprecated code (to be removed in FreeBSD 13): ARC4 cipher via /dev/crypto

[karlson2k]

I've tried the next command as workaround:

Code: [Select]

opnsense-revert -r 21.1.3 openssland it brings back Web UI.

Errors in /var/log/system.log and /var/log/lighttpd.log went away.

But it's clearly a workaround only.

[no_Legend]

Same problem in here.
WebGui broken

Cheers Robert

[Fright]

if you don't need to use /dev/crypto you can try to delete
<cryptodev_enable> string in config.xml and restart opn

[karlson2k]

if you don't need to use /dev/crypto you can try to delete
<cryptodev_enable> string in config.xml and restart opn

I (temporary) solved the problem by

Code: [Select]

opnsense-revert -r 21.1.3 openssl

[Darkopnsense]

Hello,

Here we are this morning, update 21.1.4 brought me into the circle of certificate issues.

NO IT DIDN'T AS SIMPLE AS AFIRMED BY FRANCO.
We would not be several to be in the galley.

Until now I knew that there had been an update because I no longer had Internet access. Restarting my device fixed the problem and I noticed that there had been an update.

After reading the threads and trying to resolve in SSH mode, which I gleaned, I am unsuccessful.

# curl -k https://192.168.66.66:48443
empty reply from server
curl: (56) OpenSSL SSL_read: error: 14094438: SSL routines: ssl3_read_bytes: tlsv1 alert internal error, errno 0
# configctl webgui restart renew
okay

Browser //192.168.66.66:48443
ERR_SSL_PROTOCOL_ERROR

I put a back-up machine back into service

Assigning LAN and WAN via the console does not change anything.

Magnificent simplicity.

Regards,
French mother tongue

[franco]

> NO IT DIDN'T AS SIMPLE AS AFIRMED BY FRANCO.

So maybe it's a different issue? Let's settle down a bit. The workaround is out there:

# opnsense-revert -r 21.1.3 openssl


Cheers,
Franco

[Fright]

still think can be related:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=254643

may be due to the KTLS for freebsd was merged from master? 1.1.1 does not contain KTLS

[sToRmInG]

I had similar issues already with 21.1.3 and they are still present in 21.1.4.

The behavior is always the same. After I reboot the OPNsense the Web UI initially works but will eventually stop including unbound.

Luckily SSH is still working and the interfaces are reachable via IP. After I restart all services through the console everything is working as expected once again.

[Fright]

@sToRmInG
not the same issue if gui restart helps