[SOLVED] NGinx tries to load individual certificate despite wildcard certificate

[psychofaktory]

Hello,

I have created a new HTTP server via the Nginx plugin. In the same way as many others before.
However, now I get the following error message for the newly created server after restarting the nginx service:

Code: [Select]

cannot load certificate "/usr/local/etc/nginx/key/subdomain.mydomain.tld.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/etc/nginx/key/subdomain.mydomain.tld.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
The wildcard certificate (*.mydomain.tld) created via the ACME client was selected as the TLS certificate (as with the other HTTP servers).
The check mark for "Enable Let's Encrypt Plugin Support" is not set.

Where is the error and how can I force the use of the wildcard certificate?

[Fright]

Hi
i don't think it has anything to do with the certificate type (the setup script doesn't check the certificate contents). maybe there are errors in the backend log?
Or the "HTTPS Listen Address" is empty?

[psychofaktory]

maybe there are errors in the backend log?

Where can I find this log?

Or the "HTTPS Listen Address" is empty?

No, its exactly the same configuration as in all other HTTP-servers which are working.


Edit:
No entry in the backend log of OPNsense -> System -> Logs.

[Fright]

hm. any messages (except "php_fpm already running?") if you run

Code: [Select]

/usr/local/opnsense/scripts/nginx/setup.php?

[psychofaktory]

hm. any messages (except "php_fpm already running?") if you run

Code: [Select]

/usr/local/opnsense/scripts/nginx/setup.php?

No.
Just "php_fpm allready running? (pid=56775)."

[psychofaktory]

Found the error.

I had added the line "add_header 'Access-Control-Allow-Origin' '*';" for a previously created HTTP server in the nginx configuration via the xxxxxxxx-xxxx-xxxx-xxxxxxxx_post/*.conf.
This apparently led to the described error for all subsequently created HTTP servers.

After I removed the *.conf, the error disappeared.

[psychofaktory]

OK, I guess I spoke too soon.

When I then wanted to create another HTTP server (same setting, only different upstream and different subdomain), the error occurred again.

[Fright]

Hi
i think i found some..and its a little regression at https://github.com/opnsense/plugins/commit/9f80395a3bfbc0a09c6d65d3cb0e9a66217e03e5
while trying to figure out how to solve it nifty, I see a temporary workaround for that by manually running '/usr/local/opnsense/scripts/nginx/setup.php' after adding the server with a new name and certificate and clicking the Apply button. In this case the certificate files will be in the right place and you will need to hit Apply again

[franco]

Huh, why... is setup.php not called correctly? Which OPNsense version is this?


Cheers,
Franco

[Fright]

@franco Hi)
 im testing on 22.7.6
/usr/local/etc/rc.d/nginx  contains "reload_precmd="nginx_checkconfig" which is called before _setup. so we have at Apply hit:
-templates reloaded (with new server certs references in nginx.conf)
-nginx fails config check (certs files not ready yet because setup.php is not yet started)
-setup not started because config check return error

[Fright]

@franco
how dirty is that syntax for /etc/rc.conf.d/nginx :

Code: [Select]

reload_precmd="/usr/local/opnsense/scripts/nginx/setup.php; nginx_checkconfig"
restart_precmd="/usr/local/opnsense/scripts/nginx/setup.php; nginx_checkconfig"
nginx_enable="YES"
for cases like this?

[franco]

It's supposed to call setup.php on start/reload/restart by default. Is nginx rc script fudging these actions somehow?


Cheers,
Franco

[Fright]

if i understand this right at https://github.com/opnsense/src/blob/a72dccaa7d6ced2a547c5d7f7a739e0a494ee333/libexec/rc/rc.subr#L1185
_precmd is executed before _setup. and if _precmd fails (like in this case) _setup will not run.
or can we switch _setup/_precmd order?

nginx rc:
https://github.com/freebsd/freebsd-ports/blob/main/www/nginx/files/nginx.in

[franco]

Yikes ok, nginx_checkconfig as precmd stops start/reload

In that case we need to switch indeed. Commit in a bit.


Thanks,
Franco

[Fright]

Thanks !!