[SOLVED] NGinx tries to load individual certificate despite wildcard certificate

Started by psychofaktory, October 13, 2022, 01:31:58 PM

Hello,

I have created a new HTTP server via the Nginx plugin. In the same way as many others before.
However, now I get the following error message for the newly created server after restarting the nginx service:
cannot load certificate "/usr/local/etc/nginx/key/subdomain.mydomain.tld.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/etc/nginx/key/subdomain.mydomain.tld.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

The wildcard certificate (*.mydomain.tld) created via the ACME client was selected as the TLS certificate (as with the other HTTP servers).
The check mark for "Enable Let's Encrypt Plugin Support" is not set.

Where is the error and how can I force the use of the wildcard certificate?

Hi
I don't think it has anything to do with the certificate type (the setup script doesn't check the certificate contents). Maybe there are errors in the backend log?
Or the "HTTPS Listen Address" is empty?

Quote from: Fright on October 13, 2022, 04:45:29 PM
maybe there are errors in the backend log?
Where can I find this log?

Quote from: Fright on October 13, 2022, 04:45:29 PM
Or the "HTTPS Listen Address" is empty?
No, it's exactly the same configuration as in all the other HTTP servers, which are working.


Edit:
No entry in the backend log of OPNsense -> System -> Logs.

Hm. Any messages (except "php_fpm already running?") if you run
/usr/local/opnsense/scripts/nginx/setup.php
?

Quote from: Fright on October 14, 2022, 09:16:40 PM
Hm. Any messages (except "php_fpm already running?") if you run
/usr/local/opnsense/scripts/nginx/setup.php
?

No.
Just "php_fpm already running? (pid=56775)."

Found the error.

I had added the line "add_header 'Access-Control-Allow-Origin' '*';" for a previously created HTTP server in the nginx configuration via the xxxxxxxx-xxxx-xxxx-xxxxxxxx_post/*.conf.
This apparently led to the described error for all subsequently created HTTP servers.

After I removed the *.conf, the error disappeared.

OK, I guess I spoke too soon.

When I then wanted to create another HTTP server (same settings, only a different upstream and a different subdomain), the error occurred again.

Hi
I think I found something... and it's a little regression at https://github.com/opnsense/plugins/commit/9f80395a3bfbc0a09c6d65d3cb0e9a66217e03e5
While trying to figure out how to solve it nicely, I see a temporary workaround: manually run '/usr/local/opnsense/scripts/nginx/setup.php' after adding the server with a new name and certificate and clicking the Apply button. In this case the certificate files will be in the right place, and you will need to hit Apply again.

Huh, why... is setup.php not called correctly? Which OPNsense version is this?


Cheers,
Franco

@franco Hi)
I'm testing on 22.7.6.
/usr/local/etc/rc.d/nginx contains "reload_precmd="nginx_checkconfig"", which is called before _setup. So on an Apply hit we have:
- templates reloaded (with the new server's cert references in nginx.conf)
- nginx fails the config check (cert files are not ready yet because setup.php has not yet been started)
- setup not started because the config check returned an error

@franco
How dirty is this syntax for /etc/rc.conf.d/nginx:

reload_precmd="/usr/local/opnsense/scripts/nginx/setup.php; nginx_checkconfig"
restart_precmd="/usr/local/opnsense/scripts/nginx/setup.php; nginx_checkconfig"
nginx_enable="YES"

for cases like this?

It's supposed to call setup.php on start/reload/restart by default. Is nginx rc script fudging these actions somehow?


Cheers,
Franco

If I understand this right, at https://github.com/opnsense/src/blob/a72dccaa7d6ced2a547c5d7f7a739e0a494ee333/libexec/rc/rc.subr#L1185
_precmd is executed before _setup, and if _precmd fails (like in this case) _setup will not run.
Or can we switch the _setup/_precmd order?

nginx rc:
https://github.com/freebsd/freebsd-ports/blob/main/www/nginx/files/nginx.in
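To make the ordering problem described in the posts above concrete (the config check runs as precmd before setup, fails because the certificate file is not yet in place, and therefore setup never runs), here is a small shell model of the three variants discussed: the original precmd-then-setup order, the rc.conf.d workaround that puts setup.php inside the precmd, and the swapped order. This is an added example, not OPNsense's rc script, rc.subr, or setup.php; nginx_checkconfig and nginx_setup are stand-ins that only test for and create a certificate file under a scratch directory, and the certificate filename is taken from the error message in the first post.

```shell
#!/bin/sh
# Added example: a minimal model of the rc.subr precmd/setup ordering bug
# discussed in the thread. Not the real rc.d/nginx script. All paths are
# constructed for the demo and live under a scratch directory.

WORK="${TMPDIR:-/tmp}/rcorder-demo.$$"
CERT="$WORK/key/subdomain.mydomain.tld.pem"   # name from the error message

# Reset to the state right after the templates were rendered for a new
# server: nginx.conf references the cert, but the file does not exist yet.
reset_state() {
    rm -rf "$WORK"
    mkdir -p "$WORK/key"
}

# Stand-in for nginx_checkconfig (nginx -t): fails when the cert is missing.
nginx_checkconfig() {
    [ -f "$CERT" ]
}

# Stand-in for setup.php: the step that actually writes the cert files.
nginx_setup() {
    : > "$CERT"
}

# Does the cert exist right now? Used by callers to inspect the outcome.
cert_present() {
    [ -f "$CERT" ]
}

# Original order, as run_rc_command does it: precmd first, and if it fails
# the action aborts, so setup is never reached. Returns 1 in that case.
reload_precmd_first() {
    reset_state
    nginx_checkconfig || return 1
    nginx_setup
}

# The /etc/rc.conf.d/nginx workaround from the thread:
#   reload_precmd="/usr/local/opnsense/scripts/nginx/setup.php; nginx_checkconfig"
# i.e. setup becomes part of the precmd, so the cert exists before the check.
reload_precmd_with_setup() {
    reset_state
    { nginx_setup; nginx_checkconfig; } || return 1
}

# The proper fix Franco agreed to: run setup before the checkconfig precmd.
reload_setup_first() {
    reset_state
    nginx_setup
    nginx_checkconfig || return 1
}

# Remove the scratch directory when done.
cleanup() {
    rm -rf "$WORK"
}
```

Run `reload_precmd_first` and it returns 1 with no certificate written, which is the "Apply" result the original poster saw; `reload_precmd_with_setup` and `reload_setup_first` both succeed and leave the file in place. The `&&`/`||` structure matters: in the real rc.subr the action aborts on a non-zero precmd status, so anything that has to happen before the check must run inside the precmd or be reordered ahead of it.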

Yikes ok, nginx_checkconfig as precmd stops start/reload :(

In that case we need to switch indeed. Commit in a bit.


Thanks,
Franco