CA is lost after update
-
Hmm, and nothing in the open-vm-tools package would touch the CAs.
I'll keep digging at the OpenVPN client export package and see if I can see any scenario where it might do something unusual.
-
OK, another try:
I manually installed the OpenVPN Client Export Utility package again (this is after the restore earlier after manually removing it and then restoring config file without it included, which worked), and it installed and worked, CA still there. Then I downloaded a new backup file including the OpenVPN Client Export Utility package, and immediately restored it without making any changes. Now, the CA is gone, AND the package failed to reinstall and is not listed in the Installed Packages any longer, even though it was installed before I restored and is listed in the config file I restored. Here's the config history list:
1/18/11 12:11:01 : Installed Open-VM-Tools package. Current
1/18/11 12:06:46 : made unknown change
1/18/11 12:06:43 : Removed Open-VM-Tools package.
1/18/11 12:06:42 : made unknown change
1/18/11 12:01:47 : made unknown change
1/18/11 11:57:11 admin: Installed OpenVPN Client Export Utility package.
1/18/11 11:57:02 admin: /pkg_mgr_install.php made unknown change
1/18/11 11:57:01 admin: Creating restore point before package installation.
First you can see where I installed the OpenVPN Client Export Utility package manually, and then when I restored it at 12:01 that's when the <ca> section disappears, between these two:
1/18/11 12:01:47 : made unknown change
1/18/11 11:57:11 admin: Installed OpenVPN Client Export Utility package.
I downloaded a new backup, and can see that the <package> entry for OpenVPN Client Export Utility is gone, and there is no <ca> section, and like I said the Export Utility is now uninstalled, NOT listed in the Package Manager, when it was before the restore.
I do see in the config file that there are some leftover old settings from mod_security and ha_proxy inside <installedpackages> but those packages themselves have not been installed on this VM in the past, this config was restored to a fresh install since then.
-
Very interesting.
And to make it even more interesting, nothing in the OpenVPN client export code makes a write to the config.
I still need to see if I can track down what is causing the ": made unknown change" entries.
-
Let me know if remote web or SSH access to this box would be helpful in tracking down the issue. Are there logs I'm not seeing you could look at?
-
Nah what you've posted so far may be enough.
I have just checked in a bunch of things that, while they may not fix it, may at least improve the situation in terms of logging. Hopefully the next snap will behave a bit better.
-
That is strange …
did update
2.0-BETA5 (amd64)
from built on Wed Jan 12 23:13:34 EST 2011
to built on Tue Jan 18 13:16:28 EST 2011
CA is NOT lost
earlier tried
2.0 BETA5 AMD64
From: Wed Jan 12 23:13:34 EST 2011
To new version: Mon Jan 17 23:09:19 EST 2011
and CA was lost
-
I checked in some changes to the OpenVPN Client Export package this afternoon. It's possible the fix was there and not what is coming from the snapshot being built now.
-
I left both packages installed and upgraded one of the two boxes today to the latest snapshot a few hours ago, and it did NOT delete the CA this time! Both packages remain installed. Will upgrade the other as I have time; been a bit busy today. I did set up pfSense as the new firewall at our main office today though, not just my office, and I'm deploying pfSense on two NetGate boxes to customers in the next two days as well :-)
-
Me too, successfully upgraded without losing the CA to
2.0-BETA5 (amd64)
built on Wed Jan 19 20:58:29 EST 2011
-
CA is lost when updated
2.0-BETA5 (amd64)
from built on Wed Jan 19 20:58:29 EST 2011
to built on Thu Jan 20 01:23:56 EST 2011
-
Nothing changed that would have affected that between those builds…
Anything in the system log? What does the config history show for the last few config revisions?
-
Hi,
my CA is lost, too.
Updated from:
2.0-BETA5 (i386) built on Sun Jan 23 02:03:12 EST 2011
to:
2.0-BETA5 (i386) built on Sun Jan 23 10:30:03 EST 2011
Just have "OpenVPN Client Export utility" installed.
I read these earlier posts but didn't fully understand everything.
If you need some files/configs, please let me know step by step what I should do to help you.
-
If you go to Diagnostics > Backup/Restore on the config history tab, if you do a diff between the config from before the update, and the current config, is the only difference the missing CA?
-
I've gone over the package code again and reviewed any place in the system that modifies the CA and came up empty yet again.
I tried several times in a row on a VM and an ALIX to reproduce it and still have never lost a CA when it upgrades…
-
If you go to Diagnostics > Backup/Restore on the config history tab, if you do a diff between the config from before the update, and the current config, is the only difference the missing CA?
Sorry, I don't know how to use this feature :(
1/23/11 21:07:02 (system): Installed OpenVPN Client Export Utility package. Current
1/23/11 21:06:40 (system): Intermediate config write during package install for OpenVPN Client Export Utility.
1/23/11 21:06:37 (system): Removed OpenVPN Client Export Utility package.
1/23/11 20:57:41 admin: /system_advanced_admin.php made unknown change
1/23/11 20:56:38 admin: /firewall_nat.php made unknown change
1/23/11 20:56:36 admin: /firewall_nat_edit.php made unknown change
1/23/11 20:43:20 admin: /system_usermanager_settings.php made unknown change
1/23/11 20:38:15 admin: Deleted CRL Test-Liste.
1/23/11 20:32:04 admin: Deleted Certificate pfsense webGUI from CRL Test-Liste
1/23/11 20:32:02 admin: Deleted Certificate Remote-User-VPN from CRL Test-Liste
1/23/11 20:31:39 admin: Revoked cert Remote-User-VPN in CRL Test-Liste.
1/23/11 20:31:32 admin: Revoked cert pfsense webGUI in CRL Test-Liste.
1/23/11 20:31:04 admin: Saved CRL Test-Liste
1/23/11 20:22:28 admin: /firewall_rules_edit.php made unknown change
1/23/11 20:22:20 admin: /firewall_rules_edit.php made unknown change
1/23/11 20:21:57 admin: /firewall_rules_edit.php made unknown change
1/23/11 20:21:33 admin: /firewall_rules_edit.php made unknown change
1/23/11 20:19:30 admin: /system_certmanager.php made unknown change
1/23/11 20:19:16 admin: /system_usermanager.php made unknown change
1/23/11 20:18:44 admin: /vpn_openvpn_server.php made unknown change
1/23/11 20:13:16 admin: /system_certmanager.php made unknown change
1/23/11 20:09:28 admin: /system_certmanager.php made unknown change
1/23/11 20:08:50 admin: /system_camanager.php made unknown change
1/23/11 20:08:10 admin: /system_camanager.php made unknown change
1/23/11 20:08:07 admin: /system_camanager.php made unknown change
1/23/11 20:07:57 admin: /system_certmanager.php made unknown change
1/23/11 20:07:34 admin: /system_usermanager.php made unknown change
1/23/11 20:07:12 admin: /vpn_openvpn_server.php made unknown change
1/23/11 20:06:51 admin: /firewall_rules.php made unknown change
1/23/11 20:06:44 admin: /firewall_rules.php made unknown change
1/23/11 20:03:21 admin: /vpn_openvpn_server.php made unknown change
-
Doesn't tell me much, really. To use the diff feature, select the "old" config in the first column of radio buttons, and the "new" config in the second column. Then press the diff button and it will show what changed between those two configuration files.
So in your case, click the radio selector (circle button) in the first column next to "1/23/11 20:57:41" and click the topmost radio selector in the second column, then press 'diff'.
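An added example, not part of the original post and not pfSense code: the same before/after comparison done offline across several downloaded config backups, reporting the first revision in which a `<ca>` entry is missing and the `<revision>` username that wrote it. It assumes the `<revision>`, `<ca>` and `<refid>` elements seen in the diffs in this thread and a `<pfsense>` root element; the sample history and its refids are constructed.

```python
import sys
import xml.etree.ElementTree as ET

def summarize(config_xml):
    """Return (revision time, revision username, set of CA refids) for one config."""
    root = ET.fromstring(config_xml)
    rev = root.find("revision")
    when = rev.findtext("time", "?") if rev is not None else "?"
    who = rev.findtext("username", "?") if rev is not None else "?"
    refids = {ca.findtext("refid").strip()
              for ca in root.iter("ca") if ca.findtext("refid")}
    return when, who, refids

def find_ca_losses(configs):
    """configs: config.xml texts, oldest first. One record per CA that vanished
    between two adjacent revisions, naming the revision that no longer has it."""
    losses, prev = [], None
    for text in configs:
        cur = summarize(text)
        if prev is not None:
            for refid in sorted(prev[2] - cur[2]):
                losses.append({"refid": refid, "last_seen": prev[0],
                               "lost_in": cur[0], "written_by": cur[1]})
        prev = cur
    return losses

def _sample(time, user, ca_refids):
    # Constructed test data: only the elements the check reads, no key material.
    cas = "".join(f"<ca><refid>{r}</refid><serial>0</serial></ca>" for r in ca_refids)
    return (f"<pfsense><revision><time>{time}</time><username>{user}</username>"
            f"</revision>{cas}<cert><refid>cert-example</refid></cert></pfsense>")

# Constructed history, oldest first: the CA disappears in the third write.
SAMPLE_HISTORY = [
    _sample(1000, "admin", ["ca-example-1"]),
    _sample(1010, "(system)", ["ca-example-1"]),
    _sample(1020, "(system)", []),
    _sample(1030, "(system)", []),
]

if __name__ == "__main__":
    # Pass downloaded backup files oldest first, or run without arguments for the sample.
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or SAMPLE_HISTORY
    for loss in find_ca_losses(texts):
        print("CA {refid}: present at {last_seen}, gone at {lost_in} "
              "(written by {written_by})".format(**loss))
```

Downloaded backups contain the CA private key in `<prv>`, so keep them off shared systems and redact `<crt>` and `<prv>` before posting any output.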
-
Configuration diff from 1/23/11 20:57:41 to 1/23/11 21:07:02 --- /conf/backup/config-1295812661.xml 2011-01-23 21:06:37.000000000 +0100 +++ /conf/config.xml 2011-01-23 21:07:02.000000000 +0100 @@ -1655,9 +1655,9 @@ <traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:hide,WAN2_graph-config:show,refreshInterval=1</traffic_graphs-config> <revision>- <time>1295812661</time> - - <username>admin</username> + <time>1295813222</time> + + <username>(system)</username></revision> <openvpn><openvpn-server>@@ -1695,6 +1695,7 @@ <wins_server1>172.16.0.1</wins_server1> <wins_server2><nbdd_server1>+ <dev_mode>tun</dev_mode></nbdd_server1></wins_server2></openvpn-server></openvpn> <l7shaper>@@ -1888,13 +1889,6 @@ <ovpnallow>on</ovpnallow> - <ca>- <refid>4d3c7cc0e8548</refid> - - <crt>(deleted)</crt> - <prv>(deleted)</prv> - <serial>2</serial> -</ca> <cert><refid>4d3c7ce6de525</refid></cert></l7shaper>
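Review bot: the third hunk (@@ -1888,13 +1889,6 @@) drops the whole <ca> block with refid 4d3c7cc0e8548, but the diff runs from the 20:57:41 revision (config-1295812661.xml) straight to 21:07:02, so it covers the package removal at 21:06:37, the intermediate write at 21:06:40 and the install at 21:07:02 together and cannot say which of them removed it. Diffing each adjacent pair of those revisions would isolate the write responsible, and would also show whether the <dev_mode>tun</dev_mode> line added in the second hunk arrives in that same write.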
Hope this was correct ;-) Thanks for taking time!
-
I removed your cert data from that post since it really shouldn't be public, I just needed to know if the only thing missing was the CA, and that seems to be the case. Though I'm not sure why that extra setting popped up in the openvpn config for the tun device between those steps, since you didn't change any of the openvpn config, just the package (and it only reads, doesn't write)
-
I did a firmware update on another box but without OpenVPN Client Export Utility and without OpenVPN configured.
I created a TEST-CA - then did the update - and the TEST-CA is still there:
Configuration diff from 1/23/11 23:01:34 to 1/23/11 23:51:10 --- /conf/backup/config-1295820094.xml 2011-01-23 23:31:35.000000000 +0100 +++ /conf/config.xml 2011-01-23 23:51:10.000000000 +0100 @@ -804,7 +804,7 @@ <traffic_graphs-config>WAN_graph-config:show,LAN_graph-config:show,refreshInterval=1</traffic_graphs-config> <revision>- <time>1295820094</time> + <time>1295823070</time> <username>(system)</username></revision> @@ -1104,4 +1104,11 @@ <crt>XXXxxxXXX</crt> <prv>XXXxxxXXX</prv> + <ca>+ <refid>4d3caeb37ade1</refid> + + <crt>XXXxxxXXX</crt> + <prv>XXXxxxXXX</prv> + <serial>0</serial> +</ca>
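Review bot: the second hunk (@@ -1104,4 +1104,11 @@) shows the <ca> block with refid 4d3caeb37ade1 as added, which means the old side, config-1295820094.xml, predates the TEST-CA, so this diff confirms the CA is present afterwards but not what the update itself did to it. Using the last revision saved after the CA was created and before the update as the old side would make an untouched <ca> show up as no hunk at all.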
Installed packages:
Cron
Lightsquid
squid2
-
So on that other box, if you install the client exporter and/or configure openvpn, I wonder if it gets lost.
Nothing I do (install the package, configure openvpn, etc) has lost a CA for me yet.