Netgate Discussion Forum

    CA is lost after update

    2.0-RC Snapshot Feedback and Problems - RETIRED

      jimp Rebel Alliance Developer Netgate

      Doesn't tell me much, really. To use the diff feature, select the "old" config in the first column of radio buttons, and the "new" config in the second column. Then press the diff button and it will show what changed between those two configuration files.

      So in your case, click the radio selector (circle button) in the first column next to "1/23/11 20:57:41" and click the topmost radio selector in the second column, then press 'diff'.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        Nachtfalke

        Configuration diff from 1/23/11 20:57:41 to 1/23/11 21:07:02
        --- /conf/backup/config-1295812661.xml 2011-01-23 21:06:37.000000000 +0100
        +++ /conf/config.xml 2011-01-23 21:07:02.000000000 +0100
        @@ -1655,9 +1655,9 @@
        <traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:hide,WAN2_graph-config:show,refreshInterval=1</traffic_graphs-config>
        
         <revision>- <time>1295812661</time>
        - 
        - <username>admin</username>
        + <time>1295813222</time>
        + 
        + <username>(system)</username></revision> 
         <openvpn><openvpn-server>@@ -1695,6 +1695,7 @@
        <wins_server1>172.16.0.1</wins_server1>
         <wins_server2><nbdd_server1>+ <dev_mode>tun</dev_mode></nbdd_server1></wins_server2></openvpn-server></openvpn> 
         <l7shaper>@@ -1888,13 +1889,6 @@
        <ovpnallow>on</ovpnallow>
        
        - <ca>- <refid>4d3c7cc0e8548</refid>
        - 
        - <crt>(deleted)</crt>
        - <prv>(deleted)</prv>
        - <serial>2</serial>
        -</ca> 
         <cert><refid>4d3c7ce6de525</refid></cert></l7shaper> 
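        Review bot: the `<ca>` block removed in the last hunk (`<refid>4d3c7cc0e8548</refid>`, `<serial>2</serial>`) disappears in a write whose `<username>` changed from `admin` to `(system)`, which points to an automated config write rather than an edit made in the GUI. The `<cert>` entry with `<refid>4d3c7ce6de525</refid>` survives as context right after it, so check whether its `<caref>` still resolves to an existing `<ca>`, and diff each intermediate backup between these two timestamps to find the write that drops the entry.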
        

        Hope this was correct ;-) Thanks for taking time!

          jimp Rebel Alliance Developer Netgate

          I removed your cert data from that post since it really shouldn't be public, I just needed to know if the only thing missing was the CA, and that seems to be the case. Though I'm not sure why that extra setting popped up in the openvpn config for the tun device between those steps, since you didn't change any of the openvpn config, just the package (and it only reads, doesn't write)

            Nachtfalke

            I did a firmware update on another box but without OpenVPN Client Export Utility and without OpenVPN configured.

            I created a TEST-CA - then did the update - and the TEST-CA is still there:

            Configuration diff from 1/23/11 23:01:34 to 1/23/11 23:51:10
            --- /conf/backup/config-1295820094.xml 2011-01-23 23:31:35.000000000 +0100
            +++ /conf/config.xml 2011-01-23 23:51:10.000000000 +0100
            @@ -804,7 +804,7 @@
            <traffic_graphs-config>WAN_graph-config:show,LAN_graph-config:show,refreshInterval=1</traffic_graphs-config>
            
             <revision>- <time>1295820094</time>
            + <time>1295823070</time>
            
            <username>(system)</username></revision> 
            @@ -1104,4 +1104,11 @@
            <crt>XXXxxxXXX</crt>
            <prv>XXXxxxXXX</prv>
            
            + <ca>+ <refid>4d3caeb37ade1</refid>
            + 
            + <crt>XXXxxxXXX</crt>
            + <prv>XXXxxxXXX</prv>
            + <serial>0</serial>
            +</ca> 
            
            

            Installed packages:
            Cron
            Lightsquid
            squid2

              jimp Rebel Alliance Developer Netgate

              So on that other box, if you install the client exporter and/or configure openvpn, I wonder if it gets lost.

              Nothing I do (install the package, configure openvpn, etc) has lost a CA for me yet.

                Nachtfalke

                Hello again,

                today I created a new CA on my first pfsense box, where I have OpenVPN and the OpenVPN Export Utility installed.

                What I did:
                Created a CA
                Restarted the box - CA still exists
                updated from:
                2.0-BETA5 (i386) built on Sun Jan 23 10:30:03 EST 2011
                to:
                2.0-BETA5 (i386) built on Mon Jan 24 07:08:15 EST 2011

                CA still exists!

                This is the config history diff:

                Configuration diff from 1/23/11 21:07:02 to 1/24/11 18:12:36
                --- /conf/backup/config-1295813222.xml 2011-01-24 11:04:23.000000000 +0100
                +++ /conf/config.xml 2011-01-24 18:12:36.000000000 +0100
                @@ -1655,7 +1655,7 @@
                <traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:hide,WAN2_graph-config:show,refreshInterval=1</traffic_graphs-config>
                
                 <revision>- <time>1295813222</time>
                + <time>1295889156</time>
                
                <username>(system)</username></revision> 
                @@ -1903,4 +1903,11 @@
                <crt>XXXxxxXXX</crt>
                <prv>XXXxxxXXX</prv>
                
                + <ca>+ <refid>4d3db071b0917</refid>
                + 
                + <crt>XXXxxxXXX</crt>
                + <prv>XXXxxxXXX</prv>
                + <serial>0</serial>
                +</ca> 
                
                

                I have got another box, where I could do a test. Any special things I should do - any ideas ?

                  jimp Rebel Alliance Developer Netgate

                  Restore your config from the one that had the CA disappear, then install the OpenVPN export package, and then run an update. See if it disappears there.

                  If it does, then something else in your config is triggering it, though I have no idea what it might be.

                    Nachtfalke

                    Couldn't make a cross change with the config files because of different configurations on my two boxes, but on the second box, where no OpenVPN Server or OpenVPN Export utility was installed, I created a CA and then did an update and everything seems to be fine. CA is still there.

                    Don't know why but now it's okay.

                      Nachtfalke

                      Next Update. next loss of CA :(

                      Configuration diff from 1/25/11 08:36:41 to 1/25/11 08:47:56
                      --- /conf/backup/config-1295941001.xml 2011-01-25 08:37:17.000000000 +0100
                      +++ /conf/backup/config-1295941676.xml 2011-01-25 09:31:11.000000000 +0100
                      @@ -173,8 +173,8 @@
                       <time-update-interval><timeservers>0.pfsense.pool.ntp.org</timeservers>
                       <webgui>- <protocol>http</protocol>
                      - <ssl-certref>4d3c7ce6de525</ssl-certref>
                      + <protocol>https</protocol>
                      + <ssl-certref>4d3e7dac18276</ssl-certref>
                       <port><nodnsrebindcheck><nohttpreferercheck>@@ -1618,9 +1618,9 @@
                      <traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:hide,WAN2_graph-config:show,refreshInterval=1</traffic_graphs-config>
                      
                       <revision>- <time>1295941001</time>
                      - 
                      - <username>admin</username>
                      + <time>1295941676</time>
                      + 
                      + <username>(system)</username></revision> 
                       <openvpn><l7shaper>@@ -1816,17 +1816,17 @@
                      
                       <cert>- <refid>4d3c7ce6de525</refid>
                      + <refid>4d3e7dac18276</refid>
                      
                      - <caref>4d3c7cc0e8548</caref>
                      - <crt>XXXxxxXXX</crt>
                      - <prv>XXXxxxXXX</prv>
                      + <caref>4d3e7d889b803</caref>
                      + <crt>XXXxxxXXX</crt>
                      + <prv>XXXxxxXXX</prv>
                      +</cert> 
                      + <cert>+ <refid>4d3e7dcd508d4</refid>
                      + 
                      + <caref>4d3e7d889b803</caref>
                      + <crt>XXXxxxXXX</crt>
                      + <prv>XXXxxxXXX</prv></cert> 
                      - <ca>- <refid>4d3e7d889b803</refid>
                      - 
                      - <crt>XXXxxxXXX</crt>
                      - <prv>XXXxxxXXX</prv>
                      - <serial>0</serial>
                      -</ca></l7shaper></openvpn></nohttpreferercheck></nodnsrebindcheck></port></webgui></time-update-interval> 
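                      Review bot: at the end of the last hunk the `<ca>` with `<refid>4d3e7d889b803</refid>` is removed, yet both `<cert>` entries on the `+` side carry `<caref>4d3e7d889b803</caref>`, so the new config holds two certificates whose issuing CA entry no longer exists. The same diff also switches the WebGUI to `https` with a new `<ssl-certref>`, which mixes manual certificate changes with the loss; take one backup after the manual changes and diff the upgrade against that, so the CA removal shows up on its own.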
                      
                        jimp Rebel Alliance Developer Netgate

                        Looks like there were a lot of other cert changes in that diff… a different WebGUI cert, different CAs, etc. Not sure what you did between one place and another there.

                          Nachtfalke

                          Before the update I deleted all left certificates. Then created a new CA: HPA-CA and 2 certificates pfsense webGUI and VPM-Remote-User. Then did the firmware update and after this the CA got lost.

                          Fact is, there wasn't a difference to the other config diffs (in my eyes). Perhaps I will do a complete new installation of my pfsense box with the actual snapshot.

                            myka

                            My situation is the same as Nachtfalke's. Same packages. Also tried recreating CA. It got lost again after second update.

                              myka

                              HA :)

                              deleted packages Open-VM-Tools and OpenVPN Client Export Utility.

                              Updated. CA is still there

                              reinstalled OpenVPN Client Export Utility then Open-VM-Tools

                              CA is still there

                                jimp Rebel Alliance Developer Netgate

                                Yeah it seems to be something about the combination of reinstalling the OpenVPN Client Export package only during the firmware upgrade cycle that kills it.

                                Still no idea why…

                                EDIT: It's really quite puzzling because nothing in the package modifies the CA, only reads, and it doesn't do either one when installing or uninstalling.

                                Can someone who is able to reproduce this remove the client export package and try a couple updates without it installed? Maybe I'm barking up the wrong tree.

                                  myka

                                  Tried in a situation where only one of those packages is installed. Either way the CA is lost.

                                    jimp Rebel Alliance Developer Netgate

                                    How about with no packages installed?

                                      myka

                                      Yes I already wrote. It is OK. CA is not lost when updating with NO package installed

                                        jimp Rebel Alliance Developer Netgate

                                        When the packages reinstall there are several config writes, can someone do a diff from before the upgrade to each of those and see at exactly which step the CA disappears?

                                          myka

                                          tried updating when only one package "The Country Block" is installed. CA disappeared.

                                          here goes diff

                                          
                                          Diagnostics: Configuration History
                                          
                                          Configuration diff from 1/25/11 19:22:59 to 1/25/11 19:31:24
                                          --- /conf/backup/config-1295976179.xml 2011-01-25 19:23:00.000000000 +0200
                                          +++ /conf/backup/config-1295976684.xml 2011-01-25 19:33:21.000000000 +0200
                                          @@ -794,9 +794,9 @@
                                          <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence>
                                          
                                           <revision>- <time>1295976179</time>
                                          - 
                                          - <username>admin</username>
                                          + <time>1295976684</time>
                                          + 
                                          + <username>(system)</username></revision> 
                                           <openvpn><openvpn-server>@@ -827,6 +827,7 @@
                                           <netbios_enable><netbios_ntype>0</netbios_ntype>
                                           <netbios_scope>+ <dev_mode>tun</dev_mode></netbios_scope></netbios_enable></openvpn-server></openvpn> 
                                           <l7shaper>@@ -855,7 +856,6 @@
                                          
                                           <service>- <tab><menu>
                                          
                                          <menu>
                                          <name>Country Block</name>
                                          @@ -878,15 +878,13 @@
                                          <maintainer>tom@tomschaefer.org</maintainer>
                                          <configurationfile>countryblock.xml</configurationfile>
                                          
                                          + <tab>+ <text>Settings</text>
                                          + <url>/packages/countryblock/countryblock.php</url>
                                          + <active>+</active></tab> 
                                          
                                           <dhcrelay>- <ca>- <refid>4d2efa305ac2a</refid>
                                          - 
                                          - <crt>(deleted)</crt>
                                          - <prv>(deleted)</prv>
                                          - <serial>2</serial>
                                          -</ca> 
                                           <ppps><gateways></gateways></ppps></dhcrelay> </menu>
                                          
                                          </menu></tab></service></l7shaper> 
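                                          Review bot: the removed `<ca>` (`<refid>4d2efa305ac2a</refid>`, `<serial>2</serial>`) at the end of the last hunk goes away in the same `(system)` write that rewrites the Country Block `<tab>` element and adds `<dev_mode>tun</dev_mode>`, so this single diff cannot show which config write dropped it. Compare the pre-upgrade backup against each backup written during the package reinstall separately, so the CA removal can be tied to one step.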
                                          
                                            jimp Rebel Alliance Developer Netgate

                                            So if you do a diff to the config labeled "intermediate config write" does it have the CA in it? or is it lost then?

                                            1 Reply Last reply Reply Quote 0
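
One way to run the comparison jimp asks for above, stepping through successive config backups to find the write in which a CA vanishes (an added example, not part of the original thread and not pfSense code). It assumes each backup has the `<ca><refid>`, `<cert><caref>` and `<revision><username>` elements seen in the diffs; the sample configs and their refids are constructed.

```python
import sys
from pathlib import Path
import xml.etree.ElementTree as ET


def cert_state(xml_text):
    """Return (writer, CA refids, {cert refid: caref}) for one config.xml.
    Only refids are read; <crt>/<prv> contents are never returned."""
    root = ET.fromstring(xml_text)
    writer = root.findtext("revision/username", default="?")
    cas = {ca.findtext("refid") for ca in root.iter("ca")} - {None}
    certs = {c.findtext("refid"): c.findtext("caref") for c in root.iter("cert")}
    certs.pop(None, None)
    return writer, cas, certs


def trace_ca_loss(snapshots):
    """snapshots: [(label, xml_text), ...] oldest first.
    Returns one finding per config write in which a CA refid disappeared."""
    findings, prev_cas = [], None
    for label, xml_text in snapshots:
        writer, cas, certs = cert_state(xml_text)
        lost = sorted(prev_cas - cas) if prev_cas is not None else []
        if lost:
            # Certificates whose <caref> no longer resolves to any <ca>.
            dangling = sorted(r for r, ca in certs.items() if ca and ca not in cas)
            findings.append({"snapshot": label, "written_by": writer,
                             "lost_cas": lost, "dangling_certs": dangling})
        prev_cas = cas
    return findings


def sample_config(user, cas, certs):
    """Build a constructed, minimal config.xml (not a real pfSense export)."""
    ca_xml = "".join(f"<ca><refid>{r}</refid><crt>XXX</crt><prv>XXX</prv>"
                     f"<serial>0</serial></ca>" for r in cas)
    cert_xml = "".join(f"<cert><refid>{r}</refid><caref>{c}</caref>"
                       f"<crt>XXX</crt><prv>XXX</prv></cert>" for r, c in certs)
    return (f"<pfsense><revision><time>0</time><username>{user}</username>"
            f"</revision>{cert_xml}{ca_xml}</pfsense>")


# Constructed sequence: a manual save, then two writes made during an upgrade.
CERTS = [("cert-webgui", "ca-test"), ("cert-vpnuser", "ca-test")]
SAMPLE = [
    ("config-1.xml", sample_config("admin", ["ca-test"], CERTS)),
    ("config-2.xml", sample_config("(system)", ["ca-test"], CERTS)),
    ("config-3.xml", sample_config("(system)", [], CERTS)),
]

if __name__ == "__main__":
    # With file arguments (oldest first) read real backups, else use SAMPLE.
    paths = sys.argv[1:]
    snaps = [(p, Path(p).read_text(encoding="utf-8")) for p in paths] or SAMPLE
    for f in trace_ca_loss(snaps):
        print(f"{f['snapshot']} (written by {f['written_by']}): "
              f"lost CA {f['lost_cas']}, dangling certs {f['dangling_certs']}")
```

Passing backup files such as those under `/conf/backup/` as arguments, oldest first, runs the same check on real configs. Only refids are reported, never `<crt>` or `<prv>` contents.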