CA is lost after update
-
Configuration diff from 1/23/11 20:57:41 to 1/23/11 21:07:02 --- /conf/backup/config-1295812661.xml 2011-01-23 21:06:37.000000000 +0100 +++ /conf/config.xml 2011-01-23 21:07:02.000000000 +0100 @@ -1655,9 +1655,9 @@ <traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:hide,WAN2_graph-config:show,refreshInterval=1</traffic_graphs-config> <revision>- <time>1295812661</time> - - <username>admin</username> + <time>1295813222</time> + + <username>(system)</username></revision> <openvpn><openvpn-server>@@ -1695,6 +1695,7 @@ <wins_server1>172.16.0.1</wins_server1> <wins_server2><nbdd_server1>+ <dev_mode>tun</dev_mode></nbdd_server1></wins_server2></openvpn-server></openvpn> <l7shaper>@@ -1888,13 +1889,6 @@ <ovpnallow>on</ovpnallow> - <ca>- <refid>4d3c7cc0e8548</refid> - - <crt>(deleted)</crt> - <prv>(deleted)</prv> - <serial>2</serial> -</ca> <cert><refid>4d3c7ce6de525</refid></cert></l7shaper>
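Review bot: the removed `<ca>` block (refid 4d3c7cc0e8548, serial 2) goes away in a write whose `<revision>` username flips from `admin` to `(system)`, i.e. an automatic write rather than an operator edit, and that same write adds `<dev_mode>tun</dev_mode>` to an openvpn-server section nobody edited. The `<cert>` with refid 4d3c7ce6de525 survives, so whatever `<caref>` it carries now points at a CA that is no longer in the file; diffing each intermediate `(system)` backup instead of only the two endpoints would show which write drops it.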
Hope this was correct ;-) Thanks for taking time!
-
I removed your cert data from that post since it really shouldn't be public, I just needed to know if the only thing missing was the CA, and that seems to be the case. Though I'm not sure why that extra setting popped up in the openvpn config for the tun device between those steps, since you didn't change any of the openvpn config, just the package (and it only reads, doesn't write).
-
I did a firmware update on another box but without OpenVPN Client Export Utility and without OpenVPN configured.
I created a TEST-CA - then did the update - and the TEST-CA is still there:
Configuration diff from 1/23/11 23:01:34 to 1/23/11 23:51:10 --- /conf/backup/config-1295820094.xml 2011-01-23 23:31:35.000000000 +0100 +++ /conf/config.xml 2011-01-23 23:51:10.000000000 +0100 @@ -804,7 +804,7 @@ <traffic_graphs-config>WAN_graph-config:show,LAN_graph-config:show,refreshInterval=1</traffic_graphs-config> <revision>- <time>1295820094</time> + <time>1295823070</time> <username>(system)</username></revision> @@ -1104,4 +1104,11 @@ <crt>XXXxxxXXX</crt> <prv>XXXxxxXXX</prv> + <ca>+ <refid>4d3caeb37ade1</refid> + + <crt>XXXxxxXXX</crt> + <prv>XXXxxxXXX</prv> + <serial>0</serial> +</ca>
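Review bot: this diff is the control case: apart from `<revision>`, the only change is the added `<ca>` (refid 4d3caeb37ade1, serial 0) and nothing is removed, so the firmware update by itself preserves a CA on a box with no OpenVPN packages. Note that the `<revision>` username is `(system)` on both sides here, whereas the box that lost its CA went from `admin` to `(system)` in the one write that dropped it.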
Installed packages:
Cron
Lightsquid
squid2
-
So on that other box, if you install the client exporter and/or configure openvpn, I wonder if it gets lost.
Nothing I do (install the package, configure openvpn, etc) has lost a CA for me yet.
-
Hello again,
today I created a new CA on my first pfsense box, where I have OpenVPN and the OpenVPN Export Utility installed.
What I did:
Created a CA
Restarted the box - CA still exists
updated from:
2.0-BETA5 (i386) built on Sun Jan 23 10:30:03 EST 2011
to:
2.0-BETA5 (i386) built on Mon Jan 24 07:08:15 EST 2011
CA still exists!
This is the config history diff:
Configuration diff from 1/23/11 21:07:02 to 1/24/11 18:12:36 --- /conf/backup/config-1295813222.xml 2011-01-24 11:04:23.000000000 +0100 +++ /conf/config.xml 2011-01-24 18:12:36.000000000 +0100 @@ -1655,7 +1655,7 @@ <traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:hide,WAN2_graph-config:show,refreshInterval=1</traffic_graphs-config> <revision>- <time>1295813222</time> + <time>1295889156</time> <username>(system)</username></revision> @@ -1903,4 +1903,11 @@ <crt>XXXxxxXXX</crt> <prv>XXXxxxXXX</prv> + <ca>+ <refid>4d3db071b0917</refid> + + <crt>XXXxxxXXX</crt> + <prv>XXXxxxXXX</prv> + <serial>0</serial> +</ca>
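Review bot: same shape as the control diff: only the new `<ca>` (refid 4d3db071b0917, serial 0) is added and nothing is removed, this time with OpenVPN and the export package installed. The diff covers a single revision step (backup 1295813222 to 1295889156), so it does not show the separate package-reinstall writes an upgrade triggers; comparing against each backup listed in Configuration History would show whether any of those touched the `<ca>` section.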
I have got another box where I could do a test. Any special things I should do, any ideas?
-
Restore your config from the one that had the CA disappear, then install the OpenVPN export package, and then run an update. See if it disappears there.
If it does, then something else in your config is triggering it, though I have no idea what it might be.
-
Couldn't make a cross change with the config files because of different configurations on my two boxes, but on the second box, where no OpenVPN Server or OpenVPN Export utility was installed, I created a CA and then did an update and everything seems to be fine. CA is still there.
Don't know why but now it's okay.
-
Next Update. next loss of CA :(
Configuration diff from 1/25/11 08:36:41 to 1/25/11 08:47:56 --- /conf/backup/config-1295941001.xml 2011-01-25 08:37:17.000000000 +0100 +++ /conf/backup/config-1295941676.xml 2011-01-25 09:31:11.000000000 +0100 @@ -173,8 +173,8 @@ <time-update-interval><timeservers>0.pfsense.pool.ntp.org</timeservers> <webgui>- <protocol>http</protocol> - <ssl-certref>4d3c7ce6de525</ssl-certref> + <protocol>https</protocol> + <ssl-certref>4d3e7dac18276</ssl-certref> <port><nodnsrebindcheck><nohttpreferercheck>@@ -1618,9 +1618,9 @@ <traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:hide,WAN2_graph-config:show,refreshInterval=1</traffic_graphs-config> <revision>- <time>1295941001</time> - - <username>admin</username> + <time>1295941676</time> + + <username>(system)</username></revision> <openvpn><l7shaper>@@ -1816,17 +1816,17 @@ <cert>- <refid>4d3c7ce6de525</refid> + <refid>4d3e7dac18276</refid> - <caref>4d3c7cc0e8548</caref> - <crt>XXXxxxXXX</crt> - <prv>XXXxxxXXX</prv> + <caref>4d3e7d889b803</caref> + <crt>XXXxxxXXX</crt> + <prv>XXXxxxXXX</prv> +</cert> + <cert>+ <refid>4d3e7dcd508d4</refid> + + <caref>4d3e7d889b803</caref> + <crt>XXXxxxXXX</crt> + <prv>XXXxxxXXX</prv></cert> - <ca>- <refid>4d3e7d889b803</refid> - - <crt>XXXxxxXXX</crt> - <prv>XXXxxxXXX</prv> - <serial>0</serial> -</ca></l7shaper></openvpn></nohttpreferercheck></nodnsrebindcheck></port></webgui></time-update-interval>
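Review bot: the removed `<ca>` (refid 4d3e7d889b803) is still referenced: both surviving `<cert>` entries (refids 4d3e7dac18276 and 4d3e7dcd508d4) keep `<caref>4d3e7d889b803</caref>`, and the WebGUI was switched to `https` with `<ssl-certref>4d3e7dac18276</ssl-certref>`, so the GUI now serves a certificate whose issuing CA is gone from the config. A dangling `<caref>` is a quick test for this condition: a cert whose caref matches no `<ca><refid>` means the CA was dropped after the cert was issued from it.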
-
Looks like there were a lot of other cert changes in that diff… a different WebGUI cert, different CAs, etc. Not sure what you did between one place and another there.
-
Before the update I deleted all remaining certificates. Then created a new CA, HPA-CA, and 2 certificates: pfsense webGUI and VPM-Remote-User. Then did the firmware update and after this the CA got lost.
Fact is, there wasn't a difference to the other config diffs (in my eyes). Perhaps I will do a completely new installation of my pfsense box with the actual snapshot.
-
My situation is the same as Nachtfalke's. Same packages. Also tried recreating the CA. It got lost again after the second update.
-
HA :)
Deleted packages Open-VM-Tools and OpenVPN Client Export Utility.
Updated. CA is still there.
Reinstalled OpenVPN Client Export Utility, then Open-VM-Tools.
CA is still there.
-
Yeah it seems to be something about the combination of reinstalling the OpenVPN Client Export package only during the firmware upgrade cycle that kills it.
Still no idea why…
EDIT: It's really quite puzzling because nothing in the package modifies the CA, only reads, and it doesn't do either one when installing or uninstalling.
Can someone who is able to reproduce this remove the client export package and try a couple updates without it installed? Maybe I'm barking up the wrong tree.
-
Tried in a situation where only one of those packages was installed. Either way the CA is lost.
-
How about with no packages installed?
-
Yes, I already wrote. It is OK. The CA is not lost when updating with NO package installed.
-
When the packages reinstall there are several config writes, can someone do a diff from before the upgrade to each of those and see at exactly which step the CA disappears?
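One way to do that check, as an added example that is not code from the thread or from pfSense: a script that takes config.xml snapshots in the order Configuration History lists them, reports the first snapshot where a top-level `<ca>` present in the previous one is gone, and lists any `<cert>` whose `<caref>` no longer matches a CA. The snapshots below are constructed (key material replaced by placeholders); the refids and timestamps follow the ones quoted in this thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample snapshots modelled on the thread's diffs (not real configs);
# key material is replaced by placeholders, refids are the ones quoted above.
BEFORE = """<pfsense>
  <revision><time>1295976180</time><username>admin</username></revision>
  <ca><refid>4d2efa305ac2a</refid><descr>HPA-CA</descr>
      <crt>PLACEHOLDER</crt><prv>PLACEHOLDER</prv><serial>2</serial></ca>
  <cert><refid>4d2efa914085f</refid><caref>4d2efa305ac2a</caref>
      <crt>PLACEHOLDER</crt><prv>PLACEHOLDER</prv></cert>
</pfsense>"""
# Intermediate config write during package removal: same file, <ca> block gone.
INTERMEDIATE = """<pfsense>
  <revision><time>1295976664</time><username>(system)</username></revision>
  <cert><refid>4d2efa914085f</refid><caref>4d2efa305ac2a</caref>
      <crt>PLACEHOLDER</crt><prv>PLACEHOLDER</prv></cert>
</pfsense>"""
SNAPSHOTS = [("config-1295976180.xml", BEFORE),
             ("config-1295976664.xml", INTERMEDIATE),
             ("config.xml", INTERMEDIATE)]

def ca_refids(config_xml):
    """Set of <ca><refid> values at the top level of a pfSense-style config."""
    root = ET.fromstring(config_xml)
    return {ca.findtext("refid") for ca in root.findall("ca")}

def dangling_certs(config_xml):
    """Refids of <cert> entries whose <caref> matches no <ca> in the same file."""
    root = ET.fromstring(config_xml)
    cas = ca_refids(config_xml)
    return sorted(c.findtext("refid") for c in root.findall("cert")
                  if c.findtext("caref") and c.findtext("caref") not in cas)

def first_loss(snapshots):
    """Walk (label, xml) pairs in chronological order; return (label, lost_refids)
    for the first snapshot missing a CA its predecessor had, or None."""
    prev = None
    for label, xml in snapshots:
        cur = ca_refids(xml)
        if prev is not None and prev - cur:
            return label, prev - cur
        prev = cur
    return None

if __name__ == "__main__":
    loss = first_loss(SNAPSHOTS)
    if loss:
        print("CA(s) %s first missing in %s" % (sorted(loss[1]), loss[0]))
        print("certs now pointing at a missing CA:", dangling_certs(SNAPSHOTS[-1][1]))
```

On a real box, read each /conf/backup/config-*.xml in timestamp order into the snapshot list instead of the constructed strings.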
-
Tried updating when only one package, "The Country Block", is installed. CA disappeared.
Here goes the diff:
Diagnostics: Configuration History Configuration diff from 1/25/11 19:22:59 to 1/25/11 19:31:24 --- /conf/backup/config-1295976179.xml 2011-01-25 19:23:00.000000000 +0200 +++ /conf/backup/config-1295976684.xml 2011-01-25 19:33:21.000000000 +0200 @@ -794,9 +794,9 @@ <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence> <revision>- <time>1295976179</time> - - <username>admin</username> + <time>1295976684</time> + + <username>(system)</username></revision> <openvpn><openvpn-server>@@ -827,6 +827,7 @@ <netbios_enable><netbios_ntype>0</netbios_ntype> <netbios_scope>+ <dev_mode>tun</dev_mode></netbios_scope></netbios_enable></openvpn-server></openvpn> <l7shaper>@@ -855,7 +856,6 @@ <service>- <tab><menu> <menu> <name>Country Block</name> @@ -878,15 +878,13 @@ <maintainer>tom@tomschaefer.org</maintainer> <configurationfile>countryblock.xml</configurationfile> + <tab>+ <text>Settings</text> + <url>/packages/countryblock/countryblock.php</url> + <active>+</active></tab> <dhcrelay>- <ca>- <refid>4d2efa305ac2a</refid> - - <crt>(deleted)</crt> - <prv>(deleted)</prv> - <serial>2</serial> -</ca> <ppps><gateways></gateways></ppps></dhcrelay> </menu> </menu></tab></service></l7shaper>
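Review bot: the `<ca>` removal (refid 4d2efa305ac2a, serial 2) lands inside the Country Block package hunk (`@@ -878,15 +878,13 @@`), between the rewritten `<tab>` block and `<dhcrelay>`, rather than in a hunk of its own. That places the loss in the config write that rewrote the package section during reinstall, not in the firmware image swap itself; diffing the `admin` backup against the first intermediate `(system)` write would confirm which write drops it.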
-
So if you do a diff to the config labeled "intermediate config write" does it have the CA in it? or is it lost then?
-
CA is lost after first (system): Intermediate config write during package removal for Country Block.
Diagnostics: Configuration History Configuration diff from 1/25/11 19:23:00 to 1/25/11 19:31:04 --- /conf/backup/config-1295976180.xml 2011-01-25 19:31:04.000000000 +0200 +++ /conf/backup/config-1295976664.xml 2011-01-25 19:31:05.000000000 +0200 @@ -636,7 +636,8 @@ <descr>- <shaper>+ <shaper>+</shaper> <ipsec><preferoldsa></preferoldsa></ipsec> @@ -794,9 +795,9 @@ <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence> <revision>- <time>1295976180</time> - - <username>admin</username> + <time>1295976664</time> + + <username>(system)</username></revision> <openvpn><openvpn-server>@@ -827,12 +828,14 @@ <netbios_enable><netbios_ntype>0</netbios_ntype> <netbios_scope>+ <dev_mode>tun</dev_mode></netbios_scope></netbios_enable></openvpn-server></openvpn> <l7shaper><container></container></l7shaper> - <dnshaper>+ <dnshaper>+</dnshaper> <cert><refid>4d2efa914085f</refid> 
@@ -855,15 +858,7 @@ <service>- <tab><menu> - <menu> - <name>Country Block</name> - <tooltiptext>Country Block settings</tooltiptext> - Firewall - <configfile>countryblock.xml</configfile> - <url>/packages/countryblock/countryblock.php</url> - </menu> <package><name>Country Block</name> <website>@@ -877,16 +872,10 @@ <required_version>1.2.2</required_version> <maintainer>tom@tomschaefer.org</maintainer> <configurationfile>countryblock.xml</configurationfile> + <depends_on_package></depends_on_package></website></package> <dhcrelay>- <ca>- <refid>4d2efa305ac2a</refid> - - <crt>(deleted)</crt> - <prv>(deleted)</prv> - <serial>2</serial> -</ca> <ppps><gateways>I see some strange lines in console:
One moment please, reinstalling package...
Trying to fech package info... Done.
tar: Error opening archive: Failed to open '/tmp/pkg_libs.tgz'
Backing up libraries...
Removing package...
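Review bot: on the diff at the top of this post: the `<ca>` (refid 4d2efa305ac2a) is already gone in config-1295976664.xml, the intermediate `(system)` write during Country Block removal, and the hunk that drops it (`@@ -877,16 +872,10 @@`) otherwise only strips the package `<menu>` and adds an empty `<depends_on_package>`. The `<cert>` with refid 4d2efa914085f is kept, so it now references a missing CA. The console output shows `tar` failing to open `/tmp/pkg_libs.tgz` right before `Removing package...`, which is worth lining up with the timestamp of that write.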