Netgate Discussion Forum

    CA is lost after update

    2.0-RC Snapshot Feedback and Problems - RETIRED
      Nachtfalke

      Couldn't make a cross change with the config files because of different configurations on my two boxes, but on the second box, where no OpenVPN Server or OpenVPN Export utility was installed, I created a CA and then did an update and everything seems to be fine. CA is still there.

      Don't know why but now it's okay.

        Nachtfalke

        Next Update. next loss of CA :(

        Configuration diff from 1/25/11 08:36:41 to 1/25/11 08:47:56
        --- /conf/backup/config-1295941001.xml 2011-01-25 08:37:17.000000000 +0100
        +++ /conf/backup/config-1295941676.xml 2011-01-25 09:31:11.000000000 +0100
        @@ -173,8 +173,8 @@
         <time-update-interval><timeservers>0.pfsense.pool.ntp.org</timeservers>
         <webgui>- <protocol>http</protocol>
        - <ssl-certref>4d3c7ce6de525</ssl-certref>
        + <protocol>https</protocol>
        + <ssl-certref>4d3e7dac18276</ssl-certref>
         <port><nodnsrebindcheck><nohttpreferercheck>@@ -1618,9 +1618,9 @@
        <traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:hide,WAN2_graph-config:show,refreshInterval=1</traffic_graphs-config>
        
         <revision>- <time>1295941001</time>
        - 
        - <username>admin</username>
        + <time>1295941676</time>
        + 
        + <username>(system)</username></revision> 
         <openvpn><l7shaper>@@ -1816,17 +1816,17 @@
        
         <cert>- <refid>4d3c7ce6de525</refid>
        + <refid>4d3e7dac18276</refid>
        
        - <caref>4d3c7cc0e8548</caref>
        - <crt>XXXxxxXXX</crt>
        - <prv>XXXxxxXXX</prv>
        + <caref>4d3e7d889b803</caref>
        + <crt>XXXxxxXXX</crt>
        + <prv>XXXxxxXXX</prv>
        +</cert> 
        + <cert>+ <refid>4d3e7dcd508d4</refid>
        + 
        + <caref>4d3e7d889b803</caref>
        + <crt>XXXxxxXXX</crt>
        + <prv>XXXxxxXXX</prv></cert> 
        - <ca>- <refid>4d3e7d889b803</refid>
        - 
        - <crt>XXXxxxXXX</crt>
        - <prv>XXXxxxXXX</prv>
        - <serial>0</serial>
        -</ca></l7shaper></openvpn></nohttpreferercheck></nodnsrebindcheck></port></webgui></time-update-interval> 
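        Review bot: in the last hunk (@@ -1816,17 +1816,17 @@) the `<ca>` block with refid 4d3e7d889b803 is on the removed side while both `<cert>` entries on the added side still carry `<caref>4d3e7d889b803</caref>`, so this write leaves two certificates referencing a CA that is no longer in the config. The `<revision>` hunk attributes the write to (system) rather than admin, so the CA section should pass through that automated write unchanged, and a check that every `<caref>` resolves to an existing `<ca>` refid before saving would catch this.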
        
          jimp Rebel Alliance Developer Netgate

          Looks like there were a lot of other cert changes in that diff… a different WebGUI cert, different CAs, etc. Not sure what you did between one place and another there.

            Nachtfalke

            Before the update I deleted all leftover certificates. Then I created a new CA, HPA-CA, and 2 certificates, pfsense webGUI and VPM-Remote-User. Then did the firmware update and after this the CA got lost.

            Fact is, there wasn't a difference to the other config diffs (in my eyes). Perhaps I will do a complete new installation of my pfsense box with the actual snapshot.

              myka

              My situation is the same as Nachtfalke's. Same packages. Also tried recreating the CA. It got lost again after the second update.

                myka

                HA :)

                deleted packages Open-VM-Tools and OpenVPN Client Export Utility.

                Updated. CA is still there

                reinstalled OpenVPN Client Export Utility then Open-VM-Tools

                CA is still there

                  jimp Rebel Alliance Developer Netgate

                  Yeah it seems to be something about the combination of reinstalling the OpenVPN Client Export package only during the firmware upgrade cycle that kills it.

                  Still no idea why…

                  EDIT: It's really quite puzzling because nothing in the package modifies the CA, only reads, and it doesn't do either one when installing or uninstalling.

                  Can someone who is able to reproduce this remove the client export package and try a couple updates without it installed? Maybe I'm barking up the wrong tree.

                    myka

                    Tried in the situation when only one of those packages is installed. Either way the CA is lost.

                      jimp Rebel Alliance Developer Netgate

                      How about with no packages installed?

                        myka

                        Yes I already wrote. It is OK. CA is not lost when updating with NO package installed

                          jimp Rebel Alliance Developer Netgate

                          When the packages reinstall there are several config writes, can someone do a diff from before the upgrade to each of those and see at exactly which step the CA disappears?

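One way to run the comparison asked for above over a set of saved backups, as an added example that is not part of the thread or of pfSense itself: it orders the revisions by their `<revision><time>` stamp and reports the first write after which a `<ca>` refid is gone, together with the certificates whose `<caref>` still points at it. The element layout under a `<pfsense>` root and the `<description>` field are assumptions, and the sample revisions and refids are constructed.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path


def summarize(xml_data):
    """Pull the revision stamp, CA refids and cert -> CA references from one config."""
    root = ET.fromstring(xml_data)
    rev = root.find("revision")
    if rev is None:
        raise ValueError("config has no <revision> element")
    return {
        "time": int(rev.findtext("time")),
        "username": rev.findtext("username", default=""),
        "description": rev.findtext("description", default=""),
        "cas": {ca.findtext("refid") for ca in root.iter("ca")},
        "certs": {c.findtext("refid"): c.findtext("caref") for c in root.iter("cert")},
    }


def find_ca_loss(revisions):
    """Return one finding per CA that vanishes between two consecutive revisions."""
    snaps = sorted((summarize(r) for r in revisions), key=lambda s: s["time"])
    findings = []
    for before, after in zip(snaps, snaps[1:]):
        for refid in sorted(before["cas"] - after["cas"]):
            findings.append({
                "ca": refid,
                "last_seen": before["time"],
                "lost_at": after["time"],
                "written_by": after["username"],
                "description": after["description"],
                # Certificates that still reference the CA that was dropped.
                "orphaned_certs": sorted(
                    c for c, ca in after["certs"].items() if ca == refid),
            })
    return findings


def load_backups(directory):
    """Read every config-<timestamp>.xml in a copy of the backup directory."""
    return [p.read_bytes() for p in sorted(Path(directory).glob("config-*.xml"))]


def _sample(time, user, descr, cas, certs):
    """Build a constructed, minimal config revision (assumed layout)."""
    ca_xml = "".join(f"<ca><refid>{r}</refid><serial>0</serial></ca>" for r in cas)
    cert_xml = "".join(
        f"<cert><refid>{c}</refid><caref>{a}</caref></cert>" for c, a in certs)
    return (f"<pfsense><revision><time>{time}</time>"
            f"<description>{descr}</description><username>{user}</username>"
            f"</revision>{cert_xml}{ca_xml}</pfsense>")


# Constructed sample: the CA "ca-aaaa" disappears in the second write.
CERTS = [("cert-1111", "ca-aaaa"), ("cert-2222", "ca-bbbb")]
SAMPLE = [
    _sample(1000, "admin", "Created CA", ["ca-aaaa", "ca-bbbb"], CERTS),
    _sample(1300, "(system)",
            "Intermediate config write during package removal for Country Block.",
            ["ca-bbbb"], CERTS),
    _sample(1400, "(system)", "Constructed later write", ["ca-bbbb"], CERTS),
]

if __name__ == "__main__":
    revs = load_backups(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for f in find_ca_loss(revs):
        print(f"CA {f['ca']} present at {f['last_seen']}, gone at {f['lost_at']} "
              f"({f['written_by']}: {f['description']}); "
              f"orphaned certs: {f['orphaned_certs']}")
```

Run it with the path to a copy of `/conf/backup` to check real revisions; with no argument it uses the constructed sample.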
                            myka

                            tried updating when only one package "The Country Block" is installed. CA disappeared.

                            here goes diff

                            
                            Diagnostics: Configuration History
                            
                            Configuration diff from 1/25/11 19:22:59 to 1/25/11 19:31:24
                            --- /conf/backup/config-1295976179.xml 2011-01-25 19:23:00.000000000 +0200
                            +++ /conf/backup/config-1295976684.xml 2011-01-25 19:33:21.000000000 +0200
                            @@ -794,9 +794,9 @@
                            <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence>
                            
                             <revision>- <time>1295976179</time>
                            - 
                            - <username>admin</username>
                            + <time>1295976684</time>
                            + 
                            + <username>(system)</username></revision> 
                             <openvpn><openvpn-server>@@ -827,6 +827,7 @@
                             <netbios_enable><netbios_ntype>0</netbios_ntype>
                             <netbios_scope>+ <dev_mode>tun</dev_mode></netbios_scope></netbios_enable></openvpn-server></openvpn> 
                             <l7shaper>@@ -855,7 +856,6 @@
                            
                             <service>- <tab><menu>
                            
                            <menu>
                            <name>Country Block</name>
                            @@ -878,15 +878,13 @@
                            <maintainer>tom@tomschaefer.org</maintainer>
                            <configurationfile>countryblock.xml</configurationfile>
                            
                            + <tab>+ <text>Settings</text>
                            + <url>/packages/countryblock/countryblock.php</url>
                            + <active>+</active></tab> 
                            
                             <dhcrelay>- <ca>- <refid>4d2efa305ac2a</refid>
                            - 
                            - <crt>(deleted)</crt>
                            - <prv>(deleted)</prv>
                            - <serial>2</serial>
                            -</ca> 
                             <ppps><gateways></gateways></ppps></dhcrelay> </menu>
                            
                            </menu></tab></service></l7shaper> 
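                            Review bot: the only `<ca>` lines in this diff are removals (refid 4d2efa305ac2a, serial 2, in the last hunk) and nothing on the added side replaces them, while the other changes are the Country Block menu and tab entries and the `<revision>` username going from admin to (system). A write that only re-registers a package should leave the `<ca>` section untouched, so the code path behind this (system) write is where to look for a stale or partial config being saved.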
                            
                              jimp Rebel Alliance Developer Netgate

                              So if you do a diff to the config labeled "intermediate config write" does it have the CA in it? or is it lost then?

                                myka

                                CA is lost after first (system): Intermediate config write during package removal for Country Block.

                                
                                Diagnostics: Configuration History
                                
                                Configuration diff from 1/25/11 19:23:00 to 1/25/11 19:31:04
                                --- /conf/backup/config-1295976180.xml 2011-01-25 19:31:04.000000000 +0200
                                +++ /conf/backup/config-1295976664.xml 2011-01-25 19:31:05.000000000 +0200
                                @@ -636,7 +636,8 @@
                                 <descr>- <shaper>+ <shaper>+</shaper> 
                                 <ipsec><preferoldsa></preferoldsa></ipsec> 
                                @@ -794,9 +795,9 @@
                                <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence>
                                
                                 <revision>- <time>1295976180</time>
                                - 
                                - <username>admin</username>
                                + <time>1295976664</time>
                                + 
                                + <username>(system)</username></revision> 
                                 <openvpn><openvpn-server>@@ -827,12 +828,14 @@
                                 <netbios_enable><netbios_ntype>0</netbios_ntype>
                                 <netbios_scope>+ <dev_mode>tun</dev_mode></netbios_scope></netbios_enable></openvpn-server></openvpn> 
                                 <l7shaper><container></container></l7shaper> 
                                - <dnshaper>+ <dnshaper>+</dnshaper> 
                                 <cert><refid>4d2efa914085f</refid>
                                
                                @@ -855,15 +858,7 @@
                                
                                 <service>- <tab><menu>
                                - 
                                
                                <menu>
                                - <name>Country Block</name>
                                - <tooltiptext>Country Block settings</tooltiptext>
                                - Firewall
                                - <configfile>countryblock.xml</configfile>
                                - <url>/packages/countryblock/countryblock.php</url>
                                - </menu>
                                
                                 <package><name>Country Block</name>
                                 <website>@@ -877,16 +872,10 @@
                                <required_version>1.2.2</required_version>
                                <maintainer>tom@tomschaefer.org</maintainer>
                                <configurationfile>countryblock.xml</configurationfile>
                                + <depends_on_package></depends_on_package></website></package> 
                                
                                 <dhcrelay>- <ca>- <refid>4d2efa305ac2a</refid>
                                - 
                                - <crt>(deleted)</crt>
                                - <prv>(deleted)</prv>
                                - <serial>2</serial>
                                -</ca> 
                                 <ppps><gateways>I see some strange lines in console:
                                
                                

                                One moment please, reinstalling package...

                                Trying to fech package info... Done.
                                tar: Error opening archive: Failed to open '/tmp/pkg_libs.tgz'
                                Backing up libraries...
                                Removing package...

                                  jimp Rebel Alliance Developer Netgate

                                  @myka:

                                  CA is lost after first (system): Intermediate config write during package removal for Country Block.

                                  
                                  Diagnostics: Configuration History
                                  
                                  Configuration diff from 1/25/11 19:23:00 to 1/25/11 19:31:04
                                  --- /conf/backup/config-1295976180.xml 2011-01-25 19:31:04.000000000 +0200
                                  +++ /conf/backup/config-1295976664.xml 2011-01-25 19:31:05.000000000 +0200
                                  @@ -636,7 +636,8 @@
                                   <descr>- <shaper>+ <shaper>+</shaper> 
                                   <ipsec><preferoldsa></preferoldsa></ipsec> 
                                  @@ -794,9 +795,9 @@
                                  <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence>
                                  
                                   <revision>- <time>1295976180</time>
                                  - 
                                  - <username>admin</username>
                                  + <time>1295976664</time>
                                  + 
                                  + <username>(system)</username></revision> 
                                   <openvpn><openvpn-server>@@ -827,12 +828,14 @@
                                   <netbios_enable><netbios_ntype>0</netbios_ntype>
                                   <netbios_scope>+ <dev_mode>tun</dev_mode></netbios_scope></netbios_enable></openvpn-server></openvpn> 
                                   <l7shaper><container></container></l7shaper> 
                                  - <dnshaper>+ <dnshaper>+</dnshaper> 
                                   <cert><refid>4d2efa914085f</refid>
                                  
                                  @@ -855,15 +858,7 @@
                                  
                                   <service>- <tab><menu>
                                  - 
                                  
                                  <menu>
                                  - <name>Country Block</name>
                                  - <tooltiptext>Country Block settings</tooltiptext>
                                  - Firewall
                                  - <configfile>countryblock.xml</configfile>
                                  - <url>/packages/countryblock/countryblock.php</url>
                                  - </menu>
                                  
                                   <package><name>Country Block</name>
                                   <website>@@ -877,16 +872,10 @@
                                  <required_version>1.2.2</required_version>
                                  <maintainer>tom@tomschaefer.org</maintainer>
                                  <configurationfile>countryblock.xml</configurationfile>
                                  + <depends_on_package></depends_on_package></website></package> 
                                  
                                   <dhcrelay>- <ca>- <refid>4d2efa305ac2a</refid>
                                  - 
                                  - <crt>(deleted)</crt>
                                  - <prv>(deleted)</prv>
                                  - <serial>2</serial>
                                  -</ca> 
                                   <ppps><gateways></gateways></ppps></dhcrelay> </menu></tab></service></cert></dnshaper></shaper></descr> 
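                                  Review bot: in the last hunk (@@ -877,16 +872,10 @@) the `<ca>` block with refid 4d2efa305ac2a is removed in the same write that removes the Country Block `<menu>` entry, and the `<revision>` hunk attributes that write to (system). `<cert>` 4d2efa914085f is still present as unchanged context, so certificates survive this write while the CA does not; the package-removal write should leave every section outside the package's own entries untouched.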
                                  

                                  So those two config entries that you did a diff between were right next to each other in the list? Interesting… And did you do that from the GUI or during an upgrade?

                                    myka

                                    those lines are one after another and update done from GUI

                                    Screenshot.jpg

                                      jimp Rebel Alliance Developer Netgate

                                      ok, got it. One more question: Were you reinstalling the package or deleting it? (which button did you click? X? pkg? xml?)

                                        jimp Rebel Alliance Developer Netgate

                                        On the systems where you can reproduce this problem, were they fresh installs of 2.0 or upgraded from 1.2.3?

                                          myka

                                          @jimp:

                                          ok, got it. One more question: Were you reinstalling the package or deleting it? (which button did you click? X? pkg? xml?)

                                          This line "(system): Intermediate config write during package removal for Country Block." is written when the update is done. Then the reinstall of packages is done automatically. When I successfully updated, I did a manual remove by pressing X, then the update from the GUI, and then a manual install of packages. This way the CA was NOT lost.
                                          The system is a fresh install of 2.0 with approx. 10 updates from the GUI after.

                                            c0nsumer

                                            Same issue here (I opened bug 1231 about this today), and I've got just the OpenVPN Exporter installed. I explicitly backed up my config, upgraded to the absolute latest build (as of this posting), and found the CA missing.

                                            Before the next daily release / upgrade I'll try removing the OpenVPN package and see what the result is. As a test I tried removing and installing the OpenVPN Exporter, but that didn't cause the same result.
