Netgate Discussion Forum

    CA is lost after update

    2.0-RC Snapshot Feedback and Problems - RETIRED

      jimp Rebel Alliance Developer Netgate

      @myka:

      CA is lost after first (system): Intermediate config write during package removal for Country Block.

      
      Diagnostics: Configuration History
      
      Configuration diff from 1/25/11 19:23:00 to 1/25/11 19:31:04
      --- /conf/backup/config-1295976180.xml 2011-01-25 19:31:04.000000000 +0200
      +++ /conf/backup/config-1295976664.xml 2011-01-25 19:31:05.000000000 +0200
      @@ -636,7 +636,8 @@
       <descr>- <shaper>+ <shaper>+</shaper> 
       <ipsec><preferoldsa></preferoldsa></ipsec> 
      @@ -794,9 +795,9 @@
      <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence>
      
       <revision>- <time>1295976180</time>
      - 
      - <username>admin</username>
      + <time>1295976664</time>
      + 
      + <username>(system)</username></revision> 
       <openvpn><openvpn-server>@@ -827,12 +828,14 @@
       <netbios_enable><netbios_ntype>0</netbios_ntype>
       <netbios_scope>+ <dev_mode>tun</dev_mode></netbios_scope></netbios_enable></openvpn-server></openvpn> 
       <l7shaper><container></container></l7shaper> 
      - <dnshaper>+ <dnshaper>+</dnshaper> 
       <cert><refid>4d2efa914085f</refid>
      
      @@ -855,15 +858,7 @@
      
       <service>- <tab><menu>
      - 
      
      <menu>
      - <name>Country Block</name>
      - <tooltiptext>Country Block settings</tooltiptext>
      - Firewall
      - <configfile>countryblock.xml</configfile>
      - <url>/packages/countryblock/countryblock.php</url>
      - </menu>
      
       <package><name>Country Block</name>
       <website>@@ -877,16 +872,10 @@
      <required_version>1.2.2</required_version>
      <maintainer>tom@tomschaefer.org</maintainer>
      <configurationfile>countryblock.xml</configurationfile>
      + <depends_on_package></depends_on_package></website></package> 
      
       <dhcrelay>- <ca>- <refid>4d2efa305ac2a</refid>
      - 
      - <crt>(deleted)</crt>
      - <prv>(deleted)</prv>
      - <serial>2</serial>
      -</ca> 
       <ppps><gateways></gateways></ppps></dhcrelay> </menu></tab></service></cert></dnshaper></shaper></descr> 
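      Review bot: the final region of this diff (after `@@ -877,16 +872,10 @@`) deletes the whole `<ca>` element, refid 4d2efa305ac2a with serial 2, in a revision whose `<username>` is `(system)` and whose only stated purpose is the Country Block package removal. The other removed lines are the package's own `<menu>` entry, so the `<ca>` deletion is unrelated to the change being recorded. Whatever writes this intermediate revision should be checked for saving a copy of the config that no longer holds the `<ca>` section; the `<cert>` entry (refid 4d2efa914085f) appears only as unchanged context, which suggests that only `<ca>` was dropped.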
      

      So those two config entries that you did a diff between were right next to each other in the list? Interesting… And did you do that from the GUI or during an upgrade?

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        myka

        Those lines are one after another, and the update was done from the GUI.

          jimp Rebel Alliance Developer Netgate

          ok, got it. One more question: Were you reinstalling the package or deleting it? (which button did you click? X? pkg? xml?)

            jimp Rebel Alliance Developer Netgate

            On the systems where you can reproduce this problem, were they fresh installs of 2.0 or upgraded from 1.2.3?

              myka

              @jimp:

              ok, got it. One more question: Were you reinstalling the package or deleting it? (which button did you click? X? pkg? xml?)

              This line "(system): Intermediate config write during package removal for Country Block." is written when the update is done. Then the reinstall of packages is done automatically. When I successfully updated, I did a manual remove by pressing X, then the update from the GUI, and then a manual install of the packages. This way the CA was NOT lost.
              The system is a fresh install of 2.0 with approx. 10 updates from the GUI after.

                c0nsumer

                Same issue here (I opened bug 1231 about this today), and I've got just the OpenVPN Exporter installed. I explicitly backed up my config, upgraded to the absolute latest build (as of this posting), and found the CA missing.

                Before the next daily release / upgrade I'll try removing the OpenVPN package and see what the result is. As a test I tried removing and installing the OpenVPN Exporter, but that didn't cause the same result.

                  Nachtfalke

                  Like myka said in some posts before, I didn't lose my CA if I uninstall OpenVPN Export Utility before an update. Strange …

                    Nachtfalke

                    Hi again,

                    Before the last snapshot updates I always deleted the OpenVPN Export Utility, updated pfSense, and then my CA was still there. Today I deinstalled OpenVPN Utility again, but installed the Unbound package (didn't configure anything) and then did a firmware update and …. CA disappeared.

                    Perhaps with the new debugging system in the new snapshot someone can find this strange behaviour.

                      jimp Rebel Alliance Developer Netgate

                      That was expected. It isn't tied to the OpenVPN client export package, but having any package installed.

                      It's something with the package reinstall routine that happens at bootup. Though what, exactly, remains mysterious.

                        jimp Rebel Alliance Developer Netgate

                        I made a commit that I suspect might make at least some difference, though I won't know for sure until the new snapshots are up.

                          dszp

                          On the system that was giving me the most trouble, I haven't updated in a few days. The CA was still gone from the last time I'd had the issue (I didn't reimport it). I created a new internal CA, left the two packages (OpenVPN Export and VMware Tools) installed, and rebooted. The CA I created stayed there as did both packages, after the upgrade/reboot. I'll try again in a day or two :-)

                          David Szpunar

                            myka

                            @David:

                            On the system that was giving me the most trouble, I haven't updated in a few days. The CA was still gone from the last time I'd had the issue (I didn't reimport it). I created a new internal CA, left the two packages (OpenVPN Export and VMware Tools) installed, and rebooted. The CA I created stayed there as did both packages, after the upgrade/reboot. I'll try again in a day or two :-)

                            I also tried the same. Then I lost the CA in the update after.

                              jimp Rebel Alliance Developer Netgate

                              Has anyone tried an update to a snapshot from today, and still lost their CA? Or are you talking about things you did yesterday or before?

                                dszp

                                I upgraded this morning to the latest snapshot on the problem system, then upgraded again as by the time the upgrade was done the newer snapshot was ready :-) Currently on:

                                2.0-BETA5 (i386)
                                built on Fri Jan 28 05:30:15 EST 2011

                                And both upgrades didn't kill the CA, where they have before on this machine (this is one of the ones I sent you the config and diffs from, Jim, the pf.la…. box where it happened every time I restored configs, not just upgrades).

                                David Szpunar

                                  jimp Rebel Alliance Developer Netgate

                                  OK, if it happens again, let me know.

                                    Nachtfalke

                                    Hi,

                                    now using 2.0-BETA5 (i386) built on Sat Jan 29 01:09:59 EST 2011 on two boxes.

                                    box1: OpenVPN Utility installed. The last two updates were okay with no CA lost.
                                    box2: OpenVPN Utility, cron, squid, lightsquid installed. The last two updates were okay with no CA lost, too.

                                    Seems to be fine now. Thanks :-)

                                      dszp

                                      I updated from the snapshot from two days ago to the current one about 8pm EST on 1/29 (Sat) evening. This time, OpenVPN Client Export is gone and the CA is gone, which I had just created from scratch. I have configs from just before and after the upgrade. I'm restoring the config from before the upgrade now (it includes the packages, so we'll see how it goes). I did load the GUI just after the upgrade and got the "please wait, reinstalling packages" screen. Does the issue only happen when I view the reinstall in process? I don't know, just thinking out loud. I don't think so though. Sadly I didn't save the output of the reinstall progress screen but I doubt it's terribly relevant. VMware Tools was installed and is still installed.

                                      OK restore from backup done. This time, VMware Tools and OpenVPN Client Export Utility are both installed, BUT the CA is still gone. It was there just after package install…I loaded the Cert Manager page while the package reinstall was happening. It wouldn't load until the package install was complete, and as soon as it was done it immediately loaded, showing the "Package install in progress" thing at the top but then the CA was there in the list. However, when I reloaded the page within a minute, the "reinstalling packages" warning at the top was still there (odd, as it had completed already supposedly) but the CA was gone. A little while later now, reloading still shows no CA, but the warning message goes away.

                                      So, it appears to be removing the CA in between the package reinstall progress thing says "complete" (which it did...after the reboot I clicked the pfSense logo and watched the package reinstall progress, which said complete then the CA was still there when the second tab with Cert Manager immediately finished loading), and when that warning goes away (since it was still there but the CA was gone, then the warning disappeared on the next reload a bit later). I'm not sure what happens in the code in that timeframe.

                                      David Szpunar

                                        myka

                                        Updated from Built On: Tue Jan 25 07:56:16 EST 2011
                                        To New version: Sat Jan 29 18:46:16 EST 2011

                                        CA is lost

                                        Installed packages: Open-VM-Tools and OpenVPN Client Export Utility

                                          jimp Rebel Alliance Developer Netgate

                                          For those of you still losing the CA, can you go into the config history as described earlier in this thread and do a diff between each revision and find the one that loses the CA again? I suspect the step is the same but I'm hoping after the changes I made that something is slightly different. (Be sure to edit out the CA's crt/key fields before posting the diff here)

                                          1 Reply Last reply Reply Quote 0
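jimp's request above (diff each config revision to find the one that loses the CA, with the crt/key fields edited out before posting) can be scripted. This is an added example, not part of the thread or of pfSense: it assumes top-level `<ca>`/`<cert>` entries and a `<revision>` block as seen in the diffs on this page, plus a `<description>` field in `<revision>`, and it runs on constructed sample revisions.

```python
"""Find the config revision that drops a <ca> entry; redact key material."""
import glob
import sys
import xml.etree.ElementTree as ET

SECRET_TAGS = ("crt", "prv")  # certificate and private-key fields

def ca_refids(root):
    """refids of the top-level <ca> entries in one config revision."""
    return {ca.findtext("refid") for ca in root.findall("ca")}

def revision_info(root):
    rev = root.find("revision")
    return {
        "time": int(rev.findtext("time")),
        "username": rev.findtext("username"),
        # <description> is an assumption; it is not visible in the page's diffs
        "description": (rev.findtext("description") or "").strip(),
    }

def first_ca_loss(xml_texts):
    """Return (older, newer, lost_refids) for the first adjacent pair of
    revisions where a CA present in the older one is missing in the newer."""
    roots = sorted((ET.fromstring(t) for t in xml_texts),
                   key=lambda r: int(r.findtext("revision/time")))
    for older, newer in zip(roots, roots[1:]):
        lost = ca_refids(older) - ca_refids(newer)
        if lost:
            return revision_info(older), revision_info(newer), lost
    return None

def redact(xml_text):
    """Blank <crt>/<prv> under every <ca> and <cert> before sharing a config."""
    root = ET.fromstring(xml_text)
    for section in ("ca", "cert"):
        for entry in root.findall(section):
            for tag in SECRET_TAGS:
                for field in entry.findall(tag):
                    field.text = "(deleted)"
    return ET.tostring(root, encoding="unicode")

def _rev(time, user, descr, with_ca):
    """Constructed sample revision; refids and key material are made up."""
    ca = ("<ca><refid>caexample0001</refid><crt>Q0VSVA==</crt>"
          "<prv>S0VZ</prv><serial>2</serial></ca>") if with_ca else ""
    return (f"<pfsense><revision><time>{time}</time><description>{descr}"
            f"</description><username>{user}</username></revision>"
            f"<cert><refid>certexample0001</refid><crt>Q0VSVA==</crt>"
            f"<prv>S0VZ</prv></cert>{ca}</pfsense>")

# Constructed sample data, deliberately out of order; timestamps are made up.
SAMPLE = [
    _rev(1000000300, "(system)", "Installed Country Block package.", False),
    _rev(1000000100, "admin", "Saved configuration.", True),
    _rev(1000000200, "(system)", "Intermediate config write during package "
         "removal for Country Block.", False),
]

if __name__ == "__main__":
    # Pass a directory such as /conf/backup to read its config-*.xml files;
    # with no argument (or no matching files) the constructed SAMPLE is used.
    paths = glob.glob(sys.argv[1] + "/config-*.xml") if len(sys.argv) > 1 else []
    texts = [open(p, encoding="utf-8").read() for p in paths] or SAMPLE
    print(first_ca_loss(texts))
```

Run `redact()` over any revision before pasting it or a diff of it into a post, since the `<prv>` field holds the CA's private key.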
                                            dszp

                                            OK I updated from a snapshot earlier yesterday to the latest snapshot (also dated yesterday, Jan 29th). I watched the package reinstall progress. After it says All Packages Reinstalled, I viewed the Cert Manager, and the CA is still there. However, every page in the GUI now has the "Packages are currently being reinstalled in the background. Do not make changes in the GUI until this is complete." message at the top upon page load, even after I hit Close and then reload. It doesn't matter which page I go to, and everything looks normal otherwise except if I go to the Packages page, then I see the same message but instead of packages I see "Please wait while packages are reinstalled in the background."

                                            This is continuing even 15 minutes after All Packages Reinstalled showed up in the reinstall status page after the reboot.

                                            The config history starting at the bottom with the entry made after clicking Upgrade:

                                            	 1/30/11 16:06:16	 admin: Installed OpenVPN Client Export Utility package.	Current
                                            		 1/30/11 16:05:54	 admin: Intermediate config write during package install for OpenVPN Client Export Utility.	 	 	 
                                            		 1/30/11 16:05:50	 admin: Removed OpenVPN Client Export Utility package.	 	 	 
                                            		 1/30/11 16:05:49	 admin: Intermediate config write during package removal for OpenVPN Client Export Utility.	 	 	 
                                            		 1/30/11 16:05:42	 admin: Installed Open-VM-Tools package.	 	 	 
                                            		 1/30/11 16:00:56	 admin: Intermediate config write during package install for Open-VM-Tools.	 	 	 
                                            		 1/30/11 16:00:52	 admin: Removed Open-VM-Tools package.	 	 	 
                                            		 1/30/11 16:00:51	 admin: Intermediate config write during package removal for Open-VM-Tools.	 	 	 
                                            		 1/30/11 15:58:43	 admin: Creating restore point before package installation.
                                            

                                            There aren't really many changes if I Diff from top to bottom of the entries above in one fell swoop:

                                            Configuration diff from 1/30/11 15:58:43 to 1/30/11 16:06:16
                                            --- /conf/backup/config-1296421123.xml	2011-01-30 16:00:51.000000000 -0500
                                            +++ /conf/config.xml	2011-01-30 16:06:16.000000000 -0500
                                            @@ -1743,8 +1743,8 @@
                                             		<sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:show,gmirror_status-container:col1:close,installed_packages-container:col1:show,interface_statistics-container:col1:show,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:show,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:show,traffic_graphs-container:col2:show,openvpn-container:col2:none</sequence>
                                            
                                             	 <revision>-		<time>1296421123</time>
                                            -		
                                            +		<time>1296421576</time>
                                            +		
                                             		<username>admin</username></revision> 
                                             	 <openvpn>@@ -1993,6 +1993,8 @@
                                             			<config_file>http://www.pfsense.com/packages/config/openvpn-client-export/openvpn-client-export.xml</config_file>
                                             			<configurationfile>openvpn-client-export.xml</configurationfile>
                                            
                                            +		
                                            
                                            <menu>
                                            +		 <service><tab><name>Client Export</name>
                                             			<tabgroup>OpenVPN</tabgroup>
                                            
                                            So now it's just…stuck. Though it's working :-) The OpenVPN Client Export tab shows up under VPN->OpenVPN, and I assume VMware Tools is installed as well (no reason to doubt but I haven't checked. It installs before OpenVPN Client Export though and generally doesn't disappear even when OpenVPN Export does). Both packages were installed before the upgrade.
                                            
                                            After trouble yesterday, I edited the backup file I had, removed the <installedpackages> section entirely, and restored to that version (after manually uninstalling all packages from the Package Manager page). Then I installed both the VMware Tools and OpenVPN Client Export packages manually after it rebooted, and the CA was intact. Removing <installedpackages> got rid of old config options from haproxy and such that were left over from a while ago, and those have not returned. I did nothing since that restore/package reinstall except to run the auto-upgrade procedure with the results above.
                                            

                                            David Szpunar

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.