PfBlockerNG 2.1.1_5 / Pfsense 2.4
-
No other services using those ports
Using the restart command gives me:
2016-12-20 21:00:48: (network.c.603) SSL: couldn't read X509 certificate from '/var/unbound/dnsbl_cert.pem'
-
Does /var/unbound/dnsbl_cert.pem exist?
-
Yup, its there.
-
and it looks like a certificate with
-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -
Looks like this:
–---BEGIN PRIVATE KEY-----
.....
-----END PRIVATE KEY-----
-
Delete the file and do a Force Update to see if this fixes it.
-
I've confirmed that it was deleted, Force Updated and confirmed that it get recreated.
Recreates the same type of format of key with just Begin and End Private Key.
Comes up with the same couldnt read x509 certificate error as before when trying to restart
-
Can you try to use the pem from another 2.3.2 system an test with it.
-
Progress!!
Yup, that let me start the service and its showing up green now, but I'm not seeing any packets being blocked though.
****Disregard that, I see some packet drops, its working. Sweet, thank you.
-
Try http://10.10.10.1
-
Blank page and the browser title bar says 10.10.10.1 (1x1)
That correct?
-
Yes
-
Thanks again, Ron. Is this easily resolved for a permanent fix?
2.1.1_6?
-
Can't tell,
maybe we will get a patch, or another release, or back to 2.1.1_4, only BBcan177 can tell.But now we know where the problem is.
-
Can't tell,
maybe we will get a patch, or another release, or back to 2.1.1_4, only BBcan177 can tell.But now we know where the problem is.
Testing a patch now… Will update in a day or so...
-
PM sent, code changes seem to fix the problem perfectly.
-
Just wanted to chime in for the people trying to get this to work before the patch and wanted a code solution.
I at least solved this by modifying pfblockerng.inc to use a created config file. Modification were around ln 937 of pfblockerng.inc in /usr/local/pkg/pfblockerng:
before
–--------------------exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");after
–--------------------exec("echo '[req]' > request.cfg"); exec("echo 'default_bits=3072' >> request.cfg"); exec("echo 'default_md=sha256' >> request.cfg"); exec("echo 'prompt=no' >> request.cfg"); exec("echo 'distinguished_name=req_distinguished_name' >> request.cfg"); exec("echo '' >> request.cfg"); exec("echo '[req_distinguished_name]' >> request.cfg"); exec("echo 'commonName=unbound' >> request.cfg"); exec("/usr/bin/openssl req -new -x509 -config request.cfg -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes"); exec("rm -f request.cfg");I'm sure your patch does this far more gracefully however
-
I failed to post the manual fix by BBcan177 because I thought the patch would have been out relatively quickly but just realized it has been over 2 weeks since the last correspondence involving this. The following is the instructions BBcan177 gave me to test that worked perfectly.
- Backup file:
cp /usr/local/pkg/pfblockerng/pfblockerng.inc /tmp/pfblockerng.inc.bk
- Edit:
/usr/local/pkg/pfblockerng/pfblockerng.inc and remove line 937
exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");
Here is what Line 937 looks like:
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L937- Then at line 937 add the following code:
$dn = array ( 'countryName' => 'CA',
'stateOrProvinceName' => 'ST_DNSBL',
'localityName' => 'LN_DNSBL',
'organizationName' => 'ON_DNSBL',
'organizationalUnitName'=> 'OU_DNSBL',
'commonName' => 'CN_DNSBL',
'emailAddress' => 'dnsbl@dnsbl.com'
);$pkey = openssl_pkey_new();
$csr = openssl_csr_new($dn, $pkey);
$cert = openssl_csr_sign($csr, NULL, $pkey, 3650);openssl_pkey_export($pkey, $privatekey);
openssl_x509_export($cert, $publickey);
@file_put_contents("{$pfb['dnsbl_cert']}", "{$privatekey}{$publickey}", LOCK_EX);The final changes should look like this:
// Create DNSBL SSL certificate
if (!file_exists ("{$pfb['dnsbl_cert']}")) {
$log = "\nNew DNSBL cert created";
pfb_logger("{$log}", 1);//exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");
$dn = array ( 'countryName' => 'CA',
'stateOrProvinceName' => 'ST_DNSBL',
'localityName' => 'LN_DNSBL',
'organizationName' => 'ON_DNSBL',
'organizationalUnitName'=> 'OU_DNSBL',
'commonName' => 'CN_DNSBL',
'emailAddress' => 'dnsbl@dnsbl.com'
);$pkey = openssl_pkey_new();
$csr = openssl_csr_new($dn, $pkey);
$cert = openssl_csr_sign($csr, NULL, $pkey, 3650);openssl_pkey_export($pkey, $privatekey);
openssl_x509_export($cert, $publickey);
@file_put_contents("{$pfb['dnsbl_cert']}", "{$privatekey}{$publickey}", LOCK_EX);
}- Delete the old PEM file
rm /var/unbound/dnsbl_cert.pem
-
Goto Update Tab and run a "Force Update" which should rebuild the PEM file
-
Check to see if the service is running and that the DNBSL Logs are still working (Alerts Tab)
-
Manually try to restart the DNSBL Service to see if its working as expected
/usr/local/etc/rc.d/dnsbl.sh restart
-
Thank you this has now worked for me
Which I have also added to the page https://www.facebook.com/groups/pfsense.official/ to help others…
