form 2.4.3 upgrade 2.4.4rc20180904 can't open gateway GUI

yon 0

@gertjan

yes, you are smart. i delete these ipv6 dns ip just can open webGUI, but why 2.4.43 can work and 2.4.4 down?

and show system Crash Reporter how i submit it ?

Gertjan

@yon-0 said in form 2.4.3 upgrade 2.4.4rc20180904 can't open gateway GUI:

i delete these ipv6 dns ip just can open webGUI, but why 2.4.43 can work and 2.4.4 down?

Because 2.4.4 includes a newer "nginx" and/or pfSense exposes an option now that can handle OSCP Stapling for the GUI (and captive portal).
The integration was done without testing IPv6 resolver addresses (otherwise the author would have found the loss of the GUI right away ).

No need to send over the crash report. The bug has been identified.
I'lll put it on my todo list - prepare a Issue on redmine here.

Gertjan

This is what I'm running right now :

Instead of the present ( pfSense 2.4.4 Release - /etc/inc/system.inc - appr line 1460 - function system_generate_nginx_config() ) :

		if (($config['system']['webgui']['ocsp-staple'] == true) or
		    (cert_get_ocspstaple($cert_temp['crt']) == true)) {
			$nginx_config .= "\t\tssl_stapling on;\n";
			$nginx_config .= "\t\tssl_stapling_verify on;\n";
			$nginx_config .= "\t\tresolver " . implode(" ", get_dns_nameservers()) . " valid=300s;\n";
			$nginx_config .= "\t\tresolver_timeout 5s;\n";
		}

I use :

		if (($config['system']['webgui']['ocsp-staple'] == true) or
		    (cert_get_ocspstaple($cert_temp['crt']) == true)) {

			$nginx_resolver_list ='';
			$dns_nameservers_array = array();
			$dns_nameservers_array = get_dns_nameservers();
			foreach ($dns_nameservers_array as $dns_nameserver) {
				if (is_ipaddrv6($dns_nameserver))
					$nginx_resolver_list .= '[' . $dns_nameserver . '] ';
				else
					$nginx_resolver_list .= $dns_nameserver .' ';
			}

			$nginx_config .= "\t\tssl_stapling on;\n";
			$nginx_config .= "\t\tssl_stapling_verify on;\n";

			$nginx_config .= "\t\tresolver " . $nginx_resolver . " valid=300s;\n";
			$nginx_config .= "\t\tresolver_timeout 5s;\n";
		}

The DNS server list obtained by get_dns_nameservers() is concatenate and separated by a space,
and IPv6 addresses are surrounded with brackets [].
Like this

resolver 127.0.0.1 [::1]  valid=300s;

nginx is happy now and doesn't blow out of the water when DNS IP's are IPv6.

yon 0

@gertjan said in form 2.4.3 upgrade 2.4.4rc20180904 can't open gateway GUI:

Instead of the present ( pfSense 2.4.4 Release - /etc/inc/system.inc - appr line 1460 - function system_generate_nginx_config() ) :

YES, this is had fix in PF2.4.4 ?

Gertjan

@yon-0 said in form 2.4.3 upgrade 2.4.4rc20180904 can't open gateway GUI:

@gertjan said in form 2.4.3 upgrade 2.4.4rc20180904 can't open gateway GUI:

Instead of the present ( pfSense 2.4.4 Release - /etc/inc/system.inc - appr line 1460 - function system_generate_nginx_config() ) :

YES, this is had fix in PF2.4.4 ?

My "fix" should be applied for 2.4.4 Release, nothing else.
Didn't redmine it yet,and as said here Pfsense Bug report, where to send?, I like to have some reactions back, like, why not, yours, after you used the patch.
The bug-squash team has raised DEFCON 1 lately, they have bigger bugs to nail right now.

Anyway, these are my DNS servers right now :

which means : the two local hosts (I'm NOT sending anything else my request - I'm just using the Resolver, as simple as possible) .

Note : I did not test with DNS servers like 2001:19f0:7402:d:5400:00ff:fe2a:7fb6 and 2001:41d0:8:be92::1 : you tell me if it works ;)

yon 0

@gertjan

i done.

Gertjan

Update.

Keep in mind to re patch : 2.4.4-p1 doesn't like IPv6 as DNS server addresses :
Setting up something like this and the GUI will fail to start :

yon 0

yes, now i have to renew do it. thanks!

yon 0

why they still has no fix it?

Gertjan

You saw yourself the interesting part : https://forum.netgate.com/topic/138330/pfsense-2-4-4-release-p1-is-now-available/15

I'll have a look at it tomorrow.

edit : I guess I found it :
@jimp isn't using Stapling :

if (($config['system']['webgui']['ocsp-staple'] == true) or

So this bunch of code :

			$nginx_config .= "\t\tssl_stapling on;\n";
			$nginx_config .= "\t\tssl_stapling_verify on;\n";
			$nginx_config .= "\t\tresolver " . $nginx_resolver . " valid=300s;\n";
			$nginx_config .= "\t\tresolver_timeout 5s;\n";

never gets executed so the issue goes unnoticed for most people.
If he did, he will find this thread interesting - all the details are here(above)

@yon-0 don't worry, consider this : you are running an even better "2.4.4-p1" version ;)

Gertjan

Done : https://redmine.pfsense.org/issues/9160
@yon-0 : ok to you ?

yon 0

@gertjan said in form 2.4.3 upgrade 2.4.4rc20180904 can't open gateway GUI:

Done : https://redmine.pfsense.org/issues/9160
@yon-0 : ok to you ?

Very good, I think this question can only be reported clearly by your, because I don't understand code programming.

Gertjan

Jimp has applied a solution. See it here https://redmine.pfsense.org/projects/pfsense/repository/revisions/4c6e3de40f56a1bd8d978a9dd4677d0ab025b8cb