pfBlockerNG 2.1.1_5 / pfSense 2.4
-
Just wanted to chime in for the people trying to get this to work before the patch and wanted a code solution.
I at least solved this by modifying pfblockerng.inc to use a generated config file. The modifications were around line 937 of pfblockerng.inc in /usr/local/pkg/pfblockerng:
before
exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");
after
// Write a minimal "openssl req" config with prompt=no so the DN fields are never asked for interactively.
// request.cfg is created relative to the PHP process's current working directory.
exec("echo '[req]' > request.cfg");
exec("echo 'default_bits=3072' >> request.cfg");
exec("echo 'default_md=sha256' >> request.cfg");
exec("echo 'prompt=no' >> request.cfg");
exec("echo 'distinguished_name=req_distinguished_name' >> request.cfg");
exec("echo '' >> request.cfg");
exec("echo '[req_distinguished_name]' >> request.cfg");
exec("echo 'commonName=unbound' >> request.cfg");
// Same call as before, but driven by the config file; key and cert both go to the DNSBL PEM file.
exec("/usr/bin/openssl req -new -x509 -config request.cfg -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");
exec("rm -f request.cfg");
I'm sure your patch does this far more gracefully, however.
-
I failed to post the manual fix by BBcan177 because I thought the patch would be out relatively quickly, but I just realized it has been over 2 weeks since the last correspondence involving this. The following are the instructions BBcan177 gave me to test, which worked perfectly.
- Backup file:
cp /usr/local/pkg/pfblockerng/pfblockerng.inc /tmp/pfblockerng.inc.bk
- Edit:
/usr/local/pkg/pfblockerng/pfblockerng.inc and remove line 937
exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");
Here is what Line 937 looks like:
https://github.com/pfsense/FreeBSD-ports/blob/devel/net/pfSense-pkg-pfBlockerNG/files/usr/local/pkg/pfblockerng/pfblockerng.inc#L937
- Then at line 937 add the following code:
$dn = array(
    'countryName'            => 'CA',
    'stateOrProvinceName'    => 'ST_DNSBL',
    'localityName'           => 'LN_DNSBL',
    'organizationName'       => 'ON_DNSBL',
    'organizationalUnitName' => 'OU_DNSBL',
    'commonName'             => 'CN_DNSBL',
    'emailAddress'           => 'dnsbl@dnsbl.com'
);
$pkey = openssl_pkey_new();                          // new private key (type/size from openssl.cnf defaults)
$csr  = openssl_csr_new($dn, $pkey);                 // CSR carrying the DN above
$cert = openssl_csr_sign($csr, NULL, $pkey, 3650);   // self-signed (no CA cert), valid for 3650 days
openssl_pkey_export($pkey, $privatekey);             // unencrypted PEM private key
openssl_x509_export($cert, $publickey);              // PEM certificate
// Key first, then certificate, in the single PEM file the DNSBL service reads
@file_put_contents("{$pfb['dnsbl_cert']}", "{$privatekey}{$publickey}", LOCK_EX);
The final changes should look like this:
// Create DNSBL SSL certificate
if (!file_exists("{$pfb['dnsbl_cert']}")) {
    $log = "\nNew DNSBL cert created";
    pfb_logger("{$log}", 1);
    //exec("/usr/bin/openssl req -new -x509 -keyout {$pfb['dnsbl_cert']} -out {$pfb['dnsbl_cert']} -days 3650 -nodes");
    $dn = array(
        'countryName'            => 'CA',
        'stateOrProvinceName'    => 'ST_DNSBL',
        'localityName'           => 'LN_DNSBL',
        'organizationName'       => 'ON_DNSBL',
        'organizationalUnitName' => 'OU_DNSBL',
        'commonName'             => 'CN_DNSBL',
        'emailAddress'           => 'dnsbl@dnsbl.com'
    );
    $pkey = openssl_pkey_new();                          // new private key (type/size from openssl.cnf defaults)
    $csr  = openssl_csr_new($dn, $pkey);                 // CSR carrying the DN above
    $cert = openssl_csr_sign($csr, NULL, $pkey, 3650);   // self-signed (no CA cert), valid for 3650 days
    openssl_pkey_export($pkey, $privatekey);             // unencrypted PEM private key
    openssl_x509_export($cert, $publickey);              // PEM certificate
    // Key first, then certificate, in the single PEM file the DNSBL service reads
    @file_put_contents("{$pfb['dnsbl_cert']}", "{$privatekey}{$publickey}", LOCK_EX);
}
- Delete the old PEM file
rm /var/unbound/dnsbl_cert.pem
-
Go to the Update tab and run a "Force Update", which should rebuild the PEM file
-
Check to see if the service is running and that the DNSBL logs are still working (Alerts tab)
-
Manually try to restart the DNSBL service to see if it's working as expected
/usr/local/etc/rc.d/dnsbl.sh restart
-
Thank you, this has now worked for me.
I have also added it to the page https://www.facebook.com/groups/pfsense.official/ to help others…
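As an added example (not code from this thread or from pfBlockerNG itself), the same non-interactive key-and-certificate generation done from the shell with -subj instead of a temporary config file, followed by a check that the resulting combined PEM really contains a private key plus a currently valid certificate whose public key matches it. The check goes beyond what the thread does: it is what you would run on /var/unbound/dnsbl_cert.pem after the "Force Update" step to confirm the file was rebuilt correctly. The DN values mirror the PHP fix above; the function names and the temporary-directory layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example: not from the thread or from pfBlockerNG itself.
# Generates the combined key+certificate PEM non-interactively and checks it.
# Function names and the temp-directory layout are assumptions for illustration.
set -eu

# Same DN as the PHP fix in the thread
DN="/C=CA/ST=ST_DNSBL/L=LN_DNSBL/O=ON_DNSBL/OU=OU_DNSBL/CN=CN_DNSBL"

# gen_dnsbl_pem PEMFILE: write an unencrypted private key followed by a
# self-signed certificate into PEMFILE. -subj replaces the interactive DN
# prompts that exec() cannot answer; -batch makes sure nothing else prompts.
gen_dnsbl_pem() {
    pem="$1"
    tmp=$(mktemp -d)
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -batch \
        -subj "$DN" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    # Key first, then certificate, in one file; umask 077 so the private key
    # inside is not world-readable from the moment the file is created.
    ( umask 077; cat "$tmp/key.pem" "$tmp/cert.pem" > "$pem" )
    rm -rf "$tmp"
}

# check_dnsbl_pem PEMFILE: return 0 only if the file holds a private key and a
# not-yet-expired certificate whose public key belongs to that private key.
check_dnsbl_pem() {
    pem="$1"
    grep -q 'BEGIN.*PRIVATE KEY' "$pem" || return 1
    grep -q 'BEGIN CERTIFICATE' "$pem" || return 1
    # certificate block parses and is not already expired
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || return 1
    # public key derived from the private key must equal the one in the cert
    kpub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Usage on the firewall, after removing the old file as the thread describes:
#   gen_dnsbl_pem /var/unbound/dnsbl_cert.pem && check_dnsbl_pem /var/unbound/dnsbl_cert.pem
```

Both openssl subcommands happily read a PEM file that contains more than one block (pkey skips the certificate, x509 skips the key), which is why the combined file can be checked in place without splitting it. A file that holds only a certificate, or a key and a certificate that do not belong together, fails the check.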