form 2.4.3 upgrade 2.4.4rc20180904 can't open gateway GUI
-
Ok, found something.
When asking for the certificate, you checked
"OCSP Must Staple: Add the OCSP Must Staple extension to the certificate."
This produces in 2.4.4 some extra config lines for nginx :
@yon-0 said in form 2.4.3 upgrade 2.4.4rc20180904 can't open gateway GUI:
ssl_stapling on;
ssl_stapling_verify on;
resolver 202.141.162.123 2001:19f0:7402:d:5400:00ff:fe2a:7fb6 1.1.1.1 2001:41d0:8:be92::1 valid=300s;
resolver_timeout 5s;
I just asked also for a stapled certificate.
So, now my nginx config shows :
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1 valid=300s;
resolver_timeout 5s;
and ... my GUI works very well.
I use the default Resolver.
You use some "other DNS".
For the time being, you have several options to get your GUI back :
Ask for a new certificate, without the OCSP Must Staple option (dunno how that can be done without GUI access ^^).
Or blow away your DNS ( these "202.141.162.123 2001:19f0:7402:d:5400:00ff:fe2a:7fb6 1.1.1.1 2001:41d0:8:be92::1" ) - this can be done with the command viconfig - or export /conf/config.xml and edit it.
Or reset to default, redo your config.
Now for plan Z :
The pfSense code (this file : /etc/inc/system.inc) doesn't set up the parameters for the "resolve" line correctly, this one :
resolver 202.141.162.123 2a05:dfc7:5::53 2001:19f0:7402:d:5400:00ff:fe2a:7fb6 1.1.1.1 2001:41d0:8:be92::1 valid=300s;
nginx recently became OCSP staple-aware, and a quick search on the net tells us :
resolver 202.141.162.123 [2a05:dfc7:5::53] [2001:19f0:7402:d:5400:00ff:fe2a:7fb6] 1.1.1.1 [2001:41d0:8:be92::1] valid=300s;
... the [] to delimit IPv6 addresses are missing !!! ( this is the bug)
( /etc/inc/system.inc needs a small edit )
So, I recap :
Use the default DNS - the resolver - and you'll be happy.
and/or
OCSP Must Staple: deactivate and ask for a new certificate - and remove the option OCSP .... in Menu System => Advanced => Admin Access
and you will get your GUI back.
-
Yes, you are smart. I deleted these IPv6 DNS IPs and now I can open the webGUI, but why can 2.4.43 work and 2.4.4 is down?
And the system shows a Crash Reporter, how do I submit it?
-
@yon-0 said in form 2.4.3 upgrade 2.4.4rc20180904 can't open gateway GUI:
I deleted these IPv6 DNS IPs and now I can open the webGUI, but why can 2.4.43 work and 2.4.4 is down?
Because 2.4.4 includes a newer "nginx" and/or pfSense exposes an option now that can handle OCSP Stapling for the GUI (and captive portal).
The integration was done without testing IPv6 resolver addresses (otherwise the author would have found the loss of the GUI right away).
No need to send over the crash report. The bug has been identified.
I'll put it on my todo list - prepare an issue on redmine here.
-
This is what I'm running right now :
Instead of the present ( pfSense 2.4.4 Release - /etc/inc/system.inc - appr line 1460 - function system_generate_nginx_config() ) :
if (($config['system']['webgui']['ocsp-staple'] == true) or
    (cert_get_ocspstaple($cert_temp['crt']) == true)) {
    $nginx_config .= "\t\tssl_stapling on;\n";
    $nginx_config .= "\t\tssl_stapling_verify on;\n";
    $nginx_config .= "\t\tresolver " . implode(" ", get_dns_nameservers()) . " valid=300s;\n";
    $nginx_config .= "\t\tresolver_timeout 5s;\n";
}
I use :
if (($config['system']['webgui']['ocsp-staple'] == true) or
    (cert_get_ocspstaple($cert_temp['crt']) == true)) {
    $nginx_resolver_list = '';
    $dns_nameservers_array = array();
    $dns_nameservers_array = get_dns_nameservers();
    foreach ($dns_nameservers_array as $dns_nameserver) {
        // nginx's resolver directive wants IPv6 addresses in brackets
        if (is_ipaddrv6($dns_nameserver))
            $nginx_resolver_list .= '[' . $dns_nameserver . '] ';
        else
            $nginx_resolver_list .= $dns_nameserver . ' ';
    }
    $nginx_config .= "\t\tssl_stapling on;\n";
    $nginx_config .= "\t\tssl_stapling_verify on;\n";
    // Use the list built above
    $nginx_config .= "\t\tresolver " . $nginx_resolver_list . " valid=300s;\n";
    $nginx_config .= "\t\tresolver_timeout 5s;\n";
}
The DNS server list obtained by get_dns_nameservers() is concatenated and separated by a space,
and IPv6 addresses are surrounded with brackets [].
Like this :
resolver 127.0.0.1 [::1] valid=300s;
nginx is happy now and doesn't blow out of the water when DNS IP's are IPv6.
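
A check for the failure described in this post, added here as an example (it is not part of the original post and not pfSense code): it scans nginx configuration text for resolver directives that carry an unbracketed IPv6 address and proposes the bracketed line. The function names and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Non-address parameters accepted by nginx's "resolver" directive.
PARAMS = ("valid=", "ipv4=", "ipv6=", "status_zone=")

def fix_token(token):
    """Return (token, changed); bare IPv6 literals come back wrapped in []."""
    if token.startswith(PARAMS) or token.startswith("["):
        return token, False              # parameter or already bracketed
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return token, False              # hostname or addr:port, leave alone
    if addr.version == 6:
        return "[" + token + "]", True
    return token, False

def check_nginx_resolvers(conf_text):
    """Return (line_no, original, corrected) for each resolver directive
    in conf_text that contains an unbracketed IPv6 address."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*resolver\s+([^;#]+);", line)
        if not m:
            continue                     # also skips resolver_timeout
        results = [fix_token(tok) for tok in m.group(1).split()]
        if any(changed for _, changed in results):
            fixed = "resolver " + " ".join(tok for tok, _ in results) + ";"
            findings.append((line_no, line.strip(), fixed))
    return findings

# Constructed sample (documentation addresses), shaped like the generated block.
SAMPLE = """\
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 192.0.2.53 2001:db8::53 [2001:db8::54] valid=300s;
        resolver_timeout 5s;
"""

if __name__ == "__main__":
    for line_no, original, corrected in check_nginx_resolvers(SAMPLE):
        print(f"line {line_no}: {original}")
        print(f"   fix: {corrected}")
```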
-
@gertjan said in form 2.4.3 upgrade 2.4.4rc20180904 can't open gateway GUI:
Instead of the present ( pfSense 2.4.4 Release - /etc/inc/system.inc - appr line 1460 - function system_generate_nginx_config() ) :
YES, has this been fixed in PF2.4.4 ?
-
@yon-0 said in form 2.4.3 upgrade 2.4.4rc20180904 can't open gateway GUI:
@gertjan said in form 2.4.3 upgrade 2.4.4rc20180904 can't open gateway GUI:
Instead of the present ( pfSense 2.4.4 Release - /etc/inc/system.inc - appr line 1460 - function system_generate_nginx_config() ) :
YES, has this been fixed in PF2.4.4 ?
My "fix" should be applied for 2.4.4 Release, nothing else.
Didn't redmine it yet, and as said here "Pfsense Bug report, where to send?", I like to have some reactions back, like, why not, yours, after you used the patch.
The bug-squash team has raised DEFCON 1 lately, they have bigger bugs to nail right now.
Anyway, these are my DNS servers right now :
which means : the two local hosts (I'm NOT sending anything else my request - I'm just using the Resolver, as simple as possible) .
Note : I did not test with DNS servers like 2001:19f0:7402:d:5400:00ff:fe2a:7fb6 and 2001:41d0:8:be92::1 : you tell me if it works ;)
-
-
Update.
Keep in mind to re patch : 2.4.4-p1 doesn't like IPv6 as DNS server addresses :
Setting up something like this and the GUI will fail to start :
-
yes, now i have to renew do it. thanks!
-
Why have they still not fixed it?
-
You saw yourself the interesting part : https://forum.netgate.com/topic/138330/pfsense-2-4-4-release-p1-is-now-available/15
I'll have a look at it tomorrow.
edit : I guess I found it :
@jimp isn't using Stapling :
if (($config['system']['webgui']['ocsp-staple'] == true) or
So this bunch of code :
$nginx_config .= "\t\tssl_stapling on;\n";
$nginx_config .= "\t\tssl_stapling_verify on;\n";
$nginx_config .= "\t\tresolver " . $nginx_resolver_list . " valid=300s;\n";
$nginx_config .= "\t\tresolver_timeout 5s;\n";
never gets executed so the issue goes unnoticed for most people.
If he did, he will find this thread interesting - all the details are here (above).
@yon-0 don't worry, consider this : you are running an even better "2.4.4-p1" version ;)
-
Done : https://redmine.pfsense.org/issues/9160
@yon-0 : ok to you ?
-
@gertjan said in form 2.4.3 upgrade 2.4.4rc20180904 can't open gateway GUI:
Done : https://redmine.pfsense.org/issues/9160
@yon-0 : ok to you ?
Very good, I think this question can only be reported clearly by you, because I don't understand code programming.
-
Jimp has applied a solution. See it here https://redmine.pfsense.org/projects/pfsense/repository/revisions/4c6e3de40f56a1bd8d978a9dd4677d0ab025b8cb