Backup Script Says 403: Forbidden



  • Hi all,

    based on this documentation I am trying to perform my regular backups.

    I just did cut&paste of the comands noted there (for 2.3.3 and later) but everytime when I run the last command I am getting an 403 error:

    root@ucs:~/backup/pfsense# wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(head -n 1 csrf2.txt)" https://pfsense:60443/diag_backup.php -O config-router-`date +%d%m%Y`.xml 
    --2019-04-08 22:12:05--  https://pfsense:60443/diag_backup.php
    Auflösen des Hostnamens »pfsense (pfsense)« … 192.168.9.1
    Verbindungsaufbau zu pfsense (pfsense)|192.168.9.1|:60443 … verbunden.
    WARNUNG: Dem Zertifikat von »pfsense« wird nicht vertraut.
    WARNUNG: Das Zertifikat von »»pfsense«« wurde von einem unbekannten Austeller herausgegeben.
    HTTP-Anforderung gesendet, auf Antwort wird gewartet … 403 Forbidden
    2019-04-08 22:12:05 FEHLER 403: Forbidden.
    

    English translation as far as needed:
    WARNING: Certificate is not trusted.
    WARNING: Certificate of pfsense is from an unknown issurer

    Anyone having an idea why I am getting a 403 error?

    I am getting an XML File and as far as I see it has content, but is it useable?

    Thanks for ideas!

    /KNEBB



  • The client you are running wget from is warning you that the https server you're trying to talk to doesn't have a valid cert. You will need to figure out for your client how to import the pfsense certificate and CA so that these warnings stop.



  • @KOM said in Backup Script Says 403: Forbidden:

    The client you are running wget from is warning you that the https server you're trying to talk to doesn't have a valid cert. You will need to figure out for your client how to import the pfsense certificate and CA so that these warnings stop.

    Sorry, but I do not mind about the warnings. As these are only warnings an not errors I am easily going to ignore them as my pfsense indeed uses self-signed certificates. But this is not the reason for 403 which is a server message while the warnings are a client message.

    I am wondering about 403- what part is not accessible and why?

    /KNEBB



  • Sorry, I thought the translated English was the error. Perhaps the server sends a 403 if wget does not accept its cert?

    Try switching WebGUI to http mode, edit your script accordingly and see if your problem disappears.



  • @KOM

    Sorry but SSL is for sure not the reason. 403 can happen on a non-SSL connection, too.

    Must be something else.

    /KNEBB



  • Yes, I am aware that 403 are usually for permissions issues, but would it hurt to try my test? Just taking a wild guess. Anything in the logs about your connection attempt?



  • Hi,

    your hint regarding the logs was really good. I usually check logs at first but this time I just forgot about it.

    I got this:

    Apr 8 21:20:53 	php-fpm 		/diag_backup.php: webConfigurator authentication error for user 'admin' from: 192.168.9.10
    Apr 8 21:20:53 	sshguard 	27528 	Attack from "192.168.9.10" on service 380 with danger 10.
    

    For better reading I used the backslash to skip the newline sign but then I added spaces to ident which broke up the URL parameters...
    In the end it was an escaping error. Instead of

    login=Login&username=admin...
    

    I send

    login=Login&   username=admin...
    

    Now fixed- thanks for the hint!

    /KNEBB



  • Glad to hear you got it working.


Log in to reply