Backup Script Says 403: Forbidden

Apr 8, 2019, 8:20 PM

Hi all,

based on this documentation I am trying to perform my regular backups.

I just did cut&paste of the comands noted there (for 2.3.3 and later) but everytime when I run the last command I am getting an 403 error:

root@ucs:~/backup/pfsense# wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(head -n 1 csrf2.txt)" https://pfsense:60443/diag_backup.php -O config-router-`date +%d%m%Y`.xml 
--2019-04-08 22:12:05--  https://pfsense:60443/diag_backup.php
Auflösen des Hostnamens »pfsense (pfsense)« … 192.168.9.1
Verbindungsaufbau zu pfsense (pfsense)|192.168.9.1|:60443 … verbunden.
WARNUNG: Dem Zertifikat von »pfsense« wird nicht vertraut.
WARNUNG: Das Zertifikat von »»pfsense«« wurde von einem unbekannten Austeller herausgegeben.
HTTP-Anforderung gesendet, auf Antwort wird gewartet … 403 Forbidden
2019-04-08 22:12:05 FEHLER 403: Forbidden.

English translation as far as needed:
WARNING: Certificate is not trusted.
WARNING: Certificate of pfsense is from an unknown issurer

Anyone having an idea why I am getting a 403 error?

I am getting an XML File and as far as I see it has content, but is it useable?

Thanks for ideas!

/KNEBB

KOM · Apr 8, 2019, 8:40 PM

The client you are running wget from is warning you that the https server you're trying to talk to doesn't have a valid cert. You will need to figure out for your client how to import the pfsense certificate and CA so that these warnings stop.

Apr 8, 2019, 8:46 PM

@KOM said in Backup Script Says 403: Forbidden:

The client you are running wget from is warning you that the https server you're trying to talk to doesn't have a valid cert. You will need to figure out for your client how to import the pfsense certificate and CA so that these warnings stop.

Sorry, but I do not mind about the warnings. As these are only warnings an not errors I am easily going to ignore them as my pfsense indeed uses self-signed certificates. But this is not the reason for 403 which is a server message while the warnings are a client message.

I am wondering about 403- what part is not accessible and why?

/KNEBB

KOM · Apr 8, 2019, 8:49 PM

Sorry, I thought the translated English was the error. Perhaps the server sends a 403 if wget does not accept its cert?

Try switching WebGUI to http mode, edit your script accordingly and see if your problem disappears.

Apr 8, 2019, 8:58 PM

@KOM

Sorry but SSL is for sure not the reason. 403 can happen on a non-SSL connection, too.

Must be something else.

/KNEBB

KOM · Apr 8, 2019, 8:59 PM

Yes, I am aware that 403 are usually for permissions issues, but would it hurt to try my test? Just taking a wild guess. Anything in the logs about your connection attempt?

Apr 9, 2019, 4:14 AM

Hi,

your hint regarding the logs was really good. I usually check logs at first but this time I just forgot about it.

I got this:

Apr 8 21:20:53 	php-fpm 		/diag_backup.php: webConfigurator authentication error for user 'admin' from: 192.168.9.10
Apr 8 21:20:53 	sshguard 	27528 	Attack from "192.168.9.10" on service 380 with danger 10.

For better reading I used the backslash to skip the newline sign but then I added spaces to ident which broke up the URL parameters...
In the end it was an escaping error. Instead of

login=Login&username=admin...

I send

login=Login&   username=admin...

Now fixed- thanks for the hint!

/KNEBB

KOM · Apr 9, 2019, 12:34 PM

Glad to hear you got it working.