Restore certs and users from backup
-
Last week a SG-1000 died at a customer.
I have a valid xml backup, and tried to import it to a fresh installation on a SG-1100. I had to start over a few times to get the interfaces assignment right, and (it had to happen fast) decided to configure the interfaces manually. So I have no certs imported right now and no users. The OpenVPN server config is there ...
In "Restore" there are no choices like "Certificates" or "Users". (how) can I import the certs and users only, without importing "All"? Right now I am remote and shouldn't lose connectivity ;-)
I have full ssh and https access, just as information. Basically I only miss the ovpn-server-certificate and users. I could recreate but then I would have to deploy a new package for the vpn-users.
thanks
-
Backed-up config.xml files are meant to be restored on the same device (and you might pull it off also on an "identical" device, like a 1100 to a new 1100).
Any other (new) hardware, like a NIC or the presence of a built-in switch like the 1100: that's an official no-go.
Like backing up the Windows Registry from one PC, and then importing it on another (not 100 % identical) PC: things will go bad.
Now for the good news:
Download a good editor : here.
Use it to open the config.xml file.
See that it is a quite readable XML file.
First things first: users on a pfSense? There is the admin .... and who else? Why?
If you have a captive portal with many pre-set-up user accounts for the portal, I get it, because I have them also (using pfSense for a hotel and I'm using the captive portal).
Keep in mind that this kind of work needs some preparation, and you need to be on site. Like: prepare the device there where you are, and then you send it off to the site where it should be used.
VPN is nice for everything, and "light" admin work on pfSense.
IMHO, I'll never use it to finalize the pfSense setup itself.
Users and certs can have a relation between them. Like OpenVPN: certs used for a user are linked to the OpenVPN certificate used, and the CA used upfront.
Offering users the possibility to import users only will also (have to) import related certs. This will get messy very fast.
I never did this myself, but: you could copy the entire <users> </users> block, and the <ca> </ca> and <certs> </certs> block, and try it out.
Prepare yourself for some test-and-fail sequences.
I have been in your situation a couple of months ago, when I went from a home-built old PC pfSense firewall to a SG-4100.
I thought I would make it happen like this:
On the new 4100, I created my WAN LAN OPT1 etc, identical to my 2.6.0 setup.
I exported the config.xml (4100) and compared it with mine, the old 2.6.0 config.xml, and replaced the <interfaces> block in the 4100 file with the block I found in the 2.6.0 file.
That was ... a no go.
I finally decided to build the thing from the ground up, using the 2.6.0 file as a reference.
You can create a new OpenVPN server CA, create a new OpenVPN certificate, and a per-user OpenVPN client certificate, export those, set up the OpenVPN to use the new cert and done.
Other certificates, like for FreeRadius, can be recreated and then assigned to FreeRadius.
ACME certs can be regenerated with a click.
-
@gertjan thanks
Yes, I also assume that I could edit the xml and only import the relevant part.
The trial-and-error approach isn't exactly what I am looking for ;-)
Basically I only need the server cert for the OpenVPN server instance, and maybe 3 users with their certs, to make their VPN tunnels work again.
-
@sgw
If you have access right now, not using OpenVPN, then go click for a new CA (name it openVPN-server-CA) and a certificate (name it OpenVPN-server).
Finish the pfSense openvpn-server setup.
Now create the 3 "openvpn" users, each with their own cert.
Export them, and test one - as you can see, OpenVPN logs locally and remotely.
Plain https access comes in handy once in a while ;)
-
@sgw said in Restore certs and users from backup:
@gertjan thanks
Yes, I also assume that I could edit the xml and only import the relevant part.
The trial-and-error approach isn't exactly what I am looking for ;-)
Basically I only need the server cert for the OpenVPN server instance, and maybe 3 users with their certs, to make their VPN tunnels work again.
The certs can be converted from the old config and then added as "import existing cert" in cert manager.
The users, probably easiest to just manually add them, then assign the certs to them.
Go here:
https://www.opinionatedgeek.com/codecs/base64encoder
Paste the text from the config for each cert and key, one at a time, and convert them. Then import.
-
I would prob. rather break an arm than use a Webpage to convert my private cert key...
M$ ...
https://dmfrsecurity.com/2017/01/07/windows-base64-encoding-and-decoding-using-certutil/
https://stackoverflow.com/questions/65577255/encode-to-base64-a-specific-file-by-windows-command-line
Linux
cat <file_name> | base64
But wouldn't a decoder be needed ???
Isn't the cert stored base64-encoded in the XML?
/Bingo
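As an added example (not code from this thread, from pfSense or from Netgate), the script below does the decoding discussed above locally, so no private key is ever pasted into a web page. It reads a config.xml, base64-decodes the <crt> and <prv> fields of the <ca> and <cert> entries back into PEM, maps each <system><user> to the cert refids it references, and collects only the OpenVPN server cert, the chosen users' certs and the CA they chain to, writing key files with mode 0600. It also covers the earlier suggestion of lifting the users/CA/cert blocks out of the backup by hand, since it shows exactly which entries belong together. Assumptions: the element names and the "whole PEM, base64-encoded" storage follow pfSense's config.xml layout; SAMPLE_CONFIG, its refids, user names and PEM bodies are constructed placeholders, and the cert description "OpenVPN-server" is taken from the setup discussed in this thread.

```python
"""Pull CA/cert/key PEMs and user->cert links out of a pfSense config.xml, offline.
Added example; element names follow pfSense's config.xml layout (assumed, see lead-in).
"""
import base64
import os
import sys
import xml.etree.ElementTree as ET


def b64_pem(pem: str) -> str:
    """Encode a PEM string the way pfSense stores it in config.xml (whole text, base64)."""
    return base64.b64encode(pem.encode()).decode()


# Placeholder PEM bodies: constructed, not real certificates or keys.
FAKE_CRT = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"

# Constructed stand-in for a backup; refids, names and PEMs are made up.
SAMPLE_CONFIG = f"""<pfsense>
  <ca><refid>ca0001</refid><descr>openVPN-server-CA</descr>
      <crt>{b64_pem(FAKE_CRT)}</crt><prv>{b64_pem(FAKE_KEY)}</prv></ca>
  <cert><refid>crt0001</refid><descr>OpenVPN-server</descr><caref>ca0001</caref>
      <crt>{b64_pem(FAKE_CRT)}</crt><prv>{b64_pem(FAKE_KEY)}</prv></cert>
  <cert><refid>crt0002</refid><descr>alice-vpn</descr><caref>ca0001</caref>
      <crt>{b64_pem(FAKE_CRT)}</crt><prv>{b64_pem(FAKE_KEY)}</prv></cert>
  <cert><refid>crt0003</refid><descr>bob-vpn</descr><caref>ca0001</caref>
      <crt>{b64_pem(FAKE_CRT)}</crt></cert>
  <system>
    <user><name>admin</name><uid>0</uid></user>
    <user><name>alice</name><uid>2000</uid><cert>crt0002</cert></user>
    <user><name>bob</name><uid>2001</uid><cert>crt0003</cert></user>
  </system>
</pfsense>"""


def decode_pem(blob: str) -> str:
    """Decode one base64 field and check that what came out really is a PEM block."""
    pem = base64.b64decode(blob.strip()).decode()
    if not pem.startswith("-----BEGIN "):
        raise ValueError("decoded value is not a PEM block")
    return pem


def extract_entries(xml_text: str) -> dict:
    """Return {refid: {kind, descr, caref, crt, prv}} for every <ca> and <cert>."""
    root = ET.fromstring(xml_text)
    entries = {}
    for kind in ("ca", "cert"):
        for node in root.findall(kind):
            prv = node.findtext("prv")  # absent for cert-only entries (no key)
            entries[node.findtext("refid")] = {
                "kind": kind,
                "descr": node.findtext("descr"),
                "caref": node.findtext("caref"),
                "crt": decode_pem(node.findtext("crt")),
                "prv": decode_pem(prv) if prv else None,
            }
    return entries


def user_cert_refs(xml_text: str) -> dict:
    """Return {username: [cert refids]} from the <system><user> entries."""
    root = ET.fromstring(xml_text)
    return {u.findtext("name"): [c.text for c in u.findall("cert")]
            for u in root.findall("system/user")}


def select_bundle(xml_text: str, cert_descrs, usernames) -> dict:
    """Pick certs by description (e.g. the OpenVPN server cert) plus each listed
    user's certs, then pull in the CA(s) they chain to. Returns {filename: pem}."""
    entries = extract_entries(xml_text)
    users = user_cert_refs(xml_text)
    wanted = {r for r, e in entries.items()
              if e["kind"] == "cert" and e["descr"] in cert_descrs}
    for name in usernames:
        wanted.update(users.get(name, []))
    for refid in list(wanted):  # follow caref links up to the root CA
        caref = entries.get(refid, {}).get("caref")
        while caref and caref not in wanted:
            wanted.add(caref)
            caref = entries.get(caref, {}).get("caref")
    missing = wanted - set(entries)
    if missing:  # a user or cert points at a refid the backup does not contain
        raise KeyError(f"refids referenced but not present: {sorted(missing)}")
    files = {}
    for refid in sorted(wanted):
        e = entries[refid]
        files[f"{e['descr']}.crt"] = e["crt"]
        if e["prv"]:
            files[f"{e['descr']}.key"] = e["prv"]
    return files


def write_bundle(files: dict, outdir: str) -> None:
    """Write the PEMs out; private keys are created with mode 0600 from the start."""
    os.makedirs(outdir, exist_ok=True)
    for name, pem in files.items():
        mode = 0o600 if name.endswith(".key") else 0o644
        fd = os.open(os.path.join(outdir, name), os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)


if __name__ == "__main__":
    # usage: python extract_pfsense_pems.py [config.xml] [outdir]; defaults to the sample
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    outdir = sys.argv[2] if len(sys.argv) > 2 else "restored-pems"
    bundle = select_bundle(xml_text, {"OpenVPN-server"}, ["alice", "bob"])
    write_bundle(bundle, outdir)
    print("\n".join(sorted(bundle)))
```

Run it against the real backup with the OpenVPN server's description and the three usernames, then import the resulting .crt/.key pairs through the cert manager's "import existing" path and attach them to the manually recreated users; the decoded key files are as sensitive as the backup itself, so remove them once the import is done.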
-
@bingo600 said in Restore certs and users from backup:
I would prob. rather break an arm than use a Webpage to convert my private cert key...
How would the site know what you're using it for??
-
@jarhead said in Restore certs and users from backup:
How would the site know what you're using it for??
Have you ever looked at the info embedded in a certificate ??
/Bingo
-
@bingo600 said in Restore certs and users from backup:
@jarhead said in Restore certs and users from backup:
How would the site know what you're using it for??
Have you ever looked at the info embedded in a certificate ??
/Bingo
Yes. And?
-
If you open a ticket with us we can convert your original config so it will import into the 1100 directly. Complete with all the users and certs.
https://www.netgate.com/tac-support-request
Steve
-
@stephenw10 great, thanks!
I will consider doing so.
But you know what? The one employee using OpenVPN told me an hour ago that she doesn't even use it anymore! So I might not even need that setup anymore.
For my own administrative purposes I can simply start from scratch or even use Wireguard instead.
Thanks all for the feedback and help!