Netgate Discussion Forum

    Unable to log into WebUI after 25.07 upgrade

      michmoor LAYER 8 Rebel Alliance

      I ran into this similar issue when running the BETA and that did not get addressed, but now when I go to install the 25.07 official release it reboots but the web UI loads with an error, and reviewing the nginx folder via SSH I just see the following errors.

      [25.07-RELEASE][michael@atl-fw1-inet.moore.lan]/var/log/nginx: tail error.log
      2025/05/31 15:48:09 [warn] 39761#100407: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /var/etc/nginx-webConfigurator.conf:30
      2025/05/31 15:48:09 [warn] 39761#100407: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /var/etc/nginx-webConfigurator.conf:31
      2025/06/01 03:16:35 [warn] 27381#100260: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /var/etc/nginx-webConfigurator.conf:30
      2025/06/01 03:16:35 [warn] 27381#100260: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /var/etc/nginx-webConfigurator.conf:31
      2025/06/15 12:46:21 [warn] 32781#100404: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /var/etc/nginx-webConfigurator.conf:30
      2025/06/15 12:46:21 [warn] 32781#100404: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /var/etc/nginx-webConfigurator.conf:31
      2025/06/29 18:01:48 [warn] 33039#100378: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /var/etc/nginx-webConfigurator.conf:30
      2025/06/29 18:01:48 [warn] 33039#100378: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /var/etc/nginx-webConfigurator.conf:31
      2025/08/07 17:00:01 [warn] 21689#100256: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /var/etc/nginx-webConfigurator.conf:30
      2025/08/07 17:00:01 [warn] 21689#100256: the "listen ... http2" directive is deprecated, use the "http2" directive instead in /var/etc/nginx-webConfigurator.conf:31
      
      

      488e4c3d-49d0-4f6d-8475-94858947232c-image.png

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

        stephenw10 Netgate Administrator

        Hmm, I assume you haven't made any custom changes to the nginx config there?

        Do you see that warning each time the webconfigurator is restarted?

        What are the contents of /var/etc/nginx-webConfigurator.conf?

          michmoor LAYER 8 Rebel Alliance @stephenw10

          @stephenw10
          No custom configs at all for nginx. I use pfSense as-is from the factory with no modifications to the filesystem of conf files.
          Here is the other freaky part. I cannot log in as admin. It does not take my password - the same one I've been using for years. It doesn't even take the default admin/pfsense credentials. Yet clearly my configuration is all here. I am assuming nginx has their own local database file that it uses for credentials? Admin is not working but a custom user account I created is working, but sadly that doesn't have sudo access.

          [25.07-RELEASE][michael@atl-fw1-inet.moore.lan]/var/etc: more nginx-webConfigurator.conf
          #
          # nginx configuration file
          
          pid /var/run/nginx-webConfigurator.pid;
          
          user  root wheel;
          worker_processes  6;
          error_log /dev/null;
          error_log  syslog:server=unix:/var/run/log,facility=local5;
          
          events {
              worker_connections  1024;
          }
          
          http {
                  include       /usr/local/etc/nginx/mime.types;
                  default_type  application/octet-stream;
                  add_header X-Frame-Options SAMEORIGIN;
                  server_tokens off;
          
                  sendfile        off;
          
                  access_log      syslog:server=unix:/var/run/log,facility=local5 combined;
                  keepalive_timeout 75;
                  error_page 404 /404.html;
                  error_page 500 502 503 504 /50x.html;
                  client_header_timeout 10;
          
                  server {
                          listen 10443 ssl;
                          listen [::]:10443 ssl;
                          http2 on;
          
                          ssl_certificate         /var/etc/cert.crt;
                          ssl_certificate_key     /var/etc/cert.key;
                          ssl_session_timeout     10m;
                          keepalive_timeout       70;
                          ssl_session_cache       shared:SSL:10m;
                          ssl_protocols   TLSv1.2 TLSv1.3;
                          ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
                          ssl_prefer_server_ciphers       on;
                          add_header Strict-Transport-Security "max-age=31536000";
                          add_header X-Content-Type-Options nosniff;
                          ssl_session_tickets off;
                          ssl_dhparam /etc/dh-parameters.4096;
          
                          client_max_body_size 200m;
          
                          gzip on;
                          gzip_types text/plain text/css text/javascript application/x-javascript text/xml application/xml application/xml+rss application/json;
          
                          root "/usr/local/www/";
                          location / {
                                  index  index.php index.html index.htm;
                          }
                          location ~ (\.inc$|\.orig$|\.pkgsave$) {
                                  deny all;
                                  return 403;
                          }
                          location ~ \.php$ {
                                  try_files $uri =404; #  This line closes a potential security hole
                                  # ensuring users can't execute uploaded files
                                  # see: https://forum.nginx.org/read.php?2,88845,page=3
                                  fastcgi_pass   unix:/var/run/php-fpm.socket;
                                  fastcgi_index  index.php;
                                  fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
                                  # Fix httpoxy - https://httpoxy.org/#fix-now
                                  fastcgi_param  HTTP_PROXY  "";
                                  fastcgi_read_timeout 180;
                                  fastcgi_intercept_errors on;
          
                                  include        /usr/local/etc/nginx/fastcgi_params;
                          }
                          location ~ (^/status$) {
                                  allow 127.0.0.1;
                                  deny all;
                                  fastcgi_pass   unix:/var/run/php-fpm.socket;
                                  fastcgi_index  index.php;
                                  fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
                                  # Fix httpoxy - https://httpoxy.org/#fix-now
                                  fastcgi_param  HTTP_PROXY  "";
                                  fastcgi_read_timeout 360;
                                  include        /usr/local/etc/nginx/fastcgi_params;
                          }
          
                  }
          }
          [25.07-RELEASE][michael@atl-fw1-inet.moore.lan]/var/etc:
          
          

            stephenw10 Netgate Administrator

            Hmm, that looks normal. Default except the number of worker processes which you must have increased from 2 to 6 at some point. That should be fine.

            You have console access? Can you reset the admin password? Or try restarting the webconfigurator?

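The warnings in the first post cite lines 30 and 31 of nginx-webConfigurator.conf, while the file posted above carries http2 on; as a separate directive. One way to check whether logged warnings still match the file as currently generated, as an added example (not part of the thread and not pfSense's own code), run on constructed log and config samples:

```python
import re

# Constructed sample: warnings in the format quoted in the first post.
SAMPLE_LOG = (
    '2025/06/29 18:01:48 [warn] 33039#100378: the "listen ... http2" directive is deprecated, '
    'use the "http2" directive instead in /var/etc/nginx-webConfigurator.conf:30\n'
    '2025/08/07 17:00:01 [warn] 21689#100256: the "listen ... http2" directive is deprecated, '
    'use the "http2" directive instead in /var/etc/nginx-webConfigurator.conf:31\n'
)
# Constructed configs, padded so the listen directives sit on lines 30 and 31.
PAD = "# padding\n" * 28 + "server {\n"
OLD_CONF = PAD + "listen 10443 ssl http2;\nlisten [::]:10443 ssl http2;\n}\n"
NEW_CONF = PAD + "listen 10443 ssl;\nlisten [::]:10443 ssl;\nhttp2 on;\n}\n"

WARN_RE = re.compile(
    r'^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[warn\] \d+#\d+: the "listen \.\.\. http2" '
    r'directive is deprecated.* in (?P<path>\S+):(?P<line>\d+)$'
)
# A listen directive that still carries the deprecated http2 parameter.
LISTEN_HTTP2_RE = re.compile(r'^\s*listen\b[^;#]*\bhttp2\b[^;#]*;')


def parse_warnings(log_text):
    """Return (timestamp, path, line_no) for each http2 deprecation warning."""
    hits = []
    for raw in log_text.splitlines():
        m = WARN_RE.match(raw.strip())
        if m:
            hits.append((m["ts"], m["path"], int(m["line"])))
    return hits


def classify(log_text, conf_text):
    """Per cited config line: does the current file still trigger the warning?"""
    conf = conf_text.splitlines()
    report = {}
    for ts, _path, n in parse_warnings(log_text):
        text = conf[n - 1] if 0 < n <= len(conf) else ""
        entry = report.setdefault(n, {"status": "stale", "last_seen": ts})
        entry["status"] = "current" if LISTEN_HTTP2_RE.match(text) else "stale"
        # Timestamps are YYYY/MM/DD HH:MM:SS, so string order is time order.
        entry["last_seen"] = max(entry["last_seen"], ts)
    return report


if __name__ == "__main__":
    print(classify(SAMPLE_LOG, OLD_CONF))
    print(classify(SAMPLE_LOG, NEW_CONF))
```

A line reported as stale means the warning was logged against an earlier form of the file, so the timestamp of the last warning is worth comparing with the time of the upgrade.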
              michmoor LAYER 8 Rebel Alliance @stephenw10

              @stephenw10 I do have console access right now but the account I have doesn’t have admin privileges. I can’t log into the admin account for some reason.
              How do I reset it from console?

                Gertjan @michmoor

                @michmoor said in Unable to log into WebUI after 25.07 upgrade:

                I do have console access right now but the account I have doesn’t have admin privileges. I can’t log into the admin account for some reason.

                The console is the serial (USB) or VGA/HDMI access? That doesn't use the web server at all.
                Example, if the system main password file (/etc/password) can't be accessed or is 'broken', ... that would explain a lot.

                3) Reset admin account and password
                

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                  stephenw10 Netgate Administrator

                  Yes, if the admin/root account is unavailable for some reason I'd expect to see numerous errors.

                    Gertjan @michmoor

                    @michmoor said in Unable to log into WebUI after 25.07 upgrade:

                    I am assuming nginx has their own local database file that it uses for credentials?

                    Not its own.
                    'The' System > User Password Manager. So a user like the 'admin' is present (has to be present) in the main pfSense config file:

                    9b0cf17d-25e4-4d36-8ebf-2d1a7036523e-image.png


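A check of the admin entry in a copy of the pfSense config file (config.xml), following the point above that the account has to be present there. This is an added example, not code from the thread or from pfSense; the element names (user, name, uid, bcrypt-hash, sha512-hash, disabled, expires, group, member) and the MM/DD/YYYY expiry format are assumptions based on the usual config.xml layout, and the sample fragment and hash values are constructed placeholders:

```python
import xml.etree.ElementTree as ET
from datetime import date, datetime

# Constructed fragment. Element names follow the usual pfSense config.xml layout
# (an assumption here: the page's screenshot of the file is not available).
SAMPLE = """<pfsense><system>
  <group><name>admins</name><gid>1999</gid><member>0</member></group>
  <user><name>admin</name><scope>system</scope><uid>0</uid>
    <bcrypt-hash>PLACEHOLDER-HASH</bcrypt-hash></user>
  <user><name>operator</name><scope>user</scope><uid>2000</uid>
    <bcrypt-hash>PLACEHOLDER-HASH</bcrypt-hash><expires>01/01/2020</expires></user>
</system></pfsense>"""

HASH_TAGS = ("bcrypt-hash", "sha512-hash")


def account_problems(xml_text, name="admin", today=None):
    """List reasons the named local account could be refused at login."""
    today = today or date.today()
    system = ET.fromstring(xml_text).find("system")
    if system is None:
        return ["no <system> section"]
    user = next((u for u in system.findall("user") if u.findtext("name") == name), None)
    if user is None:
        return [f"no <user> entry named {name}"]
    problems = []
    if not any((user.findtext(tag) or "").strip() for tag in HASH_TAGS):
        problems.append("no password hash stored")
    if user.find("disabled") is not None:
        problems.append("account is disabled")
    expires = (user.findtext("expires") or "").strip()
    # Assumed expiry format: MM/DD/YYYY.
    if expires and datetime.strptime(expires, "%m/%d/%Y").date() < today:
        problems.append(f"account expired on {expires}")
    if name == "admin":
        uid = (user.findtext("uid") or "").strip()
        if uid != "0":
            problems.append(f"uid is {uid or 'missing'}, expected 0")
        groups = {g.findtext("name"): g for g in system.findall("group")}
        admins = groups.get("admins")
        members = [m.text for m in admins.findall("member")] if admins is not None else []
        if uid not in members:
            problems.append("not listed in the admins group")
    return problems


if __name__ == "__main__":
    print(account_problems(SAMPLE), account_problems(SAMPLE, "operator"))
```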
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.