Snapshot on 11th Jan 2011 GUI not work
-
System Log
Jan 14 10:23:53 php: /system_advanced_admin.php: webConfigurator configuration has changed. Restarting webConfigurator. Jan 14 10:23:53 check_reload_status: webConfigurator restart in progress Jan 14 10:23:55 php: : The command '/usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf' returned exit code '255', the output was '2011-01-14 10:23:55: (network.c.565) SSL: error:00000000:lib(0):func(0):reason(0) /var/etc/ca.pem' Jan 14 10:23:55 php: : Creating rrd update script Jan 14 10:25:14 check_reload_status: syncing firewall/var/log/lighttpd.error.log
2011-01-14 10:17:40: (log.c.166) server started 2011-01-14 10:17:46: (log.c.166) server started 2011-01-14 10:23:55: (log.c.166) server started 2011-01-14 10:25:18: (log.c.166) server started 2011-01-14 10:25:20: (log.c.166) server started -
I've been able to work around this by commenting out the following line from /var/etc/lighty-webConfigurator.conf:
ssl.ca-file = "/var/etc/ca.pem"Then, restarting lighttpd:
lighttpd -f /var/etc/lighty-webConfigurator.confIt appears that the CA cert / key pair do not survive.
-
That's the thing, with the default webgui cert there is no ca, so that line isn't there. I have no such line on mine.
-
Does /var/etc/ca.pem exist? If it does, is it empty? Or does it actually have the ca certificate in it?
-
When this issue occurs, the file ("/var/etc/ca.pem") exists and is empty. I think this is only an issue if you create your own CA and subsequently a certificate for use with the webgui.
-
When you do "ls -l /var/etc/ca.pem" does it show as 0 bytes, or does it actually have some (blank) content in it like spaces or blank lines?
-
I've made a cert from an existing CA and used it and it was OK, and I made a fresh CA and cert and used it and it was still OK… so if there is something happening it's likely related to your config in some way.
I can add some extra safety belts around writing out the CA. It already checks if it's empty (as in empty string, "") but it should probably actually be using php's empty() call instead.
-
I can't seem to reproduce this now, but IIRC, the file was 0 bytes.
-
That's the thing, with the default webgui cert there is no ca, so that line isn't there. I have no such line on mine.
JimP, like you, I have no such line in my /var/etc/lighty-webConfigurator.conf
-
JimP, like you, I have no such line in my /var/etc/lighty-webConfigurator.conf
To get the error you posted earlier, you have to have the ca line in the lighty config. If it wasn't there, you wouldn't get the error about ca.pem.
-
If I understand correctly, I should have that line in my file?
EDIT: I can't verify if it is in there because when I change the login to HTTPS I get a timeout on my browser and have to reset it using the "Set interface(s) IP address" on the console to revert back to HTTP.
-
You posted that you had an error referencing ca.pem, in order for that error to happen, you have to have a line in the lighty config file that references ca.pem.
-
It is due to a CA getting deleted. My main CA that was created to access the webgui was deleted, but I am questioning why it has been deleted on two different machines with different configurations. Wondering if it happened with one of the upgrades because it has been in there since I initially configured the firewall.
EDIT: All is working now that I recreated the CA. Thanks JimP!!
-
I've never had a CA go missing, and I have VMs with up to 10 CAs on them that I use when testing the cert manager…
-
The CA still shows up in my backup (from Nov. 1st) but doesn't show on the firewall itself config when I backed it up now. It shows the newly generated one in it, but not the old one from the Nov. 1st backup.
-
Make sure you are looking in the right spot. The CA's should be near the bottom and not under <system>- they used to be there before in really old configs but were moved quite some time ago (and the upgrade code relocated them)
They should be under their own <ca>tag, <cert>tag, and <crl>tag toward the end of the config.
I just checked in a better test to make sure an empty CA isn't written out or used. Next snapshot should have it – one was not building but the commit should make the builders start a new run.</crl></cert></ca></system>
-
If someone hitting this error wants to try and see if this helps, here's the commit:
https://rcs.pfsense.org/projects/pfsense/repos/mainline/commits/546f30caee9165f253d9ed3d84e23f03e82626d8
-
Yeah, they're showing up right where they should in the old config (backup). In the new one, these keys don't exist. The only thing I ever do is doing the updates on the pfSense. I noticed the problems on the 11th's snaps. That's when I couldn't login.
-
What is the config version on the old one, and the new one? It would be at the top of the config
<version>7.6</version> -
7.5 in the old one
7.6 in the new one
