CA is lost after update
-
If you go to Diagnostics > Backup/Restore on the config history tab, if you do a diff between the config from before the update, and the current config, is the only difference the missing CA?
-
I've gone over the package code again and reviewed any place in the system that modifies the CA and came up empty yet again.
I tried several times in a row on a VM and an ALIX to reproduce it and still have never lost a CA when it upgrades…
-
If you go to Diagnostics > Backup/Restore on the config history tab, if you do a diff between the config from before the update, and the current config, is the only difference the missing CA?
Sorry, I don't know how to use this feature :(
1/23/11 21:07:02 (system): Installed OpenVPN Client Export Utility package. [Current]
1/23/11 21:06:40 (system): Intermediate config write during package install for OpenVPN Client Export Utility.
1/23/11 21:06:37 (system): Removed OpenVPN Client Export Utility package.
1/23/11 20:57:41 admin: /system_advanced_admin.php made unknown change
1/23/11 20:56:38 admin: /firewall_nat.php made unknown change
1/23/11 20:56:36 admin: /firewall_nat_edit.php made unknown change
1/23/11 20:43:20 admin: /system_usermanager_settings.php made unknown change
1/23/11 20:38:15 admin: Deleted CRL Test-Liste.
1/23/11 20:32:04 admin: Deleted Certificate pfsense webGUI from CRL Test-Liste
1/23/11 20:32:02 admin: Deleted Certificate Remote-User-VPN from CRL Test-Liste
1/23/11 20:31:39 admin: Revoked cert Remote-User-VPN in CRL Test-Liste.
1/23/11 20:31:32 admin: Revoked cert pfsense webGUI in CRL Test-Liste.
1/23/11 20:31:04 admin: Saved CRL Test-Liste
1/23/11 20:22:28 admin: /firewall_rules_edit.php made unknown change
1/23/11 20:22:20 admin: /firewall_rules_edit.php made unknown change
1/23/11 20:21:57 admin: /firewall_rules_edit.php made unknown change
1/23/11 20:21:33 admin: /firewall_rules_edit.php made unknown change
1/23/11 20:19:30 admin: /system_certmanager.php made unknown change
1/23/11 20:19:16 admin: /system_usermanager.php made unknown change
1/23/11 20:18:44 admin: /vpn_openvpn_server.php made unknown change
1/23/11 20:13:16 admin: /system_certmanager.php made unknown change
1/23/11 20:09:28 admin: /system_certmanager.php made unknown change
1/23/11 20:08:50 admin: /system_camanager.php made unknown change
1/23/11 20:08:10 admin: /system_camanager.php made unknown change
1/23/11 20:08:07 admin: /system_camanager.php made unknown change
1/23/11 20:07:57 admin: /system_certmanager.php made unknown change
1/23/11 20:07:34 admin: /system_usermanager.php made unknown change
1/23/11 20:07:12 admin: /vpn_openvpn_server.php made unknown change
1/23/11 20:06:51 admin: /firewall_rules.php made unknown change
1/23/11 20:06:44 admin: /firewall_rules.php made unknown change
1/23/11 20:03:21 admin: /vpn_openvpn_server.php made unknown change
-
Doesn't tell me much, really. To use the diff feature, select the "old" config in the first column of radio buttons, and the "new" config in the second column. Then press the diff button and it will show what changed between those two configuration files.
So in your case, click the radio selector (circle button) in the first column next to "1/23/11 20:57:41" and click the topmost radio selector in the second column, then press 'diff'.
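The same before/after comparison can be scripted against two saved config files, which also shows whether any certificate still references a CA that has gone missing. This is an added example, not part of the original posts and not pfSense's own code; it assumes `<ca>` and `<cert>` entries sit directly under the config root, and the sample configs and refids are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (refids are placeholders, key material omitted).
OLD_SAMPLE = """<pfsense>
  <ca><refid>ca-aaaa</refid><descr>Example-CA</descr><serial>2</serial></ca>
  <cert><refid>cert-1111</refid><caref>ca-aaaa</caref></cert>
</pfsense>"""
NEW_SAMPLE = """<pfsense>
  <cert><refid>cert-1111</refid><caref>ca-aaaa</caref></cert>
  <cert><refid>cert-2222</refid></cert>
</pfsense>"""


def cert_store(xml_text):
    """Return (set of CA refids, {cert refid: caref}) for one config.

    Assumption: <ca> and <cert> sit directly under the root element.
    """
    root = ET.fromstring(xml_text)
    cas = {(ca.findtext("refid") or "").strip() for ca in root.findall("ca")}
    certs = {
        (c.findtext("refid") or "").strip(): (c.findtext("caref") or "").strip()
        for c in root.findall("cert")
    }
    return cas, certs


def compare(old_xml, new_xml):
    """Report CAs that vanished and certs whose caref no longer resolves."""
    old_cas, _ = cert_store(old_xml)
    new_cas, new_certs = cert_store(new_xml)
    return {
        "lost_cas": sorted(old_cas - new_cas),
        "added_cas": sorted(new_cas - old_cas),
        "orphaned_certs": sorted(
            ref for ref, caref in new_certs.items()
            if caref and caref not in new_cas
        ),
    }


if __name__ == "__main__":
    for key, refs in compare(OLD_SAMPLE, NEW_SAMPLE).items():
        print(f"{key}: {', '.join(refs) or 'none'}")
```

To use it on real files, read the backup and the current config into strings and pass them to `compare`; keep the files themselves private, since they contain the CA and certificate private keys.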
-
Configuration diff from 1/23/11 20:57:41 to 1/23/11 21:07:02 --- /conf/backup/config-1295812661.xml 2011-01-23 21:06:37.000000000 +0100 +++ /conf/config.xml 2011-01-23 21:07:02.000000000 +0100 @@ -1655,9 +1655,9 @@ <traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:hide,WAN2_graph-config:show,refreshInterval=1</traffic_graphs-config> <revision>- <time>1295812661</time> - - <username>admin</username> + <time>1295813222</time> + + <username>(system)</username></revision> <openvpn><openvpn-server>@@ -1695,6 +1695,7 @@ <wins_server1>172.16.0.1</wins_server1> <wins_server2><nbdd_server1>+ <dev_mode>tun</dev_mode></nbdd_server1></wins_server2></openvpn-server></openvpn> <l7shaper>@@ -1888,13 +1889,6 @@ <ovpnallow>on</ovpnallow> - <ca>- <refid>4d3c7cc0e8548</refid> - - <crt>(deleted)</crt> - <prv>(deleted)</prv> - <serial>2</serial> -</ca> <cert><refid>4d3c7ce6de525</refid></cert></l7shaper>
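Review bot: the @@ -1888 hunk removes the whole <ca> entry with refid 4d3c7cc0e8548 in the same write that changes the <revision> username from admin to (system), so the CA was dropped by a system-initiated save rather than a GUI edit, and the <dev_mode>tun</dev_mode> line added at @@ -1695 is a second change in that interval that nobody made by hand. It is worth checking whether any remaining <cert> or OpenVPN server entry still points at refid 4d3c7cc0e8548, since this diff leaves the <cert> with refid 4d3c7ce6de525 in place.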
Hope this was correct ;-) Thanks for taking time!
-
I removed your cert data from that post since it really shouldn't be public, I just needed to know if the only thing missing was the CA, and that seems to be the case. Though I'm not sure why that extra setting popped up in the openvpn config for the tun device between those steps, since you didn't change any of the openvpn config, just the package (and it only reads, doesn't write)
-
I did a firmware update on another box but without OpenVPN Client Export Utility and without OpenVPN configured.
I created a TEST-CA - then did the update - and the TEST-CA is still there:
Configuration diff from 1/23/11 23:01:34 to 1/23/11 23:51:10 --- /conf/backup/config-1295820094.xml 2011-01-23 23:31:35.000000000 +0100 +++ /conf/config.xml 2011-01-23 23:51:10.000000000 +0100 @@ -804,7 +804,7 @@ <traffic_graphs-config>WAN_graph-config:show,LAN_graph-config:show,refreshInterval=1</traffic_graphs-config> <revision>- <time>1295820094</time> + <time>1295823070</time> <username>(system)</username></revision> @@ -1104,4 +1104,11 @@ <crt>XXXxxxXXX</crt> <prv>XXXxxxXXX</prv> + <ca>+ <refid>4d3caeb37ade1</refid> + + <crt>XXXxxxXXX</crt> + <prv>XXXxxxXXX</prv> + <serial>0</serial> +</ca>
Installed packages:
Cron
Lightsquid
squid2
-
So on that other box, if you install the client exporter and/or configure openvpn, I wonder if it gets lost.
Nothing I do (install the package, configure openvpn, etc) has lost a CA for me yet.
-
Hello again,
today I created a new CA on my first pfsense box, where I have OpenVPN and the OpenVPN Export Utility installed.
What I did:
Created a CA
Restarted the box - CA still exists
updated from:
2.0-BETA5 (i386) built on Sun Jan 23 10:30:03 EST 2011
to:
2.0-BETA5 (i386) built on Mon Jan 24 07:08:15 EST 2011
CA still exists!
This is the config history diff:
Configuration diff from 1/23/11 21:07:02 to 1/24/11 18:12:36 --- /conf/backup/config-1295813222.xml 2011-01-24 11:04:23.000000000 +0100 +++ /conf/config.xml 2011-01-24 18:12:36.000000000 +0100 @@ -1655,7 +1655,7 @@ <traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:hide,WAN2_graph-config:show,refreshInterval=1</traffic_graphs-config> <revision>- <time>1295813222</time> + <time>1295889156</time> <username>(system)</username></revision> @@ -1903,4 +1903,11 @@ <crt>XXXxxxXXX</crt> <prv>XXXxxxXXX</prv> + <ca>+ <refid>4d3db071b0917</refid> + + <crt>XXXxxxXXX</crt> + <prv>XXXxxxXXX</prv> + <serial>0</serial> +</ca>
I have got another box, where I could do a test. Any special things I should do - any ideas?
-
Restore your config from the one that had the CA disappear, then install the OpenVPN export package, and then run an update. See if it disappears there.
If it does, then something else in your config is triggering it, though I have no idea what it might be.
-
Couldn't make a cross change with the config files because of different configurations on my two boxes, but on the second box, where no OpenVPN Server or OpenVPN Export Utility was installed, I created a CA and then did an update and everything seems to be fine. CA is still there.
Don't know why but now it's okay.
-
Next Update. next loss of CA :(
Configuration diff from 1/25/11 08:36:41 to 1/25/11 08:47:56 --- /conf/backup/config-1295941001.xml 2011-01-25 08:37:17.000000000 +0100 +++ /conf/backup/config-1295941676.xml 2011-01-25 09:31:11.000000000 +0100 @@ -173,8 +173,8 @@ <time-update-interval><timeservers>0.pfsense.pool.ntp.org</timeservers> <webgui>- <protocol>http</protocol> - <ssl-certref>4d3c7ce6de525</ssl-certref> + <protocol>https</protocol> + <ssl-certref>4d3e7dac18276</ssl-certref> <port><nodnsrebindcheck><nohttpreferercheck>@@ -1618,9 +1618,9 @@ <traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:hide,WAN2_graph-config:show,refreshInterval=1</traffic_graphs-config> <revision>- <time>1295941001</time> - - <username>admin</username> + <time>1295941676</time> + + <username>(system)</username></revision> <openvpn><l7shaper>@@ -1816,17 +1816,17 @@ <cert>- <refid>4d3c7ce6de525</refid> + <refid>4d3e7dac18276</refid> - <caref>4d3c7cc0e8548</caref> - <crt>XXXxxxXXX</crt> - <prv>XXXxxxXXX</prv> + <caref>4d3e7d889b803</caref> + <crt>XXXxxxXXX</crt> + <prv>XXXxxxXXX</prv> +</cert> + <cert>+ <refid>4d3e7dcd508d4</refid> + + <caref>4d3e7d889b803</caref> + <crt>XXXxxxXXX</crt> + <prv>XXXxxxXXX</prv></cert> - <ca>- <refid>4d3e7d889b803</refid> - - <crt>XXXxxxXXX</crt> - <prv>XXXxxxXXX</prv> - <serial>0</serial> -</ca></l7shaper></openvpn></nohttpreferercheck></nodnsrebindcheck></port></webgui></time-update-interval>
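Review bot: the last hunk (@@ -1816) removes the <ca> with refid 4d3e7d889b803 while both <cert> entries left in the new config (refid 4d3e7dac18276 and 4d3e7dcd508d4) carry <caref>4d3e7d889b803</caref>, so the two certificates now point at a CA that no longer exists, and the webgui <ssl-certref> set in the @@ -173 hunk points at one of them. A consistency check at save time that logs or refuses a write dropping a <ca> still referenced by a caref would surface which code path performs the removal.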
-
Looks like there were a lot of other cert changes in that diff… a different WebGUI cert, different CAs, etc. Not sure what you did between one place and another there.
-
Before the update I deleted all remaining certificates. Then I created a new CA, HPA-CA, and 2 certificates, pfsense webGUI and VPM-Remote-User. Then I did the firmware update and after this the CA got lost.
Fact is, there wasn't a difference to the other config diffs (in my eyes). Perhaps I will do a complete new installation of my pfsense box with the actual snapshot.
-
My situation is the same as Nachtfalke's. Same packages. Also tried recreating the CA. It got lost again after the second update.
-
HA :)
deleted packages Open-VM-Tools and OpenVPN Client Export Utility.
Updated. CA is still there
reinstalled OpenVPN Client Export Utility then Open-VM-Tools
CA is still there
-
Yeah it seems to be something about the combination of reinstalling the OpenVPN Client Export package only during the firmware upgrade cycle that kills it.
Still no idea why…
EDIT: It's really quite puzzling because nothing in the package modifies the CA, only reads, and it doesn't do either one when installing or uninstalling.
Can someone who is able to reproduce this remove the client export package and try a couple updates without it installed? Maybe I'm barking up the wrong tree.
-
Tried in the situation where only one of those packages is installed. Either way the CA is lost.
-
How about with no packages installed?
-
Yes I already wrote. It is OK. CA is not lost when updating with NO package installed