CA is lost after update
-
When the packages reinstall there are several config writes, can someone do a diff from before the upgrade to each of those and see at exactly which step the CA disappears?
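The step-by-step comparison asked for here can be automated. The following is an added example, not part of the original post and not pfSense code: it walks backups named like the /conf/backup/config-<timestamp>.xml files in this thread, oldest first, and reports each write after which a <ca> refid is missing. It assumes <ca> and <revision> sit directly under the config root; the function names and the sample data are constructed for illustration.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Backup naming as seen in the diffs on this page: config-<unix time>.xml
BACKUP_NAME = re.compile(r"^config-(\d+)\.xml$")

def summarize(path):
    """Return (set of CA refids, revision author) for one config backup."""
    root = ET.parse(path).getroot()
    # Assumption: <ca> and <revision> are direct children of the root element.
    refids = {ca.findtext("refid", default="").strip() for ca in root.findall("ca")}
    return refids, root.findtext("revision/username", default="?")

def find_ca_loss(backup_dir):
    """Compare consecutive backups oldest-first; list writes that dropped a CA."""
    stamped = []
    for p in Path(backup_dir).iterdir():
        m = BACKUP_NAME.match(p.name)
        if m:
            stamped.append((int(m.group(1)), p))
    losses, prev_ids, prev_name = [], None, None
    for _, path in sorted(stamped):
        ids, author = summarize(path)
        if prev_ids is not None and prev_ids - ids:
            losses.append((prev_name, path.name, author, sorted(prev_ids - ids)))
        prev_ids, prev_name = ids, path.name
    return losses

def demo():
    """Run the check over three constructed backups (not real pfSense configs)."""
    ca = "<ca><refid>example-ca-1</refid><serial>2</serial></ca>"
    samples = {
        "config-100.xml": ("admin", ca),
        "config-200.xml": ("(system)", ""),  # CA dropped by this write
        "config-300.xml": ("(system)", ""),
    }
    with tempfile.TemporaryDirectory() as d:
        for name, (user, body) in samples.items():
            xml = f"<pfsense><revision><username>{user}</username></revision>{body}</pfsense>"
            Path(d, name).write_text(xml)
        return find_ca_loss(d)

if __name__ == "__main__":
    for before, after, author, missing in demo():
        print(f"{before} -> {after} by {author}: lost CA {missing}")
```

Run find_ca_loss against a copy of the backup directory; each result names the two adjacent backups, the revision author of the later one, and the refids that vanished.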
-
Tried updating when only one package, "The Country Block", is installed. CA disappeared.
Here goes the diff:
Diagnostics: Configuration History Configuration diff from 1/25/11 19:22:59 to 1/25/11 19:31:24 --- /conf/backup/config-1295976179.xml 2011-01-25 19:23:00.000000000 +0200 +++ /conf/backup/config-1295976684.xml 2011-01-25 19:33:21.000000000 +0200 @@ -794,9 +794,9 @@ <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence> <revision>- <time>1295976179</time> - - <username>admin</username> + <time>1295976684</time> + + <username>(system)</username></revision> <openvpn><openvpn-server>@@ -827,6 +827,7 @@ <netbios_enable><netbios_ntype>0</netbios_ntype> <netbios_scope>+ <dev_mode>tun</dev_mode></netbios_scope></netbios_enable></openvpn-server></openvpn> <l7shaper>@@ -855,7 +856,6 @@ <service>- <tab><menu> <menu> <name>Country Block</name> @@ -878,15 +878,13 @@ <maintainer>tom@tomschaefer.org</maintainer> <configurationfile>countryblock.xml</configurationfile> + <tab>+ <text>Settings</text> + <url>/packages/countryblock/countryblock.php</url> + <active>+</active></tab> <dhcrelay>- <ca>- <refid>4d2efa305ac2a</refid> - - <crt>(deleted)</crt> - <prv>(deleted)</prv> - <serial>2</serial> -</ca> <ppps><gateways></gateways></ppps></dhcrelay> </menu> </menu></tab></service></l7shaper>
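Review bot: The last hunk (@@ -878,15 +878,13 @@) deletes the whole <ca> element (refid 4d2efa305ac2a, serial 2) in a revision written by (system), while the other hunks only touch the revision stamp, an added <dev_mode>tun</dev_mode> under openvpn-server and the Country Block menu and tab entries. The two backups are about eight minutes apart (19:22:59 to 19:31:24), so this diff cannot show which individual write dropped the CA; a diff between consecutive backups in the history list is needed to pin the removal to one write.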
-
So if you do a diff to the config labeled "intermediate config write" does it have the CA in it? Or is it lost then?
-
CA is lost after first (system): Intermediate config write during package removal for Country Block.
Diagnostics: Configuration History Configuration diff from 1/25/11 19:23:00 to 1/25/11 19:31:04 --- /conf/backup/config-1295976180.xml 2011-01-25 19:31:04.000000000 +0200 +++ /conf/backup/config-1295976664.xml 2011-01-25 19:31:05.000000000 +0200 @@ -636,7 +636,8 @@ <descr>- <shaper>+ <shaper>+</shaper> <ipsec><preferoldsa></preferoldsa></ipsec> @@ -794,9 +795,9 @@ <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence> <revision>- <time>1295976180</time> - - <username>admin</username> + <time>1295976664</time> + + <username>(system)</username></revision> <openvpn><openvpn-server>@@ -827,12 +828,14 @@ <netbios_enable><netbios_ntype>0</netbios_ntype> <netbios_scope>+ <dev_mode>tun</dev_mode></netbios_scope></netbios_enable></openvpn-server></openvpn> <l7shaper><container></container></l7shaper> - <dnshaper>+ <dnshaper>+</dnshaper> <cert><refid>4d2efa914085f</refid> 
@@ -855,15 +858,7 @@ <service>- <tab><menu> - <menu> - <name>Country Block</name> - <tooltiptext>Country Block settings</tooltiptext> - Firewall - <configfile>countryblock.xml</configfile> - <url>/packages/countryblock/countryblock.php</url> - </menu> <package><name>Country Block</name> <website>@@ -877,16 +872,10 @@ <required_version>1.2.2</required_version> <maintainer>tom@tomschaefer.org</maintainer> <configurationfile>countryblock.xml</configurationfile> + <depends_on_package></depends_on_package></website></package> <dhcrelay>- <ca>- <refid>4d2efa305ac2a</refid> - - <crt>(deleted)</crt> - <prv>(deleted)</prv> - <serial>2</serial> -</ca> <ppps><gateways>
I see some strange lines in console:
One moment please, reinstalling package...
Trying to fech package info... Done.
tar: Error opening archive: Failed to open '/tmp/pkg_libs.tgz'
Backing up libraries...
Removing package...
-
CA is lost after first (system): Intermediate config write during package removal for Country Block.
Diagnostics: Configuration History Configuration diff from 1/25/11 19:23:00 to 1/25/11 19:31:04 --- /conf/backup/config-1295976180.xml 2011-01-25 19:31:04.000000000 +0200 +++ /conf/backup/config-1295976664.xml 2011-01-25 19:31:05.000000000 +0200 @@ -636,7 +636,8 @@ <descr>- <shaper>+ <shaper>+</shaper> <ipsec><preferoldsa></preferoldsa></ipsec> @@ -794,9 +795,9 @@ <sequence>system_information-container:col1:show,captive_portal_status-container:col1:close,carp_status-container:col1:close,cpu_graphs-container:col1:close,gateways-container:col1:close,gmirror_status-container:col1:close,installed_packages-container:col1:close,interface_statistics-container:col1:close,interfaces-container:col2:show,ipsec-container:col2:close,load_balancer_status-container:col2:close,log-container:col2:close,picture-container:col2:close,rss-container:col2:close,services_status-container:col2:close,traffic_graphs-container:col2:close</sequence> <revision>- <time>1295976180</time> - - <username>admin</username> + <time>1295976664</time> + + <username>(system)</username></revision> <openvpn><openvpn-server>@@ -827,12 +828,14 @@ <netbios_enable><netbios_ntype>0</netbios_ntype> <netbios_scope>+ <dev_mode>tun</dev_mode></netbios_scope></netbios_enable></openvpn-server></openvpn> <l7shaper><container></container></l7shaper> - <dnshaper>+ <dnshaper>+</dnshaper> <cert><refid>4d2efa914085f</refid> 
@@ -855,15 +858,7 @@ <service>- <tab><menu> - <menu> - <name>Country Block</name> - <tooltiptext>Country Block settings</tooltiptext> - Firewall - <configfile>countryblock.xml</configfile> - <url>/packages/countryblock/countryblock.php</url> - </menu> <package><name>Country Block</name> <website>@@ -877,16 +872,10 @@ <required_version>1.2.2</required_version> <maintainer>tom@tomschaefer.org</maintainer> <configurationfile>countryblock.xml</configurationfile> + <depends_on_package></depends_on_package></website></package> <dhcrelay>- <ca>- <refid>4d2efa305ac2a</refid> - - <crt>(deleted)</crt> - <prv>(deleted)</prv> - <serial>2</serial> -</ca> <ppps><gateways></gateways></ppps></dhcrelay> </menu></tab></service></cert></dnshaper></shaper></descr>
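Review bot: The <ca> element (refid 4d2efa305ac2a) is removed in the final hunk (@@ -877,16 +872,10 @@) of the same single write that removes the Country Block <menu> entry at @@ -855,15 +858,7 @@, while <cert> with refid 4d2efa914085f is still present as context at @@ -827,12 +828,14 @@. A package removal should change only the package's own menu and package entries, so the code that rewrites those sections and then saves the config is the place to check for unrelated top-level elements being dropped. The <shaper> and <dnshaper> lines also change in this diff although they have nothing to do with the package, which points the same way.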
So those two config entries that you did a diff between were right next to each other in the list? Interesting… And did you do that from the GUI or during an upgrade?
-
Those lines are one after another, and the update was done from the GUI.
-
ok, got it. One more question: Were you reinstalling the package or deleting it? (which button did you click? X? pkg? xml?)
-
On the systems where you can reproduce this problem, were they fresh installs of 2.0 or upgraded from 1.2.3?
-
ok, got it. One more question: Were you reinstalling the package or deleting it? (which button did you click? X? pkg? xml?)
This line "(system): Intermediate config write during package removal for Country Block." is written when the update is done. Then the reinstall of packages is done automatically. When I successfully updated, I did a manual remove by pressing X, then the update from the GUI, and then a manual install of packages. This way the CA was NOT lost.
The system is a fresh install of 2.0 with approx. 10 updates from the GUI after.
-
Same issue here (I opened bug 1231 about this today), and I've got just the OpenVPN Exporter installed. I explicitly backed up my config, upgraded to the absolute latest build (as of this posting), and found the CA missing.
Before the next daily release / upgrade I'll try removing the OpenVPN package and see what the result is. As a test I tried removing and installing the OpenVPN Exporter, but that didn't cause the same result.
-
Like myka said in some posts before, I didn't lose my CA if I uninstall OpenVPN Export Utility before an update. Strange …
-
Hi again,
Before the last snapshot updates I always deleted the OpenVPN Export Utility, updated pfSense, and then my CA was still there. Today I deinstalled OpenVPN Utility again, but installed the Unbound package (didn't configure anything) and then did a firmware update and …. CA disappeared.
Perhaps with the new debugging system in the new snapshot someone can find this strange behaviour.
-
That was expected. It isn't tied to the OpenVPN client export package, but having any package installed.
It's something with the package reinstall routine that happens at bootup. Though what, exactly, remains mysterious.
-
I made a commit that I suspect might make at least some difference, though I won't know for sure until the new snapshots are up.
-
On the system that was giving me the most trouble, I haven't updated in a few days. The CA was still gone from the last time I'd had the issue (I didn't reimport it). I created a new internal CA, left the two packages (OpenVPN Export and VMware Tools) installed, and rebooted. The CA I created stayed there as did both packages, after the upgrade/reboot. I'll try again in a day or two :-)
-
On the system that was giving me the most trouble, I haven't updated in a few days. The CA was still gone from the last time I'd had the issue (I didn't reimport it). I created a new internal CA, left the two packages (OpenVPN Export and VMware Tools) installed, and rebooted. The CA I created stayed there as did both packages, after the upgrade/reboot. I'll try again in a day or two :-)
I also tried the same. Then I lost the CA in the update after.
-
Has anyone tried an update to a snapshot from today, and still lost their CA? Or are you talking about things you did yesterday or before?
-
I upgraded this morning to the latest snapshot on the problem system, then upgraded again as by the time the upgrade was done the newer snapshot was ready :-) Currently on:
2.0-BETA5 (i386)
built on Fri Jan 28 05:30:15 EST 2011
And both upgrades didn't kill the CA, where they have before on this machine (this is one of the ones I sent you the config and diffs from, Jim, the pf.la…. box where it happened every time I restored configs, not just upgrades).
-
OK, if it happens again, let me know.
-
Hi,
now using 2.0-BETA5 (i386) built on Sat Jan 29 01:09:59 EST 2011 on two boxes.
box1: OpenVPN Utility installed. The last two updates were okay with no CA lost.
box2: OpenVPN Utility, cron, squid, lightsquid installed. The last two updates were okay with no CA lost, too.
Seems to be fine now. Thanks :-)