Netgate Discussion Forum

    CA is lost after update

    2.0-RC Snapshot Feedback and Problems - RETIRED
    88 Posts 5 Posters 39.1k Views
    • jimpJ Offline
      jimp Rebel Alliance Developer Netgate
      last edited by

      Nah what you've posted so far may be enough.

      I have just checked in a bunch of things that, while they may not fix it, may at least improve the situation in terms of logging. Hopefully the next snap will behave a bit better.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • M Offline
        myka
        last edited by

        That is strange …

        did update

        2.0-BETA5 (amd64)
        from built on Wed Jan 12 23:13:34 EST 2011
        to built on Tue Jan 18 13:16:28 EST 2011

        CA is NOT lost

        earlier tried

        2.0 BETA5 AMD64
        From: Wed Jan 12 23:13:34 EST 2011
        To new version: Mon Jan 17 23:09:19 EST 2011

        and CA was lost

        1 Reply Last reply Reply Quote 0
        • jimpJ Offline
          jimp Rebel Alliance Developer Netgate
          last edited by

          I checked in some changes to the OpenVPN Client Export package this afternoon. It's possible the fix was there and not what is coming from the snapshot being built now.

          1 Reply Last reply Reply Quote 0
          • D Offline
            dszp
            last edited by

            I left both packages installed and upgraded one of the two boxes today to the latest snapshot a few hours ago, and it did NOT delete the CA this time! Both packages remain installed. Will upgrade the other as I have time; been a bit busy today. I did set up pfSense as the new firewall at our main office today though, not just my office, and I'm deploying pfSense on two NetGate boxes to customers in the next two days as well :-)

            David Szpunar

            1 Reply Last reply Reply Quote 0
            • M Offline
              myka
              last edited by

              Me too, successfully upgraded without losing CA to

              2.0-BETA5 (amd64)
              built on Wed Jan 19 20:58:29 EST 2011

              1 Reply Last reply Reply Quote 0
              • M Offline
                myka
                last edited by

                CA is lost when updated

                2.0-BETA5 (amd64)
                from built on Wed Jan 19 20:58:29 EST 2011
                to built on Thu Jan 20 01:23:56 EST 2011

                1 Reply Last reply Reply Quote 0
                • jimpJ Offline
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  Nothing changed that would have affected that between those builds…

                  Anything in the system log? What does the config history show for the last few config revisions?

                  1 Reply Last reply Reply Quote 0
                  • N Offline
                    Nachtfalke
                    last edited by

                    Hi,

                    my CA is lost, too.

                    Updated from:
                    2.0-BETA5 (i386) built on Sun Jan 23 02:03:12 EST 2011
                    to:
                    2.0-BETA5 (i386) built on Sun Jan 23 10:30:03 EST 2011

                    Just have "OpenVPN Client Export utility" installed.

                    I read these earlier posts but didn't fully understand them all.
                    If you need some files/configs, please let me know step by step what I should do to help you.

                    1 Reply Last reply Reply Quote 0
                    • jimpJ Offline
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      If you go to Diagnostics > Backup/Restore on the config history tab, if you do a diff between the config from before the update, and the current config, is the only difference the missing CA?

                      1 Reply Last reply Reply Quote 0
                      • jimpJ Offline
                        jimp Rebel Alliance Developer Netgate
                        last edited by

                        I've gone over the package code again and reviewed any place in the system that modifies the CA and came up empty yet again.

                        I tried several times in a row on a VM and an ALIX to reproduce it and still have never lost a CA when it upgrades…

                        1 Reply Last reply Reply Quote 0
                        • N Offline
                          Nachtfalke
                          last edited by

                          @jimp:

                          If you go to Diagnostics > Backup/Restore on the config history tab, if you do a diff between the config from before the update, and the current config, is the only difference the missing CA?

                          Sorry, I don't know how to use this feature :(

                          1/23/11 21:07:02  (system): Installed OpenVPN Client Export Utility package.  Current
                          1/23/11 21:06:40  (system): Intermediate config write during package install for OpenVPN Client Export Utility.
                          1/23/11 21:06:37  (system): Removed OpenVPN Client Export Utility package.
                          1/23/11 20:57:41  admin: /system_advanced_admin.php made unknown change
                          1/23/11 20:56:38  admin: /firewall_nat.php made unknown change
                          1/23/11 20:56:36  admin: /firewall_nat_edit.php made unknown change
                          1/23/11 20:43:20  admin: /system_usermanager_settings.php made unknown change
                          1/23/11 20:38:15  admin: Deleted CRL Test-Liste.
                          1/23/11 20:32:04  admin: Deleted Certificate pfsense webGUI from CRL Test-Liste
                          1/23/11 20:32:02  admin: Deleted Certificate Remote-User-VPN from CRL Test-Liste
                          1/23/11 20:31:39  admin: Revoked cert Remote-User-VPN in CRL Test-Liste.
                          1/23/11 20:31:32  admin: Revoked cert pfsense webGUI in CRL Test-Liste.
                          1/23/11 20:31:04  admin: Saved CRL Test-Liste
                          1/23/11 20:22:28  admin: /firewall_rules_edit.php made unknown change
                          1/23/11 20:22:20  admin: /firewall_rules_edit.php made unknown change
                          1/23/11 20:21:57  admin: /firewall_rules_edit.php made unknown change
                          1/23/11 20:21:33  admin: /firewall_rules_edit.php made unknown change
                          1/23/11 20:19:30  admin: /system_certmanager.php made unknown change
                          1/23/11 20:19:16  admin: /system_usermanager.php made unknown change
                          1/23/11 20:18:44  admin: /vpn_openvpn_server.php made unknown change
                          1/23/11 20:13:16  admin: /system_certmanager.php made unknown change
                          1/23/11 20:09:28  admin: /system_certmanager.php made unknown change
                          1/23/11 20:08:50  admin: /system_camanager.php made unknown change
                          1/23/11 20:08:10  admin: /system_camanager.php made unknown change
                          1/23/11 20:08:07  admin: /system_camanager.php made unknown change
                          1/23/11 20:07:57  admin: /system_certmanager.php made unknown change
                          1/23/11 20:07:34  admin: /system_usermanager.php made unknown change
                          1/23/11 20:07:12  admin: /vpn_openvpn_server.php made unknown change
                          1/23/11 20:06:51  admin: /firewall_rules.php made unknown change
                          1/23/11 20:06:44  admin: /firewall_rules.php made unknown change
                          1/23/11 20:03:21  admin: /vpn_openvpn_server.php made unknown change
                          
                          1 Reply Last reply Reply Quote 0
                          • jimpJ Offline
                            jimp Rebel Alliance Developer Netgate
                            last edited by

                            Doesn't tell me much, really. To use the diff feature, select the "old" config in the first column of radio buttons, and the "new" config in the second column. Then press the diff button and it will show what changed between those two configuration files.

                            So in your case, click the radio selector (circle button) in the first column next to "1/23/11 20:57:41" and click the topmost radio selector in the second column, then press 'diff'.

                            1 Reply Last reply Reply Quote 0
                            • N Offline
                              Nachtfalke
                              last edited by

                              Configuration diff from 1/23/11 20:57:41 to 1/23/11 21:07:02
                              --- /conf/backup/config-1295812661.xml 2011-01-23 21:06:37.000000000 +0100
                              +++ /conf/config.xml 2011-01-23 21:07:02.000000000 +0100
                              @@ -1655,9 +1655,9 @@
                              <traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:hide,WAN2_graph-config:show,refreshInterval=1</traffic_graphs-config>
                              
                               <revision>- <time>1295812661</time>
                              - 
                              - <username>admin</username>
                              + <time>1295813222</time>
                              + 
                              + <username>(system)</username></revision> 
                               <openvpn><openvpn-server>@@ -1695,6 +1695,7 @@
                              <wins_server1>172.16.0.1</wins_server1>
                               <wins_server2><nbdd_server1>+ <dev_mode>tun</dev_mode></nbdd_server1></wins_server2></openvpn-server></openvpn> 
                               <l7shaper>@@ -1888,13 +1889,6 @@
                              <ovpnallow>on</ovpnallow>
                              
                              - <ca>- <refid>4d3c7cc0e8548</refid>
                              - 
                              - <crt>(deleted)</crt>
                              - <prv>(deleted)</prv>
                              - <serial>2</serial>
                              -</ca> 
                               <cert><refid>4d3c7ce6de525</refid></cert></l7shaper> 
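Review bot: The removal of the whole <ca> element with refid 4d3c7cc0e8548 in the @@ -1888,13 +1889,6 @@ hunk happens in a revision whose <username> changes from admin to (system), so the CA was dropped by a system-initiated config write and not by an admin action in the GUI. The <cert> with refid 4d3c7ce6de525 stays in the trailing context, so before keeping this revision check whether it or any OpenVPN entry still points at 4d3c7cc0e8548, and restore the <ca> block from /conf/backup/config-1295812661.xml if so. The added <dev_mode>tun</dev_mode> in the @@ -1695,6 +1695,7 @@ hunk is a second write in the same revision that the package install does not explain and should be traced separately.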
                              

                              Hope this was correct ;-) Thanks for taking time!

                              1 Reply Last reply Reply Quote 0
                              • jimpJ Offline
                                jimp Rebel Alliance Developer Netgate
                                last edited by

                                I removed your cert data from that post since it really shouldn't be public. I just needed to know if the only thing missing was the CA, and that seems to be the case. Though I'm not sure why that extra setting popped up in the openvpn config for the tun device between those steps, since you didn't change any of the openvpn config, just the package (and it only reads, doesn't write).

                                1 Reply Last reply Reply Quote 0
                                • N Offline
                                  Nachtfalke
                                  last edited by

                                  I did a firmware update on another box but without OpenVPN Client Export Utility and without OpenVPN configured.

                                  I created a TEST-CA - then did the update - and the TEST-CA is still there:

                                  Configuration diff from 1/23/11 23:01:34 to 1/23/11 23:51:10
                                  --- /conf/backup/config-1295820094.xml 2011-01-23 23:31:35.000000000 +0100
                                  +++ /conf/config.xml 2011-01-23 23:51:10.000000000 +0100
                                  @@ -804,7 +804,7 @@
                                  <traffic_graphs-config>WAN_graph-config:show,LAN_graph-config:show,refreshInterval=1</traffic_graphs-config>
                                  
                                   <revision>- <time>1295820094</time>
                                  + <time>1295823070</time>
                                  
                                  <username>(system)</username></revision> 
                                  @@ -1104,4 +1104,11 @@
                                  <crt>XXXxxxXXX</crt>
                                  <prv>XXXxxxXXX</prv>
                                  
                                  + <ca>+ <refid>4d3caeb37ade1</refid>
                                  + 
                                  + <crt>XXXxxxXXX</crt>
                                  + <prv>XXXxxxXXX</prv>
                                  + <serial>0</serial>
                                  +</ca> 
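Review bot: The <ca> with refid 4d3caeb37ade1 appears only as added lines in the @@ -1104,4 +1104,11 @@ hunk, which means the base revision (/conf/backup/config-1295820094.xml) predates the creation of the test CA, so this comparison spans both creating the CA and the update. To show that the update itself left the CA untouched, diff the last revision written before the update against the current config; the <ca> block should then appear as unchanged context or not at all.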
                                  
                                  

                                  Installed packages:
                                  Cron
                                  Lightsquid
                                  squid2

                                  1 Reply Last reply Reply Quote 0
                                  • jimpJ Offline
                                    jimp Rebel Alliance Developer Netgate
                                    last edited by

                                    So on that other box, if you install the client exporter and/or configure openvpn, I wonder if it gets lost.

                                    Nothing I do (install the package, configure openvpn, etc) has lost a CA for me yet.

                                    1 Reply Last reply Reply Quote 0
                                    • N Offline
                                      Nachtfalke
                                      last edited by

                                      Hello again,

                                      today I created a new CA on my first pfsense box, where I have OpenVPN and the OpenVPN Export Utility installed.

                                      What I did:
                                      Created a CA
                                      Restarted the box - CA still exists
                                      updated from:
                                      2.0-BETA5 (i386) built on Sun Jan 23 10:30:03 EST 2011
                                      to:
                                      2.0-BETA5 (i386) built on Mon Jan 24 07:08:15 EST 2011

                                      CA still exists!

                                      This is the config history diff:

                                      Configuration diff from 1/23/11 21:07:02 to 1/24/11 18:12:36
                                      --- /conf/backup/config-1295813222.xml 2011-01-24 11:04:23.000000000 +0100
                                      +++ /conf/config.xml 2011-01-24 18:12:36.000000000 +0100
                                      @@ -1655,7 +1655,7 @@
                                      <traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:hide,WAN2_graph-config:show,refreshInterval=1</traffic_graphs-config>
                                      
                                       <revision>- <time>1295813222</time>
                                      + <time>1295889156</time>
                                      
                                      <username>(system)</username></revision> 
                                      @@ -1903,4 +1903,11 @@
                                      <crt>XXXxxxXXX</crt>
                                      <prv>XXXxxxXXX</prv>
                                      
                                      + <ca>+ <refid>4d3db071b0917</refid>
                                      + 
                                      + <crt>XXXxxxXXX</crt>
                                      + <prv>XXXxxxXXX</prv>
                                      + <serial>0</serial>
                                      +</ca> 
                                      
                                      

                                      I have got another box, where I could do a test. Any special things I should do - any ideas ?

                                      1 Reply Last reply Reply Quote 0
                                      • jimpJ Offline
                                        jimp Rebel Alliance Developer Netgate
                                        last edited by

                                        Restore your config from the one that had the CA disappear, then install the OpenVPN export package, and then run an update. See if it disappears there.

                                        If it does, then something else in your config is triggering it, though I have no idea what it might be.

                                        1 Reply Last reply Reply Quote 0
                                        • N Offline
                                          Nachtfalke
                                          last edited by

                                          Couldn't make a cross change with the config files because of different configurations on my two boxes, but on the second box, where no OpenVPN Server or OpenVPN Export utility was installed, I created a CA and then did an update and everything seems to be fine. CA is still there.

                                          Don't know why but now it's okay.

                                          1 Reply Last reply Reply Quote 0
                                          • N Offline
                                            Nachtfalke
                                            last edited by

                                            Next Update. next loss of CA :(

                                            Configuration diff from 1/25/11 08:36:41 to 1/25/11 08:47:56
                                            --- /conf/backup/config-1295941001.xml 2011-01-25 08:37:17.000000000 +0100
                                            +++ /conf/backup/config-1295941676.xml 2011-01-25 09:31:11.000000000 +0100
                                            @@ -173,8 +173,8 @@
                                             <time-update-interval><timeservers>0.pfsense.pool.ntp.org</timeservers>
                                             <webgui>- <protocol>http</protocol>
                                            - <ssl-certref>4d3c7ce6de525</ssl-certref>
                                            + <protocol>https</protocol>
                                            + <ssl-certref>4d3e7dac18276</ssl-certref>
                                             <port><nodnsrebindcheck><nohttpreferercheck>@@ -1618,9 +1618,9 @@
                                            <traffic_graphs-config>WAN1_graph-config:show,LAN_graph-config:hide,WAN2_graph-config:show,refreshInterval=1</traffic_graphs-config>
                                            
                                             <revision>- <time>1295941001</time>
                                            - 
                                            - <username>admin</username>
                                            + <time>1295941676</time>
                                            + 
                                            + <username>(system)</username></revision> 
                                             <openvpn><l7shaper>@@ -1816,17 +1816,17 @@
                                            
                                             <cert>- <refid>4d3c7ce6de525</refid>
                                            + <refid>4d3e7dac18276</refid>
                                            
                                            - <caref>4d3c7cc0e8548</caref>
                                            - <crt>XXXxxxXXX</crt>
                                            - <prv>XXXxxxXXX</prv>
                                            + <caref>4d3e7d889b803</caref>
                                            + <crt>XXXxxxXXX</crt>
                                            + <prv>XXXxxxXXX</prv>
                                            +</cert> 
                                            + <cert>+ <refid>4d3e7dcd508d4</refid>
                                            + 
                                            + <caref>4d3e7d889b803</caref>
                                            + <crt>XXXxxxXXX</crt>
                                            + <prv>XXXxxxXXX</prv></cert> 
                                            - <ca>- <refid>4d3e7d889b803</refid>
                                            - 
                                            - <crt>XXXxxxXXX</crt>
                                            - <prv>XXXxxxXXX</prv>
                                            - <serial>0</serial>
                                            -</ca></l7shaper></openvpn></nohttpreferercheck></nodnsrebindcheck></port></webgui></time-update-interval> 
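Review bot: Both <cert> entries on the new side of the @@ -1816,17 +1816,17 @@ hunk (refids 4d3e7dac18276 and 4d3e7dcd508d4) carry <caref>4d3e7d889b803</caref>, yet the <ca> with refid 4d3e7d889b803 is deleted in the same hunk, so the resulting config holds certificates whose issuing CA entry no longer exists. One of them, 4d3e7dac18276, is also what the first hunk sets as the webGUI <ssl-certref>. Restore the <ca> block from /conf/backup/config-1295941001.xml and confirm every <caref> resolves to a present <ca> refid before relying on this revision.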
                                            
                                            1 Reply Last reply Reply Quote 0
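Added example (not part of the thread and not pfSense code): the manual config-history diff discussed above can be automated by comparing a pre-update backup with the current config and flagging CA entries that disappeared, plus any caref or ssl-certref that no longer resolves. The sample XML is constructed from the element names visible in the posted diffs; the <pfsense> root element and the top-level placement of <ca> and <cert> are assumptions.

```python
"""Audit two config.xml revisions for lost CAs and dangling certificate references."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample data modelled on the last diff in the thread. The key
# material is a placeholder; the <pfsense> root is an assumption.
_CA = ("<ca><refid>4d3e7d889b803</refid><crt>XXX</crt><prv>XXX</prv>"
       "<serial>0</serial></ca>")
_REST = """
  <system><webgui><protocol>https</protocol>
    <ssl-certref>4d3e7dac18276</ssl-certref></webgui></system>
  <cert><refid>4d3e7dac18276</refid><caref>4d3e7d889b803</caref>
    <crt>XXX</crt><prv>XXX</prv></cert>
  <cert><refid>4d3e7dcd508d4</refid><caref>4d3e7d889b803</caref>
    <crt>XXX</crt><prv>XXX</prv></cert>
"""
BEFORE = f"<pfsense>{_CA}{_REST}</pfsense>"   # revision saved before the update
AFTER = f"<pfsense>{_REST}</pfsense>"         # revision after the update, CA gone


def top_refids(root, tag):
    """Refids of the <tag> elements that are direct children of the root."""
    return {(e.findtext("refid") or "").strip() for e in root.findall(tag)} - {""}


def dangling(root, ref_tag, valid):
    """List (owner tag, owner refid, reference) for each <ref_tag> not in valid."""
    found = []
    for parent in root.iter():
        for child in parent:
            ref = (child.text or "").strip()
            if child.tag == ref_tag and ref and ref not in valid:
                owner = (parent.findtext("refid") or "").strip()
                found.append((parent.tag, owner, ref))
    return sorted(found)


def audit(before_xml, after_xml):
    """Compare two revisions given as XML strings and return the findings."""
    before, after = ET.fromstring(before_xml), ET.fromstring(after_xml)
    cas, certs = top_refids(after, "ca"), top_refids(after, "cert")
    return {
        "lost_ca": sorted(top_refids(before, "ca") - cas),
        "lost_cert": sorted(top_refids(before, "cert") - certs),
        "dangling_caref": dangling(after, "caref", cas),
        "dangling_certref": dangling(after, "ssl-certref", certs),
    }


if __name__ == "__main__":
    # Usage: script.py <backup.xml> <config.xml>; without arguments the
    # constructed samples above are compared instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as old, \
             open(sys.argv[2], encoding="utf-8") as new:
            findings = audit(old.read(), new.read())
    else:
        findings = audit(BEFORE, AFTER)
    for name, items in findings.items():
        print(f"{name}: {items if items else 'none'}")
    # Non-zero exit lets a pre/post-upgrade wrapper script stop on a finding.
    sys.exit(1 if any(findings.values()) else 0)
```

Run it against the backup taken just before an upgrade and the live config afterwards; only refids are printed, so the output can be shared without exposing <crt> or <prv> contents.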
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.