Can't access web config pages after SSL



  • I have been using HTTPS for the web config since installing pfSense, and can access it from the web or internally.

    I have for the last year been using an SSL cert which has worked fine.  The date has now expired.

    I tried to change the certificate for a current one, and then changed the certificate in the drop-down on the web config page (where you select whether to use HTTP or HTTPS).  Since saving that page, I cannot access the web config.

    Port 22 is still open, and I can see the front via PuTTY, and have rebooted.  Still nothing; ports 80 and 443 are closed according to a port scan.
    I can still SFTP in as well.

    What's likely to have gone wrong here, and how can I rectify?

    Thanks!!



  • Console (2.2.x iirc) has a new feature to step back a config/backup/restore change, if you have access.

    Do you get your pfSense syslogs sent off to another device in which to investigate what's going on?



  • Hi. No. I don't have a syslog server running.

    I can access via SFTP, and could amend the webconfig conf file to set the port to 80, not 443, to see if this restores access?



  • I've tried changing the lighty-webConfigurator.conf file to port 80 rather than 443, and deleting the below entry:

    ## ssl configuration
    ssl.engine = "enable"
    ssl.pemfile = "/var/etc/cert.pem"

    ssl.use-sslv2 = "disable"
    ssl.cipher-list = "TLSv1+HIGH !SSLv2 RC4+MEDIUM !aNULL !eNULL !3DES @STRENGTH"
    $SERVER["socket"] == ":80" {
        $HTTP["host"] =~ "(.*)" {
            url.redirect = ( "^/(.*)" => "https://%1/$1" )
        }
    }

    As soon as I restart the web configurator from the shell, this file is restored to port 443, and the above is added again.

    Any clues?

    Thanks :-)



  • Can you get to the logs via SFTP to see what's going on?

    Have you seen these?
    https://doc.pfsense.org/index.php/Locked_out_of_the_WebGUI
    https://doc.pfsense.org/index.php/Using_the_PHP_pfSense_Shell

    You haven't said what version of pfSense you are running, so some of the above may not apply.



  • I have looked at the firewall logs, and there are no entries there that are blocking access.  I didn't touch the firewall either.

    I have looked through the https://doc.pfsense.org/index.php/Locked_out_of_the_WebGUI page; the only section there that I think applies to me (the GUI is not working, I'm not locked out as such) is the SSH tunnelling option.  I have tried (and failed) to get this working.

    The PHP Shell is something I have not used, and am cautious of using it.

    I guess I could find and inspect the XML file through SFTP.



  • Looking in the config.xml file, the web configurator section looks odd compared to those I see on the forum.

    <webgui>
      <protocol>https</protocol>
      <ssl-certref>55cefab41a7d0</ssl-certref>
      <port></port>
      <max_procs>2</max_procs>
    </webgui>

    The port is missing (expecting to see <port>443</port>, not just <port></port>)?
    Also, if I were to ditch the ssl-certref, would this cause issues?  Would it just mean no certificate in use?



  • Actually, in saying that, I have just looked at another PFS box I have access to, and that had the same <port></port> part…..
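    A pre-flight check for the <webgui> section, added here as an example and not part of the thread or of pfSense itself: it reads a config.xml (the live one or a backup you are about to copy into /cf/conf), resolves the effective port (treating an empty <port></port> as the protocol default, which is the assumption the working box above supports), and verifies that <ssl-certref> points at a <cert> whose refid exists and whose <crt>/<prv> fields decode to PEM. A dangling certificate reference is one failure mode that would leave lighttpd unable to start on 443; the thread never establishes that this is what happened here, so the check is a diagnostic, not a diagnosis. The layout of <cert> entries (refid, descr, base64 crt and prv) and the refid values other than 55cefab41a7d0 are assumptions, and the PEM bodies are placeholders, not real keys.

```python
"""Pre-flight check for the <webgui> section of a pfSense config.xml.

Added example, not pfSense code. It assumes the config.xml layout quoted in the
thread: <webgui> carries <protocol>, <ssl-certref> and <port>, and every
certificate is a <cert> element with <refid>, <descr>, <crt> and <prv>, where
<crt>/<prv> hold base64-encoded PEM (assumption based on typical pfSense backups).
"""
import base64
import xml.etree.ElementTree as ET

# Assumption: pfSense falls back to the protocol's default when <port> is empty,
# as on the working box in the thread whose <port></port> is also empty.
DEFAULT_PORT = {"http": 80, "https": 443}


def _decode_pem(blob: str) -> str:
    """Return the decoded PEM text of a base64 <crt>/<prv> field, or '' if unusable."""
    try:
        return base64.b64decode(blob.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_webgui(config_xml: str) -> dict:
    """Inspect <webgui> and report anything that would stop the GUI from coming up."""
    root = ET.fromstring(config_xml)
    report = {"protocol": None, "port": None, "certref": None, "problems": []}
    webgui = root.find("webgui")
    if webgui is None:
        report["problems"].append("no <webgui> section in config")
        return report

    protocol = (webgui.findtext("protocol") or "http").strip().lower()
    report["protocol"] = protocol
    if protocol not in DEFAULT_PORT:
        report["problems"].append(f"unknown <protocol> {protocol!r}")

    port_text = (webgui.findtext("port") or "").strip()
    if port_text:
        if port_text.isdigit() and 1 <= int(port_text) <= 65535:
            report["port"] = int(port_text)
        else:
            report["problems"].append(f"invalid <port> {port_text!r}")
    else:
        report["port"] = DEFAULT_PORT.get(protocol)  # empty <port></port>: default applies

    certref = (webgui.findtext("ssl-certref") or "").strip()
    report["certref"] = certref or None
    if protocol != "https":
        return report  # plain HTTP needs no certificate at all

    if not certref:
        report["problems"].append("https selected but <ssl-certref> is empty")
        return report

    # The reference must resolve to a <cert> whose refid matches exactly.
    cert = next((c for c in root.iter("cert")
                 if (c.findtext("refid") or "").strip() == certref), None)
    if cert is None:
        report["problems"].append(f"<ssl-certref> {certref} matches no <cert> refid")
        return report

    # Both halves of the pair must decode to PEM of the right kind.
    for tag, marker in (("crt", "CERTIFICATE"), ("prv", "PRIVATE KEY")):
        pem = _decode_pem(cert.findtext(tag) or "")
        if "-----BEGIN" not in pem or marker not in pem:
            report["problems"].append(f"<cert> {certref}: <{tag}> missing or not a {marker} PEM")
    return report


# Constructed sample inputs: the PEM bodies are placeholders, not real material.
_FAKE_CRT = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n").decode()
_FAKE_PRV = base64.b64encode(
    b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n").decode()

# Mirrors the thread's <webgui> block; the only <cert> has a different (constructed) refid,
# so the ssl-certref dangles.
BROKEN_CONFIG = f"""<pfsense>
  <webgui>
    <protocol>https</protocol>
    <ssl-certref>55cefab41a7d0</ssl-certref>
    <port></port>
    <max_procs>2</max_procs>
  </webgui>
  <cert>
    <refid>4f1d9c0ab12ef</refid>
    <descr>constructed cert entry</descr>
    <crt>{_FAKE_CRT}</crt>
    <prv>{_FAKE_PRV}</prv>
  </cert>
</pfsense>"""

# Same layout with the reference repaired to point at the existing <cert>.
GOOD_CONFIG = BROKEN_CONFIG.replace("<ssl-certref>55cefab41a7d0</ssl-certref>",
                                    "<ssl-certref>4f1d9c0ab12ef</ssl-certref>")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_webgui(cfg))
```

    Run it against the backup before copying it over the live file: an empty `problems` list and the expected port tell you the GUI section is at least internally consistent, which is cheaper than a reboot to find out.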



  • @Lectrician:

    I have looked through the https://doc.pfsense.org/index.php/Locked_out_of_the_WebGUI page; the only section there that I think applies to me (the GUI is not working, I'm not locked out as such) is the SSH tunnelling option.

    I'm a bit confused over which method you are using to access pfSense: are you using SSH to access pfSense, or the webgui on 443?

    Have you cleared down the cache in PuTTY if using SSH from Windows?
    http://tripoverit.blogspot.co.uk/2007/03/clear-puttys-cache.html

    From the webgui I had that problem recently when changing the cert, which I never solved, so I blanked and reinstalled before restoring a backup. Think that was with 2.2.3 iirc. I use browser automation for the webgui as I've not finished developing an automated SSH interface, so can't comment on whether the SSH approach will work for you or not.



  • SSH: I can connect via PuTTY and SFTP.

    The web config just does not appear (port 443 is closed on port scan).

    I have got the backup from before making changes, and may just look to restore that, I think?  Can I just rename the old config.xml file, place the backup in place of it and reboot?



  • There's an option to restore from the last 10 config changes via the console, if you haven't tried that yet, assuming you haven't made more than 10 changes.

    If not, you can restore from a backup, but you'll need to reset/reinstall pfSense first to gain access to the GUI before uploading the old XML backup, if you want to do it that way.

    I haven't spent any time looking at the problem, as it takes about 10 mins to do a wipe, fresh install and restore from backup, but off the top of my head, in my case I seem to remember the HTTP to HTTPS option being changed at the same time, which might also be a factor.



  • My config has quite a few tweaks to the PHP files, so I would prefer not to reinstall and then restore, as would have to make those changes again.

    Is simply replacing the config.xml file via SFTP not advisable?



  • OK.

    I went ahead and copied the backed-up config.xml file into the /cf/conf folder, renaming the old one.  I thought worst case, it's a fresh install if this nukes the system completely.

    After rebooting, it has worked.  Everything is back and working.

    Scared to touch the SSL certs for a bit now!  Happy to access with the red warning for a bit, until I have the inclination to attempt it again!