AutoConfigBackup on 2.3.1

ssc

Hello,

we had upgraded our pfsense to 2.3 and since this upgrade we can't pull backup-files (https://doc.pfsense.org/index.php/Remote_Config_Backup).
I get the cookie- and csrf-token-information. But then when I try to download the xml-File I get a 403: Forbidden Error:

/usr/bin/wget –keep-session-cookies --load-cookies /opt/pfsense-backup/cookies/cookies.txt --no-check-certificate --post-data 'Submit=download&donotbackuprrd=yes' http://<ip>/diag_backup.php -O /opt/pfsense-backup/data/config-date +%Y%m%d.xml
--2016-05-09 13:25:54--  http://<ip>/diag_backup.php
Verbindungsaufbau zu <ip>:80... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 403 Forbidden
2016-05-09 13:25:54 FEHLER 403: Forbidden.

Before the update it worked.

Our pfsense:
Version 2.3-RELEASE (amd64)
built on Mon Apr 11 18:10:34 CDT 2016
FreeBSD 10.3-RELEASE
(Intel(R) Atom(TM) CPU C2358 @ 1.74GHz )

AutoConfigBackup: Version 1.45

What can I do to work it again? Thanks.</ip></ip></ip>

jimp

Check your script against the code on the wiki again and make sure it matches exactly. It was updated a few weeks ago so compare the code closely. The code on the wiki works, I've tested it quite a bit.

ssc

Thanks for the reply.

The script matches exactly the code on the wiki. I can't see any differences:

/usr/bin/wget -qO- –keep-session-cookies --save-cookies /opt/pfsense-backup/cookies/cookies.txt --no-check-certificate http://<ip>/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.value="(.)".*/\1/' > /opt/pfsense-backup/CSRF/csrf.txt

Result: sid:f838ce72843ae08c4d9cb5a848e64beb0d4ae95a,1463559798;ip:236eda74838f1ea71c0b5d43efd038dab2ab3e62,1463559798

/usr/bin/wget -qO- --keep-session-cookies --load-cookies /opt/pfsense-backup/cookies/cookies.txt  --save-cookies /opt/pfsense-backup/cookies/cookies.txt --no-check-certificate --post-data "login=Login&usernamefld=admin&passwordfld=<password>&__csrf_magic=$(cat /opt/pfsense-backup/CSRF/csrf.txt)" http://<ip>/diag_backup.php | grep "name='__csrf_magic'" | sed 's/.value="(.)".*/\1/' > /opt/pfsense-backup/CSRF/csrf2.txt

Result: 4 Lines with: sid:f222de889f9384e93cf8fb4f0529d5f2fc60b29a,1463559815

/usr/bin/wget --keep-session-cookies --load-cookies /opt/pfsense-backup/cookies/cookies.txt --no-check-certificate --post-data 'Submit=download&donotbackuprrd=yes&__csrf_magic=$(head -n 1 /opt/pfsense-backup/CSRF/csrf2.txt)' http://<ip>/diag_backup.php -O /opt/pfsense-backup/data/<name>pfsense/config<ip>-date +%Y%m%d.xml

Result: --2016-05-18 10:24:14--  http://<ip>/diag_backup.php
Verbindungsaufbau zu <ip>:80... verbunden.
HTTP-Anforderung gesendet, warte auf Antwort... 403 Forbidden
2016-05-18 10:24:14 FEHLER 403: Forbidden.

On other pfsenses with Version 2.2.6 I can download the backup with this script. Only on pfsense with Version 2.3_1 I get this Error.</ip></ip></ip></name></ip></ip></password></ip>

jimp

That does look OK, but the same exact code works here, so perhaps it's something specific to the config on that system.

Can the 'admin' account actually access the diag_backup.php URL if you attempt to load that same URL in a web browser?

ssc

Yes, the admin account can access the URL in a browser.