pfSense bugtracker: Issues | https://redmine.pfsense.org/ | 2017-12-01T02:34:34Z
pfSense - Bug #8150 (Not a Bug): upgrade from 2.3* to 2.4* caused new self signed ssl cert to be ... | https://redmine.pfsense.org/issues/8150 | 2017-12-01T02:34:34Z | Oliver Schonrock (oliver@openbrackets.net)
<p>We recently upgraded several pfSense installs from 2.3.x to 2.4.y.</p>
<p>All these installs had a properly signed SSL cert installed for the webconfigurator.</p>
<p>The upgrade generated a new self signed cert (not 100% sure this is accurate, maybe it was still there from earlier install), and then selected that self signed cert rather than the proper one.</p>
<p>Because the domain uses HSTS and browsers won't allow you to make "security exceptions" for badly signed ssl certs in case of HSTS, we almost got a bit stuck. We solved it by ssh tunneling behind the upgraded install and accessing the webconfigurator from the "LAN" side.</p>
pfSense Packages - Feature #8147 (Closed): include a serial console file transfer utility like "ke... | https://redmine.pfsense.org/issues/8147 | 2017-11-30T06:36:45Z | Oliver Schonrock (oliver@openbrackets.net)
<a name="Scenario"></a>
<h3>Scenario</h3>
<p>- I updated from 2.3 => 2.4 (FreeBSD 11) and it went badly<br />- I wanted to recover my config.xml (I know I should have backed up first)<br />- I downloaded the 2.4 memstick installer and booted off that<br />- The installer gave me a lovely option (!!) to recover my config.xml from existing install<br />- This worked great, so I now have the file on one of the ramdisks (the installer USB is read only...could it be re-mounted read/write? I didn't try that)</p>
<p>How to get the config.xml off the FW box? I have serial console access only. No network. I fiddled around with getting it to recognise a second USB stick (formatted as UFS etc), lots of problems. I also tried capturing serial console output and "cat'ing" the file..but this resulted in a corrupted file.</p>
<a name="Request"></a>
<h3>Request</h3>
<p>If the installer image recovery root prompt had access to kermit: <a class="external" href="http://www.columbia.edu/kermit/ckututor.html">http://www.columbia.edu/kermit/ckututor.html</a><br />or something similar, it would have been trivial to:</p>
<p>- connect to FW box via kermit running on laptop<br />- boot the installer image<br />- do the lovely config.xml recovery<br />- run kermit on the FW box (...REQUIRES kermit to be part of the installer image...!)<br />- use kermit "send" command to send the file back to my laptop over the serial console.<br />- proceed with install, get basic operation working, and then use webconfigurator or scp/ssh to re-install the recovered config.xml</p>
<p>- might also be nice to have kermit as one of the INSTALLED packages (or at least have it available from the pfSense package repository)</p>
<a name="How-I-solved-it"></a>
<h3>How I solved it</h3>
<p>- In the end I managed to get hold of my config.xml, by booting into the semi-broken 2.3 install and saving it to USB from there (USB seemed less problematic when fully booted, rather than from installer image recovery console which has "less stuff")<br />- once the box was fully restored, I tried the kermit idea. I installed kermit with "pkg add ...fbsd_repo_url".. and .. it works like a charm! I had the recovered config.xml back on my laptop in minutes.</p>
<p>Happy to write an article on how to use Kermit for these sorts of operations (the man page is pretty scary!)</p>