pfSense bugtracker: Issues
https://redmine.pfsense.org/
2024-02-26T09:51:00Z

pfSense Packages - Bug #15292 (New): Certificate renewal with 'dns_inwx.sh' not working: Error ad...
https://redmine.pfsense.org/issues/15292
2024-02-26T09:51:00Z Lorenzo Marroccoli
<p>Hello,</p>
<p>We use the Acme package to obtain a wildcard certificate for our domain. It has always worked well. <br />Lately, the renewal process has failed, as dns_inwx.sh is no longer able to add the necessary TXT record via the API of the DNS provider INWX.<br />It started failing about five days ago and since then it has failed once a day within the cron-scheduled job. I tried manual renewal via the GUI as well, with the same result.</p>
<p>The relevant log file is attached. (The domain has been redacted in the logs to somedomain.com.)</p>

pfSense Packages - Bug #15229 (New): ACME DNS-Selfhost verification issues
https://redmine.pfsense.org/issues/15229
2024-02-03T07:50:08Z STefan Graf
<p>When using Selfhost.de DNS verification and entering the requested information the renewal is not working.<br />To make it work the following amendments are required:</p>
<p>1. Update /usr/local/pkg/acme/acme.inc - line 1317</p>
<pre><code class="php syntaxhl"><span class="nv">$acme_domain_validation_method</span><span class="p">[</span><span class="s1">'dns_selfhost'</span><span class="p">]</span> <span class="o">=</span> <span class="k">array</span><span class="p">(</span><span class="s1">'name'</span> <span class="o">=></span> <span class="s2">"DNS-Selfhost"</span><span class="p">,</span>
<span class="s1">'fields'</span> <span class="o">=></span> <span class="k">array</span><span class="p">(</span>
<span class="s1">'SELFHOSTDNS_USERNAME'</span> <span class="o">=></span> <span class="k">array</span><span class="p">(</span><span class="s1">'name'</span> <span class="o">=></span> <span class="s2">"selfhostdns_username"</span><span class="p">,</span> <span class="s1">'columnheader'</span> <span class="o">=></span> <span class="s2">"Username (customer number - not email address or DynDNS account)"</span><span class="p">,</span> <span class="s1">'type'</span> <span class="o">=></span> <span class="s2">"textbox"</span><span class="p">,</span>
<span class="s1">'description'</span> <span class="o">=></span> <span class="s2">"Username"</span>
<span class="p">),</span>
<span class="s1">'SELFHOSTDNS_PASSWORD'</span> <span class="o">=></span> <span class="k">array</span><span class="p">(</span><span class="s1">'name'</span> <span class="o">=></span> <span class="s2">"selfhostdns_password"</span><span class="p">,</span> <span class="s1">'columnheader'</span> <span class="o">=></span> <span class="s2">"Password"</span><span class="p">,</span> <span class="s1">'type'</span> <span class="o">=></span> <span class="s2">"password"</span><span class="p">,</span>
<span class="s1">'description'</span> <span class="o">=></span> <span class="s2">"Password"</span>
<span class="p">),</span>
<span class="s1">'SELFHOSTDNS_MAP'</span> <span class="o">=></span> <span class="k">array</span><span class="p">(</span><span class="s1">'name'</span> <span class="o">=></span> <span class="s2">"selfhostdns_map"</span><span class="p">,</span> <span class="s1">'columnheader'</span> <span class="o">=></span> <span class="s2">"RecordID (found in brackets when editing the record)"</span><span class="p">,</span> <span class="s1">'type'</span> <span class="o">=></span> <span class="s2">"textbox"</span><span class="p">,</span>
<span class="s1">'description'</span> <span class="o">=></span> <span class="s2">"SELFHOSTDNS_MAP"</span>
<span class="p">)</span>
<span class="p">));</span>
</code></pre>
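The conversion that item 2 of this report calls for (a '#' in the password becoming '%23') is RFC 3986 percent-encoding, and it has to be applied to every value that is spliced into a query string, not just to one character. The following is an added example, not code from the pfSense ACME package or from acme.sh: a portable sh function that percent-encodes a value, and a request builder that uses it. The host name and parameter names in the request are assumptions for the demo, not Selfhost.de's real API.

```shell
#!/bin/sh
# Added example (not from pfSense or acme.sh): percent-encode a credential
# before embedding it in a URL, so '#', '&', '=' or a space cannot truncate
# or alter the request.

url_encode() {
    # Prints the percent-encoded form of $1. RFC 3986 unreserved bytes
    # (A-Z a-z 0-9 - . _ ~) pass through; every other byte becomes %XX.
    printf '%s' "$1" | od -An -v -tx1 | tr ' ' '\n' | grep -v '^$' |
    while read -r hex; do
        case "$hex" in
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
                # unreserved: print the byte itself via an octal escape
                printf "\\$(printf '%03o' "0x$hex")" ;;
            *)
                # everything else: %XX with uppercase hex digits
                printf '%%%s' "$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
        esac
    done
}

build_update_url() {
    # Builds a hypothetical DNS-update request from user, password and TXT
    # value. Host and parameter names are made up for the example.
    printf 'https://dns.example.invalid/update?user=%s&pass=%s&txt=%s' \
        "$(url_encode "$1")" "$(url_encode "$2")" "$(url_encode "$3")"
}

# Demo: without encoding, the '#' would turn the rest of the password into
# a URL fragment and the '&' would start a new parameter.
build_update_url 'customer123' 'p#ss&w rd' 'acme-challenge-token'
printf '\n'
```

The byte-wise loop is deliberately not locale dependent, so a non-ASCII character in the password is encoded as its UTF-8 bytes, which is what a web API expects.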
<p>2. Additionally, the password requires conversion so as not to break the URL syntax.<br /> For example, the letter '#' needs to be converted to '%23'.</p>

pfSense - Bug #15134 (Incomplete): Post upgrade to 2.7.2 - Change in alias name stops all traffic
https://redmine.pfsense.org/issues/15134
2024-01-03T11:03:01Z Rajko Bogdanovic (rajko@itroom-a.com)
<p>After installing the last 2.7.2 release, when we edited an alias name, that rule stopped working, and all traffic was blocked from that point until a full reboot was done. <br />Once rebooted, the old NAT/access rules are working again using the new alias.</p>

pfSense Packages - Bug #15061 (New): acme.sh nsupdate with challengealias is failing
https://redmine.pfsense.org/issues/15061
2023-12-04T17:57:02Z Seyfidin Hamraoui
<p>When using nsupdate with challengealias the wrong filename is used, therefore the script fails.</p>
<pre><code class="shell syntaxhl"><span class="o">[</span>Mon Dec 4 03:48:50 CET 2023] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
<span class="o">[</span>Mon Dec 4 03:48:50 CET 2023] Using pre generated key: /tmp/acme/domain/domain.de/domain.de.key.next
<span class="o">[</span>Mon Dec 4 03:48:50 CET 2023] Generate next pre-generate key.
<span class="o">[</span>Mon Dec 4 03:48:51 CET 2023] Single <span class="nv">domain</span><span class="o">=</span><span class="s1">'domain.de'</span>
<span class="o">[</span>Mon Dec 4 03:48:51 CET 2023] Getting domain auth token <span class="k">for </span>each domain
<span class="o">[</span>Mon Dec 4 03:48:54 CET 2023] Getting webroot <span class="k">for </span><span class="nv">domain</span><span class="o">=</span><span class="s1">'domain.de'</span>
<span class="o">[</span>Mon Dec 4 03:48:54 CET 2023] Adding txt value: gVr0HUKsGuBvrO7Iz-Ks-hfVuo0YAU0qBilM1cj6fW8 <span class="k">for </span>domain: dns.domain.de
<span class="o">[</span>Mon Dec 4 03:48:54 CET 2023] key /tmp/acme/DOMAIN/domain.densupdatedns.domain.de.key is unreadable
<span class="o">[</span>Mon Dec 4 03:48:54 CET 2023] Error add txt <span class="k">for </span>domain:dns.domain.de
<span class="o">[</span>Mon Dec 4 03:48:54 CET 2023] Please check log file <span class="k">for </span>more details: /tmp/acme/DOMAIN/acme_issuecert.log
</code></pre>
<p>Expected correct filename => /tmp/acme/DOMAIN/domain.densupdatedns.domain.de.key<br />Actual wrong filename => /tmp/acme/DOMAIN/domain.densupdate_acme-challenge.dns.domain.de.key</p>
<p><a class="external" href="https://github.com/pfsense/FreeBSD-ports/pull/1330">https://github.com/pfsense/FreeBSD-ports/pull/1330</a></p> pfSense Packages - Bug #14815 (New): ACME.sh ingnores Certificates in Trust Storehttps://redmine.pfsense.org/issues/148152023-09-27T16:02:59ZHannes Gebhart
<p>ACME.sh does not trust the certificates in /etc/ssl/certs. This is a problem when you add a custom ACME provider. <br />Curl refuses to connect to the web address because it finds it insecure.<br />I think it relates to this problem: <a class="external" href="https://redmine.pfsense.org/issues/12737">https://redmine.pfsense.org/issues/12737</a><br />I also opened a GitHub pull request with a working fix: <a class="external" href="https://github.com/pfsense/FreeBSD-ports/pull/1299">https://github.com/pfsense/FreeBSD-ports/pull/1299</a></p>

pfSense Packages - Bug #14796 (New): ACME for domain registrar INWX in Germany
https://redmine.pfsense.org/issues/14796
2023-09-19T22:15:55Z K. K.
<p>I am using ACME with INWX in Germany and automatic renewal has worked up to (at least) 11 July 2023. The latest renewal, however, no longer worked despite no changes to the pfSense system. I got in contact with the INWX support and they said that their API now also supports HTTPS/2 while previously they only offered HTTP/1 and 1.1. Their explanation for the issue was as follows:</p>
<p>HTTP/1 and 1.1 both support uppercase parameters, whilst HTTP/2 automatically converts those to lowercase, which results in ACME being unable to store the cookie, thus losing access to the system.</p>
<p>Their initial suggestion was to update to the latest version of ACME - which I did (in one go for both pfSense to 2.7 CE and ACME to 0.7.5). Unfortunately, the problem persisted after the update, but they then provided me with a quick solution as follows:</p>
<p>In the dns_inwx.sh script there is one line, line 197, which needs to be changed slightly as follows:<br />OLD LINE: INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')")<br />NEW LINE: INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')")</p>
<p>In other words: the grep in the sequence '| grep "^Set-Cookie:" |' needs to be made case-insensitive and thus read '| grep -i "^Set-Cookie:" |'</p>
<p>After this small change, the renewal of certificates again works as before and the problem appears to be solved.</p>
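As an added example (not code from acme.sh or from the pfSense package), the two grep pipelines from the report run over constructed HTTP/1.1 and HTTP/2 response headers, which is enough to see why the case-sensitive match silently returns an empty cookie once the server lowercases header names. `grep -o` and `tail -n 1` stand in for acme.sh's `_egrep_o` and `_tail_n` helpers; the header blocks and the cookie value are made up for the demo.

```shell
#!/bin/sh
# Added example: why the INWX cookie extraction needs a case-insensitive
# match on the header name. Both header blocks are constructed; the
# domrobot value is a placeholder, not a real session id.

# What an HTTP/1.1 server sends: header names as written by the application.
HDR_HTTP1='HTTP/1.1 200 OK
Content-Type: application/json
Set-Cookie: domrobot=0123456789abcdef; Path=/; HttpOnly; Secure'

# The same response over HTTP/2: field names are lowercase on the wire, and
# curl writes them into the header dump file exactly as received.
HDR_HTTP2='HTTP/2 200
content-type: application/json
set-cookie: domrobot=0123456789abcdef; path=/; httponly; secure'

inwx_cookie_old() {
    # Case-sensitive match, as in the reporter's "OLD LINE".
    printf 'Cookie: %s' "$(printf '%s\n' "$1" | grep 'domrobot=' \
        | grep '^Set-Cookie:' | tail -n 1 | grep -o 'domrobot=[^;]*;' | tr -d ';')"
}

inwx_cookie_new() {
    # Case-insensitive match on the header name, as in the "NEW LINE".
    printf 'Cookie: %s' "$(printf '%s\n' "$1" | grep 'domrobot=' \
        | grep -i '^Set-Cookie:' | tail -n 1 | grep -o 'domrobot=[^;]*;' | tr -d ';')"
}

echo "HTTP/1.1, old: $(inwx_cookie_old "$HDR_HTTP1")"
echo "HTTP/2,   old: $(inwx_cookie_old "$HDR_HTTP2")"   # value missing: session lost
echo "HTTP/2,   new: $(inwx_cookie_new "$HDR_HTTP2")"
```

The failure mode is worth noting: nothing errors out. The pipeline yields `Cookie: ` with no value, the next API call is sent unauthenticated, and the renewal fails one step later with a message that says nothing about cookies.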
<p>BTW, the (original) source code on GitHub under <a class="external" href="https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_inwx.sh">https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_inwx.sh</a> also contains the "grep -i" command on line 197 - though I have not checked whether there are other changes in that file.</p>

pfSense - Bug #14313 (Assigned): Unable to create nested URL table aliases
https://redmine.pfsense.org/issues/14313
2023-04-26T05:22:32Z Azamat Khakimyanov
<p>In docs there is a phrase:<br /><em>"URL table aliases can nest other URL table aliases, and URL aliases can nest other URL aliases."</em></p>
<p>I tested it on 23.01 and on 23.05-DEV and I can't create a nested alias with 2 URL table aliases inside:</p>
<p>1. If I tried to create 'Type: Host(s)' alias, I got <br /><em>"The following input errors were detected:<br />The alias(es): urltest1 urltest2 cannot be nested because they are not of the same type."</em></p>
<p>2. If I tried to create 'Type: Network(s)' alias, there was no error but I didn't see this new alias in Diagnostics/Tables</p>
<p>3. If I tried to create 'Type: URL (IPs)' alias, I got <br /><em>"The following input errors were detected:<br />A valid URL or alias must be provided. Could not fetch usable data from 'urltest1'.<br />A valid URL or alias must be provided. Could not fetch usable data from 'urltest2'."</em></p>
<p>4. If I tried to create 'Type: URL Table (IPs)' alias and add one of these URL Table aliases I already created, I got<br /><em>"The following input errors were detected:<br />A valid URL must be provided."</em></p>
<p>5. If I tried to import aliases, I got no errors but I didn't see this new alias in Diagnostics/Tables</p>

pfSense - Bug #13706 (Confirmed): Static routes are not updated when updating a nested alias.
https://redmine.pfsense.org/issues/13706
2022-11-28T19:16:13Z Marcos M
<p>Tested on <code>22.05</code> and <code>23.01.a.20221123.0600</code>.</p>
Setup:
<ul>
<li>Create the network alias <code>a2</code> with a subnet defined.</li>
<li>Create the network alias <code>a1</code> with <code>a2</code> as an entry and an additional subnet.</li>
<li>Add a static route using the alias <code>a1</code>.</li>
</ul>
Issue:
<ul>
<li>Updating <code>a2</code> correctly updates the alias table seen under Diagnostics / Tables, but it does not affect the route table.</li>
<li>Re-saving <code>a1</code> adds a new route with the updated settings, but the old route is not removed.</li>
<li>Removing <code>a2</code> from <code>a1</code> does not delete the routes.</li>
</ul>

pfSense Packages - Bug #12670 (New): ACME package writes credentials to system log
https://redmine.pfsense.org/issues/12670
2022-01-09T06:26:28Z Florian Apolloner (florian@apolloner.eu)
<p>The acme renewal cron currently dumps the config into the system log:<br /><pre>
<13>1 2022-01-09T03:57:32.299169+01:00 fw01.xxx.lan ACME 93105 - - ## Its time to renew ##
<13>1 2022-01-09T03:57:32.299183+01:00 fw01.xxx.lan ACME 93105 - - Renewing certificate
<13>1 2022-01-09T03:57:32.299198+01:00 fw01.xxx.lan ACME 93105 - - account: xxx
<13>1 2022-01-09T03:57:32.299212+01:00 fw01.xxx.lan ACME 93105 - - server: letsencrypt-production-2
<13>1 2022-01-09T03:57:32.300864+01:00 fw01.xxx.lan ACME 93105 - -
<13>1 2022-01-09T03:57:32.300896+01:00 fw01.xxx.lan ACME 93105 - - /usr/local/pkg/acme/acme.sh --issue --domain '*.infra.xxx.co.at' --dns 'dns_inwx' --home '/tmp/acme/infra.xxx.co.at/' --accountconf '/tmp/acme/infra.xxx.co.at/accountconf.conf' --force --reloadCmd '/tmp/acme/infra.xxx.co.at/reloadcmd.sh' --log-level 3 --log '/tmp/acme/infra.xxx.co.at/acme_issuecert.log'
<13>1 2022-01-09T03:57:32.300916+01:00 fw01.xxx.lan ACME 93105 - - Array
<13>1 2022-01-09T03:57:32.300931+01:00 fw01.xxx.lan ACME 93105 - - (
<13>1 2022-01-09T03:57:32.300945+01:00 fw01.xxx.lan ACME 93105 - - [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
<13>1 2022-01-09T03:57:32.300958+01:00 fw01.xxx.lan ACME 93105 - - [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
<13>1 2022-01-09T03:57:32.300972+01:00 fw01.xxx.lan ACME 93105 - - [INWX_User] => XXX
<13>1 2022-01-09T03:57:32.300985+01:00 fw01.xxx.lan ACME 93105 - - [INWX_Password] => YYY
<13>1 2022-01-09T03:57:32.300999+01:00 fw01.xxx.lan ACME 93105 - - [INWX_Shared_Secret] =>
<13>1 2022-01-09T03:57:32.301013+01:00 fw01.xxx.lan ACME 93105 - - )
<13>1 2022-01-09T03:57:38.616297+01:00 fw01.xxx.lan ACME 93105 - - [Sun Jan 9 03:57:33 CET 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
</pre></p>
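An added example, not the package's own code: given a dump in the shape shown in the log above (constructed here, with made-up user name and password), mask every entry whose key looks like a credential before the text is handed to syslog, and keep harmless entries such as PATH so the log line still helps with debugging. The key-name heuristic is an assumption for the example; the package itself would need to apply the same idea in PHP before calling syslog, since the leak happens there, not in the shell.

```shell
#!/bin/sh
# Added example: strip credential values from an environment dump before it
# is logged. ENV_DUMP is constructed in the shape the ACME package prints;
# the user name and password below are made up.

ENV_DUMP='Array
(
    [path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
    [INWX_User] => alice
    [INWX_Password] => hunter2
    [INWX_Shared_Secret] =>
)'

redact_env_dump() {
    # Reads a dump from $1 and prints it with the value of every key whose
    # name contains pass/secret/token/key (case-insensitive) replaced by
    # [redacted]. Deliberately over-broad: losing a harmless value from a
    # log is cheap, leaking a DNS API credential is not.
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[[^]]*\] =>/ {
            key = $0
            sub(/^[ \t]*\[/, "", key); sub(/\].*$/, "", key)
            if (tolower(key) ~ /pass|secret|token|key/) {
                sub(/=>.*$/, "=> [redacted]")
            }
        }
        { print }'
}

dump_value() {
    # Helper for checks: print the value recorded for key $2 in dump $1.
    printf '%s\n' "$1" | awk -v k="$2" '
        index($0, "[" k "] =>") { sub(/^[^=]*=> ?/, ""); print; exit }'
}

redact_env_dump "$ENV_DUMP"
```

Note that an empty value (the `INWX_Shared_Secret` line) is masked too: whether a secret is set is itself information, and a log reader gains nothing from knowing it.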
<p>IMO this array shouldn't be spat out, as it leaks information.</p>

pfSense Packages - Bug #12623 (New): acme.sh package | DNS-ISPConfig settings
https://redmine.pfsense.org/issues/12623
2021-12-21T04:43:49Z Karsten Deubert
<p>We are running a pfSense 2.5.2 on a qemu based virtual machine.</p>
<p>The acme.sh package is used to generate Let's Encrypt certificates; in our case we want to create a wildcard certificate, so we need a DNS challenge.<br />Our DNS provider is DNS-ISPConfig based.</p>
<p>While the configuration we enter is correct, it seems the acme.sh script does not see all required ISPConfig extra settings.</p>
<p>The error we always get from pfSense UI based certificate renewal is:</p>
<pre>
[Tue Dec 21 11:09:45 CET 2021] You haven't specified the ISPConfig Login data, URL and whether you want check the ISPC SSL cert. Please try again.
[Tue Dec 21 11:09:45 CET 2021] Error add txt for domain:_acme-challenge.example.org
</pre>
<p>From the package output it seems like the ISPConfig settings are provided as environment variables:</p>
<pre>
Array
(
[path] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[PATH] => /etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin/
[ISPC_User] => ispconfig_secret_user_name
[ISPC_Password] => ispconfig_secret_password
[ISPC_Api] => https://ispconfig.example.org:8080/remote/json.php
[ISPC_Api_Insecure] =>
)
</pre>
<p>We also saw that there is an --accountconfig used, and checked its contents:</p>
<pre>
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
ACCOUNT_EMAIL='foo@example.org'
LOG_FILE='/tmp/acme/wildcard.example.org/acme_issuecert.log'
LOG_LEVEL='3'
</pre>
<p>As a <strong>workaround</strong> we found that adding entries to the accountconf file, then executing the acme.sh call (as displayed in the package output) manually, will correctly generate the certificate and process callbacks, so the certificate is also displayed correctly and usable all around pfSense. But since it is a manual process, we would have to do it every 90 days.</p>
<p>The accountconf file looks like this after the manual change:<br /><pre>
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
ACCOUNT_EMAIL='foo@example.org'
LOG_FILE='/tmp/acme/wildcard.example.org/acme_issuecert.log'
LOG_LEVEL='3'
ISPC_User='ispconfig_secret_user_name'
ISPC_Password='ispconfig_secret_password'
ISPC_Api='https://ispconfig.example.org:8080/remote/json.php'
ISPC_Api_Insecure='0'
</pre></p>
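The workaround above means editing the account configuration by hand before every manual run. As an added example (not from the pfSense package or from acme.sh), the following sh helper writes or replaces `KEY='value'` lines in a file of that format with correct single-quote escaping, so a credential containing `'`, `#` or spaces is read back unchanged when acme.sh sources the file, and re-running it does not leave duplicate lines behind. The temporary file path in the demo stands in for the real `accountconf.conf`; that substitution and the idea of calling the helper from a cron wrapper are assumptions for the example.

```shell
#!/bin/sh
# Added example: maintain KEY='value' entries in an acme.sh-style account
# configuration file. The line format is the one shown in the report; the
# path used in the demo is a temporary file, not the package's own.

sq() {
    # Single-quote $1 for a shell-sourced file: an embedded ' becomes '\''.
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

set_conf_var() {
    # Usage: set_conf_var FILE KEY VALUE
    # Replaces an existing KEY=... line or appends one. The file is kept
    # mode 0600 because it holds DNS API credentials.
    file=$1 key=$2
    [ -e "$file" ] || : > "$file"
    chmod 600 "$file"
    if grep -q "^${key}=" "$file"; then
        { grep -v "^${key}=" "$file" || :; } > "$file.tmp"
        mv "$file.tmp" "$file"
        chmod 600 "$file"
    fi
    printf '%s=%s\n' "$key" "$(sq "$3")" >> "$file"
}

# Demo on a temporary file standing in for
# /tmp/acme/wildcard.example.org/accountconf.conf
CONF=$(mktemp) || exit 1
printf "ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'\n" > "$CONF"
set_conf_var "$CONF" ISPC_User         'ispconfig_secret_user_name'
set_conf_var "$CONF" ISPC_Password     "it's #1 pa'ss"
set_conf_var "$CONF" ISPC_Api          'https://ispconfig.example.org:8080/remote/json.php'
set_conf_var "$CONF" ISPC_Api_Insecure '0'
set_conf_var "$CONF" ISPC_Api_Insecure '1'   # second call replaces, no duplicate
cat "$CONF"
rm -f "$CONF" "$CONF.tmp"
```

Because acme.sh reads this file with the shell, the quoting is what decides whether a password round-trips: a `#` outside quotes would start a comment, and an unescaped `'` would end the string early.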
<p>We suspect that something with supplying the options via ENV is broken (then it might need a bug report in the acme.sh project possibly?) - or the configuration could be moved to the accountconf file, because this way it seems to work already.</p>

pfSense Packages - Bug #9497 (New): AWS VPN Wizard: WebGUI times out.
https://redmine.pfsense.org/issues/9497
2019-04-30T13:42:53Z Steve Wheeler
<p>When creating a new VPN using the AWS VPN Wizard the webgui times out at step 3 going to step 4 and also at step 4 going to step 5.<br />In both cases it results in a 504 error. <br />In both cases the actual config was added to AWS in what appeared to be a short time but the status remained at pending for a while.<br />Going back a page and resubmitting allowed the wizard to complete.</p>

pfSense Packages - Bug #9495 (New): AWS VPC VPN wizard produces incorrect config (SHA256 should b...
https://redmine.pfsense.org/issues/9495
2019-04-30T09:24:32Z Frank Hecker
<p>I was trying to create a site-to-site VPN to my AWS default VPC in the us-west-2 region using the AWS VPC VPN Wizard on my Netgate SG-1100. After going through the configuration, I found that I could not get the VPN to connect. Looking at the log at Status / System Logs / IPsec I noticed the error message "received NO_PROPOSAL_CHOSEN error notify", which apparently indicates a phase 1 encryption algorithm mismatch.</p>
<p>I downloaded a pfsense configuration from AWS for the site-to-site VPN connection, and it indicated that the phase 1 hash algorithm should be SHA1. However, in looking at the Phase 1 settings created by the wizard, the phase 1 hash algorithm was set to SHA256. I went to VPN /IPSec / Tunnels and manually changed the phase 1 hash algorithms for the tunnels to SHA1, saved both, and then applied the changes. I was then able to click "Connect" and get the VPN tunnels established. I confirmed the connection by pinging a Linux EC2 instance in AWS, then logged into the instance via ssh (using its private IP address) and was able to ping and ssh back into my own network.</p>
<p>So the wizard appears to be setting up the phase 1 encryption algorithm incorrectly, at least for the AWS region I'm using (us-west-2 in commercial AWS).</p>
<p>I have uploaded a complete set of screenshots, backup files, and steps to reproduce to <a class="external" href="https://civilityandtruth.com/assets/texts/netgate-inc-26504.tar.gz">https://civilityandtruth.com/assets/texts/netgate-inc-26504.tar.gz</a> (This file is slightly too large to attach to this report).</p>
<p>Here are the steps to reproduce. The references to filenames are to files in the netgate-inc-26504.tar.gz linked to above, and the steps are taken from the file inc-26504-steps-to-reproduce.txt included in the tar.gz file.</p>
<p>1. Start with pfSense and AWS initial state:
* Netgate SG-1100 running pfSense 2.4.4-RELEASE-p2 (arm64)
* Backup of pfSense configuration (config-gw.fhecker.com-20190430121437.xml)
* No AWS IPsec VPN defined (inc-26504-ss-01.png)
* Single default VPC defined in AWS us-west-2 region (inc-26504-ss-02.png)
* No customer gateway defined (inc-26504-ss-03.png)
* No virtual private gateway defined (inc-26504-ss-04.png)
* No site-to-site VPN defined (inc-26504-ss-05.png)</p>
<p>2. Start AWS VPC VPN configuration wizard (inc-26504-ss-06.png)</p>
<p>3. On step 1, select us-west-2 region, click Next (inc-26504-ss-07.png)</p>
<p>4. On step 2, select default VPC, click Next (inc-26504-ss-08.png)</p>
<p>5. On step 3, accept default values, click Next (inc-26504-ss-09.png)</p>
<p>6. Chrome waits for response for approx. 3 minutes (inc-26504-ss-10.png)</p>
<p>7. Chrome displays "504 Gateway Time-Out" message (inc-26504-ss-11.png)</p>
<p>8. Hit reload button and click Continue to resubmit (inc-26504-ss-12.png)</p>
<p>9. pfSense shows step 4 screen, click Next (inc-26504-ss-13.png)</p>
<p>10. Final screen of wizard, click Next (inc-26504-ss-14.png)</p>
<p>11. Tunnels show as disconnected, click Connect on first (inc-26504-ss-15.png)</p>
<p>12. IPsec log shows "received NO_PROPOSAL_CHOSEN error notify" <br /> (inc-26504-ss-16.png)</p>
<p>13. Take backup of pfSense (config-gw.fhecker.com-20190430122509.xml)</p>
<p>14. Edit tunnel, phase 1 hash algorithm shows as SHA256 (inc-26504-ss-17.png)</p>
<p>15. Look at phase 2 info for tunnel (inc-26504-ss-18.png)</p>
<p>16. Download configuration from AWS for site-to-site VPN (inc-26504-ss-19.png)</p>
<p>17. Select configuration download for pfSense (inc-26504-ss-20.png)</p>
<p>18. Configuration file says phase 1 hash algorithm should be SHA1<br /> (vpn-068f85d4833718e47.txt)</p>
<p>19. Edit the first tunnel, change hash algorithm to SHA1 (inc-26504-ss-21.png)</p>
<p>20. Edit the second tunnel, make the same change (inc-26504-ss-22.png)</p>
<p>21. Apply the changes (inc-26504-ss-23.png)</p>
<p>22. Status screen now shows VPN tunnels as connected. (inc-26504-ss-24.png)</p>
<p>23. Take final backup of pfSense (config-gw.fhecker.com-20190430123055.xml)</p>

pfSense Packages - Bug #9348 (New): Results of Acme certificate issuance/renewal are not properly...
https://redmine.pfsense.org/issues/9348
2019-02-22T12:08:48Z Isaac McDonald
<p>The results of an Acme certificate issuance/renewal aren't properly formatted. Even when there are no errors the results look like a core dump which diminishes confidence in the quality of this plugin.</p>
<p><strong>Steps to reproduce:</strong><br /><strong>1.</strong> Navigate to services ---> Acme Certificates<br /><strong>2.</strong> Click Add<br /><strong>3.</strong> Enter a name for the certificate and use foo.example.com as the domain name in the SAN list.<br /><strong>4.</strong> Use a DNS update method such as "DNS-NSUpdate / RFC 2136" or "DNS-ClouDNS" and enter bogus information<br /><strong>5.</strong> Click Save<br /><strong>6.</strong> Click "Issue renew" next to the certificate you just created.<br /><strong>7.</strong> Note the results of the cert issuance/renewal aren't properly formatted</p>
<p>See attached screenshot.</p>

pfSense Packages - Bug #8560 (New): ACME: can't update DNS records in DNSMadeEasy registrar for se...
https://redmine.pfsense.org/issues/8560
2018-06-08T13:15:35Z Alex Kolesnik (pfsenseorg3@temp.spb.ru)
<p>The API key/id of the 3rd domain is used for updating records of the 1st domain. Please, see attached screenshots.</p>

pfSense Packages - Bug #7453 (New): DNS-ovh need to save or display consumer key
https://redmine.pfsense.org/issues/7453
2017-04-06T10:54:06Z Cédric Caron
<p>The consumer key is generated at the first connection to OVH ([Thu Apr 6 17:46:00 CEST 2017] OVH consumer key is empty, Let's get one:) and needs to be saved for the next connections.</p>
<p>This can be done automatically if the field is empty in the settings, or by displaying the key to allow the user to fill in the parameter.</p>