Bug #9160
Status: closed
OCSP Must-Staple, when checked on the System > Advanced AND on the System > General Setup some IPv6 DNS servers are listed, then the nginx web configurator file will contain a syntax error
% Done: 100%
Description
... and the result will be: no more GUI.
To begin with, one should have a certificate with the "OCSP Must Staple" 'extension' set. For example, the acme package handles this very well.
When you use such a certificate, and you select it for the web configurator (the GUI) AND you have some IPv6 DNS servers listed on System > General Setup, then you trigger the error.
Initially, Stapling was discussed here https://forum.netgate.com/topic/129063/ocsp-must-staple-nginx-configuration
Later on, when acme/Let's Encrypt became really important, the GUI (that is, the web server nginx) had to become "Stapling" aware = it needed some more lines in its config file.
But ... the function used, get_dns_nameservers() ( here https://github.com/pfsense/pfsense/blob/b6acaf760b8f606e4365e1ba4041be5b4f1c007a/src/etc/inc/system.inc#L1475 ), returns plain IPv4 or IPv6 addresses. The issue is: the IPv6 addresses on the "resolver = IPv4 IPv6 ....." line should be bracketed, like "[::1]".
Read this forum thread for what happened and a possible solution: https://forum.netgate.com/topic/135394/form-2-4-3-upgrade-2-4-4rc20180904-can-t-open-gateway-gui
This issue pops up only if several conditions are met.
The issue is that nginx's config file isn't correctly built, so nginx will bail out.
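The report above describes the whole failure: nginx's `resolver` directive takes a space-separated list of addresses, each with an optional `:port`, so a bare IPv6 literal such as `2001:db8::1` is ambiguous and must be written `[2001:db8::1]`, while the nameserver list arrives as plain strings. The following is an added example, written for this page and not pfSense's own code (pfSense builds the directive in PHP); it shows the two things a practitioner wants here: a builder that brackets IPv6 before emitting the directive, and a check that scans an nginx config for the bad form so the pre-fix output can be spotted before reloading. The sample config, the nameserver list and the `valid=300s` option are constructed for the example, not taken from pfSense.

```python
import ipaddress
import re

# nginx syntax: resolver <addr> [<addr> ...] [valid=time] [ipv6=on|off];
# Address tokens may be IPv4, bracketed IPv6, or a hostname, each with an
# optional :port. A bare IPv6 literal is rejected because its colons are
# ambiguous with the :port separator, which is the bug described above.


def format_resolver_address(ns: str) -> str:
    """Render one nameserver the way nginx's `resolver` directive needs it."""
    addr = ipaddress.ip_address(ns)  # raises ValueError on non-IP input
    return f"[{addr.compressed}]" if addr.version == 6 else str(addr)


def build_resolver_directive(nameservers, valid: str = "300s") -> str:
    """Build the directive from a mixed list of plain IPv4/IPv6 strings,
    i.e. the shape a nameserver lookup returns (IPv6 unbracketed).
    The valid= option is an assumption for the example, not pfSense's value."""
    rendered = [format_resolver_address(ns) for ns in nameservers]
    if not rendered:
        raise ValueError("resolver needs at least one nameserver")
    return f"resolver {' '.join(rendered)} valid={valid};"


_RESOLVER_RE = re.compile(r"^\s*resolver\s+(.+?)\s*;\s*$")


def _is_bare_ipv6(token: str) -> bool:
    """True if an address token is an unbracketed IPv6 literal."""
    if token.startswith("["):
        return False
    try:
        return ipaddress.ip_address(token).version == 6
    except ValueError:
        return False  # IPv4 with :port, hostname, etc. are fine for nginx


def find_unbracketed_ipv6(nginx_conf: str):
    """Return (line_number, token) for every resolver address token nginx
    would choke on. Option tokens (valid=, ipv6=) are skipped."""
    hits = []
    for lineno, line in enumerate(nginx_conf.splitlines(), 1):
        m = _RESOLVER_RE.match(line)
        if not m:
            continue
        for token in m.group(1).split():
            if "=" in token:
                continue
            if _is_bare_ipv6(token):
                hits.append((lineno, token))
    return hits


# Constructed sample input: the list as a nameserver lookup hands it over,
# and a config fragment of the kind a pre-fix build would have emitted.
NAMESERVERS = ["127.0.0.1", "2001:db8::1", "::1"]
BROKEN_CONF = "server {\n    resolver 127.0.0.1 2001:db8::1 ::1 valid=300s;\n}\n"

if __name__ == "__main__":
    print("broken tokens:", find_unbracketed_ipv6(BROKEN_CONF))
    fixed = build_resolver_directive(NAMESERVERS)
    print(fixed)
    print("fixed tokens:", find_unbracketed_ipv6("server {\n    " + fixed + "\n}\n"))
```

The checker only confirms the one syntax rule discussed here; `nginx -t` against the generated file remains the authoritative test before a reload, since it also catches everything else that can go wrong in the configuration.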
Updated by Gertjan KROEB about 6 years ago
Not related, but while I was stapling :
hideCheckbox('ocsp-staple', "
<?php
$cert_temp = lookup_cert($config['system']['webgui']['ssl-certref']);
echo (cert_get_ocspstaple($cert_temp['crt']) ? "true" : "false");
?>" === "true");
( /usr/local/www/system_advanced_admi.php - line 726 )
What I make of it - consider a certificate with the "must-staple" extension present :
The cert being used by the webgui is extracted: $cert_temp = lookup_cert($config['system']['webgui']['ssl-certref']);
cert_get_ocspstaple($cert_temp['crt']) returns boolean 'true' if the certificate has the "stapleable" extension (for example, this is an option for the acme package: Let's Encrypt will deliver a stapleable certificate)
Thus "echo (cert_get_ocspstaple($cert_temp['crt']) ? "true" : "false");" will be the equivalent of "true"
"true" === "true"
Result : This all boils down to
hideCheckbox('ocsp-staple', "true")
and the checkbox will be hidden ... which means: If you have a certificate that has the "must-staple" extension present, you cannot see or use this checkbox.
It's very probable that I didn't understand something, but I tend to say (propose) :
?>" === "false");
Or, using my logic : if the cert has no must-staple, then "false" === "false" (= true) and we have a
hideCheckbox('ocsp-staple', "true")
The checkbox will be hidden.
If the cert has the staple option, then
hideCheckbox('ocsp-staple', "false")
and the checkbox will be shown.
I'm using this proposal right now - and can see the checkbox because my cert has the staple option.
Thought ?
Updated by Jim Pingle about 6 years ago
When you have a certificate that requires stapling, you can't disable it or it will break GUI access. Hiding the checkbox prevents that from happening easily. The reason it's present at all is so you can manually enable stapling if for some reason the automatic detection fails.
Updated by Gertjan KROEB about 6 years ago
?! You are right. Forgot all about that one.
Zap my staple story : that "true" one is probably right after all.
Thanks for the fast reply and connecting some of my neurons.
Updated by Jim Pingle about 6 years ago
- Assignee set to Jim Pingle
- Target version changed from 48 to 2.4.4-p2
Updated by Jim Pingle about 6 years ago
- Status changed from 13 to Feedback
- % Done changed from 50 to 100
Applied in changeset 4c6e3de40f56a1bd8d978a9dd4677d0ab025b8cb.
Updated by Jim Pingle about 6 years ago
Testing is super easy with ACME/LE certs. Edit the cert entry, check the box for stapling, and then renew the cert. It will be reissued with the stapling bits in place, and the GUI will pick it up. Then add an IPv6 name server and watch nginx fail (pre-fix) or work (post-fix).
Updated by Jim Pingle almost 6 years ago
- Status changed from Feedback to Resolved
This has been working for me in a test VM for over a month now, but it would be nice to have additional confirmation that the problem is solved for others.