OCSP Must-Staple: when it is checked on System > Advanced AND some IPv6 DNS servers are listed on System > General Setup, then the nginx web configurator file will contain a syntax error
... and the result will be: no more GUI.
To begin with, one should have a certificate with the "OCSP Must Staple" 'extension' set. For example, the acme package handles this very well.
When you use such a certificate, and you select it for the web configurator (the GUI) AND you have some IPv6 DNS servers listed on General > General Setup, then you trigger the error.
Initially, Stapling was discussed here https://forum.netgate.com/topic/129063/ocsp-must-staple-nginx-configuration
Later on, when acme/Let's Encrypt became really important, the GUI (that is, the web server nginx) had to become "Stapling" aware = it needed some more lines in its config file.
But ... the function used, get_dns_nameservers() ( here https://github.com/pfsense/pfsense/blob/b6acaf760b8f606e4365e1ba4041be5b4f1c007a/src/etc/inc/system.inc#L1475 ), returns plain IPv4 or IPv6. The issue is: the IPv6 on the "resolver = IPv4 IPV6 ....." line should be bracketed like "[::1]".
Read this forum thread for what happened and a possible solution: https://forum.netgate.com/topic/135394/form-2-4-3-upgrade-2-4-4rc20180904-can-t-open-gateway-gui
This issue pops up only if several conditions are met.
The issue is that nginx's config file isn't correctly built, so nginx will bail out.
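The following is an added example, not pfSense project code, showing the nginx "resolver" problem the report describes and the corrected form. The function names nginx_resolver_line() and ocsp_stapling_block() are hypothetical and do not exist in pfSense; the input list stands in for what get_dns_nameservers() returns, and the sample addresses are constructed.

```php
<?php
// Added example (not pfSense code). Shows why a nameserver list that mixes
// IPv4 and IPv6 literals breaks the nginx "resolver" directive unless the
// IPv6 entries are bracketed, and how to build the line safely.
// nginx_resolver_line() and ocsp_stapling_block() are hypothetical names.

/**
 * Build the nginx "resolver" directive from a plain list of nameserver
 * addresses (the shape the report attributes to get_dns_nameservers()).
 * IPv6 addresses are wrapped in square brackets, which nginx requires;
 * anything that is not a valid IP literal is dropped so that one bad
 * entry cannot leave nginx unable to start (no GUI).
 */
function nginx_resolver_line(array $nameservers, int $valid_seconds = 300): string {
    $formatted = [];
    foreach ($nameservers as $ns) {
        $ns = trim($ns);
        if (filter_var($ns, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
            $formatted[] = '[' . $ns . ']';   // e.g. ::1 becomes [::1]
        } elseif (filter_var($ns, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
            $formatted[] = $ns;
        }
        // else: skipped; an unparsable resolver entry would make nginx bail out
    }
    if (empty($formatted)) {
        return '';   // no resolver line at all; nginx then cannot fetch OCSP responses
    }
    return 'resolver ' . implode(' ', $formatted) . ' valid=' . $valid_seconds . 's;';
}

/**
 * Assemble the stapling-related lines for the GUI's nginx server block.
 * $must_staple mirrors the boolean the report quotes from cert_get_ocspstaple().
 */
function ocsp_stapling_block(bool $must_staple, array $nameservers): string {
    if (!$must_staple) {
        return '';
    }
    $lines = [
        "\tssl_stapling on;",
        "\tssl_stapling_verify on;",
    ];
    $resolver = nginx_resolver_line($nameservers);
    if ($resolver !== '') {
        $lines[] = "\t" . $resolver;
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample input: the mix the report describes, one IPv4 and one
// IPv6 DNS server from General Setup, plus an empty entry.
$sample_nameservers = ['8.8.8.8', '2001:4860:4860::8888', ''];

// Broken form (what the report says was generated): a raw IPv6 literal,
// which nginx rejects, so the config fails to load.
echo "broken: resolver " . implode(' ', array_filter($sample_nameservers)) . " valid=300s;\n";
// Corrected form: the IPv6 literal is bracketed.
echo "fixed:  " . nginx_resolver_line($sample_nameservers) . "\n";
echo ocsp_stapling_block(true, $sample_nameservers);
```

Run it with the PHP CLI to see the two resolver lines side by side; the only difference is the brackets around the IPv6 address. Whatever generates the real file, the cheap check before reloading the GUI web server is `nginx -t -c <path to the generated config>`, which reports exactly this kind of directive syntax error instead of leaving you locked out.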
#1 Updated by Gertjan KROEB almost 2 years ago
Not related, but while I was stapling:
hideCheckbox('ocsp-staple', " <?php $cert_temp = lookup_cert($config['system']['webgui']['ssl-certref']); echo (cert_get_ocspstaple($cert_temp['crt']) ? "true" : "false"); ?>" === "true");
( /usr/local/www/system_advanced_admi.php - line 726 )
What I make of it - consider a certificate with the "must-staple" extension present:
The cert being used by the webgui is extracted: $cert_temp = lookup_cert($config['system']['webgui']['ssl-certref']);
cert_get_ocspstaple($cert_temp['crt']) returns boolean 'true' if the certificate has the "staplable" extension (for example, this is an option for the acme package: Let's Encrypt will deliver a staplable certificate)
Thus "echo (cert_get_ocspstaple($cert_temp['crt']) ? "true" : "false");" will be the equivalent of "true"
"true" === "true"
Result : This all boils down to
and the checkbox will be hidden ... which means : If you have a certificate that has the "must-staple" extension present, you can not see or use this checkbox.
It's very probable that I didn't understand something, but I tend to say (propose):
?>" === "false");
Or, using my logic: if the cert has no must-staple, then "false" === "false" (= true) and we have a
The checkbox will be hidden.
If the cert has the staple option, then
and the checkbox will be shown.
I'm using this proposal right now - and can see the checkbox because my cert has the staple option.
#2 Updated by Jim Pingle almost 2 years ago
When you have a certificate that requires stapling, you can't disable it or it will break GUI access. Hiding the checkbox prevents that from happening easily. The reason it's present at all is so you can manually enable stapling if for some reason the automatic detection fails.
#7 Updated by Jim Pingle almost 2 years ago
Testing is super easy with ACME/LE certs. Edit the cert entry, check the box for stapling, and then renew the cert. It will be reissued with the stapling bits in place, and the GUI will pick it up. Then add an IPv6 name server and watch nginx fail (pre-fix) or work (post-fix).