
Bug #9160

OCSP Must-Staple, when checked on System > Advanced AND some IPv6 DNS servers are listed on System > General Setup, then the nginx web configurator file will contain a syntax error

Added by Gertjan KROEB 9 days ago. Updated 1 day ago.

Status: Feedback
Priority: Low
Assignee:
Category: Web Interface
Target version:
Start date: 12/03/2018
Due date:
% Done: 100%
Estimated time: 0.50 h
Affected Version: 2.4.4_1
Affected Architecture: All

Description

... and the result will be: no more GUI.

To begin with, one should have a certificate with the "OCSP Must Staple" 'extension' set. For example, the acme package handles this very well.
When you use such a certificate, and you select it for the web configurator (the GUI) AND you have some IPv6 DNS servers listed on General > General Setup, then you trigger the error.

Initially, Stapling was discussed here: https://forum.netgate.com/topic/129063/ocsp-must-staple-nginx-configuration

Later on, when acme/Let's Encrypt became really important, the GUI (that is, the web server nginx) had to become "Stapling" aware = it needed some more lines in its config file.

But ... the function used, get_dns_nameservers() (here: https://github.com/pfsense/pfsense/blob/b6acaf760b8f606e4365e1ba4041be5b4f1c007a/src/etc/inc/system.inc#L1475 ), returns plain IPv4 or IPv6. The issue is: the IPv6 on the "resolver = IPv4 IPV6 ....." line should be bracketed like "[::1]".

Read this forum thread for what happened and a possible solution: https://forum.netgate.com/topic/135394/form-2-4-3-upgrade-2-4-4rc20180904-can-t-open-gateway-gui

This issue pops up only if several conditions are met.
The issue is that nginx's config file isn't correctly built, so nginx will bail out.
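An added example, not pfSense's own code, of the bracketing the resolver line needs: it takes a plain nameserver list such as get_dns_nameservers() returns and emits an nginx "resolver" directive with IPv6 literals wrapped in brackets. The helper name build_nginx_resolver_line() and the sample addresses are assumptions.

```php
<?php
// Added example (not pfSense code): build the nginx "resolver" directive from a
// plain list of nameservers. Bare IPv6 literals on this line make nginx reject
// the whole config at startup, which is what leaves the GUI unreachable.

function build_nginx_resolver_line(array $nameservers): string
{
    $entries = [];
    foreach ($nameservers as $ns) {
        $ns = trim($ns);
        if (filter_var($ns, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
            // nginx requires IPv6 resolver addresses in the form [addr]
            $entries[] = '[' . $ns . ']';
        } elseif (filter_var($ns, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
            $entries[] = $ns;
        }
        // Anything else is dropped: hostnames are not valid here, and a
        // link-local address with a zone id (fe80::1%em0) fails the IPv6
        // check above, so it never reaches the config as a broken entry.
    }

    if (empty($entries)) {
        // No usable resolver: emit nothing rather than an empty "resolver ;",
        // which would itself be a syntax error. Stapling lookups will then
        // fail, but the web server still starts.
        return '';
    }

    return 'resolver ' . implode(' ', $entries) . ';';
}

// Constructed sample input, as on a box with both IPv4 and IPv6 DNS servers
// configured under System > General Setup (hypothetical values).
$sample = ['127.0.0.1', '2001:db8::53', '::1', 'fe80::1%em0', '9.9.9.9'];
echo build_nginx_resolver_line($sample) . PHP_EOL;
```

Dropping the config into `nginx -t` before a reload is the cheap check that catches this class of error without taking the GUI down.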

Associated revisions

Revision 4c6e3de4 (diff)
Added by Jim Pingle 1 day ago

Fix nginx resolver handling when a cert needs OCSP stapling. Fixes #9160

Revision eed4d8ae (diff)
Added by Jim Pingle 1 day ago

Fix nginx resolver handling when a cert needs OCSP stapling. Fixes #9160

(cherry picked from commit 4c6e3de40f56a1bd8d978a9dd4677d0ab025b8cb)

History

#1 Updated by Gertjan KROEB 7 days ago

Not related, but while I was stapling :

    hideCheckbox('ocsp-staple', " 
            <?php 
            $cert_temp = lookup_cert($config['system']['webgui']['ssl-certref']);
            echo (cert_get_ocspstaple($cert_temp['crt']) ? "true" : "false");
            ?>" === "true");

( /usr/local/www/system_advanced_admi.php - line 726 )
What I make of it - consider a certificate with the "must-staple" extension present:
The cert being used by the webgui is extracted: $cert_temp = lookup_cert($config['system']['webgui']['ssl-certref']);
cert_get_ocspstaple($cert_temp['crt']) returns boolean 'true' if the certificate has the "stapleable" extension (for example, this is an option for the acme package: Let's Encrypt will deliver a stapleable certificate).
Thus "echo (cert_get_ocspstaple($cert_temp['crt']) ? "true" : "false");" will be the equivalent of "true"
"true" === "true"
Result: this all boils down to
hideCheckbox('ocsp-staple', "true")
and the checkbox will be hidden ... which means: if you have a certificate that has the "must-staple" extension present, you can not see or use this checkbox.

It's very probable that I didn't understand something, but I tend to say (propose):

            ?>" === "false");

Or, using my logic: if the cert has no must-staple, then "false" === "false" (= true) and we have a
hideCheckbox('ocsp-staple', "true")
The checkbox will be hidden.

If the cert has the staple option, then
hideCheckbox('ocsp-staple', "false")
and the checkbox will be shown.

I'm using this proposal right now - and can see the checkbox because my cert has the staple option.

Thoughts?

#2 Updated by Jim Pingle 7 days ago

When you have a certificate that requires stapling, you can't disable it or it will break GUI access. Hiding the checkbox prevents that from happening easily. The reason it's present at all is so you can manually enable stapling if for some reason the automatic detection fails.

#3 Updated by Gertjan KROEB 7 days ago

?! You are right. Forgot all about that one.
Zap my staple story: that "true" one is probably right after all.
Thanks for the fast reply and connecting some of my neurons.

#4 Updated by Jim Pingle 1 day ago

  • Assignee set to Jim Pingle
  • Target version changed from 2.4.5 to 2.4.4_2

#5 Updated by Jim Pingle 1 day ago

  • Status changed from New to This Sprint

#6 Updated by Jim Pingle 1 day ago

  • Status changed from This Sprint to Feedback
  • % Done changed from 50 to 100

#7 Updated by Jim Pingle 1 day ago

Testing is super easy with ACME/LE certs. Edit the cert entry, check the box for stapling, and then renew the cert. It will be reissued with the stapling bits in place, and the GUI will pick it up. Then add an IPv6 name server and watch nginx fail (pre-fix) or work (post-fix).
