Bug #9160

closed

OCSP Must-Staple, when checked on the System > Advanced AND on the System > General Setup some IPv6 DNS servers are listed, then the nginx web configurator file will contain a syntax error

Added by Gertjan KROEB over 5 years ago. Updated about 5 years ago.

Status: Resolved
Priority: Low
Assignee:
Category: Web Interface
Target version:
Start date: 12/03/2018
Due date:
% Done: 100%
Estimated time: 0.50 h
Plus Target Version:
Release Notes:
Affected Version: 2.4.4_1
Affected Architecture: All

Description

... and the result will be : no more GUI.

To begin with, one should have a certificate with the "OCSP Must Staple" 'extension' set. For example, the acme package handles this very well.
When you use such a certificate, and you select it for the web configurator (the GUI) AND you have some IPv6 DNS servers listed on General > General Setup, then you trigger the error.

Initially, Stapling was discussed here https://forum.netgate.com/topic/129063/ocsp-must-staple-nginx-configuration

Later on, when acme/Let's Encrypt became really important, the GUI (that is, the web server nginx) had to become "Stapling" aware = it needed some more lines in its config file.

But ... the function used, get_dns_nameservers() (here: https://github.com/pfsense/pfsense/blob/b6acaf760b8f606e4365e1ba4041be5b4f1c007a/src/etc/inc/system.inc#L1475), returns plain IPv4 or IPv6. The issue is: the IPv6 on the "resolver = IPv4 IPV6 ....." line should be bracketed like "[::1]".

Read this forum thread for what happened and a possible solution: https://forum.netgate.com/topic/135394/form-2-4-3-upgrade-2-4-4rc20180904-can-t-open-gateway-gui

This issue pops up only if several conditions are met.
The issue is that nginx's config file isn't correctly built, so nginx will bail out.
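The bracketing rule from the report, as an added example (not part of the original report and not pfSense's own code): it builds an nginx `resolver` line from a mixed list of name servers and also flags unbracketed IPv6 literals in an existing config. The function names and sample addresses are constructed for illustration, and returning `None` so the caller can skip the directive is an assumption.

```python
import ipaddress

def format_resolver_address(addr):
    """Return addr as nginx's resolver directive expects it, or None if it is not an IP."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None  # hostnames and junk are dropped rather than written to the config
    # nginx requires IPv6 literals in square brackets; IPv4 is written as-is.
    return f"[{ip.compressed}]" if ip.version == 6 else ip.compressed

def build_resolver_directive(nameservers):
    """Build the resolver line, or return None when no usable address is left
    (assumption: the caller then omits the directive instead of emitting an empty one)."""
    formatted = [a for a in map(format_resolver_address, nameservers) if a]
    if not formatted:
        return None
    return "resolver " + " ".join(formatted) + ";"

def unbracketed_ipv6_in_config(config_text):
    """Return IPv6 literals that appear without brackets on resolver lines."""
    bad = []
    for line in config_text.splitlines():
        tokens = line.strip().rstrip(";").split()
        if not tokens or tokens[0] != "resolver":
            continue
        for tok in tokens[1:]:
            # Skip already-bracketed addresses and parameters such as valid=300s.
            if tok.startswith("[") or "=" in tok:
                continue
            try:
                if ipaddress.ip_address(tok).version == 6:
                    bad.append(tok)
            except ValueError:
                pass  # not an IP literal at all
    return bad

if __name__ == "__main__":
    # Constructed sample: documentation-range addresses plus one invalid entry.
    servers = ["192.0.2.53", "2001:db8::53", "not-an-ip"]
    print(build_resolver_directive(servers))
    # Constructed faulty line of the kind described in the report.
    print(unbracketed_ipv6_in_config("    resolver 192.0.2.53 2001:db8::53;"))
```

Running `nginx -t` against the generated file before reloading the web server catches any remaining syntax error while the GUI is still up.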
