
security/acme-client: HTTP-01 challenge type not working on a fresh new install (24.1.3_1)

Open beckzg opened this issue 1 year ago • 3 comments

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  • [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  • [x] The title contains the plugin to which this issue belongs

Describe the bug On a freshly installed OPNsense the ACME client is not working. As far as I could debug, the problem is that the lighttpd is not working: fetch: http://127.0.0.1:43580/: Connection reset by peer

Tip: to validate your setup was working with the previous version, use opnsense-revert (https://docs.opnsense.org/manual/opnsense_tools.html#opnsense-revert) It's a fresh new install, so I have no clue.

To Reproduce Steps to reproduce the behavior:

  1. Go to 'Services->ACME Client->Certificates'
  2. Click on 'Issue/Renew All Certificates'
  3. Scroll down to '....'
  4. See error:

<15>1 2024-03-20T11:50:18+01:00 xxxx acme.sh 22311 - [meta sequenceId="162"] [Wed Mar 20 11:50:18 CET 2024] _CURL='curl --silent --dump-header /var/etc/acme-client/home/http.header -L --trace-ascii /tmp/tmp.AJ0sQCj6 -g -- connect-timeout 1'
<11>1 2024-03-20T11:50:23+01:00 xxxx acme.sh 32219 - [meta sequenceId="163"] [Wed Mar 20 11:50:23 CET 2024] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 56
<11>1 2024-03-20T11:50:23+01:00 xxxx acme.sh 34932 - [meta sequenceId="164"] [Wed Mar 20 11:50:23 CET 2024] Here is the curl dump log:
<11>1 2024-03-20T11:50:23+01:00 xxxx acme.sh 38156 - [meta sequenceId="165"] [Wed Mar 20 11:50:23 CET 2024]
== Info: Host xxxx:80 was resolved.
== Info: IPv6: (none)
== Info: IPv4: x.x.x.x
== Info: Trying x.x.x.x:80...
== Info: Connected to xxxx (x.x.x.x) port 80
=> Send header, 199 bytes (0xc7)
0000: GET /.well-known/acme-challenge/4c2sd6MWKh47dviFULmIK6y3Z1XhIeHa
0040: zAyvuSvWx7Q HTTP/1.1
0056: Host: xxxx
0070: User-Agent: acme.sh/3.0.7 (https://github.com/acmesh-official/ac
00b0: me.sh)
00b8: Accept: */*
00c5:
== Info: Recv failure: Connection reset by peer
== Info: Closing connection
<15>1 2024-03-20T11:50:23+01:00 xxxx acme.sh 41903 - [meta sequenceId="166"] [Wed Mar 20 11:50:23 CET 2024] ret='56'
<15>1 2024-03-20T11:50:23+01:00 xxxx acme.sh 45455 - [meta sequenceId="167"] [Wed Mar 20 11:50:23 CET 2024] Debugging, skip removing: /var/etc/acme-client/challenges/.well-known

Expected behavior To generate a new certificate.

Screenshots If applicable, add screenshots to help explain your problem.

Relevant log files If applicable, information from log files supporting your claim.

Additional context Add any other context about the problem here.

Environment

OPNsense 24.1.3_1-amd64
FreeBSD 13.2-RELEASE-p10
OpenSSL 3.0.13
Intel(R) Xeon(R) Platinum 8180M CPU @ 2.50GHz (16 cores, 16 threads)

beckzg avatar Mar 20 '24 11:03 beckzg

Some more debug steps:

#> netstat -an | grep 43580
tcp4       0      0 127.0.0.1.43580        *.*                    LISTEN

#> ps axuw | grep lighttp
root 34472  0.0  0.0 14468  3820  -  S  12:42  0:00.00 /usr/local/sbin/lighttpd -f /var/etc/lighttpd-acme-challenge.conf
root 67698  0.0  0.1 22816 10428  -  S  11:36  0:02.06 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf

#> fetch http://127.0.0.1:43580/ fetch: http://127.0.0.1:43580/: Connection reset by peer

beckzg avatar Mar 20 '24 11:03 beckzg

#> curl -v http://localhost:43580/
* Host localhost:43580 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:43580...
* Connected to localhost (::1) port 43580
> GET / HTTP/1.1
> Host: localhost:43580
> User-Agent: curl/8.6.0
> Accept: */*
>
* Recv failure: Operation timed out
* Closing connection
curl: (56) Recv failure: Operation timed out

beckzg avatar Mar 20 '24 13:03 beckzg

Two different failure reasons:

fetch: http://127.0.0.1:43580/: Connection reset by peer
curl: (56) Recv failure: Operation timed out

What did you change between these two attempts?

FWIW, I cannot reproduce this anywhere. I assume that this is related to a firewall/networking configuration on your OPNsense installation.

fraenki avatar Mar 27 '24 22:03 fraenki
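The two attempts in this thread differ in more than the error text: fetch was told 127.0.0.1 explicitly, while curl resolved localhost to ::1 first and connected there. The probe below is an added diagnostic, not code from the acme-client plugin or from anyone in this issue. It starts a stand-in for the lighttpd challenge listener bound to 127.0.0.1 only (the real one is at /var/etc/lighttpd-acme-challenge.conf), then requests the challenge URL over every address a name resolves to and classifies each attempt separately as ok, refused, reset, timeout, wrong status, or wrong body. The token, key authorization and ports are constructed for the example; a CA validator would hit the public address on port 80 instead.

```python
"""Probe an HTTP-01 challenge listener and classify each failure mode.

Added diagnostic, not part of the OPNsense acme-client plugin. The server
below is a stand-in for the plugin's lighttpd challenge instance; all
tokens, key authorizations and ports are constructed for the example.
"""
import http.server
import socket
import threading

# Constructed sample values (not from any real certificate order).
SAMPLE_TOKEN = "exampleTokenAbc123"
SAMPLE_KEY_AUTHZ = SAMPLE_TOKEN + ".exampleThumbprintXyz789"
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def start_challenge_server(token, key_authz, bind_addr="127.0.0.1"):
    """Stand-in listener serving one token, like lighttpd serving the
    challenges directory. Ephemeral port; returns (server, port)."""
    expected_path = CHALLENGE_PREFIX + token

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != expected_path:
                self.send_error(404)
                return
            body = key_authz.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = http.server.HTTPServer((bind_addr, 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def unused_port():
    """A loopback port with nothing listening (for the 'refused' case)."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def probe(host, port, token, key_authz, timeout=3.0):
    """Request the challenge URL over every address `host` resolves to.

    Each attempt is classified on its own: 'ok', 'body-mismatch',
    'http-<status>', 'empty-reply', 'refused', 'reset', 'timeout' or
    'oserror:<errno>'. Reset and timeout are kept apart on purpose: a
    reset means something answered with RST, a timeout means nothing
    answered at all after the connection was accepted.
    """
    request = (
        f"GET {CHALLENGE_PREFIX}{token} HTTP/1.1\r\n"
        f"Host: {host}\r\nUser-Agent: probe/0.1\r\nAccept: */*\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [{"address": host, "result": "dns-failure", "detail": str(exc)}]
    outcomes, seen = [], set()
    for family, socktype, proto, _, sockaddr in addrs:
        if (family, sockaddr) in seen:
            continue
        seen.add((family, sockaddr))
        outcome = {"address": sockaddr[0], "result": None}
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
                sock.sendall(request)
                raw = b""
                while True:
                    chunk = sock.recv(4096)
                    if not chunk:
                        break
                    raw += chunk
        except ConnectionRefusedError:
            outcome["result"] = "refused"   # nothing listening on that address
        except ConnectionResetError:
            outcome["result"] = "reset"     # peer or a filter sent RST
        except socket.timeout:
            outcome["result"] = "timeout"   # connected, but no reply arrived
        except OSError as exc:
            outcome["result"] = f"oserror:{exc.errno}"
        else:
            head, _, body = raw.partition(b"\r\n\r\n")
            status_line = head.split(b"\r\n", 1)[0].split()
            if len(status_line) < 2:
                outcome["result"] = "empty-reply"
            elif status_line[1] != b"200":
                outcome["result"] = f"http-{status_line[1].decode()}"
            elif body.strip() == key_authz.encode():
                outcome["result"] = "ok"
            else:
                outcome["result"] = "body-mismatch"
        outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    server, port = start_challenge_server(SAMPLE_TOKEN, SAMPLE_KEY_AUTHZ)
    # 'localhost' may resolve to ::1 first, as curl did in this thread; the
    # stand-in listens on 127.0.0.1 only, so that attempt is reported on its own.
    for host in ("127.0.0.1", "localhost"):
        for o in probe(host, port, SAMPLE_TOKEN, SAMPLE_KEY_AUTHZ):
            print(f"{host:>10} via {o['address']:<10} -> {o['result']}")
    server.shutdown()
```

Run it on the firewall against the real listener (port 43580 in the thread) and against the public name on port 80 from outside, and compare per-address results rather than the summary error string: a refused, a reset and a timeout on the same port point at different layers (no listener, an active filter or the daemon closing the socket, and a silent drop respectively).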

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Sep 16 '24 10:09 OPNsense-bot