net/haproxy: Commit Error in syncCerts.py #4560

Open
3 tasks done
aque opened this issue Feb 23, 2025 · 0 comments
Labels: bug (Production bug)

aque commented Feb 23, 2025

Important notices
Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug
I am still chasing after #4203 and I narrowed it down to syncCerts.py. It generates an error when attempting to update the HAProxy certificate under /tmp/haproxy/ssl.

# /usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py sync
CRT-LIST: /tmp/haproxy/ssl/60294d9f6fa932.93592251.certlist
  FRONTEND NAME: frontend_https
  FRONTEND ID: 60294d9f6fa932.93592251
  NEW / UPDATE: /tmp/haproxy/ssl/6029e37fc87ca.pem
    ''
    "No ongoing transaction! !\nCan't commit /tmp/haproxy/ssl/6029e37fc87ca.pem!\n\n"

Both diff | actions correctly identified which certificate to replace.

# /usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py diff
FRONTEND NAME: frontend_https
  CONFIG:
    CERT (Default):
      Serial:  04E5785288966E848BB9839AAE181BBD8F00
      Issuer:  /C=US/O=Let's Encrypt/CN=E6
      Subject: /CN=host1.domain.tld
    CERT:
      Serial:  049EAE15A1E3248F1B4EA5CFE5A3A2ED5600
      Issuer:  /C=US/O=Let's Encrypt/CN=E6
      Subject: /CN=host2.domain.tld
  ACTIVE:
    CERT:
      Serial:  04E5785288966E848BB9839AAE181BBD8F00
      Issuer:  /C=US/O=Let's Encrypt/CN=E6
      Subject: /CN=host1.domain.tld
    CERT:
      Serial:  038121C688432012BF2BFDED363F6DEAAC00
      Issuer:  /C=US/O=Let's Encrypt/CN=E6
      Subject: /CN=host2.domain.tld


# /usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py actions
FRONTEND: frontend_https
  CRT-LIST: /tmp/haproxy/ssl/60294d9f6fa932.93592251.certlist
  CERT NEW / UPDATE:
     Cert:    /tmp/haproxy/ssl/6029e37fc87ca.pem
     Serial:  049EAE15A1E3248F1B4EA5CFE5A3A2ED5600
     Issuer:  /C=US/O=Let's Encrypt/CN=E6
     Subject: /CN=host2.domain.tld

  CERT ADD: []
  CERT REMOVE: []

But transactions show an empty output.

# /usr/local/opnsense/scripts/OPNsense/HAProxy/syncCerts.py transactions
## OPEN TRANSACTIONS ##

To Reproduce
Steps to reproduce the behavior:

  1. Have a different active HAProxy certificate from the configuration
  2. Run syncCerts.py sync

Expected behavior
I expect an updated certificate under /tmp/haproxy/ssl and it is synced to the running HAProxy process without requiring a restart.

Additional context
I am eager to get this working since Let's Encrypt is planning to offer 6-day certificate lifetimes as an option this year.

In case certificate key length is relevant, I have it set to ec-384.

Environment
OPNsense 25.1.1-amd64
Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz
igb network driver
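
The "No ongoing transaction" reply quoted above is what HAProxy's runtime API returns when "commit ssl cert" is issued without a preceding, successful "set ssl cert" for the same file. The following is an added example, not code from the os-haproxy plugin or its syncCerts.py: it performs the two-phase update (set, then commit) and refuses to commit unless the reply to "set ssl cert" confirms that a transaction was opened, so an empty or unexpected reply surfaces as a clear error instead of the commit failure seen in the report. The command names and reply texts are the HAProxy runtime API's own; FakeHAProxy, the certificate path and the PEM payload are constructed for the example, and haproxy_socket_transport assumes a stats socket configured with admin level.

```python
"""Two-phase certificate update over the HAProxy runtime API (added example)."""
from __future__ import annotations

import socket
from typing import Callable

# A transport sends one runtime API command and returns HAProxy's raw reply.
Transport = Callable[[str], str]


class CertUpdateError(RuntimeError):
    """Raised when a phase of the set/commit sequence does not succeed."""


def haproxy_socket_transport(path: str, timeout: float = 5.0) -> Transport:
    """Real transport: one command per connection on the stats UNIX socket.
    Assumes 'stats socket <path> level admin' in the HAProxy configuration."""
    def send(command: str) -> str:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect(path)
            # The trailing newline terminates the '<<' payload with an empty line.
            sock.sendall(command.encode() + b"\n")
            chunks = []
            while data := sock.recv(4096):
                chunks.append(data)
            return b"".join(chunks).decode(errors="replace")
    return send


def update_certificate(send: Transport, cert_path: str, pem: str) -> str:
    """Replace cert_path in the running HAProxy without a restart.
    Phase 1 opens a transaction with the new PEM; phase 2 commits it.
    The commit is only sent when phase 1 confirmed the transaction."""
    reply = send(f"set ssl cert {cert_path} <<\n{pem.strip()}\n")
    if "Transaction created" not in reply:
        raise CertUpdateError(
            f"set ssl cert {cert_path} did not open a transaction; reply was {reply!r}"
        )
    reply = send(f"commit ssl cert {cert_path}")
    if "Success!" not in reply:
        # A transaction exists but could not be committed: drop it so the
        # next run starts clean, then report the failure.
        send(f"abort ssl cert {cert_path}")
        raise CertUpdateError(f"commit ssl cert {cert_path} failed; reply was {reply!r}")
    return reply


class FakeHAProxy:
    """Constructed stand-in for the stats socket (not HAProxy itself). It models
    the transaction state that 'commit ssl cert' checks; healthy=False makes
    'set ssl cert' return an empty reply without opening a transaction."""

    def __init__(self, healthy: bool = True) -> None:
        self.healthy = healthy
        self.transactions: dict[str, str] = {}
        self.active: dict[str, str] = {}
        self.log: list[str] = []  # first line of every command received

    def __call__(self, command: str) -> str:
        self.log.append(command.split("\n", 1)[0])
        verb, _, rest = command.partition(" ssl cert ")
        if verb == "set":
            path, _, payload = rest.partition(" <<\n")
            if not self.healthy:
                return ""
            self.transactions[path] = payload.strip()
            return f"Transaction created for certificate {path}!\n"
        if verb == "commit":
            path = rest.strip()
            if path not in self.transactions:
                return f"No ongoing transaction! !\nCan't commit {path}!\n\n"
            self.active[path] = self.transactions.pop(path)
            return f"Committing {path}.\nSuccess!\n"
        if verb == "abort":
            path = rest.strip()
            self.transactions.pop(path, None)
            return f"Transaction aborted for certificate {path}!\n"
        return "Unknown command.\n"


def demo() -> dict:
    """Run the sequence against a healthy and a broken fake and return the outcome."""
    pem = "-----BEGIN CERTIFICATE-----\nMIIBconstructedPayload\n-----END CERTIFICATE-----"
    path = "/tmp/haproxy/ssl/example.pem"  # placeholder path, not from the report
    healthy = FakeHAProxy(healthy=True)
    update_certificate(healthy, path, pem)
    broken = FakeHAProxy(healthy=False)
    try:
        update_certificate(broken, path, pem)
        error = ""
    except CertUpdateError as exc:
        error = str(exc)
    return {
        "pem": pem,
        "healthy_log": healthy.log,
        "healthy_active": healthy.active.get(path),
        "broken_log": broken.log,
        "error": error,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Against the broken fake the function stops after phase 1 and never sends the commit, which is the check a sync script wants before it reports success or failure for a certificate.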

fraenki self-assigned this Feb 25, 2025
fraenki added the bug (Production bug) label Feb 25, 2025