Cannot connect to ipfire web interface

General questions.
nurbles62
Posts: 8
Joined: October 12th, 2018, 12:53 pm
Location: Rockledge, Florida, USA

Cannot connect to ipfire web interface

Post by nurbles62 » July 26th, 2019, 11:49 am

I check my firewall and other servers every few days by logging in to their web interface control panels. This morning neither Chrome nor Firefox will allow me to connect to my IPFire system. Chrome gives this (The address is IPFire on my internal network):
ipfire-whoops.png
Firefox at least gave me a chance to continue:
ipfire-whoops-ff.png
But clicking the "Accept Risk" button brings back the same warning instead of continuing on to the page.

So, have I been hacked? Have all of the browsers suddenly become hostile to my IPFire certificate?

I am not knowledgeable about certificates, so I do not know what to look for when I view the certificate from Firefox. However, the top line in the general tab says Could not verify this certificate because the issuer is unknown. Could that be the cause of my problem?

How do I fix this (hopefully short of starting over from scratch!)? Thanks!

PS: Since I'm not sure how my sig gets the latest IPFire version, I want to mention that it was most recently updated within the past week or so. I don't know how to get the Core Update number from a command line, but the version (2.23) is what I see in /etc/issue.

Arne.F
Core Developer
Posts: 8522
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: Cannot connect to ipfire web interface

Post by Arne.F » July 26th, 2019, 5:56 pm

It's normal that the browsers complain about the self-signed certificate, but in your case it gives another error, that the format of the certificate is wrong.

Have you tried another PC? Sometimes malware or protection software breaks the TLS connections.

Can you check the start of Apache on the console?

/etc/init.d/apache restart

If this also reports problems, I think your local hostkey files are corrupted.
Arne

Support the project on the donation!

PS: I will not answer support questions via email and ignore IPFire related messages on my non IPFire.org mail addresses.

xfire
Posts: 3
Joined: August 11th, 2011, 12:54 pm
Location: Wien

Re: Cannot connect to ipfire web interface

Post by xfire » July 26th, 2019, 7:15 pm

Hello folks,
I have had the same problem as nurbles62 for a few days.
Firefox cannot be made to accept the certificate.
I suspect that with the update to version 68.0.1 it was all over.
MS Edge behaves the same way.
On another Win10 machine MS Edge at least works, haltingly, with the following error message:
"Dem Sicherheitszertifikat dieser Website wird von Ihrem PC nicht vertraut.
Der Hostname im Sicherheitszertifikat der Website stimmt nicht mit dem Namen der Website überein,
die Sie besuchen möchten.
Fehlercode: DLG_FLAGS_INVALID_CA
DLG_FLAGS_SEC_CERT_CN_INVALID
Webseite trotzdem laden (Nicht empfohlen)"
It's all Greek to me.
In the meantime I have completely restarted IPFire: no change.
I then also carried out Arne's recommendation: no change.
Unfortunately I know too little about certificates to find a solution here.

Does anyone have a tip?

xfire
Posts: 3
Joined: August 11th, 2011, 12:54 pm
Location: Wien

Re: Cannot connect to ipfire web interface

Post by xfire » July 26th, 2019, 8:42 pm

I have just followed a tip on the Mozilla homepage and carried out a clean-up procedure.
After that the security warning could be accepted and the IPFire web interface opened again.

@nurbles62
Try this in the Firefox browser:
https://support.mozilla.org/en-US/kb/re ... d-settings
Click on the button: Refresh Firefox
I succeeded.

xfire
Posts: 3
Joined: August 11th, 2011, 12:54 pm
Location: Wien

Re: Cannot connect to ipfire web interface

Post by xfire » July 27th, 2019, 6:27 am

Sorry, but this isn't a very good solution:
you have to refresh Firefox whenever you restart your PC.

oldcrow
Posts: 21
Joined: March 20th, 2012, 5:23 am
Location: austria

Re: Cannot connect to ipfire web interface

Post by oldcrow » July 29th, 2019, 9:47 am

Hello! The same problem: "Google Chrome" and "MS Edge" are not working.
It's only possible to log on with iPhone Safari. Is there a solution? Best greets

nurbles62
Posts: 8
Joined: October 12th, 2018, 12:53 pm
Location: Rockledge, Florida, USA

Re: Cannot connect to ipfire web interface

Post by nurbles62 » July 29th, 2019, 11:37 am

Arne.F wrote:
Have you tried another PC? Sometimes malware or protection software breaks the TLS connections.
I tried from several different computers before posting my question and all of them had the same issue.
Arne.F wrote:
Can you check the start of Apache on the console?

/etc/init.d/apache restart

If this also reports problems, I think your local hostkey files are corrupted.
The error_log shows "resuming normal operations", BUT before it says that there are two lines that say "server certificate does NOT include an ID which matches the server name". Out of curiosity, I searched the old error log files and every one back to error_log.40 contains the same certificate message. error_log.42 (from Oct 7, 2018) shows a certificate being revoked and then generated (I believe it is my cert for OpenVPN access [which I turned off and no longer use] because the path starts with /var/ipfire/ovpn).

Thanks to your comments and questions, I found this reference https://wiki.ipfire.org/optimization/ssl_cert (shared for anyone with a similar problem who finds this thread). After regenerating the two certificates I found, things seem to be working OK (once I added the exception for the local cert to the browsers).

Thanks for your help!
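The Apache message quoted above, "server certificate does NOT include an ID which matches the server name", means the certificate's identities (subjectAltName entries, or the legacy CN) do not cover the configured server name; browsers apply the same test to the name typed in the URL, and current ones ignore the CN entirely, so a CN-only or wrong-name certificate fails no matter how often an exception is accepted. The script below is an added example, not code from this thread or from the IPFire project: it fetches the web interface's self-signed certificate and reports which identity, if any, matches the name you connect by. The host name ipfire, port 444 and the two sample certificate dicts are assumptions and constructed test data.

```python
import ipaddress
import socket
import ssl

# Constructed sample certificates in the dict shape ssl.getpeercert() returns.
CN_ONLY_CERT = {"subject": ((("commonName", "ipfire"),),), "subjectAltName": ()}
SAN_CERT = {"subject": ((("commonName", "ipfire.localdomain"),),),
            "subjectAltName": (("DNS", "ipfire.localdomain"), ("IP Address", "192.168.1.1"))}

def _dns_match(pattern, hostname):
    """Case-insensitive DNS name match, allowing one leftmost wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def check_identity(cert, hostname):
    """Return (ok, reason): does the certificate carry an ID matching hostname?"""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:  # connecting by IP literal: only a SAN IP entry counts
        if any(ipaddress.ip_address(v) == wanted_ip for v in ip_names):
            return True, "IP %s is in subjectAltName" % hostname
        return False, "subjectAltName has no IP entry for %s" % hostname
    if any(_dns_match(d, hostname) for d in dns_names):
        return True, "DNS name %s is in subjectAltName" % hostname
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if cn and _dns_match(cn[0], hostname):
        return False, "only CN=%s matches; browsers ignore CN, regenerate with a SAN" % cn[0]
    return False, "no ID in the certificate matches %s" % hostname

def fetch_cert(host="ipfire", port=444):
    """Fetch the (self-signed) certificate as a parsed dict. ssl.getpeercert() is empty
    unless the chain verified, so trust exactly the PEM the server sends and reconnect."""
    pem = ssl.get_server_certificate((host, port))
    ctx = ssl.create_default_context(cadata=pem)
    ctx.check_hostname = False  # the name match is diagnosed by check_identity instead
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    ok, reason = check_identity(fetch_cert(), "ipfire")
    print("OK" if ok else "MISMATCH", "-", reason)
```

Run it once with the host name and once with the firewall's IP address; the second call succeeding while the first fails is the situation Arne describes later in the thread.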

Arne.F
Core Developer
Posts: 8522
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: Cannot connect to ipfire web interface

Post by Arne.F » July 29th, 2019, 2:32 pm

For a while now Mozilla has not accepted the "hostname" to connect with a self-signed certificate. It only works with the IP address (https://ip-address:444).
You still need some more clicks to ignore the self-signed certificate...
Arne


H&M
Posts: 471
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: Cannot connect to ipfire web interface

Post by H&M » July 29th, 2019, 5:23 pm

Hi,

I had the same problem, so I wrote a custom Apache init script that creates a local root CA and an intermediate CA.
Then I imported these CAs (the trust chain) on my machine.

Custom Apache init script: viewtopic.php?f=27&t=19814&hilit=apache ... 15#p112742
How to create openssl.cnf files for the root CA and intermediate CA: viewtopic.php?f=27&t=19814&hilit=apache ... 15#p112342

Option 2: I am working to get a Let's Encrypt certificate for my IPFire following Method 3 (acme.sh for Let's Encrypt) from this IPFire wiki: https://wiki.ipfire.org/nginx/start
I am still having problems validating the Let's Encrypt certificate request (the CSR is created, also the private key). Let's Encrypt requires access to the local Apache on IPFire over port 80 to read a special key that is created by acme.sh:
1. Apache listens on port 81, to deploy wpad for example. This is the only way to bypass authentication for the IPFire Apache; the other ports require authentication. Port 81 does not!
2. Although I NAT-ed port 80 from red0 to green0 port 81, the validation fails, and I believe there is an HTTP redirect somewhere that I have to identify and build a second NAT for... I see the HTTP GET request coming from Let's Encrypt, but then something fails...

I'll let you know when I manage to have a Let's Encrypt certificate for my IPFire and replace the locally built root CA and intermediate CA... plus the need to install the trust chain on my machines...

Hope it helps!
H&M

oldcrow
Posts: 21
Joined: March 20th, 2012, 5:23 am
Location: austria

Re: Cannot connect to ipfire web interface

Post by oldcrow » July 31st, 2019, 2:47 pm

I installed Mozilla again and so I can get to the web interface again ::)

gpatel-fr
Posts: 51
Joined: July 24th, 2019, 7:59 am

Re: Cannot connect to ipfire web interface

Post by gpatel-fr » August 1st, 2019, 11:03 am

>>I NAT-ed port 80 from red0 to green0 port 81

I'm not sure it's a very good idea. All that Let's Encrypt needs is to download ONE (1) file from your computer so that it proves you are controlling the domain. And for that you are (unless I'm mistaken) exposing your IPFire administrative interface permanently to the internet.
I think that you should rather investigate the use of the --standalone certbot flag. With this option, certbot fires up a temporary web server (in fact that's the web server integrated with the Python interpreter) only for the time necessary to serve the proof file. All that would be needed is to open port 80, and said port would really be usable only for the very limited time needed by certbot to serve the file, one time every 3 months. After that you may have more work to copy the certificate to the needed place and restart Apache by yourself. But I think that's a better way, since it allows you to automate the process while keeping the exposure to a minimum (it's not a very big one to have an open port on which no program listens, IMO).

Arne.F
Core Developer
Posts: 8522
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: Cannot connect to ipfire web interface

Post by Arne.F » August 1st, 2019, 11:33 am

I would add an own vhost config for port 80 with a different webroot, and not use a redirect to port 81, which usually redirects to https for the webgui.
Arne


boh73
Posts: 2
Joined: August 3rd, 2019, 9:26 pm

Re: Cannot connect to ipfire web interface

Post by boh73 » August 3rd, 2019, 9:40 pm

I have the same problem: I cannot open the web interface with Firefox (my main browser) after the update to version 68.0.1.
I tried Internet Explorer and Google Chrome too ... without success.

I installed Firefox fresh ... then I was able to open the web interface ... but only 1 or 2 times.
I tried to create a new certificate on IPFire ... the result was the same ... the next 1-2 times I can open the web interface.
But nothing worked for longer; it ends in getting the security warning and Firefox ignores the "accept the risk" button.

Any other ideas how to fix this problem?

gpatel-fr
Posts: 51
Joined: July 24th, 2019, 7:59 am

Re: Cannot connect to ipfire web interface

Post by gpatel-fr » August 4th, 2019, 6:42 am

>>I have the same problem

That should not prevent you from giving all relevant information, such as:
- IPFire version
- did you reset Firefox? I'm not sure that reinstalling Firefox restores parameters; you should be sure that all parameters are at their default value, and the recommended way is to reset Firefox (troubleshooting menu)
- do you access IPFire through the internal network, with the URL
https://ipfire:444
where 'ipfire' is the internal name of your firewall, so that you can do
ping ipfire
on the computer you use to connect to the web interface, and ping should work.

For the record, I have tested Firefox 68.0.1 with IPFire 2.23 core134 and I don't see your problem. There is a warning the first time, yes, but it allows me through after that.

H&M
Posts: 471
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: Cannot connect to ipfire web interface

Post by H&M » August 4th, 2019, 10:03 am

gpatel-fr wrote:
August 1st, 2019, 11:03 am
>>I NAT-ed port 80 from red0 to green0 port 81

I think that you should rather investigate the use of the --standalone certbot flag. With this option, certbot fires up a temporary web server (in fact that's the web server integrated with the Python interpreter) only for the time necessary to serve the proof file. All that would be needed is to open port 80, and said port would really be usable only for the very limited time needed by certbot to serve the file, one time every 3 months. After that you may have more work to copy the certificate to the needed place and restart Apache by yourself. But I think that's a better way, since it allows you to automate the process while keeping the exposure to a minimum (it's not a very big one to have an open port on which no program listens, IMO).
Hello,
I tried that: it requires socat, which is not (by default) present on IPFire. Also, socat is not part of the addon list.

acme.sh --issue --standalone -d ipfire1.mydomain.com
[Sun 04 Aug 2019 01:00:35 PM EEST] Please install socat tools first.
[Sun 04 Aug 2019 01:00:35 PM EEST] _on_before_issue.

Thank you, and if you have more ideas I am willing to test them; I have a spare IPFire just for this: testing Let's Encrypt. It is a bit-by-bit copy of the production one...

H&M
