Cannot connect to ipfire web interface

General questions.
boh73
Posts: 2
Joined: August 3rd, 2019, 9:26 pm

Re: Cannot connect to ipfire web interface

Post by boh73 » August 4th, 2019, 10:27 am

gpatel-fr wrote:
August 4th, 2019, 6:42 am
> >>I have the same problem
>
> that should not prevent you from giving all relevant information, such as:
> - Ipfire version
I have installed the newest version v2.23 core update 134

> - did you reset Firefox? I'm not sure that reinstalling Firefox does not restore parameters, you should be sure that all parameters are at default value and the recommended way is to reset Firefox (troubleshooting menu)
No, I did not reset Firefox because I need my configuration. But I created a new profile, which is totally empty (no addons or changed settings). I also tried it with a second Windows PC. There access was possible, but only because Firefox was not updated to 68.0.1. After the update, same problem. And I used a Linux machine with Firefox ... same problem.
As you could read from xfire ... he had to reset Firefox after every reboot of the PC. I wrote the same ... using a new profile or reinstalling Firefox allowed me to access the web interface .. but only 1 or 2 times.

> - do you access ipfire through the internal network, with the url
> https://ipfire:444
> where 'ipfire' is the internal name of your firewall, so that you can do
> ping ipfire
> on the computer you use to connect to the web interface, and ping should work.
Yes I do ... I used the FQDN and I access it from the local subnet and tried the IP address too.
And yes, ping is ok.

> For the record, I have tested Firefox 68.0.1 with Ipfire 2.23 core134 and I don't see your problem. There is a warning first time, yes, but it allows me through after that.

gpatel-fr
Posts: 51
Joined: July 24th, 2019, 7:59 am

Re: Cannot connect to ipfire web interface

Post by gpatel-fr » August 4th, 2019, 1:36 pm

@H&M

>>if have more ideas

certbot.
If you have an x86-type processor it should work.

Code:

pakfire install python3
wget https://dl.eff.org/certbot-auto
chmod 0755 certbot-auto
USE_PYTHON_3=1 ./certbot-auto --no-bootstrap

oldcrow
Posts: 21
Joined: March 20th, 2012, 5:23 am
Location: austria

Re: Cannot connect to ipfire web interface

Post by oldcrow » August 14th, 2019, 6:10 am

Hey folks!

With the new Firefox version (68.0.1 Firefox Release - July 18, 2019) I now also have problems connecting to the web interface.

@gpatel-fr
Is this a solution to the problem if I install your command?

best greets, crow!

Arne.F
Core Developer
Posts: 8522
Joined: May 7th, 2006, 8:57 am
Location: BS <-> NDH

Re: Cannot connect to ipfire web interface

Post by Arne.F » August 14th, 2019, 7:14 am

Firefox doesn't add correct exceptions for self-signed certs for local DNS names anymore.

Use the green IP address instead of the name:
https://xx.xx.xx.xx:444
Arne

Support the project on the donation!

PS: I will not answer support questions via email and ignore IPFire related messages on my non IPFire.org mail addresses.

gpatel-fr
Posts: 51
Joined: July 24th, 2019, 7:59 am

Re: Cannot connect to ipfire web interface

Post by gpatel-fr » August 14th, 2019, 7:38 am

oldcrow wrote:
August 14th, 2019, 6:10 am

@gpatel-fr
is this a problem solution when i install your command?
It may be a way to create an approved (not self-signed) certificate, but it's a very complicated way to address the problem and mostly overkill. Also, when I was posting this I failed to notice that ipfire includes dehydrated, a letsencrypt client, and that should be the preferred way to address this particular need. I had replied to someone using acme.sh, yet another letsencrypt client, and as I had seen that acme.sh was not packaged by ipfire I was assuming that there was no ipfire letsencrypt client at all, so I was falling back to the canonical letsencrypt client, certbot (I'm still in the process of trying out ipfire to see if it fits my needs)

Anyway, if you add to your local hosts file the IP address of your ipfire green interface, https://your-ipfire-name:444 will work, at least on Linux (I don't have a quick way to test this on other OSes)

H&M
Posts: 471
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: Cannot connect to ipfire web interface

Post by H&M » August 14th, 2019, 3:31 pm

gpatel-fr wrote:
August 14th, 2019, 7:38 am


It may be a way to create an approved (not self-signed) certificate, it's a very complicated way to address the problem and mostly overkill. Also, when I was posting this I failed to notice that ipfire includes dehydrated, a letsencrypt client, and that should be the preferred way to address this particular need. I had replied to someone using acme.sh, yet another letsencrypt client, and as I had seen that acme.sh was not packaged by ipfire I was assuming that there was no ipfire letsencrypt client at all, so I was falling back to the canonical letsencrypt client, certbot (I'm still in the process of trying out ipfire to see if it fits my needs)
Hi,
After looking at dehydrated (thank you for mentioning it!) I see that it needs the same way to verify the domain: http-01 type verification -> an HTTP access to a verification file on a URL that the Let's Encrypt server (or ACME in general) should find on my server...

It is worth mentioning that dehydrated can also use dns-01 type verification, but I do not own the domain so I can't create the TXT entry as required by dns-01 type verification..

If I am not making any wrong assumption, then no matter which script is used (acme, dehydrated, etc) I will need to pass an http-01 type verification because I do not own the domain, hence I have no solution to create the TXT record used by dns-01 type verification.

Hope I got this right - that we have only 2 options available to verify the certificate, and as you very well pointed out this might be overkill...

Because I have zero (minus 1 to be fair) experience with vhosts (as Arne suggested to use for port 80), I plan to use the pi-hole as http server and build a temporary NAT from RED0 to the pi-hole IP address so that the http-01 verification works. As soon as that ends, the script will delete the NAT so that Pi-hole is protected.

This is the theory... I'll let you know how good (or bad!) I was in making them work.

Thank you all for the valuable inputs!
H&M

gpatel-fr
Posts: 51
Joined: July 24th, 2019, 7:59 am

Re: Cannot connect to ipfire web interface

Post by gpatel-fr » August 14th, 2019, 4:10 pm

H&M wrote:
August 14th, 2019, 3:31 pm

If I am not making any wrong assumption, then no matter of script to be used (acme, dehydrated, etc) I will need to pass a http-01 type verification because I do not own the domain hence I have no solution to create the TXT record used by dns-01 type verification.
Yes, if it's not possible to do *any* change to the DNS it's not possible to use dns-01. There are 2 workarounds:

1) some DNS providers (the good ones) provide an API, basically the customers get something like an API key that they enter in their letsencrypt client and then said client does its thing. Acme.sh is said to be great for that.

2) there is no API but you can ask the DNS owner to set up some subdomain thingy that you control. It's been a while since I read about it and I don't remember the details but I think they could easily be dug out of the letsencrypt forum if needed

As for your pi-hole idea, if you like it so be it, but if I had to do it I'd prefer to keep it all on the ipfire system by using Python for the web server part on the ipfire system; that's how certbot, the EFF Letsencrypt client, implements the standalone option and it's quite easy:

cd <letsencrypt directory>
python3 -m http.server 80

that's it, with a bit of scripting :-)

Maybe dehydrated can do something like that, I have never looked it up until now, but since it's based on bash it's not straightforward because last time I looked bash can't be a web server (and it can't read mail either)

H&M
Posts: 471
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: Cannot connect to ipfire web interface

Post by H&M » August 14th, 2019, 6:08 pm

dehydrated is a dead end: pakfire brings version 0.6.2 which generates an error when trying to verify the cert with Let's Encrypt server
I've manually got from GIT the version 0.6.5 just to discover that it does not respect the config: it cleans the verification token and also generates (always!) a new private key plus a new csr although I said NO in the config file for those...

Trying certbot....

H&M
Posts: 471
Joined: May 29th, 2014, 9:38 pm
Location: Europe

[SOLVED with Let's Encrypt Certificate] Cannot connect to ipfire web interface

Post by H&M » August 14th, 2019, 7:42 pm

Certbot:

Running http.server daemon:

Code:

python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
18.197.227.110 - - [14/Aug/2019 22:22:35] "GET /.well-known/acme-challenge/uxbXUiiqGLya2nrlFlyNh5_99E8fArToQjRDMR69JXk HTTP/1.1" 200 -
66.133.109.36 - - [14/Aug/2019 22:22:36] "GET /.well-known/acme-challenge/uxbXUiiqGLya2nrlFlyNh5_99E8fArToQjRDMR69JXk HTTP/1.1" 200 -
34.222.229.130 - - [14/Aug/2019 22:22:36] "GET /.well-known/acme-challenge/uxbXUiiqGLya2nrlFlyNh5_99E8fArToQjRDMR69JXk HTTP/1.1" 200 -
In the exact folder where http.server was launched there needs to be the ACME folder structure (relative to that folder, i.e. the webroot given to certbot with -w):

Code:

mkdir -p .well-known/acme-challenge/

Then create a DNAT from RED to GREEN: use the GUI... because it needs a rule in INPUTFW for your RED and another rule in the NAT table to do the port address translation...

Then launch certbot and watch how the http.server launched above serves the http-01 verification file to Let's Encrypt

Code:

USE_PYTHON_3=1 ./certbot-auto certonly --webroot -w /root/certbot -d mydomain.ISP.tld
bash: ./certbot-auto: No such file or directory
[root@test_ipfire acme-v02.api.letsencrypt.org]# cd ~/certbot/
[root@test_ipfire certbot]# USE_PYTHON_3=1 ./certbot-auto certonly --webroot -w /root/certbot -d mydomain.ISP.tld
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): your_email@hide.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.ISP.tld
Using the webroot path /root/certbot for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/mydomain.ISP.tld/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/mydomain.ISP.tld/privkey.pem
   Your cert will expire on 2019-11-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

This is it... in manual mode.
Now I need to move the generated files into /etc/httpd and restart Apache... all of this in a nice script that also stops the FW (INPUTFW and DNAT rules), because while I tested this I got so many people poking at my port 80 ...
Actually I need to find all Let's Encrypt source IP addresses and allow only those to access my port 80...

The good news is that in manual mode it works; the rest is hard work to create a good script...

Thanks!
H&M

Late edit: after I moved the files into /etc/httpd, replacing the ones that were created by /etc/init.d/apache:
[attachment: Lets Encrypt certificate for ipfire.PNG]
Last edited by H&M on August 14th, 2019, 8:03 pm, edited 2 times in total.
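As an added example (not code from the thread, IPFire or certbot), here is a narrower stand-in for the bare `python3 -m http.server 80` used in the post above and in gpatel-fr's standalone suggestion: it answers only `/.well-known/acme-challenge/<token>` and returns 404 for everything else, so the port-80 exposure during validation is limited to the challenge files rather than the whole webroot. The webroot path, the token pattern and the `run_responder()` arguments are assumptions.

```python
# Constructed example (not from the thread): an http-01 responder that serves only
# /.well-known/acme-challenge/<token>, unlike `python3 -m http.server 80`, which
# exposes every file under the webroot and lists directories.  The webroot path,
# TOKEN_RE and the run_responder() arguments are assumptions.
import os
import re
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# certbot names challenge files with base64url characters only: no '/', '.', '..'
TOKEN_RE = re.compile(r"^/\.well-known/acme-challenge/([A-Za-z0-9_-]{8,128})$")

def challenge_file(webroot, path):
    """Return the challenge file for an ACME request path, else None (-> 404)."""
    m = TOKEN_RE.match(path)
    if not m:
        return None
    # realpath() so a symlink or '..' cannot resolve outside the challenge dir
    base = os.path.realpath(os.path.join(webroot, ".well-known", "acme-challenge"))
    cand = os.path.realpath(os.path.join(base, m.group(1)))
    if os.path.dirname(cand) != base or not os.path.isfile(cand):
        return None
    return cand

class AcmeOnlyHandler(BaseHTTPRequestHandler):
    webroot = "/root/certbot"  # the -w path passed to certbot-auto

    def do_GET(self):
        f = challenge_file(self.webroot, self.path.split("?", 1)[0])
        if f is None:
            self.send_error(404)  # no listing, no other files
            return
        with open(f, "rb") as fh:
            body = fh.read()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def run_responder(webroot, port=80, deadline_s=300):
    """Answer requests until the deadline, then exit so the DNAT can be removed."""
    AcmeOnlyHandler.webroot = webroot
    srv = HTTPServer(("0.0.0.0", port), AcmeOnlyHandler)
    srv.timeout = 1  # handle_request() returns after 1 s without a connection
    end = time.monotonic() + deadline_s
    while time.monotonic() < end:
        srv.handle_request()
    srv.server_close()
```

Call `run_responder("/root/certbot")` on the firewall only while the temporary DNAT rule is in place; it stops by itself after the deadline.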

gpatel-fr
Posts: 51
Joined: July 24th, 2019, 7:59 am

Re: Cannot connect to ipfire web interface

Post by gpatel-fr » August 14th, 2019, 7:52 pm

H&M wrote:
August 14th, 2019, 7:42 pm

Actually I need to find all Let's Encrypt source IP addresses and allow only those to access my port 80...
I don't think this is a good idea, IIRC Let's encrypt engineers discourage it since their source address is not always constant.

H&M
Posts: 471
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: Cannot connect to ipfire web interface

Post by H&M » August 14th, 2019, 8:00 pm

No problem with that: I've found a way to get all source IP addresses I need: apparently Let's Encrypt uses only Amazon EC2 servers.
Amazon EC2 has posted their addresses in a JSON that can be parsed with the command below:

Code:

# -s instead of -k: keep TLS verification on when fetching the list, just silence the progress output
amazon=`curl -s https://ip-ranges.amazonaws.com/ip-ranges.json 2>/dev/null |grep ip_prefix |tr -d '":\n'|sed -e 's/ip_prefix//g' |sed -e 's/ //g'|sed -e 's/,$//g'`

Then I can use that variable in any iptables chain I need... and avoid opening my port 80 to the whole world...

It's just a thought... will see if it works.

gpatel-fr
Posts: 51
Joined: July 24th, 2019, 7:59 am

Re: Cannot connect to ipfire web interface

Post by gpatel-fr » August 14th, 2019, 9:01 pm

H&M wrote:
August 14th, 2019, 8:00 pm
No problem with that: I've found a way to get all source IP addresses I need: apparently Let's Encrypt uses only Amazon EC2 servers.
https://community.letsencrypt.org/t/ip- ... le/5410/18

they *want* their source addresses to be unpredictable.

H&M
Posts: 471
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: Cannot connect to ipfire web interface

Post by H&M » August 14th, 2019, 9:27 pm

In this case, no more Let's Encrypt for me - I am running (literally) a full GeoIP block: all countries are blocked for input traffic and this is *standard* for me.
I do understand Let's Encrypt's concern but that makes it unusable for me ... Same for exit traffic: less than 10 countries allowed, the rest of the resources I need are allowed like this

Well, back to my own script for creating a ROOT CA + intermediate CA and issuing from those an Apache certificate. It's much easier to push the internal chain to all my machines compared with tracking all attacks against port 80 opened by python3...

Thanks for the inputs - quite a learning for me!
H&M

Old-IT-Guy
Posts: 1
Joined: April 20th, 2018, 2:10 pm

Re: Cannot connect to ipfire web interface

Post by Old-IT-Guy » November 7th, 2019, 8:27 pm

After a clean install of IPFire 136, still no web interface with Chrome or Edge! But Firefox lets me in.

Rebuilt SSH keys. Waited 2 weeks hoping for updates on this problem. Seems everyone has given up, or I am not seeing any fix that is out on the internet. IPFire has not addressed it on their site.
