inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.
https://packetfence.org
GNU General Public License v2.0

Status code 422 - Let's Encrypt #6412

Closed mattuyga closed 3 years ago

mattuyga commented 3 years ago

Describe the bug
I intend to install an SSL certificate generated with "Let's Encrypt" to be used on the captive portal and admin interface. After carrying out the port-forwarding of the ports (1443, 443 and 80) and having verified the operation, I enter the Common name in the appropriate page, I click test, and I receive the status code 422.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'Configuration' > 'System Configuration' > 'SSL Certificates'
  2. Click on 'HTTP' > 'Edit'
  3. Enable 'Use Let's Encrypt' and insert the Common name (my domain pointing to my public IP);
  4. Click on 'Test'
  5. The error 'Request failed with status code 422' appears

Screenshots
(image attached to the issue; not reproduced here)

Desktop:

Server:

PacketFence version:

Additional context
I opened the ports on my firewall and checked that port-forwarding is working correctly.

julsemaan commented 3 years ago

My initial thought is that something must be misconfigured for your domain and port forwarding because that's what the code means.

I can take a quick look anyway if you give us your domain name

mattuyga commented 3 years ago

Thanks for your help.

This is my domain name: packet.bcentral.cloud

These are the iptables rules present on the Packetfence server:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N forward-internal-inline-if
-N forward-internal-isolvlan-if
-N forward-internal-vlan-if
-N input-dhcp-if
-N input-dns-if
-N input-highavailability-if
-N input-internal-inline-if
-N input-internal-isol_vlan-if
-N input-internal-vlan-if
-N input-management-if
-N input-portal-if
-N input-radius-if
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -d 224.0.0.0/8 -i enp2s0 -j ACCEPT
-A INPUT -i enp2s0 -p vrrp -j ACCEPT
-A INPUT -i enp2s0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -d 66.70.255.147/32 -i enp2s0 -j input-internal-vlan-if
-A INPUT -i enp2s0 -p udp -m udp --dport 53 -j input-internal-inline-if
-A INPUT -i enp2s0 -p tcp -m tcp --dport 53 -j input-internal-inline-if
-A INPUT -d 10.0.8.1/32 -i enp2s0 -j input-internal-inline-if
-A INPUT -d 255.255.255.255/32 -i enp2s0 -j input-internal-inline-if
-A INPUT -d 192.168.0.63/32 -i enp2s0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d 224.0.0.0/8 -i enp1s0 -j ACCEPT
-A INPUT -i enp1s0 -p vrrp -j ACCEPT
-A INPUT -i enp1s0 -j input-radius-if
-A INPUT -d 224.0.0.0/8 -i enp1s0 -j ACCEPT
-A INPUT -i enp1s0 -p vrrp -j ACCEPT
-A INPUT -i enp1s0 -j input-radius-if
-A INPUT -i enp1s0 -j input-management-if
-A FORWARD -i enp2s0 -j forward-internal-inline-if
-A FORWARD -i enp1s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward-internal-inline-if -m mark --mark 0x3 -m set --match-set pfsession_passthrough dst,dst -j ACCEPT
-A forward-internal-inline-if -m mark --mark 0x2 -m set --match-set pfsession_isol_passthrough dst,dst -j ACCEPT
-A forward-internal-inline-if -m mark --mark 0x1 -j ACCEPT
-A forward-internal-isolvlan-if -m set --match-set pfsession_isol_passthrough dst,dst -j ACCEPT
-A forward-internal-isolvlan-if -m set --match-set pfsession_isol_passthrough src,src -j ACCEPT
-A forward-internal-vlan-if -m set --match-set pfsession_passthrough dst,dst -j ACCEPT
-A forward-internal-vlan-if -m set --match-set pfsession_passthrough src,src -j ACCEPT
-A input-dhcp-if -p udp -m udp --dport 67 -j ACCEPT
-A input-dhcp-if -p tcp -m tcp --dport 67 -j ACCEPT
-A input-dns-if -p tcp -m tcp --dport 53 -j ACCEPT
-A input-dns-if -p udp -m udp --dport 53 -j ACCEPT
-A input-highavailability-if -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A input-highavailability-if -p udp -m udp --dport 4253 -j ACCEPT
-A input-highavailability-if -p tcp -m tcp --dport 4444 -j ACCEPT
-A input-highavailability-if -p tcp -m tcp --dport 4567 -j ACCEPT
-A input-highavailability-if -p tcp -m tcp --dport 4568 -j ACCEPT
-A input-highavailability-if -p tcp -m tcp --dport 7890 -j ACCEPT
-A input-highavailability-if -p tcp -m tcp --dport 7891 -j ACCEPT
-A input-highavailability-if -p udp -m udp --dport 5405 -j ACCEPT
-A input-highavailability-if -p udp -m udp --dport 5407 -j ACCEPT
-A input-highavailability-if -p tcp -m tcp --dport 7788 -j ACCEPT
-A input-highavailability-if -p udp -m udp --dport 694 -j ACCEPT
-A input-highavailability-if -p tcp -m tcp --dport 2224 -j ACCEPT
-A input-highavailability-if -p tcp -m tcp --dport 3121 -j ACCEPT
-A input-highavailability-if -p tcp -m tcp --dport 21064 -j ACCEPT
-A input-internal-inline-if -p tcp -m tcp --dport 53 -j ACCEPT
-A input-internal-inline-if -p udp -m udp --dport 53 -j ACCEPT
-A input-internal-inline-if -p tcp -m tcp --dport 80 -j ACCEPT
-A input-internal-inline-if -p tcp -m tcp --dport 443 -j ACCEPT
-A input-internal-inline-if -p tcp -m tcp --dport 647 -j ACCEPT
-A input-internal-isol_vlan-if -p tcp -m tcp --dport 53 -j ACCEPT
-A input-internal-isol_vlan-if -p udp -m udp --dport 53 -j ACCEPT
-A input-internal-isol_vlan-if -p udp -m udp --dport 67 -j ACCEPT
-A input-internal-isol_vlan-if -p tcp -m tcp --dport 67 -j ACCEPT
-A input-internal-isol_vlan-if -p tcp -m tcp --dport 80 -j ACCEPT
-A input-internal-isol_vlan-if -p tcp -m tcp --dport 443 -j ACCEPT
-A input-internal-isol_vlan-if -p tcp -m tcp --dport 647 -j ACCEPT
-A input-internal-isol_vlan-if -p tcp -m tcp --dport 5252 -j ACCEPT
-A input-internal-vlan-if -p tcp -m tcp --dport 53 -j ACCEPT
-A input-internal-vlan-if -p udp -m udp --dport 53 -j ACCEPT
-A input-internal-vlan-if -p tcp -m tcp --dport 80 -j ACCEPT
-A input-internal-vlan-if -p tcp -m tcp --dport 443 -j ACCEPT
-A input-internal-vlan-if -p tcp -m tcp --dport 647 -j ACCEPT
-A input-internal-vlan-if -p tcp -m tcp --dport 5252 -j ACCEPT
-A input-management-if -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 80 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 443 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 1443 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 9090 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 7070 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 9999 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 1444 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 9292 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 19999 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 1812 -j ACCEPT
-A input-management-if -p udp -m udp --dport 1812 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 1813 -j ACCEPT
-A input-management-if -p udp -m udp --dport 1813 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 1815 -j ACCEPT
-A input-management-if -p udp -m udp --dport 1815 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 2083 -j ACCEPT
-A input-management-if -p udp -m udp --dport 162 -j ACCEPT
-A input-management-if -p udp -m udp --dport 67 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 67 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 9392 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 8834 -j ACCEPT
-A input-management-if -p udp -m udp --dport 1192 -j ACCEPT
-A input-management-if -p udp -m udp --dport 2055 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 4723 -j ACCEPT
-A input-management-if -p udp -m udp --dport 6343 -j ACCEPT
-A input-management-if -p udp -m udp --dport 2056 -j ACCEPT
-A input-management-if -d 224.0.0.0/8 -j ACCEPT
-A input-management-if -p vrrp -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 3306 -j ACCEPT
-A input-management-if -p udp -m udp --dport 514 -j ACCEPT
-A input-portal-if -p tcp -m tcp --dport 80 -j ACCEPT
-A input-portal-if -p tcp -m tcp --dport 443 -j ACCEPT
-A input-radius-if -p tcp -m tcp --dport 1812 -j ACCEPT
-A input-radius-if -p udp -m udp --dport 1812 -j ACCEPT
-A input-radius-if -p tcp -m tcp --dport 1813 -j ACCEPT
-A input-radius-if -p udp -m udp --dport 1813 -j ACCEPT
-A input-radius-if -p tcp -m tcp --dport 1815 -j ACCEPT
-A input-radius-if -p udp -m udp --dport 1815 -j ACCEPT
-A input-radius-if -p tcp -m tcp --dport 2083 -j ACCEPT
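
The rule dump above can be checked mechanically rather than by eye. What follows is an added example, not PacketFence code and not something the reporter posted: it parses an iptables-save style dump (the SAMPLE_RULES text is constructed here from a subset of the rules quoted in this post) and traces whether a new TCP connection to a given port on a given interface reaches ACCEPT in INPUT, and through which user chain. It also lists which interfaces INPUT wires into a given chain, which is the question behind "is the portal reachable on the interface the public name points to". The function names (load_rules, verdict, interfaces_jumping_to) and the sample are assumptions of the example; it only evaluates -i, -d, -p, --dport, -j and --state, and treats --mark and --match-set rules as not matching because they depend on runtime state.

```python
"""Trace how an iptables INPUT chain treats a new connection, from an
iptables-save style dump. Added example, not PacketFence's own code."""
import ipaddress

# Constructed sample: a subset of the rules quoted in the issue above.
SAMPLE_RULES = """\
-P INPUT DROP
-N input-internal-vlan-if
-N input-management-if
-N input-portal-if
-N input-radius-if
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 224.0.0.0/8 -i enp2s0 -j ACCEPT
-A INPUT -d 66.70.255.147/32 -i enp2s0 -j input-internal-vlan-if
-A INPUT -i enp1s0 -j input-radius-if
-A INPUT -i enp1s0 -j input-management-if
-A input-internal-vlan-if -p tcp -m tcp --dport 80 -j ACCEPT
-A input-internal-vlan-if -p tcp -m tcp --dport 443 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 80 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 443 -j ACCEPT
-A input-management-if -p tcp -m tcp --dport 1443 -j ACCEPT
-A input-portal-if -p tcp -m tcp --dport 80 -j ACCEPT
-A input-portal-if -p tcp -m tcp --dport 443 -j ACCEPT
-A input-radius-if -p udp -m udp --dport 1812 -j ACCEPT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(line):
    """Turn one '-A chain ...' line into the fields this tracer evaluates."""
    toks = line.split()
    rule = {"chain": None, "iface": None, "dst": None, "proto": None,
            "dport": None, "target": None, "conditional": False}
    i = 0
    while i < len(toks):
        tok = toks[i]
        val = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-A":
            rule["chain"] = val
        elif tok == "-i":
            rule["iface"] = val
        elif tok == "-d":
            rule["dst"] = ipaddress.ip_network(val, strict=False)
        elif tok == "-p":
            rule["proto"] = val
        elif tok == "--dport":
            rule["dport"] = int(val)
        elif tok == "-j":
            rule["target"] = val
        elif tok == "--state":
            # Only a rule admitting NEW can accept a fresh connection.
            rule["conditional"] = "NEW" not in val.split(",")
        elif tok in ("--mark", "--match-set"):
            # Depends on runtime state (fwmark, ipset members): not decidable here.
            rule["conditional"] = True
        # Skip this option and all of its values (--match-set has two).
        i += 1
        while i < len(toks) and not toks[i].startswith("-"):
            i += 1
    return rule


def load_rules(text):
    """Return (policies, chains): default policy per chain, ordered rules per chain."""
    policies, chains = {}, {}
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            chains.setdefault(toks[1], [])
        elif toks[0] == "-N":
            chains.setdefault(toks[1], [])
        elif toks[0] == "-A":
            rule = parse_rule(line)
            chains.setdefault(rule["chain"], []).append(rule)
    return policies, chains


def trace(chains, chain, iface, proto, port, dst=None, path=()):
    """Walk `chain` for a NEW packet; return (terminal verdict or None, chains visited)."""
    path = path + (chain,)
    for r in chains.get(chain, []):
        if r["conditional"] or (r["iface"] and r["iface"] != iface):
            continue
        if (r["proto"] and r["proto"] != proto) or (r["dport"] and r["dport"] != port):
            continue
        # An address-scoped rule matches only if the queried destination is inside it.
        if r["dst"] is not None and (dst is None or ipaddress.ip_address(dst) not in r["dst"]):
            continue
        if r["target"] in TERMINAL:
            return r["target"], path
        if r["target"] in chains:  # jump into a user chain; falling off it returns here
            sub_verdict, sub_path = trace(chains, r["target"], iface, proto, port, dst, path)
            if sub_verdict:
                return sub_verdict, sub_path
    return None, path


def verdict(policies, chains, iface, proto, port, dst=None):
    """Final INPUT decision for a new connection, plus the chains that produced it."""
    v, path = trace(chains, "INPUT", iface, proto, port, dst)
    return (v or policies.get("INPUT", "ACCEPT"), list(path))


def interfaces_jumping_to(chains, target):
    """Interfaces whose INPUT traffic is sent into `target` (e.g. the portal chain)."""
    return sorted({r["iface"] for r in chains.get("INPUT", [])
                   if r["target"] == target and r["iface"]})


if __name__ == "__main__":
    pol, ch = load_rules(SAMPLE_RULES)
    for iface in ("enp1s0", "enp2s0"):
        print(iface, "tcp/80 ->", verdict(pol, ch, iface, "tcp", 80, dst="66.70.255.147"))
    print("interfaces wired into input-portal-if:", interfaces_jumping_to(ch, "input-portal-if"))
```

Run against the full dump from this post, the interesting output is the last line: no INPUT rule jumps to input-portal-if, so whatever answers on port 80 of the management interface is the management web server, not the captive portal that serves the Let's Encrypt challenge.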

julsemaan commented 3 years ago

You don't seem to have the portal daemon on your management interface (or the interface packet.bcentral.cloud points to internally)

This looks like a configuration issue, not a bug