opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

lighttpd warns about missing module - deprecation #2360

Closed EugenMayer closed 6 years ago

EugenMayer commented 6 years ago
2018-04-15 09:24:33: (configfile.c.60) Warning: please add "mod_openssl" to server.modules list in lighttpd.conf.  A future release of lighttpd 1.4.x *will not* automatically load mod_openssl and lighttpd *will not* use SSL/TLS where your lighttpd.conf contains ssl.* directives

Version: 18.1.5 / 18.1.6

fichtner commented 6 years ago

Is this with a captive portal active?

EugenMayer commented 6 years ago

Not activated, I would suggest that's rather core? (lighttpd is currently the forward proxy for the FPM daemon, isn't it?)

fichtner commented 6 years ago

nope https://github.com/opnsense/core/blob/6901b5af8fd26342ee8f5496475b5715f211503f/src/etc/inc/plugins.inc.d/webgui.inc#L236

EugenMayer commented 6 years ago

That's odd - tell me what to look for. Activated plugins are:

image

I never touched the configuration manually. No custom patches installed. Only one "non-usual plugin", that's the tinccustom one, but it's totally off the grid for anything like lighttpd.


Should that not give me a match at least?

root@gateway:/usr/local/etc/lighttpd # grep mod_openssl ./ -R
root@gateway:/usr/local/etc/lighttpd #

fichtner commented 6 years ago

Do you have HTTPS disabled? Check /var/etc/lighty-webConfigurator.conf

EugenMayer commented 6 years ago

I have it enabled:

root@gateway:~ # cat /var/etc/lighty-webConfigurator.conf | grep ssl
  "mod_cgi", "mod_fastcgi","mod_alias", "mod_rewrite", "mod_openssl"
## ssl configuration
ssl.engine = "enable"
ssl.dh-file = "/usr/local/etc/dh-parameters.4096"
ssl.ec-curve = "secp384r1"
ssl.pemfile = "/var/etc/cert.pem"
ssl.ca-file = "/var/etc/ca.pem"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
ssl.cipher-list = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
    ssl.engine = "enable"
    ssl.engine = "enable"

image

fichtner commented 6 years ago

Looks good. Where do you get that log entry from?

EugenMayer commented 6 years ago

During the boot, before tty login; it displays after the usual kernel logs, right after the "starting unbound".

fichtner commented 6 years ago

Was this a 17.7 right before 18.1.6 was installed?

EugenMayer commented 6 years ago

No, it was 18.1.5 (if I understood your question properly). I mean that instance was 17.x back in time, yes, but that error is from both 18.1.5 and .6.

fichtner commented 6 years ago

Was that the box misbehaving as mentioned on Twitter?

https://twitter.com/eugenmayer/status/985420365714415616

EugenMayer commented 6 years ago

Yes, the box went crazy once today, hence the upgrade. But it was for sure no "lighttpd" issue. The box had no connection at all prior to the reboot; I had to hard reset it, I could not even connect using the terminal. After that, a lot was not working and I tried the upgrade, which fixed it.

fichtner commented 6 years ago

It sounds a bit like the box wasn't on 18.1.5, somehow still on 17.7 at least for the part that generates the lighttpd config, because in 17.7.x it would make sense that you're seeing the warning. So the real question is: does this still happen on reboot? :)

EugenMayer commented 6 years ago

I really doubt that. That box was on 18.1.1/2/3/4/5. And yes, it does happen after a reboot - as I had to reboot to 18.1.6 and saw the issue right again.

If you want this issue to be a local, one-instance-only one, be my guest :) But AFAICS, you will see the consequence of this when you release an OPNsense with 1.4 lighttpd. The only reason why you never had this one reported is because it's really early and you need a serial console to see that, plus maybe it's something only people who upgraded from 17.x will run into.

Nevertheless, just close it, I really do not mind.

fichtner commented 6 years ago

You can check the health status of your packages from the GUI now to see if all files are correct on the disk. It’s not the captive portal by your argument, so it’s the admin GUI, and the admin GUI code has mod_openssl. Maybe it throws the error anyway. For now, I have no idea how this happens and it can’t be reproduced from here. It’s possible I’m missing something, but I’m not sure what to do; when I say I don’t know, I need your help, and we’ve already looked into it so we are already halfway there. :)

EugenMayer commented 6 years ago

***GOT REQUEST TO AUDIT HEALTH***
Check for and install missing package dependencies
Checking all packages: .......... done
Detect installed package files with invalid checksums
Checking all packages: .....
os-tincdcustom-0.7.5: missing file /usr/local/etc/tinc/example/hosts/theotherservername
os-tincdcustom-0.7.5: missing file /usr/local/etc/tinc/example/hosts/thisservername
os-tincdcustom-0.7.5: missing file /usr/local/etc/tinc/example/tinc-up
os-tincdcustom-0.7.5: missing file /usr/local/etc/tinc/example/tinc.conf
os-tincdcustom-0.7.5: missing file /usr/local/etc/tinc/nets.boot.example
Checking all packages........ done
***DONE***

I guess that is what you have been asking for, right? Looks good to me; the tincdcustom files are expected and unrelated.

EugenMayer commented 6 years ago

Well, as written on Twitter, I was just upgrading the second box, thus had the terminal open... and sorry...

>>> Invoking start script 'freebsd'
Configuring additional services: OK
Starting acme_http_challenge.
2018-04-15 11:50:29: (configfile.c.60) Warning: please add "mod_openssl" to server.modules list in lighttpd.conf.  A future release of lighttpd 1.4.x *will not* automatically load mod_openssl and lighttpd *will not* use SSL/TLS where your lighttpd.conf contains ssl.* directives
Starting haproxy.

I should have just copied more lines. Now we both know why it's not the core lighty, nor the captive portal: it's the ACME challenge. Moving the issue over there - sorry for wasting your (and my) time on this.
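The warning in that boot log is lighttpd 1.4's deprecation of auto-loading mod_openssl: a config that carries ssl.* directives (ssl.engine, ssl.pemfile, ...) has to list "mod_openssl" in server.modules itself, otherwise a later 1.4.x release would serve those sockets without TLS instead of just warning. The POSIX shell script below is an added example, not code from this thread or from OPNsense: it checks lighttpd config files for exactly that condition and demonstrates it on three constructed sample configs (the samples are made up for illustration; they are not OPNsense's templates, and the acme plugin's real config path is not given in this thread). The grep heuristics are the assumption: it strips `#` comments, treats any non-comment `ssl.<name> =` line as TLS in use, and treats a quoted "mod_openssl" on any non-comment line (including a `server.modules += (...)` form) as the module being loaded. It does not follow `include` directives, so point it at each generated file; the thread shows the admin GUI's at /var/etc/lighty-webConfigurator.conf, which is also why the recursive grep over /usr/local/etc/lighttpd found nothing.

```shell
#!/bin/sh
# Added example (not OPNsense code): flag lighttpd configs that use ssl.*
# directives without listing "mod_openssl" in server.modules, i.e. the
# condition lighttpd 1.4.x warns about in the boot log quoted above.
#
# Assumptions (heuristics, not a lighttpd parser): "#" starts a comment,
# every non-comment line of the form  ssl.<name> = ...  means TLS is in use,
# and any quoted "mod_openssl" on a non-comment line means the module is
# loaded. "include" directives are not followed.

# check_lighttpd_ssl_modules FILE
#   exit status 0: no ssl.* directives, or mod_openssl is listed (fine)
#   exit status 1: ssl.* directives present but mod_openssl is not listed
check_lighttpd_ssl_modules() {
    cfg="$1"
    # drop comments so a commented-out "mod_openssl" does not count as loaded
    stripped=$(sed -e 's/#.*$//' "$cfg")
    uses_ssl=0
    has_mod=0
    if printf '%s\n' "$stripped" | grep -Eq '^[[:space:]]*ssl\.[a-z.-]+[[:space:]]*='; then
        uses_ssl=1
    fi
    if printf '%s\n' "$stripped" | grep -q '"mod_openssl"'; then
        has_mod=1
    fi
    if [ "$uses_ssl" -eq 1 ] && [ "$has_mod" -eq 0 ]; then
        echo "$cfg: ssl.* directives present but \"mod_openssl\" is not in server.modules"
        return 1
    fi
    echo "$cfg: ok (uses_ssl=$uses_ssl has_mod_openssl=$has_mod)"
    return 0
}

# Constructed sample configs for the demo (made up; not OPNsense templates).
write_sample_configs() {
    dir="$1"
    # the shape that triggers the warning: TLS configured, module not listed
    cat > "$dir/bad.conf" <<'EOF'
server.modules = ( "mod_access", "mod_alias", "mod_rewrite" )
server.port = 80
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/var/etc/cert.pem"
}
EOF
    # the corrected shape, as in the admin GUI config quoted in this thread
    cat > "$dir/good.conf" <<'EOF'
server.modules = ( "mod_access", "mod_alias", "mod_rewrite", "mod_openssl" )
ssl.engine = "enable"
ssl.pemfile = "/var/etc/cert.pem"
EOF
    # plain HTTP: a commented-out mod_openssl must not be mistaken for a load
    cat > "$dir/plain.conf" <<'EOF'
# server.modules += ( "mod_openssl" )
server.modules = ( "mod_access", "mod_alias" )
server.port = 80
EOF
}

# Usage: ./check_lighttpd_ssl.sh /var/etc/lighty-webConfigurator.conf [more.conf ...]
# With no arguments, run the check over the constructed samples instead.
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do
        check_lighttpd_ssl_modules "$f" || rc=1
    done
    exit "$rc"
else
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    for f in "$tmp/bad.conf" "$tmp/good.conf" "$tmp/plain.conf"; do
        check_lighttpd_ssl_modules "$f" || true
    done
    rm -rf "$tmp"
fi
```

Run it over every generated lighttpd config on the box rather than over /usr/local/etc/lighttpd; a non-zero exit status from the argument form names the file whose ssl.* block will lose TLS once the auto-load is gone.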

EugenMayer commented 6 years ago

For reference, moved to https://github.com/opnsense/plugins/issues/649