sysadminbr / migrate_pfsense

MIT License

Script fails with error parsing token on firewall main page #1

Open useribs opened 3 weeks ago

useribs commented 3 weeks ago

Hello!

I've been trying to use the script with OPNsense 24.7.7-amd64. I've done all the steps as per the README and am getting the following error:

    /migrate_pfsense/src# python3 migrate_pfsense.py
    connecting to firewall on https://192.168.8.x
    [+] firewall login sucessful
    ==== STARTING MIGRATION OF STATIC ROUTES
    ==== STARTING MIGRATION OF CERTIFICATES
    error parsing token on firewall main page

I've pinpointed it: at the failing call, r.text has no "hidden" values with CSRF; instead it's being passed as JavaScript:

    xhr.setRequestHeader("X-CSRFToken", "O0r5HWqHwRocQMk40fFHyg" );

After investigation it seems that system_camanager.php and subsequent links are missing from modern OPNsense; they have been replaced with /ui/trust/cert

useribs commented 3 weeks ago

What was the version of OPNsense that the migration script was known to work with?

tjakobi commented 3 weeks ago

Having exactly the same issue using OPNsense 24.7.7-amd64 freshly installed.

useribs commented 3 weeks ago

I've been trying to use the new API, as follows:

    import re
    import sys
    from base64 import b64decode

    def import_ca(self, ca):
        # accessing the form for a new CA (System -> Trust -> CA)
        # verify=False disables TLS certificate validation for these requests
        r = self.http_session.get(f'{self.baseurl}/ui/trust/ca', verify=False)

        # the CSRF token is not a hidden form field here; it is set in inline JavaScript
        match = re.search(r'setRequestHeader\("X-CSRFToken", "(?P<csrftoken>[^"]+)"', r.text)
        if match is None:
            print('failed to get X-CSRFToken')
            sys.exit(1)
        # print(f'got X-CSRFToken as {match.group("csrftoken")}')
        self.csrf_token = match.group("csrftoken")

        # crt/prv are base64 in the source config; decode and normalise CRLF to LF
        ca_data = {
            "ca": {
                "refid": "",
                "action": "existing",
                "descr": ca["descr"],
                "crt": b64decode(ca["crt"]).decode().replace("\r\n", "\n"),
                "prv": b64decode(ca.get("prv", "")).decode().replace("\r\n", "\n"),
                "serial": "",
                # "caref": ca["refid"]
            },
        }

        # fix for serial
        # note: this adds a top-level "serial" key beside "ca", not ca_data["ca"]["serial"]
        if int(ca["serial"]) > 0:
            ca_data["serial"] = ca["serial"]

        # print(f'DEBUG CA: {ca_data}')

        headers = {}
        headers["X-CSRFToken"] = self.csrf_token
        headers["referer"] = f'{self.baseurl}/ui/trust/ca'

        print(ca)
        print(ca_data)
        # sending the CA import request as JSON
        r = self.http_session.post(f'{self.baseurl}/api/trust/ca/add/', verify=False, json=ca_data, headers=headers)

However, I have no idea what the PHP x509 function does not like about the certificates; it always complains that:

    {"errorMessage":"Invalid X509 certificate provided","errorTitle":"Certificate error"} erro ao importar CA. detalhes: {"errorMessage":"Invalid X509 certificate provided","errorTitle":"Certificate error"}

Tried various combinations of newline characters, etc. Payload redacted:

    -- {'ca': {'refid': '', 'action': 'existing', 'descr': 'team client OVPN', 'crt': '-----BEGIN CERTIFICATE-----\n\n-----END CERTIFICATE-----', 'prv': '\n-----BEGIN PRIVATE KEY-----\n\n-----END PRIVATE KEY-----', 'serial': ''}, 'serial': '365'}}

Payload syntax seems to be correct; if I change action to something else, the API complains about an invalid action. So it tries to import the cert/CA.
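
A local pre-flight check for the `crt` and `prv` fields before they are posted, as an added example that is not part of this thread or of the migrate_pfsense code: it decodes the base64 field the way the snippet above does, normalises line endings, and checks that the PEM body is one complete DER SEQUENCE. The names `check_pem_field`, `der_length_ok` and `SAMPLE` are hypothetical, the sample is constructed, and the check is structural only (it does not parse X.509).

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)\n?-----END (?P=label)-----",
    re.S)

def der_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose length field spans the whole buffer."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_pem_field(b64_field: str, expected_label: str):
    """Decode a base64 config field; return (normalised_pem, list_of_problems)."""
    try:
        raw = base64.b64decode("".join(b64_field.split()), validate=True)
        text = raw.decode("ascii")
    except ValueError as exc:             # binascii.Error and UnicodeDecodeError
        return "", [f"outer base64/ASCII decode failed: {exc}"]
    # Normalise CRLF/CR to LF and drop surrounding blank lines.
    text = text.replace("\r\n", "\n").replace("\r", "\n").strip()
    blocks = list(PEM_RE.finditer(text))
    if len(blocks) != 1:
        return text, [f"expected 1 PEM block, found {len(blocks)}"]
    problems = []
    label, body = blocks[0].group("label"), blocks[0].group("body")
    if label != expected_label:
        problems.append(f"label is {label!r}, expected {expected_label!r}")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:
        return text, problems + ["PEM body is not valid base64"]
    if not der_length_ok(der):
        problems.append("body is not one complete DER SEQUENCE (empty or truncated)")
    return text, problems

# Constructed sample: DER SEQUENCE { INTEGER 5 } as a CRLF PEM, base64-wrapped
# the way the snippet above expects ca["crt"]. Not a real certificate.
SAMPLE = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\r\n" + base64.b64encode(bytes.fromhex("3003020105"))
    + b"\r\n-----END CERTIFICATE-----\r\n").decode()
```

Running it over each `crt` and `prv` value before the POST separates a field that is already empty or truncated locally from one that only the server rejects.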

sysadminbr commented 3 weeks ago

It has been used in OPNsense 23.x. Not updated yet for the 24.x series.

tjakobi commented 3 weeks ago

Thank you for your reply.

I just took my chances and downloaded the 23.x series release, did a fresh install, imported everything and was able to update up to 24.7. It took a bit longer but worked flawlessly.

Thank you for your work!

sudheeshb commented 3 weeks ago

@sysadminbr Is there any plan to update the tool for 24.7?