Botched up certs. Locked out of GUI.

Yaguznal

Explorer
Joined
Dec 23, 2013
Messages
63
Sooo I managed to botch something up for the cert I was using for my GUI. Of course I had disabled access via http, so now I am stuck in shell limbo.

Firefox spews me this error:
Code:
 Your certificate contains the same serial number as another certificate issued by the certificate authority. 
Please get a new certificate containing a unique serial number. 
Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL 


How do I switch from https to http from the shell on an 11.1U4 machine?

Many thanks in advance

Yagu
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
You may be able to get in using a different browser, which would likely be the easiest answer. Another possibility might be to use this script to upload a different cert.

Yaguznal
If it is in any way possible, I'd prefer to change certs via the GUI.
I am struggling to find a browser on Kubuntu that does not enforce certificates, given that Linux tries to be as secure as possible.
I find it hard to imagine that you cannot switch to plain http from the command line. There ought to be other people who fucked this up and got locked out.
 

danb35

Hall of Famer
Yaguznal said: "I find it hard to imagine that you cannot switch to plain http from the command line."
I don't know why you find this hard to imagine; FreeNAS simply isn't designed to be administered via the CLI. However, it does have an API, which the script I linked to makes use of. So if you use that script to install a new cert, it'll appear in the GUI and can be modified or removed like any other cert.

If you're set on switching to HTTP via the CLI, the only "right" way I can think of is using the API.
 

Yaguznal
YES
Code:
PUT /api/v1.0/system/settings/
Update settings.

Example request:

PUT /api/v1.0/system/settings/ HTTP/1.1
Content-Type: application/json

  {
		 "stg_timezone": "America/Sao_Paulo"
  }

Example response:

HTTP/1.1 200 OK
Vary: Accept
Content-Type: application/json

  {
		 "stg_timezone": "America/Sao_Paulo",
		 "stg_guiport": 80,
		 "stg_guihttpsport": 443,
		 "stg_guihttpsredirect": true,
		 "stg_guiprotocol": "http",
		 "stg_guiv6address": "::",
		 "stg_syslogserver": "",
		 "stg_language": "en",
		 "stg_directoryservice": "",
		 "stg_guiaddress": "0.0.0.0",
		 "stg_guicertificate": 1,
		 "stg_kbdmap": "",
		 "id": 1
  }

JSON Parameters:
 
  • stg_guiprotocol (string) – http, https
  • stg_guicertificate (integer) – Certificate ID
  • stg_guiaddress (string) – WebGUI IPv4 Address
  • stg_guiv6address (string) – WebGUI IPv6 Address
  • stg_guiport (integer) – WebGUI Port for HTTP
  • stg_guihttpsport (integer) – WebGUI Port for HTTPS
  • stg_guihttpsredirect (boolean) – Redirect HTTP (port 80) to HTTPS when only the HTTPS protocol is enabled
  • stg_language (string) – webgui language
  • stg_kbdmap (string) – see /usr/share/syscons/keymaps/INDEX.keymaps
  • stg_timezone (string) – see /usr/share/zoneinfo
  • stg_syslogserver (string) – Syslog server
  • stg_directoryservice (string) – activedirectory, ldap, nt4, nis
Request Headers:
  • Content-Type – the request content type
Response Headers:
  • Content-Type – the response content type
Status Codes:
  • 200 – no error

Gettin' somewhere. Now to learn how to use this API stuff.
Break stuff => learn stuff
Good thing this isn't a production machine :)

Yaguznal

Looks like I will need to factory reset and re-upload my configs.
Code:
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",
 

danb35
You know, I think I've seen that error reported for my script as well, but haven't been able to track down what's going on to cause it.
 

Yaguznal

It's my first try at Python and it actually is a Frankenstein because I got some snippets from everywhere, modified to taste. Maybe you get some value out of the error because I don't.
Code:
import json
import sys
import requests

USER = "root"
PASSWORD = "xxxxxxxxxxx"      # redacted in the post
DOMAIN_NAME = "xxx.xxx.x.x"   # redacted in the post (a stray quote was removed from the original line)
PROTOCOL = 'https://'

# PUT the new GUI protocol to the settings endpoint documented above.
# Only the field being changed is sent; the server replies with the full settings object.
r = requests.put(
  PROTOCOL + DOMAIN_NAME + '/api/v1.0/system/settings/',
  auth=(USER, PASSWORD),
  headers={'Content-Type': 'application/json'},
  data=json.dumps({
    "stg_guiprotocol": "http",
  }),
)

if r.status_code == 200:
  print("Setting GUI protocol successful")
else:
  print("Error setting GUI protocol!")
  print(r)
  sys.exit(1)

Error:
Code:
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 441, in wrap_socket
	cnx.do_handshake()
  File "/usr/local/lib/python3.6/site-packages/OpenSSL/SSL.py", line 1426, in do_handshake
	self._raise_ssl_error(self._ssl, result)
  File "/usr/local/lib/python3.6/site-packages/OpenSSL/SSL.py", line 1174, in _raise_ssl_error
	_raise_current_error()
  File "/usr/local/lib/python3.6/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
	raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 601, in urlopen
	chunked=chunked)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 346, in _make_request
	self._validate_conn(conn)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 850, in _validate_conn
	conn.connect()
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 326, in connect
	ssl_context=context)
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 329, in ssl_wrap_socket
	return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 448, in wrap_socket
	raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 440, in send
	timeout=timeout
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 639, in urlopen
	_stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/retry.py", line 388, in increment
	raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='xxx.xxx.x.xxx', port=xxxx): Max retries exceeded with url: /api/v1.0/system/settings/ (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "test.py", line 17, in <module>
	"stg_guiprotocol": "http",
  File "/usr/local/lib/python3.6/site-packages/requests/api.py", line 126, in put
	return request('put', url, data=data, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/api.py", line 58, in request
	return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 502, in request
	resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 634, in send
	history = [resp for resp in gen] if allow_redirects else []
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 634, in <listcomp>
	history = [resp for resp in gen] if allow_redirects else []
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 212, in resolve_redirects
	**adapter_kwargs
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 612, in send
	r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 504, in send
	raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='xxx.xxx.x.xxx', port=xxxx): Max retries exceeded with url: /api/v1.0/system/settings/ (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

I tried over http as well:
Code:
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 441, in wrap_socket
	cnx.do_handshake()
  File "/usr/local/lib/python3.6/site-packages/OpenSSL/SSL.py", line 1426, in do_handshake
	self._raise_ssl_error(self._ssl, result)
  File "/usr/local/lib/python3.6/site-packages/OpenSSL/SSL.py", line 1174, in _raise_ssl_error
	_raise_current_error()
  File "/usr/local/lib/python3.6/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
	raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 601, in urlopen
	chunked=chunked)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 346, in _make_request
	self._validate_conn(conn)
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 850, in _validate_conn
	conn.connect()
  File "/usr/local/lib/python3.6/site-packages/urllib3/connection.py", line 326, in connect
	ssl_context=context)
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 329, in ssl_wrap_socket
	return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 448, in wrap_socket
	raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 440, in send
	timeout=timeout
  File "/usr/local/lib/python3.6/site-packages/urllib3/connectionpool.py", line 639, in urlopen
	_stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python3.6/site-packages/urllib3/util/retry.py", line 388, in increment
	raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='192.168.1.250', port=4321): Max retries exceeded with url: /api/v1.0/system/settings/ (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "test.py", line 17, in <module>
	"stg_guiprotocol": "http",
  File "/usr/local/lib/python3.6/site-packages/requests/api.py", line 126, in put
	return request('put', url, data=data, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/api.py", line 58, in request
	return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 502, in request
	resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 634, in send
	history = [resp for resp in gen] if allow_redirects else []
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 634, in <listcomp>
	history = [resp for resp in gen] if allow_redirects else []
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 212, in resolve_redirects
	**adapter_kwargs
  File "/usr/local/lib/python3.6/site-packages/requests/sessions.py", line 612, in send
	r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/requests/adapters.py", line 504, in send
	raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='192.168.1.250', port=4321): Max retries exceeded with url: /api/v1.0/system/settings/ (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

 

danb35

Sure, the config database is a SQLite file that can be read and edited using any compatible tools. But I don't believe that changing the database will kick off the appropriate middleware events. Perhaps with a reboot.
 

Yaguznal
Is that database read and stored in memory at start-up or is it continuously used? If I logged in via ssh as root and replaced that database with my backup, I'm pretty sure the root:operator permissions would be replaced, right? If I fuck up permissions and my box tries to read from it before I adjust, would it .. shut down or break my ssh connection? Because that's pretty much all I've got left. I am 2500 km away from my box and I fucked up enough as it is.
 

justinb

Cadet
Joined
Mar 2, 2019
Messages
2
You were close... I botched my system similarly, and this thread has got me going in the right direction. The next step you were missing was telling the Python requests library to bypass all SSL validation with a verify=False option to put().

Turns out that just setting stg_guiprotocol to http doesn't seem to be enough, though. (Or maybe it didn't actually save even though it said it did?)

In any case, I just need to browse through the API and find the right command now. I'll update here when I get my system web-accessible again. I expect it won't be too long.
 

justinb

Not sure if my initial fix failed because Firefox was being a stickler for HSTS or not.

In either case, I set stg_guihttpsredirect to False using the same API call, then used a blank Firefox profile that didn't have HSTS stuck on for my FreeNAS box, and I was able to log in and fix it.
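The two fixes from justinb's posts (getting past the untrusted GUI cert, and setting stg_guihttpsredirect to False in the same PUT) put together, with a check that the server really echoed the new values back instead of trusting the status code. This is an added example, not code from the thread or from FreeNAS: instead of verify=False it pins the SHA-256 fingerprint of the box's current (botched) certificate via urllib3, so any other certificate on the wire still aborts the handshake. HOST and PORT are taken from the traceback above and EXPECTED_FP is a placeholder you fill in yourself.

```python
import hashlib
import json
import sys

HOST = "192.168.1.250"   # address and port as they appear in the traceback above
PORT = 4321
# Placeholder: SHA-256 fingerprint of the box's current (botched) GUI cert, e.g.
# from `openssl x509 -in cert.pem -noout -fingerprint -sha256`.
EXPECTED_FP = "AA:BB:CC:...:FF"


def fingerprint_sha256(der_cert: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of a DER-encoded cert."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def settings_payload(protocol: str, https_redirect: bool) -> str:
    """JSON body for PUT /api/v1.0/system/settings/ (field names from the API doc above)."""
    if protocol not in ("http", "https"):
        raise ValueError("stg_guiprotocol must be 'http' or 'https'")
    return json.dumps({"stg_guiprotocol": protocol,
                       "stg_guihttpsredirect": https_redirect})


def settings_applied(response_body: bytes, protocol: str, https_redirect: bool) -> bool:
    """True only if the server echoed back exactly the values that were sent."""
    body = json.loads(response_body)
    return (body.get("stg_guiprotocol") == protocol
            and body.get("stg_guihttpsredirect") is https_redirect)


def switch_gui_to_http(user: str, password: str) -> bool:
    import urllib3  # imported here so the pure helpers above need no third-party module
    # Pin the expected fingerprint rather than skipping verification: a different
    # certificate on the wire (wrong host, interception) still aborts the handshake.
    pool = urllib3.PoolManager(cert_reqs="CERT_NONE", assert_fingerprint=EXPECTED_FP)
    headers = urllib3.make_headers(basic_auth=f"{user}:{password}")
    headers["Content-Type"] = "application/json"
    r = pool.request("PUT", f"https://{HOST}:{PORT}/api/v1.0/system/settings/",
                     body=settings_payload("http", False), headers=headers,
                     redirect=False)  # following a redirect would mask a failed PUT
    return r.status == 200 and settings_applied(r.data, "http", False)


if __name__ == "__main__":
    ok = switch_gui_to_http("root", sys.argv[1])
    print("GUI switched to http, redirect off" if ok else "settings not applied")
    sys.exit(0 if ok else 1)
```

Run it as `python3 switch_gui.py '<root password>'` from a host that can reach the GUI port; a False result means the box answered but did not store the new values, which is the case justinb suspected.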