Google Drive backup no longer functional in 24.1 #7184

Closed
bucker00 opened this issue Jan 31, 2024 · 3 comments
@bucker00

The bug:
Google Drive backups are no longer working after upgrade to 24.1. It previously worked daily up until yesterday on version 23.7.12.
The setup configuration is still in place but attempting a backup produces the message "Invalid P12 key, openssl_pkcs12_read() failed".
Configuring a new valid p12 file and supplying that in the configuration instead also produces the same message.

To Reproduce

Steps to reproduce the behavior:

  1. Go to ~/diag_backup.php and then the Google Drive section on that page.
  2. Set up Google Drive backups as per https://docs.opnsense.org/manual/how-tos/cloud_backup.html
  3. When the configuration is complete upload the p12 file using the Browse button.
  4. Click the 'Setup/Test Google Drive' button.
  5. The following error is displayed:
    "The following input errors were detected:
    Invalid P12 key, openssl_pkcs12_read() failed
    Saved settings, but remote backup failed."

Expected behavior
Usually and up until today, a backup is saved to the configured Google Drive and a list of the backups currently stored there already is displayed.

Alternatives:
Manual backups seem to be the only option currently without finding and installing plugins.

Software version used and hardware type:
OPNsense 24.1-amd64
CPU type | 12th Gen Intel(R) Core(TM) i3-1215U (6 cores, 8 threads)

@bucker00
Author

I should also have mentioned that this has also been encountered by several other users in the 24.1 thread in the forums.

@fichtner
Member

fichtner commented Jan 31, 2024

Could be an incompatibility with OpenSSL 3. Will pick this up soon.

@fichtner fichtner added the support Community support label Jan 31, 2024
@AdSchellevis AdSchellevis self-assigned this Jan 31, 2024
@AdSchellevis AdSchellevis added bug Production bug and removed support Community support labels Jan 31, 2024
@AdSchellevis
Member

In order to read the legacy pkcs12 files, legacy mode needs to be enabled in /usr/local/openssl/openssl.cnf, offering support for MD4. If someone wants to test this commit, you may also copy the supplied openssl.cnf file to /usr/local/openssl/openssl.cnf and restart the webserver (using configctl webgui restart).

/usr/local/bin/openssl list -providers will list the providers available and should look like this:

Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.12
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.12
    status: active
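
A scripted version of the provider check described in the comment above, as an added example that is not part of the original thread or of OPNsense. The function names are hypothetical, the first listing is the one quoted in the issue, and the second listing is constructed to show the failing case.

```shell
#!/bin/sh
# Added example, not OPNsense code. Function names are made up for illustration.

# provider_active NAME
# Reads `openssl list -providers` output on stdin; succeeds only if NAME
# appears as a provider heading and its block reports "status: active".
provider_active() {
    awk -v want="$1" '
        NF == 1 && $1 !~ /:$/ { current = $1 }   # heading line such as "legacy"
        $1 == "status:" && current == want && $2 == "active" { found = 1 }
        END { exit !found }
    '
}

# legacy_ready
# Both providers must be active: once openssl.cnf activates any provider
# explicitly, the default provider is no longer loaded implicitly.
legacy_ready() {
    listing=$(cat)
    for p in default legacy; do
        printf '%s\n' "$listing" | provider_active "$p" ||
            { echo "missing: $p"; return 1; }
    done
    echo "ok"
}

# Listing quoted in the issue (both providers active).
sample_ok() {
    cat <<'EOF'
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.12
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.12
    status: active
EOF
}

# Constructed listing: a system whose openssl.cnf has no legacy section.
sample_default_only() {
    sample_ok | sed '/^ *legacy$/,$d'
}

sample_ok | legacy_ready                      # prints: ok
sample_default_only | legacy_ready || true    # prints: missing: legacy
```

On the firewall itself the same check is `/usr/local/bin/openssl list -providers | legacy_ready`, run after the webgui restart.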

@fichtner fichtner added this to the 24.7 milestone Jan 31, 2024
fichtner pushed a commit that referenced this issue Feb 1, 2024
PR: #7184

(cherry picked from commit d8ba131)
(cherry picked from commit e68e795)
(cherry picked from commit c344279)
fichtner pushed a commit that referenced this issue Mar 12, 2024
Since existing gdrive backups are in legacy mode, these can only be parsed when legacy is enabled.
For more information about openssl_pkcs12_read() and used configuration, see https://www.php.net/manual/en/function.openssl-pkcs12-read.php

In order for this to work, one needs to generate the template (handled on bootup https://github.com/opnsense/core/blob/master/src/etc/rc.syshook.d/early/15-templates) and restart the webgui.

To validate in a console if legacy mode is available, use the command below:

Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.12
    status: active
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.12
    status: active