security/acme-client: api controller fails to update cron when acmeclient holds a legacy cron job UUID #4627

Open
3 tasks done
cluck opened this issue Mar 28, 2025 · 0 comments
cluck commented Mar 28, 2025

Important notices
Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug
Probably due to config restore, acmeclient may "remember" a cron job UUID under ./AcmeClient/settings/UpdateCron which cron itself does not have anymore (cron/jobs/job[@uuid] in /conf/config.xml).

Under these circumstances the acme API controller fails to reinstate a consistent state (it refuses to both remove the inexistent job and to re-link to a pre-existing job).

To Reproduce
Steps to reproduce the behavior:

  1. Enable acme autorenewal
  2. Go to /conf/config.xml ./AcmeClient/settings/UpdateCron and remember the UUID for later
  3. Then replace it with another UUID (and restart)
  4. Try to disable Auto Renewal in Acme Client settings: it will fail silently and not remove the cron job with the original UUID
  5. Restore the original UUID in config.xml and disable auto renewal (should work this time)
  6. Then search that UUID among the CRON jobs in /conf/config.xml, and change that UUID (and restart).
  7. Try to enable Auto Renewal in Acme: it will add a second cron job, instead of finding and re-linking the first one.
  8. (To clean up leftovers from this test: Disable Auto Renewal, then remove the cron job you changed the UUID of)

To actually trace the problem, I had to set breakpoints in opnsense.js to see the actual AJAX results.
Here is what I saw:
POST to /acmeclient/settings/set: OK
POST to /configtest: Action not allowed
POST to /reconfigure: Saved
POST to /fetchCronIntegration: unable to delete cron
[etc]

Expected behavior
CRON and acmeclient config to be re-synchronized, and cron entries to be updated when the UI doesn't show errors.

The cron jobs have an <origin>AcmeClient</origin> property to correlate.

Screenshots
Just for reference on how I traced the problem, as I had a hard time finding logs on the backend, and Chrome was forgetting the responses of POST requests after a page reload which follows the "Apply" action, here is where I set breakpoints to look at the traffic.

Relevant log files
If applicable, information from log files supporting your claim.

Additional context
Add any other context about the problem here.

Environment
Software version used and hardware type if relevant.
e.g.:

OPNsense 25.1-amd64
FreeBSD 14.2-RELEASE
OpenSSL 3.0.15

os-acme-client 4.8
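
A read-only consistency check for the mismatch described in this report, added here as an example (it is not code from the reporter or from the os-acme-client plugin). It compares the UUID under `AcmeClient/settings/UpdateCron` with the `cron/jobs/job[@uuid]` entries and uses the `<origin>AcmeClient</origin>` property to find jobs left unlinked; the function name, the enclosing XML elements and the sample UUIDs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: UpdateCron points at a UUID that cron no longer has,
# while an AcmeClient-origin job survives under a different UUID.
SAMPLE_CONFIG = """<opnsense>
  <OPNsense>
    <AcmeClient><settings>
      <UpdateCron>11111111-1111-4111-8111-111111111111</UpdateCron>
    </settings></AcmeClient>
    <cron><jobs>
      <job uuid="22222222-2222-4222-8222-222222222222"><origin>AcmeClient</origin></job>
      <job uuid="33333333-3333-4333-8333-333333333333"><origin>cron</origin></job>
    </jobs></cron>
  </OPNsense>
</opnsense>"""


def check_acme_cron_link(config_xml: str) -> dict:
    """Compare AcmeClient's stored cron UUID with the cron jobs present."""
    root = ET.fromstring(config_xml)
    # Paths as named in the report; searched at any depth because the
    # enclosing elements are an assumption of this example.
    ref = (root.findtext(".//AcmeClient/settings/UpdateCron") or "").strip()
    jobs = root.findall(".//cron/jobs/job")
    all_uuids = {j.get("uuid", "") for j in jobs}
    acme_uuids = sorted(
        j.get("uuid", "") for j in jobs
        if (j.findtext("origin") or "").strip() == "AcmeClient"
    )
    if ref and ref in all_uuids:
        state = "linked"
    elif ref:
        state = "dangling"  # reference to a job that cron does not have
    else:
        state = "unset"
    return {
        "state": state,
        "referenced": ref or None,
        # AcmeClient-origin jobs that the setting does not point at
        "unreferenced_acme_jobs": [u for u in acme_uuids if u != ref],
    }


if __name__ == "__main__":
    print(check_acme_cron_link(SAMPLE_CONFIG))
```

A `dangling` state, or a non-empty `unreferenced_acme_jobs` list, corresponds to the two inconsistent situations produced by the reproduction steps above.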

fraenki self-assigned this Mar 30, 2025