pfSense Plus generating corrupted backups

SteveITS

@hayescompatible I just checked a recent backup from a 3100 and it has only one <sshdata> section.

But, see https://forum.netgate.com/topic/171966/not-posible-to-restore-backups which links to https://redmine.pfsense.org/issues/13132

That shows "Plus Target Version: 22.05" but I don't see it in the release notes for 22.05.

If it uploads the config as is (??) you should be able to edit it:
https://docs.netgate.com/pfsense/en/latest/config/xml-configuration-file.html#edit-in-place

hayescompatible

@steveits thanks for pointing out those links, especially being able to edit the config in place. What I did instead was to edit the config file before I uploaded it to a fresh pfSense install, in order to make sure there were no duplicate <sshdata> sections.

I have a bunch of config file backups going back probably a year, I could check those to see when the duplicate <sshdata> sections started appearing, but I know I've successfully restored from backups before so it must be a recent thing.

In any event, hopefully this fix was rolled into 22.05 as the bug suggests.

SteveITS

@hayescompatible Editing before uploading would make more sense, if one knows to do that. Since mine doesn't have the duplicate section, and yours and the other poster's does, that implies something is causing it. If you can pin it to something, that might be useful for others, and/or make a Redmine entry. It might be useful to know if it's in the "live" config file that way? Just thinking about how to pursue it...

jimp

That bug was fixed quite some time ago, but if your config already had it in there it may not have been cleaned up properly at the time.

After import that section should have been removed, but it wasn't always removed.

IIRC there was an additional fix that went into 22.05 but I can't remember for certain without digging through redmine.

On 22.05 I did quite extensive testing of restoring SSH keys various ways and it's all solid now as far as I've been able to tell. When reinstalling using the memstick/iso the config recovery also now recovers SSH keys, which is also fun.

hayescompatible

@jimp I just generated a backup of my config with 22.05 and there are still duplicate <sshdata> sections in it. However, if I understand correctly, 22.05 and above will now know to use only one section and then subsequent backups will only contain the one section?

stephenw10

Hmm, that's not what I would expect. If you try to restore it again I'd expect that to fail in the same way.

jimp

Looking at https://redmine.pfsense.org/issues/13132 it should be cleaning that up as a part of the restore process on 22.05.

stephenw10

I can't replicate that here in a backup.

Do you know the exact steps you took to reach that?

hayescompatible

@stephenw10 said in pfSense Plus generating corrupted backups:

I can't replicate that here in a backup.

Do you know the exact steps you took to reach that?

Checking my old backups archive, the duplicate <sshdata> sections began appearing after I reinstalled pfSense 22.01 to a new disk and restored an XML config file to it. Every backup taken since then (including with today's 22.05 release) is generating duplicate <sshdata> sections.

jimp

The extra section was made then, but if you restore it to 22.05 it should work properly -- it will remove the duplicate, restore the keys, then remove the sshdata section entirely.

It's fixed when restoring, not when generating.

p1erre

@jimp this is what i got on the last 22.05 RC

[25-Jun-2022 11:51:00 Europe/Zurich] PHP Fatal error:  Uncaught Exception: XML error: SSHDATA at line 15302 cannot occur more than once
 in /etc/inc/xmlparse.inc:89
Stack trace:
#0 [internal function]: startElement(Resource id #27, 'SSHDATA', Array)
#1 /etc/inc/xmlparse.inc(188): xml_parse(Resource id #27, 'aCB023tWNBoI3S4...', true)
#2 /etc/inc/xmlparse.inc(149): parse_xml_config_raw('/conf/config.xm...', Array, 'false')
#3 /etc/inc/config.lib.inc(134): parse_xml_config('/conf/config.xm...', Array)
#4 /etc/inc/config.gui.inc(56): parse_config()
#5 /etc/inc/auth.inc(33): require_once('/etc/inc/config...')
#6 /etc/inc/ipsec.inc(26): require_once('/etc/inc/auth.i...')
#7 /etc/inc/gwlb.inc(27): require_once('/etc/inc/ipsec....')
#8 /etc/inc/functions.inc(35): require_once('/etc/inc/gwlb.i...')
#9 /etc/inc/notices.inc(26): require_once('/etc/inc/functi...')
#10 /etc/inc/config.inc(51): require_once('/etc/inc/notice...')
#11 /etc/inc/openvpn.inc(32): require_once('/etc/inc/config...')
#12 /etc/inc/filter.inc(30): require_once('/etc/inc/openvp...')
#13 /usr/local/sbin/ in /etc/inc/xmlparse.inc on line 89
[25-Jun-2022 11:51:00 Europe/Zurich] PHP Warning:  fopen(): Filename cannot be empty in /etc/inc/notices.inc on line 101

This broke the whole system.

hayescompatible

@jimp said in pfSense Plus generating corrupted backups:

The extra section was made then, but if you restore it to 22.05 it should work properly -- it will remove the duplicate, restore the keys, then remove the sshdata section entirely.

It's fixed when restoring, not when generating.

I can confirm 22.05 is still broken in this regard.

I created a backup of my running system in 22.05; the backup contained two <sshdata> sections.

I reinstalled 22.01 (latest ISO I have) then updated to 22.05 when prompted.

After rebooting, I restored the backed-up config file which completely broke pfSense and required another reinstall… which, coupled with the issue I reported here, was NOT fun.

At the console:

Fatal error: Uncaught Exception: XML error: SSHDATA at line 7349 cannot occur more than once
 in /etc/inc/xmlparse.inc:89
Stack trace:
#0 [internal function]: startElement(Resource id #26, 'SSHDATA', Array)
#1 /etc/inc/xmlparse.inc(188): xml_parse(Resource id #26, 'aEK1LX9+3feLBOO...', false)
#2 /etc/inc/xmlparse.inc(149): parse_xml_config_raw('/conf/config.xm...', Array, 'false')
#3 /etc/inc/config.lib.inc(134): parse_xml_config('/conf/config.xm...', Array)
#4 /etc/inc/config.gui.inc(56): parse_config()
#5 /etc/inc/auth.inc(33): require_once('/etc/inc/config...')
#6 /etc/inc/openvpn.inc(35): require_once('/etc/inc/auth.i...')
#7 /etc/inc/filter.inc(30): require_once('/etc/inc/openvp...')
#8 /etc/inc/ipsec.inc(25): require_once('/etc/inc/filter...')
#9 /etc/inc/gwlb.inc(27): require_once('/etc/inc/ipsec....')
#10 /etc/inc/functions.inc(35): require_once('/etc/inc/gwlb.i...')
#11 /etc/inc/notices.inc(26): require_once('/etc/inc/functi...')
#12 /etc/inc/config.inc(51): require_once('/etc/inc/notice...')
#13 /etc/rc.banner(2 in /etc/inc/xmlparse.inc on line 89
PHP ERROR: Type: 1, File: /etc/inc/xmlparse.inc, Line: 89, Message: Uncaught Exception: XML error: SSHDATA at line 7349 cannot occur more than once
 in /etc/inc/xmlparse.inc:89
Stack trace:
#0 [internal function]: startElement(Resource id #26, 'SSHDATA', Array)
#1 /etc/inc/xmlparse.inc(188): xml_parse(Resource id #26, 'aEK1LX9+3feLBOO...', false)
#2 /etc/inc/xmlparse.inc(149): parse_xml_config_raw('/conf/config.xm...', Array, 'false')
#3 /etc/inc/config.lib.inc(134): parse_xml_config('/conf/config.xm...', Array)
#4 /etc/inc/config.gui.inc(56): parse_config()
#5 /etc/inc/auth.inc(33): require_once('/etc/inc/config...')
#6 /etc/inc/openvpn.inc(35): require_once('/etc/inc/auth.i...')
#7 /etc/inc/filter.inc(30): require_once('/etc/inc/openvp...')
#8 /etc/inc/ipsec.inc(25): require_once('/etc/inc/filter...')
#9 /etc/inc/gwlb.inc(27): require_once('/etc/inc/ipsec....')
#10 /etc/inc/functions.inc(35): require_once('/etc/inc/gwlb.i...')
#11 /etc/inc/notices.inc(26): require_once('/etc/inc/functi...')
#12 /etc/inc/config.inc(51): require_once('/etc/inc/notice...')
#13 /etc/rc.banner(2

Same error message when loading any page in the webConfigurator.

rcoleman-netgate

@hayescompatible said in pfSense Plus generating corrupted backups:

ror: SSHDATA at line 7349 cannot occur more than once
in /etc/inc/xmlparse.inc:89

There's a known bug in the SSHDATA issue (https://redmine.pfsense.org/issues/13132) Check the redmine for details