Netgate Discussion Forum
    OpenVPN config corrupted after edit/save

    harmv

      I want to report a problem, of what I suspect is a bug in pfSense.

      I have an openvpn setup where the client and server certificates have different intermediate certificates.
      To properly configure this, openvpn provides the extra-certs option. I tested this using a plain openvpn server + client, this works fine.

      The problem arises, when trying to configure this setup in a pfSense appliance.
      'extra-certs' is not configurable directly, but I managed to configure it using the "Custom options" in pfSense web UI.
      This works... except...
      When, after that, re-opening the openvpn GUI config page and hitting "save" again (without editing anything!) the configuration is corrupted. The webUI botches up the extra-certs fields.

      How to reproduce

      1. Add an extra-certs (must be inline) to the openvpn config as follows
      <extra-certs>
      -----BEGIN CERTIFICATE-----
      MIIFQjCCAyqgAwIBAgIQP6Tdl7EBoQnVn+1YdSAzWTANBgkqhkiG9w0BAQ0FADAS
      
      .... manually snipped certificate contents from example for 
      
      RiWYZptGd4vlEJyH0OGj7/iP/A6u6siBJQrX0dj0xEkHUu7Ih9E/MbUdTrPOIiwY
      MUlIHByS
      -----END CERTIFICATE-----
      </extra-certs>
      
      2. Hit save
      3. The configuration is active and it actually works as expected. So far so good...
      4. Open the config page again
      5. Hit Save

      Result

      1. The "Custom Options" have newlines removed, corrupting the configuration
      <extra-certs>-----BEGIN CERTIFICATE-----
      MIIFQjCCAyqgAwIBAgIQP6Tdl7EBoQnVn+1YdSAzWTANBgkqhkiG9w0BAQ0FADAS
      
      .... manually snipped certificate contents from example for 
      
      RiWYZptGd4vlEJyH0OGj7/iP/A6u6siBJQrX0dj0xEkHUu7Ih9E/MbUdTrPOIiwY
      MUlIHByS
      -----END CERTIFICATE-----</extra-certs>
      

      And openvpn no longer starts; openvpn.log gives:
      openvpn[52574]: Options error: Unrecognized option or missing or extra parameter(s) in /var/etc/openvpn/server5/config.ovpn:39: <extra-certs>-----BEGIN (2.6.4)

      Note: Adding semicolons and/or extra newlines does not help here. Newlines are removed, semicolons are moved directly after <extra-certs>

      <extra-certs>
      ; extra lines
      ;
      
      -----BEGIN CERTIFICATE-----
      

      end up, after save -> open config page, being

      <extra-certs>; extra lines
      ;
      -----BEGIN CERTIFICATE-----
      
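The failure described in this post is a parsing problem, not a certificate problem: OpenVPN only recognises an inline block when `<extra-certs>` and `</extra-certs>` each sit alone on a line, so fusing them with the PEM lines turns the opening line into an unknown option and leaves the end tag unseen. The following is an added example, not code from the thread or from pfSense, that checks an OpenVPN config for exactly this corruption the way OpenVPN would see it and re-inserts the stripped newlines (the manual fix harmv describes). The sample configs and the certificate body are constructed placeholders, and the function names are my own.

```python
import re

# Constructed sample: a minimal OpenVPN config with a well-formed inline
# <extra-certs> block. The PEM body is a placeholder, not a real certificate.
GOOD_CONFIG = """\
dev tun
proto udp
<extra-certs>
-----BEGIN CERTIFICATE-----
MIIFQjCCAyqgAwIBAgIQP6Tdl7EBoQnVn+1YdSAzWTANBgkqhkiG9w0BAQ0FADAS
MUlIHByS
-----END CERTIFICATE-----
</extra-certs>
verb 3
"""

# The same block after the newline-stripping save cycle described in the thread:
# the opening tag is fused with the first PEM line, the closing tag with the last.
CORRUPTED_CONFIG = """\
dev tun
proto udp
<extra-certs>-----BEGIN CERTIFICATE-----
MIIFQjCCAyqgAwIBAgIQP6Tdl7EBoQnVn+1YdSAzWTANBgkqhkiG9w0BAQ0FADAS
MUlIHByS
-----END CERTIFICATE-----</extra-certs>
verb 3
"""

OPEN_TAG = re.compile(r"^<([A-Za-z0-9-]+)>$")        # tag alone on the line
FUSED_OPEN = re.compile(r"^<([A-Za-z0-9-]+)>(.+)$")  # tag followed by content
CLOSE_TAG = re.compile(r"^</([A-Za-z0-9-]+)>$")


def check_inline_blocks(config_text):
    """Return (line_number, message) problems for inline <tag> blocks.

    Mirrors how OpenVPN reads inline blocks: an opening tag must be the whole
    line, every following line is block body, and the block ends only at a line
    that is exactly </tag>. Anything else is reported as OpenVPN would see it.
    """
    problems = []
    current = None   # name of the currently open inline block, if any
    open_line = 0
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if current is None:
            m = OPEN_TAG.match(line)
            if m:
                current, open_line = m.group(1), lineno
            else:
                f = FUSED_OPEN.match(line)
                if f:
                    # To OpenVPN this whole line is an unknown option
                    # ("Unrecognized option ... <extra-certs>-----BEGIN" in the log).
                    problems.append((lineno, f"'<{f.group(1)}>' has content on the same "
                                              "line; OpenVPN treats it as an unknown option"))
                    current, open_line = f.group(1), lineno
            continue
        m = CLOSE_TAG.match(line)
        if m and m.group(1) == current:
            current = None
        elif line.endswith(f"</{current}>"):
            # The closing tag is glued to the last PEM line, so it is never
            # recognised as a tag and the block runs to end of file.
            problems.append((lineno, f"closing tag </{current}> is fused with block content"))
    if current is not None:
        problems.append((open_line, f"Endtag </{current}> missing"))
    return problems


def repair_inline_blocks(config_text):
    """Put each inline tag back on its own line (the 'add the newlines' fix)."""
    fixed = []
    for raw in config_text.splitlines():
        line = raw.strip()
        f = FUSED_OPEN.match(line)
        if f:                      # "<tag>rest" -> "<tag>", "rest"
            fixed.append(f"<{f.group(1)}>")
            line = f.group(2)
        c = re.match(r"^(.+?)(</[A-Za-z0-9-]+>)$", line)
        if c:                      # "rest</tag>" -> "rest", "</tag>"
            fixed.append(c.group(1))
            line = c.group(2)
        fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for lineno, msg in check_inline_blocks(CORRUPTED_CONFIG):
        print(f"line {lineno}: {msg}")
    assert check_inline_blocks(repair_inline_blocks(CORRUPTED_CONFIG)) == []
```

Run against a config exported from the appliance after a save or a service restart, the checker reports the fused tags and the resulting "Endtag missing" before OpenVPN is restarted, which is the moment the thread shows the breakage actually surfacing; the repair function only re-inserts newlines around tags and never touches the certificate bytes themselves.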
      harmv

        pfSense Community Edition
        version: 2.7.0-RELEASE, built on Wed Jun 28 03:53:34 UTC 2023

        harmv @harmv

          NB: this is not a dup of https://redmine.pfsense.org/issues/2800

          The intermediate certificate should not be added to the CA chain.
          (The CA chain is used to validate the remote side; this particular intermediate certificate is intended to let the remote side validate us! It is actually sent during the TLS handshake by the server.)
          For this to work you have to pass it to openvpn via the extra-certs option, not by concatenating it to any of the other certificate params.

          Ideally, this should be configurable not via "Custom options" but rather in the UI directly: select the required extra-certs (one or more) from the certificates uploaded to pfSense.
          But if that's not feasible to implement, at least it should be possible using the "Custom options" without corrupting itself after an (empty) Edit/Save cycle.

          harmv @harmv (last edited by harmv)

            The problem is actually a bit worse than initially reported.
            The problem does not only happen after edit/save, but also after restarting the service.

            Steps to reproduce

            1. configure correctly (manually add newlines)
            2. Save

            Now the openvpn server runs correctly, with the extra-certs option

            3. Go to openvpn status page (/status_openvpn.php#)
            4. Click "restart" on the openvpn service

            Result

            The service does not restart, openvpn.log shows

            Aug 23 17:11:05 fw openvpn[84943]: SIGTERM[hard,] received, process exiting
            Aug 23 17:11:06 fw openvpn[1001]: ERROR: Endtag </extra-certs> missing
            Aug 23 17:11:06 fw openvpn[1001]: Exiting due to fatal error
            

            To fix again, go to the openvpn config page, manually add the newlines (2x), save -> service runs.
