Certificates missing for new users after upgrading to 2.4.3-RELEASE-p1
-
We recently upgraded to 2.4.3-RELEASE-p1 .
When I add a new user and select create certificate, the resulting certificate is zero bytes and there is no key. Openvpn Client Export configuration reports server.crt missing. Any help would be appreciated. -
I get the below error when I try to add an internal certificate, seems like a related symptom:
The following input errors were detected:openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line
openssl library returns: error:0906D06C:PEM routines:PEM_read_bio:no start line -
Seems to be the same issue here as well https://forum.netgate.com/topic/129341/error-creating-new-internal-certificate
-
What version did you upgrade from?
There could be a problem with your original CA. It's also possible there is a problem with your installation in general.
We have seen before where users that have customized some portions of pfSense incorrectly (e.g. just changing
product_name
to something other thanpfSense
without making other necessary changes). It could end up without a proper openssl configuration in this case which may lead to the errors you see. -
Thanks for the response. It was upgraded from the latest 2.3 release. We didn't customize pfsense, we purchased the commercial appliances from pfsense, now netgate. The product name changed from pfsense to netgate at least from the webui perspective.
-
The actual global declaration for
$g['product_name']
is stillpfSense
even on Netgate devices, so it wouldn't be that.Anything special about the way this system was installed? Did it use a custom disk layout or was it just a plain/stock install using the typical defaults? Or is it still running the original factory install, but updated?
-
@jimp
It should be the original factory install with upgrade. That said, we DID have an issue running the upgrade with the primary set as a standby in a HA pair. A different issue I'd been meaning to look at. We were finally able to get it to upgrade by disabling CARP on the secondary system and upgrading while the primary was active... -
OK. Next step is to check the OpenSSL config file. Try the following commands and compare the output.
: ls -l /usr/local/share/pfSense/ssl/openssl.cnf -rw-r--r-- 1 root wheel 12017 May 29 13:09 /usr/local/share/pfSense/ssl/openssl.cnf : ls -l /etc/ssl/openssl.cnf -rw-r--r-- 1 root wheel 12017 Jul 23 10:22 /etc/ssl/openssl.cnf : ls -l /usr/local/openssl/openssl.cnf lrwxr-xr-x 1 root wheel 20 Jul 23 10:22 /usr/local/openssl/openssl.cnf -> /etc/ssl/openssl.cnf
Note that the copy under
/usr/local/share/pfSense
should be identical in size and content to the one in/etc/ssl/
:: sha256 /usr/local/share/pfSense/ssl/openssl.cnf SHA256 (/usr/local/share/pfSense/ssl/openssl.cnf) = ab6e9dfea7b9b94848724f87abf5e1d58fe14c8ea48b13c92dea5d2f57364fd2 : sha256 /etc/ssl/openssl.cnf SHA256 (/etc/ssl/openssl.cnf) = ab6e9dfea7b9b94848724f87abf5e1d58fe14c8ea48b13c92dea5d2f57364fd2
The above commands are from a 2.4.4 snapshot so the exact hash may be different on yours. It's OK so long as they match and are not zero bytes.
-
@jimp
They seem to be different:[2.4.3-RELEASE][ro@]/root: ls -l /usr/local/share/pfSense/ssl/openssl.cnf -rw-r--r-- 1 root wheel 12017 May 9 10:43 /usr/local/share/pfSense/ssl/openssl.cnf [2.4.3-RELEASE][ro@]/root: ls -l /etc/ssl/openssl.cnf -rw-r--r-- 1 root wheel 10847 May 10 20:08 /etc/ssl/openssl.cnf [2.4.3-RELEASE][ro@]/root: ls -l /usr/local/openssl/openssl.cnf lrwxr-xr-x 1 root wheel 28 May 3 2017 /usr/local/openssl/openssl.cnf -> ../../../etc/ssl/openssl.cnf [2.4.3-RELEASE][ro@]/root: cd /usr/local/openssl/ [2.4.3-RELEASE][ro@]/usr/local/openssl: ls -l ../../../etc/ssl/openssl.cnf -rw-r--r-- 1 root wheel 10847 May 10 20:08 ../../../etc/ssl/openssl.cnf
-
[2.4.3-RELEASE][ro]/usr/local/openssl: diff /usr/local/share/pfSense/ssl/openssl.cnf /etc/ssl/openssl.cnf 12,15d11 < # pfSense: default SAN value if $ENV::SAN is not defined < # < SAN = < 23c19 < # extensions = --- > # extensions = 36,38c32,34 < # tsa_policy1 = 1.2.3.4.1 < # tsa_policy2 = 1.2.3.4.5.6 < # tsa_policy3 = 1.2.3.4.5.7 --- > tsa_policy1 = 1.2.3.4.1 > tsa_policy2 = 1.2.3.4.5.6 > tsa_policy3 = 1.2.3.4.5.7 57c53 < #crlnumber = $dir/crlnumber # the current crl number --- > crlnumber = $dir/crlnumber # the current crl number 76c72 < crl_extensions = crl_ext --- > # crl_extensions = crl_ext 111d106 < prompt = no 122c117 < # This sets a mask for permitted string types. There are several options. --- > # This sets a mask for permitted string types. There are several options. 129c124 < string_mask = nombstr --- > string_mask = utf8only 131c126 < req_extensions = v3_req # The extensions to add to a certificate request --- > # req_extensions = v3_req # The extensions to add to a certificate request 134,137c129,132 < countryName = US < #countryName_default = AU < #countryName_min = 2 < #countryName_max = 2 --- > countryName = Country Name (2 letter code) > countryName_default = AU > countryName_min = 2 > countryName_max = 2 139,140c134,135 < stateOrProvinceName = Some-State < #stateOrProvinceName_default = Some-State --- > stateOrProvinceName = State or Province Name (full name) > stateOrProvinceName_default = Some-State 142c137 < localityName = Somecity --- > localityName = Locality Name (eg, city) 144,145c139,140 < 0.organizationName = CompanyName < #0.organizationName_default = Internet Widgits Pty Ltd --- > 0.organizationName = Organization Name (eg, company) > 0.organizationName_default = Internet Widgits Pty Ltd 155c150 < #commonName_max = 64 --- > commonName_max = 64 158c153 < #emailAddress_max = 64 --- > emailAddress_max = 64 164,165c159,160 < #challengePassword_min = 4 < #challengePassword_max = 20 --- > challengePassword_min = 4 > challengePassword_max = 20 171,250c166,216 < basicConstraints = CA:FALSE < keyUsage = nonRepudiation, digitalSignature, keyEncipherment < nsComment = "OpenSSL Generated User Certificate" < subjectKeyIdentifier = hash < authorityKeyIdentifier = keyid,issuer:always < extendedKeyUsage = clientAuth < < [ usr_cert_san ] < < # copy of [ usr_cert ] plus nonempty Subject Alternative Names < basicConstraints = CA:FALSE < keyUsage = nonRepudiation, digitalSignature, keyEncipherment < nsComment = "OpenSSL Generated User Certificate" < subjectKeyIdentifier = hash < authorityKeyIdentifier = keyid,issuer:always < extendedKeyUsage = clientAuth < subjectAltName = $ENV::SAN < < [ server ] < < # Make a cert with nsCertType=server < basicConstraints = CA:FALSE < nsCertType = server < keyUsage = digitalSignature, keyEncipherment < nsComment = "OpenSSL Generated Server Certificate" < subjectKeyIdentifier = hash < authorityKeyIdentifier = keyid,issuer:always < extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2 < < [ server_san ] < < # copy of [ server ] plus nonempty Subject Alternative Names < basicConstraints = CA:FALSE < nsCertType = server < keyUsage = digitalSignature, keyEncipherment < nsComment = "OpenSSL Generated Server Certificate" < subjectKeyIdentifier = hash < authorityKeyIdentifier = keyid,issuer:always < extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2 < subjectAltName = $ENV::SAN < < [ req_usr_cert ] < < # Copy of [ usr_cert ] for CSR < basicConstraints = CA:FALSE < keyUsage = nonRepudiation, digitalSignature, keyEncipherment < nsComment = "OpenSSL Generated User Certificate" < subjectKeyIdentifier = hash < extendedKeyUsage = clientAuth < < [ req_usr_cert_san ] < < # Copy of [ usr_cert_san ] for CSR < basicConstraints = CA:FALSE < keyUsage = nonRepudiation, digitalSignature, keyEncipherment < nsComment = "OpenSSL Generated User Certificate" < subjectKeyIdentifier = hash < extendedKeyUsage = clientAuth < subjectAltName = $ENV::SAN < < [ req_server ] < < # Copy of [ server ] for CSR < basicConstraints = CA:FALSE < nsCertType = server < keyUsage = digitalSignature, keyEncipherment < nsComment = "OpenSSL Generated Server Certificate" < subjectKeyIdentifier = hash < extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2 < < [ req_server_san ] < < # Copy of [ server_san ] for CSR < basicConstraints = CA:FALSE < nsCertType = server < keyUsage = digitalSignature, keyEncipherment < nsComment = "OpenSSL Generated Server Certificate" < subjectKeyIdentifier = hash < extendedKeyUsage = serverAuth,1.3.6.1.5.5.8.2.2 < subjectAltName = $ENV::SAN --- > # These extensions are added when 'ca' signs a request. > > # This goes against PKIX guidelines but some CAs do it and some software > # requires this to avoid interpreting an end user certificate as a CA. > > basicConstraints=CA:FALSE > > # Here are some examples of the usage of nsCertType. If it is omitted > # the certificate can be used for anything *except* object signing. > > # This is OK for an SSL server. > # nsCertType = server > > # For an object signing certificate this would be used. > # nsCertType = objsign > > # For normal client use this is typical > # nsCertType = client, email > > # and for everything including object signing: > # nsCertType = client, email, objsign > > # This is typical in keyUsage for a client certificate. > # keyUsage = nonRepudiation, digitalSignature, keyEncipherment > > # This will be displayed in Netscape's comment listbox. > nsComment = "OpenSSL Generated Certificate" > > # PKIX recommendations harmless if included in all certificates. > subjectKeyIdentifier=hash > authorityKeyIdentifier=keyid,issuer > > # This stuff is for subjectAltName and issuerAltname. > # Import the email address. > # subjectAltName=email:copy > # An alternative to produce certificates that aren't > # deprecated according to PKIX. > # subjectAltName=email:move > > # Copy subject details > # issuerAltName=issuer:copy > > #nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem > #nsBaseUrl > #nsRevocationUrl > #nsRenewalUrl > #nsCaPolicyUrl > #nsSslServerName > > # This is required for TSA certificates. > # extendedKeyUsage = critical,timeStamping 259d224 < 261a227 > 269c235 < authorityKeyIdentifier=keyid:always,issuer:always --- > authorityKeyIdentifier=keyid:always,issuer 280c246 < keyUsage = cRLSign, keyCertSign --- > # keyUsage = cRLSign, keyCertSign 296,303d261 < [ v3_ca_san ] < < # copy of [ v3_ca ] plus nonempty Subject Alternative Names < subjectKeyIdentifier=hash < authorityKeyIdentifier=keyid:always,issuer:always < basicConstraints=CA:true < subjectAltName=$ENV::SAN < 310c268 < authorityKeyIdentifier=keyid:always,issuer:always --- > authorityKeyIdentifier=keyid:always
-
Seem to have fixed it by copying it over:
cp /usr/local/share/pfSense/ssl/openssl.cnf /etc/ssl/openssl.cnf
THANK YOU -
Well, that solves why it wasn't generating the certificates, but not why that copy didn't happen when it should. That should be done at every boot automatically, and for some reason it didn't happen for you. It should be OK between reboots, but you may want to confirm that for certain. Upgrades may also be questionable there, but that harder to confirm since we haven't changed that file in a while.
-
Yes, related to the(reverse NAT?) issue with upgrading the standby; the first attempt at upgrading did not complete before timing out. I believe I got a "upgrade already in progress" when I ran a subsequent upgrade from shell and then wound up rebooting...