PHP Error Trying to Add to Revoked Certificates List

mRedm · Jan 29, 2020, 5:35 PM

@jimp Forget that, got confused on that, creating a CA worked in two other tries.
But creating a CRL gives exactly the same error message.

Deleting Certs, CAs CRLs works flawlessly, by the way.

PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56 Stack trace: 
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
 #1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #25, false) 
#2 /etc/inc/openvpn.inc(1929): crl_update(Array) 
#3 /usr/local/www/system_crlmanager.php(247): openvpn_refresh_crls() 
#4 {main} thrown

mRedm · Jan 29, 2020, 5:46 PM

Exported CRL data of one created throwing an error seems to be fine

-----BEGIN X509 CRL-----
MIICXzCCA...tjmd+/P6X970=
-----END X509 CRL-----

Exported OpenVPN config shows correct/valid CRL and CA ref ids

jimp · Jan 29, 2020, 5:52 PM

Is the <crl>...</crl> block above the only one in your config? Does there happen to be an empty one (Like <crl/> or <crl></crl>) above or below it in config.xml? Or maybe an empty <cert/> or <ca/> tag?

mRedm · Jan 29, 2020, 6:39 PM

@jimp Two crl blocks, lock the same apart from different refs. No empty ca, cert or crl.

Did a reboot, it's a SG-3100 btw.
Problem got worse, OpenVPNserver didn't restart on boot, network clients behind firewall couldn't connect to the internet, webconfigurator didn't start.
Started webconfig through ssh connection, removed CRL from OpenVPN server config (2 OpenVPN servers running!), saved, rebooted, all fine.

Error on failed bootup:

PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
Stack trace:
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
#1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #1639, false)
#2 /etc/inc/openvpn.inc(1181): crl_update(Array)
#3 /etc/inc/openvpn.inc(1320): openvpn_reconfigure('server', Array)
#4 /etc/inc/openvpn.inc(1543): openvpn_restart('server', Array)
#5 /etc/inc/openvpn.inc(1583): openvpn_resync('server', Array)
#6 /etc/rc.newwanip(250): openvpn_resync_all('opt1')
#7 {main}

jimp · Jan 29, 2020, 6:51 PM

I figured something like that might happen if it was failing to update.

I have tried several different things here and still can't reproduce anything like it, however. It works 100% every time for me.

The line it's crashing on and the error still suggest that something the function is being fed is null when it shouldn't be. But I don't see how that might be possible unless there is something really unusual about the CA.

jimp · Jan 29, 2020, 8:16 PM

Still not able to reproduce any issue here. If you don't mind, I'd like to see copies of your CA and the certificate you are attempting to revoke. You don't have to post them here, you can mail them to me privately, <my forum username> (at) netgate.com. I shouldn't need the keys, hopefully just seeing the structure of both might let me find a way to reproduce it. Or at least suppress the errors if it is working OK otherwise aside from the error condition.

jimp · Jan 30, 2020, 6:43 PM

I got the files you sent but parts I needed were not there. I need the certificate data, but not the key. There wouldn't be anything private/secret in the certificate file / <crt>...</crt> tag.

I was at least able to see the CN of the CA and guessed what it might have been for the user cert you mentioned, but I was still unable to replicate the error using the values I tried.

mRedm · Jan 31, 2020, 10:19 AM

Ok, will send that out to you. Whole certificate and content between crt-Tags in config.

jimp · Jan 31, 2020, 1:44 PM

Still no luck reproducing any error here. I've tried on SG-3100, a VM, Factory, CE, on 2.4.5 and 2.5.0. I can't find any combination of CA/Cert/CRL actions which result in an error here.

Can you try the change in the attached patch to see if it helps? It doesn't explain why you are getting the errors, but it may help prevent them from causing you problems since it actually seems to work aside from generating the error.

suppress-crl-error.diff

mRedm · Jan 31, 2020, 2:22 PM

@jimp Ok, applied that change to /etc/inc/certs.inc and restarted the whole device. Didn't help unfortunately. Neither did the error disappear nor does adding the certificate to the CRL work.

jimp · Jan 31, 2020, 5:59 PM

The error is exactly the same with that applied?

mRedm · Feb 3, 2020, 2:14 PM

@jimp Yes, exactly the same error message. I wondered myself how this can happen, with that error suppressor added.

But I was able to solve the issue. I figured out, that something was wrong with that CA.
I exported the CA from the Windows server it stems from and imported it into pfSense again. Immediately it showed all certificates as belonging to the just imported CA.
Somehow that fixed something.
Revoking a certificate worked after that.
Still don't know, why things didn't work with a fresh new internal CA plus certificates.

jimp · Feb 3, 2020, 7:59 PM

Does your Windows CA have the same subject as your internal certificate? Maybe it's getting confused about which certificates were issued by a given CA since they have identical subjects.

mRedm · Mar 23, 2020, 11:03 AM

Sorry, can't check anything regarding that any more. Company went bankrupt and was bought by another one. Moved over to their building.