PHP Error Trying to Add to Revoked Certificates List
-
I figured something like that might happen if it was failing to update.
I have tried several different things here and still can't reproduce anything like it, however. It works 100% every time for me.
The line it's crashing on and the error still suggest that something the function is being fed is null when it shouldn't be. But I don't see how that might be possible unless there is something really unusual about the CA.
-
Still not able to reproduce any issue here. If you don't mind, I'd like to see copies of your CA and the certificate you are attempting to revoke. You don't have to post them here, you can mail them to me privately,
<my forum username> (at) netgate.com
. I shouldn't need the keys, hopefully just seeing the structure of both might let me find a way to reproduce it. Or at least suppress the errors if it is working OK otherwise aside from the error condition. -
I got the files you sent but parts I needed were not there. I need the certificate data, but not the key. There wouldn't be anything private/secret in the certificate file /
<crt>...</crt>
tag.I was at least able to see the CN of the CA and guessed what it might have been for the user cert you mentioned, but I was still unable to replicate the error using the values I tried.
-
Ok, will send that out to you. Whole certificate and content between crt-Tags in config.
-
Still no luck reproducing any error here. I've tried on SG-3100, a VM, Factory, CE, on 2.4.5 and 2.5.0. I can't find any combination of CA/Cert/CRL actions which result in an error here.
Can you try the change in the attached patch to see if it helps? It doesn't explain why you are getting the errors, but it may help prevent them from causing you problems since it actually seems to work aside from generating the error.
-
@jimp Ok, applied that change to /etc/inc/certs.inc and restarted the whole device. Didn't help unfortunately. Neither did the error disappear nor does adding the certificate to the CRL work.
-
The error is exactly the same with that applied?
-
@jimp Yes, exactly the same error message. I wondered myself how this can happen, with that error suppressor added.
But I was able to solve the issue. I figured out, that something was wrong with that CA.
I exported the CA from the Windows server it stems from and imported it into pfSense again. Immediately it showed all certificates as belonging to the just imported CA.
Somehow that fixed something.
Revoking a certificate worked after that.
Still don't know, why things didn't work with a fresh new internal CA plus certificates. -
Does your Windows CA have the same subject as your internal certificate? Maybe it's getting confused about which certificates were issued by a given CA since they have identical subjects.
-
Sorry, can't check anything regarding that any more. Company went bankrupt and was bought by another one. Moved over to their building.