Bug. Please fix it.

emammadov

Hello,

There is a situation in pfSense that I create a user in User Manager and then create a user certificate for that user to use in OpenVPN. If a username begins with the letter "a." (for example a.john), it's certificate doesn't work in OpenVPN.
Normally, if I export OpenVPN files, it forms so:
pfSense-UDP4-1194-e.mammadov.ovpn
pfSense-UDP4-1194-e.mammadov.p12
pfSense-UDP4-1194-e.mammadov-tls.key

But if I export the user for example a.john, its vpn files are without username:
pfsense-UDP4-1194.ovpn
pfsense-UDP4-1194.p12
pfsense-UDP4-1194-tls.key

Beside this, when I add user certificate under User Certificates in System / User Manager / Users / Edit and click save it goes immediately to System / Certificate Manager / Certificates page instead of System / User Manager / Users.

I please you to check this issue and fix it in pfSense 2.4.4 release.

jimp

Looks like that had nothing specifically to do with the format of the username, only that they ended up being first in the list. And it was not a problem in the base system, only the export package.

https://redmine.pfsense.org/issues/8918

The behavior of creating user certificates is correct. When you create a user it has a shortcut to do it in a simple form. If the user already exists, it redirects to the certificate manager where it pre-fills info rather than using the short/simple form.

emammadov

I saw it just happens on usernames beginning with only a. john, not b.john, c.john, d.john and etc.
I usually create a user in User Manager and then create a certificate in Certificate Manager and after that add ceritificate to the user.
Page goes to Certificate Manager instead of staying in User Manager only when username beginning with a. It doesn't happen when username begins with b. c. d. and etc.
Please follow the steps I did in sequence, then you will exactly see the problem.

jimp

Yes, as I said it is due to the alphabetical order you see them in. The first user in the entire list is indexed as 0, and if you export for that user (index 0) or the first certificate (index 0) it would have omitted things from the filename.

Users with b, c, d, would be after admin in the user list so they wouldn't be at index 0 when ordered alphabetically.

It would also happen with any user starting with "a" that sorts before "admin".

jimp

I can't reproduce any problem with creating user certificates though. I made two users "a.test" and "b.test" and the behavior is the same on both of them when clicking the button to add a cert to the user.

emammadov

I will record the screen and will paste here for exact diagnose.
Beside this, is it possible to place a separator in User Manager like in Firewall rules, so that I can separate users on page. Because we have many users, head and remote office users.

jimp

That's unlikely to happen. If you need that many users the user manager is not ideal. You should be using an external authentication setup in those cases, like RADIUS or LDAP.

emammadov

It would be great to have separator in user manager anyway. I will record the screen of that problem and paste here soon.

jimp

I tried again on another box and this time I was able to see what you said. If you go through the entire process of adding a certificate to a user, normally it redirects you back to editing the user once the certificate has been added. But for that first user it does not perform that redirect.

It had a very similar test to the export package there that failed when the user index was 0.

I'll push a fix for that as well.

emammadov

Great, Just in case I recorded my screen and upload a video to google drive and pasting url here for your review.

https://drive.google.com/open?id=1Kp2x3iiWW8BTsoKT_UsWXj2Y-C223XtP

Hope it will be fixed in pfSense 2.4.4.

jimp

It will either be in 2.4.4-RELEASE or 2.4.4-p1 which will follow not terribly far behind. Either way you can apply the fix using the System Patches package if you want to have it sooner.

emammadov

Actually, I want it to be fixed soon. How can I have System Patches package?

jimp

https://www.netgate.com/docs/pfsense/development/system-patches.html

The commit ID you feed to the package can be found on github or referenced in the redmine entries for the issues, such as https://redmine.pfsense.org/issues/8920

emammadov

Thank you. Actually, I didn't get clear so every pfsense user has to use system patches for the solution of this issue? Or it will be fixed in the next updates? Sorry, i got confused.

jimp

If you want the fix right now -- today -- use System Patches to apply it.

I have committed the fix into the pfSense repository but we are in the process of preparing 2.4.4-RELEASE. The commits may have missed the cutoff to be included in that release. If so, they will be in 2.4.4-RELEASE-p1 which will be coming in the near future.

emammadov

Thank you very much. Once these 2 issues have been fixed in the next updates, then will I be able to delete that system patch from pfsense?

jimp

Once the fixes are in you will no longer need the patch.

The OpenVPN Client Export fix will be in 2.4.4-RELEASE for sure, it's the user manager redirect issue that may not make it.

emammadov

Great. I love pfSense. Then OpenVPN cliemt export issue will be fixed in 2.4.4 and User Manager issue be fixed in 2.4.4p1, right?

jimp

Yes. Or if we need another rebuild of 2.4.4, the other fix may sneak in. Either way it's coming.

emammadov

Thank you very much.