certmanager error - Cannot generate new certificate



  • Hello guys,

    I have a pfSense box (2.4.4 amd64) running for a while, and today I tried to import a new certificate to the system but I faced the error below when I hit the [Add/Sign] button on the Certificates tab (in the Certmanager's page).

    Fatal error: Uncaught Error: Cannot use assign-op operators with string offsets in /usr/local/www/system_certmanager.php:947 Stack trace: #0 {main} thrown in /usr/local/www/system_certmanager.php on line 947 PHP ERROR: Type: 1, File: /usr/local/www/system_certmanager.php, Line: 947, Message: Uncaught Error: Cannot use assign-op operators with string offsets in /usr/local/www/system_certmanager.php:947 Stack trace: #0 {main} thrown
    

    The system is updated:

    amd64
    11.2-RELEASE-p3
    FreeBSD 11.2-RELEASE-p3 #17 e6b497fa0a3(RELENG_2_4_4): Thu Sep 20 09:04:45 EDT 2018     root@buildbot3:/crossbuild/ce-244/obj/amd64/WvDslnYb/crossbuild/ce-244/pfSense/tmp/FreeBSD-src/sys/pfSense
    

    I have a few packages installed on this system (all updated):

    • haproxy
    • Openvpn-client-export
    • zabbix-agent

    I tried to generate a new CA just to test and see what would happen, and the process finishes as expected, no error.
    So the problem seems to be related only to Add/Sign new certificates.

    This box has been running for some time (maybe a year now), and recently it was updated to 2.4.4 but I only saw this error now because I had to deal with a new certificate, so I've no idea when the problem really started.

    Any tips on this would be much appreciated.


  • Rebel Alliance Developer Netgate

    Can you share the contents of the <cert>...</cert> sections of your config.xml file? You can remove any crt/prv strings or other private info.

    Mostly I'm curious if you have any empty tags, like a <cert></cert> entry.


  • Rebel Alliance Global Moderator

    So you're getting this error when you hit save on your import after putting in the cert info, or just upon clicking add?

    I just tested this on an sg3100 that was updated to 2.4.4 and was not able to duplicate this problem.



  • @jimp

    @jimp thanks for your reply, there is in fact an empty <cert> tag.

    Any suggestion on how to remove it?

    <ca>
    	<refid>544518d056778</refid>
    	<descr><![CDATA[CA]]></descr>
    	<crt>XXXXXXXXXXXXXXXXXXXXXXXX</crt>
    	<serial></serial>
    </ca>
    <ca>
    	<refid>57f35e149c332</refid>
    	<descr><![CDATA[fw_ca]]></descr>
    	<crt>XXXXXXXXXXXXXXXXXXXXXXXX</crt>
    	<prv>XXXXXXXXXXXXXXXXXXXXXXXX</prv>
    	<serial>4</serial>
    </ca>
    <cert></cert>
    <cert>
    	<refid>580e235c0223b</refid>
    	<descr><![CDATA[*.domain.com]]></descr>
    	<crt>XXXXXXXXXXXXXXXXXXXXXXXX</crt>
    	<prv>XXXXXXXXXXXXXXXXXXXXXXXX</prv>
    	<caref>544518d056778</caref>
    </cert>
    <cert>
    	<refid>583b10cb4e57c</refid>
    	<descr><![CDATA[fw.me.com-vpn]]></descr>
    	<type>server</type>
    	<caref>57f35e149c332</caref>
    	<crt>XXXXXXXXXXXXXXXXXXXXXXXX</crt>
    	<prv>XXXXXXXXXXXXXXXXXXXXXXXX</prv>
    </cert>
    

  • Rebel Alliance Developer Netgate

    OK, that's probably the culprit. I can work from there to try to reproduce and find a fix.

    You can edit that out of your config.xml in a few ways:

    • From the shell with viconfig if you are comfortable in vi.
    • Download a backup, edit it out, and then restore it (will take a reboot)
    • Edit the file some other way (e.g. Diag > Edit File) and then rm /tmp/config.cache.
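
A check for the condition identified above, as an added example that is not part of the thread or pfSense's own code: it scans a downloaded config.xml backup for empty <cert> or <ca> entries and reports their line numbers so they can be edited out before restoring. Covering <ca> and self-closed forms is an assumption beyond the single <cert></cert> the thread confirms, and the sample config is constructed.

```python
import re
import sys

# Matches <cert></cert>, <cert/> and whitespace-only variants; same for <ca>.
# Assumption: only these two entry types are checked, and the file has one
# element per line, as in the excerpt posted in the thread.
EMPTY_ENTRY = re.compile(
    r"^[ \t]*<(cert|ca)(?:\s*/>|>\s*</\1>)[ \t]*\r?\n?", re.MULTILINE
)

# Constructed sample modelled on the excerpt in the thread (no real key data).
SAMPLE = """<pfsense>
\t<ca>
\t\t<refid>aaaaaaaaaaaaa</refid>
\t\t<serial></serial>
\t</ca>
\t<cert></cert>
\t<cert>
\t\t<refid>bbbbbbbbbbbbb</refid>
\t\t<descr><![CDATA[example]]></descr>
\t\t<caref>aaaaaaaaaaaaa</caref>
\t</cert>
</pfsense>
"""


def find_empty_entries(xml_text):
    """Return [(tag, line_number), ...] for every empty <cert>/<ca> entry."""
    hits = []
    for m in EMPTY_ENTRY.finditer(xml_text):
        line = xml_text.count("\n", 0, m.start(1)) + 1
        hits.append((m.group(1), line))
    return hits


def strip_empty_entries(xml_text):
    """Return the text with empty entries removed; everything else is kept
    byte for byte (CDATA sections included), unlike an XML parse/rewrite."""
    return EMPTY_ENTRY.sub("", xml_text)


if __name__ == "__main__":
    # Pass the path of a downloaded backup, or run with no argument for SAMPLE.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for tag, line in find_empty_entries(text):
        print(f"empty <{tag}> entry at line {line}")
```

Legitimately empty child tags such as <serial></serial> are not flagged, since only the top-level entry tags are matched.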


  • @johnpoz

    Hello @johnpoz, thanks for your reply.

    I get this error message right after clicking [Add/Sign] button.



  • @jimp

    @jimp removing the empty tag really did the trick (I used viconfig).
    Now the Add/Sign new Certificate page is being shown and I was able to add/import a new certificate.

    Thanks a lot for your help.


  • Rebel Alliance Developer Netgate

    I was able to reproduce it fairly easily, and I just pushed a fix.

    https://redmine.pfsense.org/issues/9099