certmanager error - Cannot generate new certificate

  • Hello guys,

    I have a pfSense box (2.4.4 amd64) running for a while, and today I tried to import a new certificate to the system but I faced the error below when I hit the [Add/Sign] button on the Certicates tab ( in the Certmanager's page).

    Fatal error: Uncaught Error: Cannot use assign-op operators with string offsets in /usr/local/www/system_certmanager.php:947 Stack trace: #0 {main} thrown in /usr/local/www/system_certmanager.php on line 947 PHP ERROR: Type: 1, File: /usr/local/www/system_certmanager.php, Line: 947, Message: Uncaught Error: Cannot use assign-op operators with string offsets in /usr/local/www/system_certmanager.php:947 Stack trace: #0 {main} thrown

    The system is updated:

    FreeBSD 11.2-RELEASE-p3 #17 e6b497fa0a3(RELENG_2_4_4): Thu Sep 20 09:04:45 EDT 2018     root@buildbot3:/crossbuild/ce-244/obj/amd64/WvDslnYb/crossbuild/ce-244/pfSense/tmp/FreeBSD-src/sys/pfSense

    I have a few packages installed on this system (all updated):

    • haproxy
    • Openvpn-client-export
    • zabbix-agent

    I tried to generate a new CA just to test and see what would happen, and the process finishes as expected, no error.
    So the problem seems to be related only with Add/Sign new certificates.

    This box is running for sometime (maybe a year now), and recently it was updated to 2.4.4 but I only saw this error now because I had to deal with a new certificate, so I've no idea when the problem really started.

    Any tips on this would be much appreciated.

  • Rebel Alliance Developer Netgate

    Can you share the contents of the <cert>...</cert> sections of your config.xml file? You can remove any crt/prv strings or other private info.

    Mostly I'm curious if you have any empty tags, like a <cert></cert> entry.

  • LAYER 8 Global Moderator

    So your getting this error when you hit save on your import after putting in the cert info, or just upon clicking add?

    I just tested this on sg3100 that was updated to 2.4.4 and not able to duplicate this problem

  • @jimp

    @jimp thanks for you reply, there is in fact an empty <cert> tag.

    Any suggestion on how to remove it?


  • Rebel Alliance Developer Netgate

    OK, that's probably the culprit. I can work from there to try to reproduce and find a fix.

    You can edit that out of your config.xml in a few ways:

    • From the shell with viconfig if you are comfortable in vi.
    • Download a backup, edit it out, and then restore it (will take a reboot)
    • Edit the file some other way (e.g. Diag > Edit File) and then rm /tmp/config.cache.

  • @johnpoz

    Hello @johnpoz , thanks for your reply.

    I get this error message right after clicking [Add/Sign] button.

  • @jimp

    @jimp removing the empty tag really did the trick (I used viconfig).
    Now the Add/Sign new Certificate page is being shown and I was able to add import a new certificate.

    Thanks a lot for you help.

  • Rebel Alliance Developer Netgate

    I was able to reproduce it fairly easily, and I just pushed a fix.


Log in to reply