certmanager error - Cannot generate new certificate

sokr · Nov 6, 2018, 1:55 AM

Hello guys,

I have a pfSense box (2.4.4 amd64) running for a while, and today I tried to import a new certificate to the system but I faced the error below when I hit the [Add/Sign] button on the Certicates tab ( in the Certmanager's page).

Fatal error: Uncaught Error: Cannot use assign-op operators with string offsets in /usr/local/www/system_certmanager.php:947 Stack trace: #0 {main} thrown in /usr/local/www/system_certmanager.php on line 947 PHP ERROR: Type: 1, File: /usr/local/www/system_certmanager.php, Line: 947, Message: Uncaught Error: Cannot use assign-op operators with string offsets in /usr/local/www/system_certmanager.php:947 Stack trace: #0 {main} thrown

The system is updated:

amd64
11.2-RELEASE-p3
FreeBSD 11.2-RELEASE-p3 #17 e6b497fa0a3(RELENG_2_4_4): Thu Sep 20 09:04:45 EDT 2018     root@buildbot3:/crossbuild/ce-244/obj/amd64/WvDslnYb/crossbuild/ce-244/pfSense/tmp/FreeBSD-src/sys/pfSense

I have a few packages installed on this system (all updated):

haproxy
Openvpn-client-export
zabbix-agent

I tried to generate a new CA just to test and see what would happen, and the process finishes as expected, no error.
So the problem seems to be related only with Add/Sign new certificates.

This box is running for sometime (maybe a year now), and recently it was updated to 2.4.4 but I only saw this error now because I had to deal with a new certificate, so I've no idea when the problem really started.

Any tips on this would be much appreciated.

jimp · Nov 6, 2018, 3:56 PM

Can you share the contents of the <cert>...</cert> sections of your config.xml file? You can remove any crt/prv strings or other private info.

Mostly I'm curious if you have any empty tags, like a <cert></cert> entry.

johnpoz · Nov 6, 2018, 4:01 PM

So your getting this error when you hit save on your import after putting in the cert info, or just upon clicking add?

I just tested this on sg3100 that was updated to 2.4.4 and not able to duplicate this problem

sokr · Nov 6, 2018, 4:12 PM

@jimp

@jimp thanks for you reply, there is in fact an empty <cert> tag.

Any suggestion on how to remove it?

<ca>
	<refid>544518d056778</refid>
	<descr><![CDATA[CA]]></descr>
	<crt>XXXXXXXXXXXXXXXXXXXXXXXX</crt>
	<serial></serial>
</ca>
<ca>
	<refid>57f35e149c332</refid>
	<descr><![CDATA[fw_ca]]></descr>
	<crt>XXXXXXXXXXXXXXXXXXXXXXXX</crt>
	<prv>XXXXXXXXXXXXXXXXXXXXXXXX</prv>
	<serial>4</serial>
</ca>
<cert></cert>
<cert>
	<refid>580e235c0223b</refid>
	<descr><![CDATA[*.domain.com]]></descr>
	<crt>XXXXXXXXXXXXXXXXXXXXXXXX</crt>
	<prv>XXXXXXXXXXXXXXXXXXXXXXXX</prv>
	<caref>544518d056778</caref>
</cert>
<cert>
	<refid>583b10cb4e57c</refid>
	<descr><![CDATA[fw.me.com-vpn]]></descr>
	<type>server</type>
	<caref>57f35e149c332</caref>
	<crt>XXXXXXXXXXXXXXXXXXXXXXXX</crt>
	<prv>XXXXXXXXXXXXXXXXXXXXXXXX</prv>
</cert>

jimp · Nov 6, 2018, 4:14 PM

OK, that's probably the culprit. I can work from there to try to reproduce and find a fix.

You can edit that out of your config.xml in a few ways:

From the shell with viconfig if you are comfortable in vi.
Download a backup, edit it out, and then restore it (will take a reboot)
Edit the file some other way (e.g. Diag > Edit File) and then rm /tmp/config.cache.

sokr · Nov 6, 2018, 4:15 PM

@johnpoz

Hello @johnpoz , thanks for your reply.

I get this error message right after clicking [Add/Sign] button.

sokr · Nov 6, 2018, 4:45 PM

@jimp

@jimp removing the empty tag really did the trick (I used viconfig).
Now the Add/Sign new Certificate page is being shown and I was able to add import a new certificate.

Thanks a lot for you help.

jimp · Nov 6, 2018, 4:46 PM

I was able to reproduce it fairly easily, and I just pushed a fix.

https://redmine.pfsense.org/issues/9099