Netgate Discussion Forum

    PHP Error Trying to Add to Revoked Certificates List

    • S
      SenzFan last edited by

      Hi,

      I am trying to delete all the certificates I created during my OpenVPN testing and when I click on the Add button under the Choose a Certificate to Revoke section I get the following error:

      Fatal error: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
      Stack trace:
      #0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
      #1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #14, false)
      #2 /etc/inc/certs.inc(1018): crl_update(Array)
      #3 /usr/local/www/system_crlmanager.php(145): cert_revoke(Array, Array, '5')
      #4 {main} thrown in /usr/local/share/openssl_x509_crl/X509_CERT.php on line 56

      PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
      Stack trace:
      #0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
      #1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #14, false)
      #2 /etc/inc/certs.inc(1018): crl_update(Array)
      #3 /usr/local/www/system_crlmanager.php(145): cert_revoke(Array, Array, '5')
      #4 {main} thrown
      
      • Gertjan
        Gertjan last edited by

        Check out https://forum.netgate.com/topic/143536/what-is-wrong-with-pfsense

        What are you trying to do?

        Probably related, or not: the openvpn_client package was upgraded a couple of hours ago.

        No "help me" PM's please. Use the forum.

        • M
          mRedm last edited by mRedm

          Same problem here when trying to add a certificate to a CRL (in Certificate Manager / Certificate revocation / Edit CRL), immediately when clicking the 'Add' button.
          Error occurs independent of cert and CRL chosen.

          pfSense version 2.4.4-RELEASE-p3 (arm), all packages up-to-date
          Here's the code again

          Fatal error: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
          Stack trace: 
          #0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('') 
          #1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #13, false) 
          #2 /etc/inc/certs.inc(1018): crl_update(Array) 
          #3 /usr/local/www/system_crlmanager.php(145): cert_revoke(Array, Array, '3') 
          #4 {main} thrown in /usr/local/share/openssl_x509_crl/X509_CERT.php on line 56
          
          • jimp
            jimp Rebel Alliance Developer Netgate last edited by

            Anything weird about the CA or certificate you're trying to revoke? Were they both created on pfSense or imported?

            It looks like it can't parse some part of it out.

            It doesn't appear to be a general issue, I can add new CRLs and revoke certs without any errors here.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            • M
              mRedm last edited by mRedm

              Same error when trying to add a CRL to the OpenVPN server config.

              Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
              

              User certs were created on pfSense, but the CA was imported I think.

              Tried something...even get a similar error on creating a CRL for the pfSense CA.

              But the creation itself works, the CRL is there afterwards.
              Same for the OpenVPN server config, the CRL is added to it, and shown 'in use' afterwards.

              • jimp
                jimp Rebel Alliance Developer Netgate last edited by

                It may show created/selected in the config but I have to wonder if the text of the CRL is updating properly. If you try to export the CRL contents it may be empty (or contain just this error).

                Since the error is coming from the system attempting to update the CRL, anything which triggers a CRL update would result in this error (so adding a CRL entry, selecting the CRL for use, saving/applying a service which uses the CRL, etc).

                But at the heart of it, there is some part of the CRL or cert which is coming out null.

                Can you share the contents of the <crl> tags in your config.xml? You don't need to include the full crt or prv tag contents, it's enough to know that it's there and has something in it (vs being missing or empty)

                • M
                  mRedm last edited by

                  Will try to get that for you

                  In the meantime...
                  Created a new CA on pfSense -> PHP Error but worked
                  Created CRL for it -> PHP Error but worked
                  Created new cert for above CA -> worked
                  Adding above cert to new CRL -> failed

                  • M
                    mRedm @jimp last edited by

                    @jimp
                    The CRL I tried first:

                    	<crl>
                    		<refid>5d5...</refid>
                    		<descr><![CDATA[User certificate revocation list]]></descr>
                    		<caref>5b4...</caref>
                    		<method>internal</method>
                    		<serial>9999</serial>
                    		<lifetime>3650</lifetime>
                    	</crl>
                    
                    • jimp
                      jimp Rebel Alliance Developer Netgate last edited by

                      @mRedm said in PHP Error Trying to Add to Revoked Certificates List:

                      Created a new CA on pfSense -> PHP Error but worked

                      The exact same PHP error or a different one?

                      • M
                        mRedm @jimp last edited by

                        @jimp Forget that, got confused on that, creating a CA worked in two other tries.
                        But creating a CRL gives exactly the same error message.

                        Deleting Certs, CAs, CRLs works flawlessly, by the way.

                        PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
                        Stack trace:
                        #0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
                        #1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #25, false)
                        #2 /etc/inc/openvpn.inc(1929): crl_update(Array)
                        #3 /usr/local/www/system_crlmanager.php(247): openvpn_refresh_crls()
                        #4 {main} thrown
                        
                        • M
                          mRedm last edited by mRedm

                          Exported CRL data of one created throwing an error seems to be fine

                          -----BEGIN X509 CRL-----
                          MIICXzCCA...tjmd+/P6X970=
                          -----END X509 CRL-----
                          

                          Exported OpenVPN config shows correct/valid CRL and CA ref ids

                          • jimp
                            jimp Rebel Alliance Developer Netgate last edited by

                            Is the <crl>...</crl> block above the only one in your config? Does there happen to be an empty one (Like <crl/> or <crl></crl>) above or below it in config.xml? Or maybe an empty <cert/> or <ca/> tag?

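The check jimp asks for above (empty `<crl/>`, `<cert/>` or `<ca/>` entries, or certificate data that is missing) can be scripted against a backup copy of config.xml. This is an added example, not part of the thread and not pfSense code; it assumes the PKI entries are direct children of the config root and that `<crt>` holds base64-encoded PEM, and the sample config and its refids are constructed.

```python
import base64
import xml.etree.ElementTree as ET

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def crt_problem(entry):
    """Return why an entry's <crt> is unusable, or None if it looks sane."""
    raw = "".join((entry.findtext("crt") or "").split())
    if not raw:
        return "missing or empty <crt>"
    try:
        pem = base64.b64decode(raw, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "<crt> is not valid base64"
    if PEM_HEADER not in pem:
        return "<crt> does not decode to a PEM certificate"
    return None

def audit_pki(xml_text):
    """List PKI entries that could feed an empty value into a CRL update."""
    root = ET.fromstring(xml_text)
    findings, ca_state = [], {}
    # Assumption: <ca>, <cert> and <crl> are direct children of the root.
    for tag in ("ca", "cert", "crl"):  # CAs first so CRLs can be resolved
        for entry in root.findall(tag):
            refid = (entry.findtext("refid") or "").strip() or "?"
            if len(entry) == 0 and not (entry.text or "").strip():
                findings.append(f"<{tag}>: empty element")
                continue
            if tag == "crl":
                caref = (entry.findtext("caref") or "").strip()
                if caref not in ca_state:
                    findings.append(f"<crl> {refid}: caref '{caref}' matches no <ca>")
                elif ca_state[caref]:
                    findings.append(f"<crl> {refid}: CA '{caref}' has {ca_state[caref]}")
                continue
            problem = crt_problem(entry)
            if problem:
                findings.append(f"<{tag}> {refid}: {problem}")
            if tag == "ca":
                ca_state[refid] = problem
    return findings

# Constructed sample: refids and certificate body are placeholders, not real data.
SAMPLE_CRT_B64 = base64.b64encode(
    PEM_HEADER + b"\nCONSTRUCTED\n-----END CERTIFICATE-----\n").decode()
SAMPLE_CONFIG = f"""<pfsense>
  <ca><refid>ca-good</refid><crt>{SAMPLE_CRT_B64}</crt></ca>
  <ca><refid>ca-empty</refid><crt></crt></ca>
  <cert><refid>user1</refid><caref>ca-good</caref><crt>{SAMPLE_CRT_B64}</crt></cert>
  <crl><refid>crl-ok</refid><caref>ca-good</caref><method>internal</method></crl>
  <crl><refid>crl-bad</refid><caref>ca-empty</caref><method>internal</method></crl>
  <crl><refid>crl-orphan</refid><caref>ca-gone</caref><method>internal</method></crl>
  <crl/>
</pfsense>"""

if __name__ == "__main__":
    for finding in audit_pki(SAMPLE_CONFIG):
        print(finding)
```

A CRL whose `caref` resolves to a CA with no usable certificate is the case that would match the empty-string argument to `getExtVal_Subject('')` in the stack traces, if that argument is the CA certificate.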
                            • M
                              mRedm @jimp last edited by

                              @jimp Two crl blocks, look the same apart from different refs. No empty ca, cert or crl.

                              Did a reboot, it's a SG-3100 btw.
                              Problem got worse, OpenVPN server didn't restart on boot, network clients behind firewall couldn't connect to the internet, webconfigurator didn't start.
                              Started webconfig through ssh connection, removed CRL from OpenVPN server config (2 OpenVPN servers running!), saved, rebooted, all fine.

                              Error on failed bootup:

                              PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
                              Stack trace:
                              #0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
                              #1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #1639, false)
                              #2 /etc/inc/openvpn.inc(1181): crl_update(Array)
                              #3 /etc/inc/openvpn.inc(1320): openvpn_reconfigure('server', Array)
                              #4 /etc/inc/openvpn.inc(1543): openvpn_restart('server', Array)
                              #5 /etc/inc/openvpn.inc(1583): openvpn_resync('server', Array)
                              #6 /etc/rc.newwanip(250): openvpn_resync_all('opt1')
                              #7 {main}
                              
                              • jimp
                                jimp Rebel Alliance Developer Netgate last edited by

                                I figured something like that might happen if it was failing to update.

                                I have tried several different things here and still can't reproduce anything like it, however. It works 100% every time for me.

                                The line it's crashing on and the error still suggest that something the function is being fed is null when it shouldn't be. But I don't see how that might be possible unless there is something really unusual about the CA.

                                • jimp
                                  jimp Rebel Alliance Developer Netgate last edited by

                                  Still not able to reproduce any issue here. If you don't mind, I'd like to see copies of your CA and the certificate you are attempting to revoke. You don't have to post them here, you can mail them to me privately, <my forum username> (at) netgate.com. I shouldn't need the keys, hopefully just seeing the structure of both might let me find a way to reproduce it. Or at least suppress the errors if it is working OK otherwise aside from the error condition.

                                  • jimp
                                    jimp Rebel Alliance Developer Netgate last edited by

                                    I got the files you sent but parts I needed were not there. I need the certificate data, but not the key. There wouldn't be anything private/secret in the certificate file / <crt>...</crt> tag.

                                    I was at least able to see the CN of the CA and guessed what it might have been for the user cert you mentioned, but I was still unable to replicate the error using the values I tried.

                                    • M
                                      mRedm last edited by

                                      Ok, will send that out to you. Whole certificate and content between crt-Tags in config.

                                      • jimp
                                        jimp Rebel Alliance Developer Netgate last edited by

                                        Still no luck reproducing any error here. I've tried on SG-3100, a VM, Factory, CE, on 2.4.5 and 2.5.0. I can't find any combination of CA/Cert/CRL actions which result in an error here.

                                        Can you try the change in the attached patch to see if it helps? It doesn't explain why you are getting the errors, but it may help prevent them from causing you problems since it actually seems to work aside from generating the error.

                                        suppress-crl-error.diff

                                        • M
                                          mRedm @jimp last edited by

                                          @jimp Ok, applied that change to /etc/inc/certs.inc and restarted the whole device. Didn't help unfortunately. Neither did the error disappear nor does adding the certificate to the CRL work.

                                          • jimp
                                            jimp Rebel Alliance Developer Netgate last edited by

                                            The error is exactly the same with that applied?

                                            • M
                                              mRedm last edited by

                                              @jimp Yes, exactly the same error message. I wondered myself how this can happen, with that error suppressor added.

                                              But I was able to solve the issue. I figured out that something was wrong with that CA.
                                              I exported the CA from the Windows server it stems from and imported it into pfSense again. Immediately it showed all certificates as belonging to the just imported CA.
                                              Somehow that fixed something.
                                              Revoking a certificate worked after that. ✌
                                              Still don't know why things didn't work with a fresh new internal CA plus certificates.

                                              • jimp
                                                jimp Rebel Alliance Developer Netgate last edited by

                                                Does your Windows CA have the same subject as your internal certificate? Maybe it's getting confused about which certificates were issued by a given CA since they have identical subjects.

                                                • M
                                                  mRedm last edited by

                                                  Sorry, can't check anything regarding that any more. Company went bankrupt and was bought by another one. Moved over to their building.
