PHP Error Trying to Add to Revoked Certificates List

SenzFan

Hi,

I am trying to delete all the certificates I created during my OpenVPN testing and when I click on the Add button under the Choose a Certificate to Revoke section I get the following error:

Fatal error: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56 Stack trace: #0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('') #1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #14, false) #2 /etc/inc/certs.inc(1018): crl_update(Array) #3 /usr/local/www/system_crlmanager.php(145): cert_revoke(Array, Array, '5') #4 {main} thrown in /usr/local/share/openssl_x509_crl/X509_CERT.php on line 56 PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56 Stack trace: #0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('') #1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #14, false) #2 /etc/inc/certs.inc(1018): crl_update(Array) #3 /usr/local/www/system_crlmanager.php(145): cert_revoke(Array, Array, '5') #4 {main} thrown

Gertjan

Check out https://forum.netgate.com/topic/143536/what-is-wrong-with-pfsense

What are you trying to do ?

Probably related, or not : the openvpn_client package was upgraded a couple of hours ago.

mRedm

Same problem here when trying to add a certificate to a CRL (in Certificate Manager / Certificate revocation / Edit CRL), immediately when clicking the 'Add' button.
Error occurs independent of cert and CRL chosen.

pfsense version 2.4.4-RELEASE-p3 (arm), all packages up-to-date
Here's the code again

Fatal error: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
Stack trace: 
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('') 
#1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #13, false) 
#2 /etc/inc/certs.inc(1018): crl_update(Array) 
#3 /usr/local/www/system_crlmanager.php(145): cert_revoke(Array, Array, '3') 
#4 {main} thrown in /usr/local/share/openssl_x509_crl/X509_CERT.php on line 56

jimp

Anything weird about the CA or certificate you're trying to revoke? Were they both created on pfSense or imported?

It looks like it can't parse some part of it out.

It doesn't appear to be a general issue, I can add new CRLs and revoke certs without any errors here.

mRedm

Same error when trying to add a CRL to the OpenVPN server config.

Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56

User certs were created on pfSense, but the CA was imported I think.

Tried something...even get a similar error on creating a CRL for the pfSense CA.

But the creation itself works, the CRL is there afterwards.
Same for the OPenVPN server config, the CRL is added to it, and shown 'in use' afterwards.

jimp

It may show created/selected in the config but I have to wonder if the text of the CRL is updating properly. If you try to export the CRL contents it may be empty (or contain just this error).

Since the error is coming from the system attempting to update the CRL, anything which triggers a CRL update would result in this error (so adding a CRL entry, selecting the CRL for use, saving/applying a service which uses the CRL, etc).

But at the heart of it, there is some part of the CRL or cert which is coming out null.

Can you share the contents of the <crl> tags in your config.xml? You don't need to include the full crt or prv tag contents, it's enough to know that it's there and has something in it (vs being missing or empty)

mRedm

Will try to get that for you

In the meantime...
Created a new CA on pfSense -> PHP Error but worked
Created CRL for it -> PHP Error but worked
Created new cert for above CA -> worked
Adding above cert to new CRL -> failed

mRedm

@jimp
The CRL I tried first:

	<crl>
		<refid>5d5...</refid>
		<descr><![CDATA[User certificate revocation list]]></descr>
		<caref>5b4...</caref>
		<method>internal</method>
		<serial>9999</serial>
		<lifetime>3650</lifetime>
	</crl>

jimp

@mRedm said in PHP Error Trying to Add to Revoked Certificates List:

Created a new CA on pfSense -> PHP Error but worked

The exact same PHP error or a different one?

mRedm

@jimp Forget that, got confused on that, creating a CA worked in two other tries.
But creating a CRL gives exactly the same error message.

Deleting Certs, CAs CRLs works flawlessly, by the way.

PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56 Stack trace: 
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
 #1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #25, false) 
#2 /etc/inc/openvpn.inc(1929): crl_update(Array) 
#3 /usr/local/www/system_crlmanager.php(247): openvpn_refresh_crls() 
#4 {main} thrown

mRedm

Exported CRL data of one created throwing an error seems to be fine

-----BEGIN X509 CRL-----
MIICXzCCA...tjmd+/P6X970=
-----END X509 CRL-----

Exported OpenVPN config shows correct/valid CRL and CA ref ids

jimp

Is the <crl>...</crl> block above the only one in your config? Does there happen to be an empty one (Like <crl/> or <crl></crl>) above or below it in config.xml? Or maybe an empty <cert/> or <ca/> tag?

mRedm

@jimp Two crl blocks, lock the same apart from different refs. No empty ca, cert or crl.

Did a reboot, it's a SG-3100 btw.
Problem got worse, OpenVPNserver didn't restart on boot, network clients behind firewall couldn't connect to the internet, webconfigurator didn't start.
Started webconfig through ssh connection, removed CRL from OpenVPN server config (2 OpenVPN servers running!), saved, rebooted, all fine.

Error on failed bootup:

PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
Stack trace:
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
#1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #1639, false)
#2 /etc/inc/openvpn.inc(1181): crl_update(Array)
#3 /etc/inc/openvpn.inc(1320): openvpn_reconfigure('server', Array)
#4 /etc/inc/openvpn.inc(1543): openvpn_restart('server', Array)
#5 /etc/inc/openvpn.inc(1583): openvpn_resync('server', Array)
#6 /etc/rc.newwanip(250): openvpn_resync_all('opt1')
#7 {main}

jimp

I figured something like that might happen if it was failing to update.

I have tried several different things here and still can't reproduce anything like it, however. It works 100% every time for me.

The line it's crashing on and the error still suggest that something the function is being fed is null when it shouldn't be. But I don't see how that might be possible unless there is something really unusual about the CA.

jimp

Still not able to reproduce any issue here. If you don't mind, I'd like to see copies of your CA and the certificate you are attempting to revoke. You don't have to post them here, you can mail them to me privately, <my forum username> (at) netgate.com. I shouldn't need the keys, hopefully just seeing the structure of both might let me find a way to reproduce it. Or at least suppress the errors if it is working OK otherwise aside from the error condition.

jimp

I got the files you sent but parts I needed were not there. I need the certificate data, but not the key. There wouldn't be anything private/secret in the certificate file / <crt>...</crt> tag.

I was at least able to see the CN of the CA and guessed what it might have been for the user cert you mentioned, but I was still unable to replicate the error using the values I tried.

mRedm

Ok, will send that out to you. Whole certificate and content between crt-Tags in config.

jimp

Still no luck reproducing any error here. I've tried on SG-3100, a VM, Factory, CE, on 2.4.5 and 2.5.0. I can't find any combination of CA/Cert/CRL actions which result in an error here.

Can you try the change in the attached patch to see if it helps? It doesn't explain why you are getting the errors, but it may help prevent them from causing you problems since it actually seems to work aside from generating the error.

suppress-crl-error.diff

mRedm

@jimp Ok, applied that change to /etc/inc/certs.inc and restarted the whole device. Didn't help unfortunately. Neither did the error disappear nor does adding the certificate to the CRL work.

jimp

The error is exactly the same with that applied?

mRedm

@jimp Yes, exactly the same error message. I wondered myself how this can happen, with that error suppressor added.

But I was able to solve the issue. I figured out, that something was wrong with that CA.
I exported the CA from the Windows server it stems from and imported it into pfSense again. Immediately it showed all certificates as belonging to the just imported CA.
Somehow that fixed something.
Revoking a certificate worked after that.
Still don't know, why things didn't work with a fresh new internal CA plus certificates.

jimp

Does your Windows CA have the same subject as your internal certificate? Maybe it's getting confused about which certificates were issued by a given CA since they have identical subjects.

mRedm

Sorry, can't check anything regarding that any more. Company went bankrupt and was bought by another one. Moved over to their building.