PHP Error Trying to Add to Revoked Certificates List

SenzFan · May 30, 2019, 3:14 PM

Hi,

I am trying to delete all the certificates I created during my OpenVPN testing and when I click on the Add button under the Choose a Certificate to Revoke section I get the following error:

Fatal error: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56 Stack trace: #0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('') #1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #14, false) #2 /etc/inc/certs.inc(1018): crl_update(Array) #3 /usr/local/www/system_crlmanager.php(145): cert_revoke(Array, Array, '5') #4 {main} thrown in /usr/local/share/openssl_x509_crl/X509_CERT.php on line 56 PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56 Stack trace: #0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('') #1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #14, false) #2 /etc/inc/certs.inc(1018): crl_update(Array) #3 /usr/local/www/system_crlmanager.php(145): cert_revoke(Array, Array, '5') #4 {main} thrown

Gertjan · May 30, 2019, 3:24 PM

Check out https://forum.netgate.com/topic/143536/what-is-wrong-with-pfsense

What are you trying to do ?

Probably related, or not : the openvpn_client package was upgraded a couple of hours ago.

mRedm · Jan 29, 2020, 4:49 PM

Same problem here when trying to add a certificate to a CRL (in Certificate Manager / Certificate revocation / Edit CRL), immediately when clicking the 'Add' button.
Error occurs independent of cert and CRL chosen.

pfsense version 2.4.4-RELEASE-p3 (arm), all packages up-to-date
Here's the code again

Fatal error: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
Stack trace: 
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('') 
#1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #13, false) 
#2 /etc/inc/certs.inc(1018): crl_update(Array) 
#3 /usr/local/www/system_crlmanager.php(145): cert_revoke(Array, Array, '3') 
#4 {main} thrown in /usr/local/share/openssl_x509_crl/X509_CERT.php on line 56

jimp · Jan 29, 2020, 4:57 PM

Anything weird about the CA or certificate you're trying to revoke? Were they both created on pfSense or imported?

It looks like it can't parse some part of it out.

It doesn't appear to be a general issue, I can add new CRLs and revoke certs without any errors here.

mRedm · Jan 29, 2020, 5:08 PM

Same error when trying to add a CRL to the OpenVPN server config.

Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56

User certs were created on pfSense, but the CA was imported I think.

Tried something...even get a similar error on creating a CRL for the pfSense CA.

But the creation itself works, the CRL is there afterwards.
Same for the OPenVPN server config, the CRL is added to it, and shown 'in use' afterwards.

jimp · Jan 29, 2020, 5:16 PM

It may show created/selected in the config but I have to wonder if the text of the CRL is updating properly. If you try to export the CRL contents it may be empty (or contain just this error).

Since the error is coming from the system attempting to update the CRL, anything which triggers a CRL update would result in this error (so adding a CRL entry, selecting the CRL for use, saving/applying a service which uses the CRL, etc).

But at the heart of it, there is some part of the CRL or cert which is coming out null.

Can you share the contents of the <crl> tags in your config.xml? You don't need to include the full crt or prv tag contents, it's enough to know that it's there and has something in it (vs being missing or empty)

mRedm · Jan 29, 2020, 5:19 PM

Will try to get that for you

In the meantime...
Created a new CA on pfSense -> PHP Error but worked
Created CRL for it -> PHP Error but worked
Created new cert for above CA -> worked
Adding above cert to new CRL -> failed

mRedm · Jan 29, 2020, 5:23 PM

@jimp
The CRL I tried first:

	<crl>
		<refid>5d5...</refid>
		<descr><![CDATA[User certificate revocation list]]></descr>
		<caref>5b4...</caref>
		<method>internal</method>
		<serial>9999</serial>
		<lifetime>3650</lifetime>
	</crl>

jimp · Jan 29, 2020, 5:27 PM

@mRedm said in PHP Error Trying to Add to Revoked Certificates List:

Created a new CA on pfSense -> PHP Error but worked

The exact same PHP error or a different one?

mRedm · Jan 29, 2020, 5:35 PM

@jimp Forget that, got confused on that, creating a CA worked in two other tries.
But creating a CRL gives exactly the same error message.

Deleting Certs, CAs CRLs works flawlessly, by the way.

PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56 Stack trace: 
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
 #1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #25, false) 
#2 /etc/inc/openvpn.inc(1929): crl_update(Array) 
#3 /usr/local/www/system_crlmanager.php(247): openvpn_refresh_crls() 
#4 {main} thrown

mRedm · Jan 29, 2020, 5:46 PM

Exported CRL data of one created throwing an error seems to be fine

-----BEGIN X509 CRL-----
MIICXzCCA...tjmd+/P6X970=
-----END X509 CRL-----

Exported OpenVPN config shows correct/valid CRL and CA ref ids

jimp · Jan 29, 2020, 5:52 PM

Is the <crl>...</crl> block above the only one in your config? Does there happen to be an empty one (Like <crl/> or <crl></crl>) above or below it in config.xml? Or maybe an empty <cert/> or <ca/> tag?

mRedm · Jan 29, 2020, 6:39 PM

@jimp Two crl blocks, lock the same apart from different refs. No empty ca, cert or crl.

Did a reboot, it's a SG-3100 btw.
Problem got worse, OpenVPNserver didn't restart on boot, network clients behind firewall couldn't connect to the internet, webconfigurator didn't start.
Started webconfig through ssh connection, removed CRL from OpenVPN server config (2 OpenVPN servers running!), saved, rebooted, all fine.

Error on failed bootup:

PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
Stack trace:
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(100): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
#1 /etc/inc/certs.inc(1000): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #1639, false)
#2 /etc/inc/openvpn.inc(1181): crl_update(Array)
#3 /etc/inc/openvpn.inc(1320): openvpn_reconfigure('server', Array)
#4 /etc/inc/openvpn.inc(1543): openvpn_restart('server', Array)
#5 /etc/inc/openvpn.inc(1583): openvpn_resync('server', Array)
#6 /etc/rc.newwanip(250): openvpn_resync_all('opt1')
#7 {main}

jimp · Jan 29, 2020, 6:51 PM

I figured something like that might happen if it was failing to update.

I have tried several different things here and still can't reproduce anything like it, however. It works 100% every time for me.

The line it's crashing on and the error still suggest that something the function is being fed is null when it shouldn't be. But I don't see how that might be possible unless there is something really unusual about the CA.

jimp · Jan 29, 2020, 8:16 PM

Still not able to reproduce any issue here. If you don't mind, I'd like to see copies of your CA and the certificate you are attempting to revoke. You don't have to post them here, you can mail them to me privately, <my forum username> (at) netgate.com. I shouldn't need the keys, hopefully just seeing the structure of both might let me find a way to reproduce it. Or at least suppress the errors if it is working OK otherwise aside from the error condition.

jimp · Jan 30, 2020, 6:43 PM

I got the files you sent but parts I needed were not there. I need the certificate data, but not the key. There wouldn't be anything private/secret in the certificate file / <crt>...</crt> tag.

I was at least able to see the CN of the CA and guessed what it might have been for the user cert you mentioned, but I was still unable to replicate the error using the values I tried.

mRedm · Jan 31, 2020, 10:19 AM

Ok, will send that out to you. Whole certificate and content between crt-Tags in config.

jimp · Jan 31, 2020, 1:44 PM

Still no luck reproducing any error here. I've tried on SG-3100, a VM, Factory, CE, on 2.4.5 and 2.5.0. I can't find any combination of CA/Cert/CRL actions which result in an error here.

Can you try the change in the attached patch to see if it helps? It doesn't explain why you are getting the errors, but it may help prevent them from causing you problems since it actually seems to work aside from generating the error.

suppress-crl-error.diff

mRedm · Jan 31, 2020, 2:22 PM

@jimp Ok, applied that change to /etc/inc/certs.inc and restarted the whole device. Didn't help unfortunately. Neither did the error disappear nor does adding the certificate to the CRL work.

jimp · Jan 31, 2020, 5:59 PM

The error is exactly the same with that applied?