Issue with certificates after 2.5 upgrade

sbs · Feb 23, 2021, 12:50 PM

After 2.5 upgrade, there was a crash, and now when going to the cert screen, I can only see a subset of my certs.
the displayed cert list stops on a certificate with the follinwg error stack :

unknown Fatal error: Uncaught Exception: DateTime::__construct(): Failed to parse time string (@) at position 0 (@): Unexpected character in /etc/inc/certs.inc:712 
Stack trace: 
#0 /etc/inc/certs.inc(712): DateTime->__construct('@', Object(DateTimeZone)) 
#1 /etc/inc/certs.inc(730): cert_format_date(NULL, NULL, false) #2 /etc/inc/certs.inc(1975): cert_get_dates('-----BEGIN CERT...', true, false) 
#3 /etc/inc/certs.inc(2188): cert_get_lifetime(Array) 
#4 /usr/local/www/system_certmanager.php(1406): cert_print_infoblock(Array) 
#5 {main} thrown in /etc/inc/certs.inc on line 712 PHP ERROR: Type: 1, File: /etc/inc/certs.inc, Line: 712, Message: Uncaught Exception: DateTime::__construct(): Failed to parse time string (@) at position 0 (@): Unexpected character in /etc/inc/certs.inc:712 Stack trace: #0 /etc/inc/certs.inc(712): DateTime->__construct('@', Object(DateTimeZone)) #1 /etc/inc/certs.inc(730): cert_format_date(NULL, NULL, false) #2 /etc/inc/certs.inc(1975): cert_get_dates('-----BEGIN CERT...', true, false) #3 /etc/inc/certs.inc(2188): cert_get_lifetime(Array) #4 /usr/local/www/system_certmanager.php(1406): cert_print_infoblock(Array) #5 {main} thrown

How can I recover my cert list?

jimp · Feb 23, 2021, 4:48 PM

I'm working on a fix for that right now, but we don't have a resolution yet. The short explanation is that one of the certificates is not valid in some way.

https://redmine.pfsense.org/issues/11489

sbs · Feb 23, 2021, 5:02 PM

@jimp : Ok kewl. I'll wait for the fix. Will you post a notification here when it is available or you I listen to some other channel?
Is there a way to manually delete/fix the faulty crt in the mean time?
As far as I can see this cert can be use to auth for VPN. Is there any security issue with this?

jimp · Feb 23, 2021, 6:41 PM

Any fix will show up on that Redmine link above, so keep an eye on it there.

sbs · Feb 24, 2021, 11:14 AM

Hi,

Patch applied, and I can now see the page no issue. However, there are quite a few corrupted certificates. Is there a way to reimport them from the users crt file?

Regards,

jimp · Feb 24, 2021, 2:37 PM

Did the certificates appear OK in the list on 2.4.5-p1?

The test certificate I received from another user showed "unknown" on 2.4.5-p1 so was also not working there.

On 21.02/2.5.0 you can edit a certificate and re-paste the certificate data, so if you have a copy of the user certificate you could restore it from that.

sbs · Feb 24, 2021, 2:42 PM

@jimp : The certificates show as "unknown" after the update. I have tried exporting it and the data is actually corrupted. It will not base64 decode to the original certificate.

Thus my question to reimport them from the correct certificate that my user has. Otherwise I will need to revoke and reissue all corrupted certificates (which I'd rather not have to perform).

jimp · Feb 24, 2021, 3:22 PM

That's what happened with the one I received from the other user as well, I couldn't base64 decode it even on other systems.

You don't need those certs on the firewall unless you need to use them for export in some way, though. If the users have them already, they can keep using them. If they need to get a new copy you could use that opportunity to give them a new one.

As long as you know the cert serials you can revoke them without the certs being present in the GUI, too.