Netgate Discussion Forum

Issue with certificates after 2.5 upgrade

  • S Offline
    sbs
    last edited by sbs Feb 23, 2021, 12:50 PM

    After 2.5 upgrade, there was a crash, and now when going to the cert screen, I can only see a subset of my certs.
    The displayed cert list stops on a certificate with the following error stack:

    unknown Fatal error: Uncaught Exception: DateTime::__construct(): Failed to parse time string (@) at position 0 (@): Unexpected character in /etc/inc/certs.inc:712
    Stack trace:
    #0 /etc/inc/certs.inc(712): DateTime->__construct('@', Object(DateTimeZone))
    #1 /etc/inc/certs.inc(730): cert_format_date(NULL, NULL, false)
    #2 /etc/inc/certs.inc(1975): cert_get_dates('-----BEGIN CERT...', true, false)
    #3 /etc/inc/certs.inc(2188): cert_get_lifetime(Array)
    #4 /usr/local/www/system_certmanager.php(1406): cert_print_infoblock(Array)
    #5 {main} thrown in /etc/inc/certs.inc on line 712
    PHP ERROR: Type: 1, File: /etc/inc/certs.inc, Line: 712, Message: Uncaught Exception: DateTime::__construct(): Failed to parse time string (@) at position 0 (@): Unexpected character in /etc/inc/certs.inc:712 Stack trace: #0 /etc/inc/certs.inc(712): DateTime->__construct('@', Object(DateTimeZone)) #1 /etc/inc/certs.inc(730): cert_format_date(NULL, NULL, false) #2 /etc/inc/certs.inc(1975): cert_get_dates('-----BEGIN CERT...', true, false) #3 /etc/inc/certs.inc(2188): cert_get_lifetime(Array) #4 /usr/local/www/system_certmanager.php(1406): cert_print_infoblock(Array) #5 {main} thrown
    

    How can I recover my cert list?

    • J Offline
      jimp Rebel Alliance Developer Netgate
      last edited by Feb 23, 2021, 4:48 PM

      I'm working on a fix for that right now, but we don't have a resolution yet. The short explanation is that one of the certificates is not valid in some way.

      https://redmine.pfsense.org/issues/11489

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • S Offline
        sbs @jimp
        last edited by Feb 23, 2021, 5:02 PM

        @jimp : Ok kewl. I'll wait for the fix. Will you post a notification here when it is available, or should I listen to some other channel?
        Is there a way to manually delete/fix the faulty crt in the meantime?
        As far as I can see this cert can be used to auth for VPN. Is there any security issue with this?

        • J Offline
          jimp Rebel Alliance Developer Netgate
          last edited by Feb 23, 2021, 6:41 PM

          Any fix will show up on that Redmine link above, so keep an eye on it there.

          • S Offline
            sbs @jimp
            last edited by sbs Feb 24, 2021, 11:14 AM

            Hi,

            Patch applied, and I can now see the page no issue. However, there are quite a few corrupted certificates. Is there a way to reimport them from the user's crt file?

            Regards,

            • J Offline
              jimp Rebel Alliance Developer Netgate
              last edited by Feb 24, 2021, 2:37 PM

              Did the certificates appear OK in the list on 2.4.5-p1?

              The test certificate I received from another user showed "unknown" on 2.4.5-p1 so was also not working there.

              On 21.02/2.5.0 you can edit a certificate and re-paste the certificate data, so if you have a copy of the user certificate you could restore it from that.

              • S Offline
                sbs @jimp
                last edited by Feb 24, 2021, 2:42 PM

                @jimp : The certificates show as "unknown" after the update. I have tried exporting it and the data is actually corrupted. It will not base64 decode to the original certificate.

                Thus my question to reimport them from the correct certificate that my user has. Otherwise I will need to revoke and reissue all corrupted certificates (which I'd rather not have to perform).

                • J Offline
                  jimp Rebel Alliance Developer Netgate
                  last edited by Feb 24, 2021, 3:22 PM

                  That's what happened with the one I received from the other user as well, I couldn't base64 decode it even on other systems.

                  You don't need those certs on the firewall unless you need to use them for export in some way, though. If the users have them already, they can keep using them. If they need to get a new copy you could use that opportunity to give them a new one.

                  As long as you know the cert serials you can revoke them without the certs being present in the GUI, too.

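Added example, not part of the thread and not pfSense code: a Python sketch that audits a configuration backup for the condition discussed above, stored certificate data that no longer base64-decodes to a PEM certificate, and records the serial of every entry that still decodes so it is on hand for revocation. It assumes the backup keeps each certificate as a top-level `<cert>` element with `<descr>` and a base64-encoded PEM in `<crt>`; the function names and the sample data are constructed for illustration, and the check covers only armor, base64 and the outer DER structure (no signature or chain validation).

```python
import base64
import ssl
import xml.etree.ElementTree as ET

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, pos, pos + length

def cert_serial(crt_field):
    """Decode one stored <crt> value and return the certificate serial as hex."""
    pem = base64.b64decode("".join(crt_field.split()), validate=True).decode("ascii")
    der = ssl.PEM_cert_to_DER_cert(pem.strip())  # ValueError if armor is missing
    outer, pos, _ = read_tlv(der, 0)             # Certificate SEQUENCE
    tbs, pos, _ = read_tlv(der, pos)             # tbsCertificate SEQUENCE
    field, start, end = read_tlv(der, pos)
    if field == 0xA0:                            # optional explicit version
        field, start, end = read_tlv(der, end)
    if (outer, tbs, field) != (0x30, 0x30, 0x02):
        raise ValueError("not a DER certificate with a serialNumber")
    return der[start:end].hex()

def audit_config(xml_text):
    """Map each top-level <cert> descr to ('ok', serial) or ('corrupt', reason)."""
    report = {}
    for cert in ET.fromstring(xml_text).findall("cert"):
        name = cert.findtext("descr", default="(no descr)")
        try:
            report[name] = ("ok", cert_serial(cert.findtext("crt", default="")))
        except (ValueError, IndexError) as exc:  # bad base64, text, armor or DER
            report[name] = ("corrupt", str(exc) or type(exc).__name__)
    return report

def sample_config():
    """Constructed sample: a DER skeleton (serial 0x1001), not a real certificate."""
    der = base64.b64encode(bytes.fromhex("300b3009a00302010202021001")).decode()
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % der
    good = base64.b64encode(pem.encode()).decode()
    item = "<cert><descr>%s</descr><crt>%s</crt></cert>"
    return "<pfsense>" + item % ("vpn-ok", good) + item % ("vpn-damaged", good[5:]) + "</pfsense>"

if __name__ == "__main__":
    for name, (status, detail) in audit_config(sample_config()).items():
        print(f"{name}: {status} ({detail})")
```

Running the same `cert_serial` check over a backup taken before the upgrade shows whether an entry was already damaged there, and the serials it returns for intact entries can be kept with the CA records.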