CRL Errors using externally signed CA
-
version affected: pfsense CE 2.5.0-RELEASE (amd64)
Fatal error: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
Stack trace:
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(98): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
#1 /etc/inc/certs.inc(1044): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #61, false)
#2 /etc/inc/openvpn.inc(1250): crl_update(Array)
#3 /etc/inc/openvpn.inc(1448): openvpn_reconfigure('server', Array)
#4 /etc/inc/openvpn.inc(1675): openvpn_restart('server', Array)
#5 /usr/local/www/vpn_openvpn_server.php(736): openvpn_resync('server', Array)
#6 {main}
  thrown in /usr/local/share/openssl_x509_crl/X509_CERT.php on line 56
PHP ERROR: Type: 1, File: /usr/local/share/openssl_x509_crl/X509_CERT.php, Line: 56, Message: Uncaught Error: Call to a member function findContext() on null in /usr/local/share/openssl_x509_crl/X509_CERT.php:56
Stack trace:
#0 /usr/local/share/openssl_x509_crl/X509_CRL.php(98): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_Subject('')
#1 /etc/inc/certs.inc(1044): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Resource id #61, false)
#2 /etc/inc/openvpn.inc(1250): crl_update(Array)
#3 /etc/inc/openvpn.inc(1448): openvpn_reconfigure('server', Array)
#4 /etc/inc/openvpn.inc(1675): openvpn_restart('server', Array)
#5 /usr/local/www/vpn_openvpn_server.php(736): openvpn_resync('server', Array)
#6 {main}
  thrown
Receiving the above fatal error when adding a CRL to an OpenVPN Server or when attempting to revoke certificates.
The CRL was created internally (within pfsense) using an externally signed CA cert/key (which was previously imported into pfsense).
As a test I created a self-signed CA certificate, created a CRL using it and added it to the OpenVPN server, and do not receive any critical errors. For this test CRL, I can create and revoke certificates without error.
So it seems the CRL on my pfsense functions properly with a self-signed CA cert/key, but not an externally signed CA Cert/key.
The externally signed CA certificate and key includes the trust chain (intermediate and root certs) and contains the following parameters:
Signature Digest: RSA-SHA384
KU: Certificate Sign, CRL Sign
Key Type: RSA
Key Size: 3072
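The report above points at a CA entry whose PEM contains more than one certificate (the signing CA plus its intermediate and root), while the trace shows the CRL helper reaching getExtVal_Subject('') with an empty subject. A practical pre-import check is to count the certificates in the bundle and confirm which one actually corresponds to the CA private key that will sign the CRL. The script below is an added example, not pfSense code or the poster's own; it assumes the openssl command-line tool is installed, and the make_demo_bundle function builds a throwaway root-plus-intermediate chain so the check runs offline on constructed input.

```shell
#!/bin/sh
# Added example (not pfSense code): inspect a CA PEM entry that may carry its
# trust chain and report which certificate in it matches the CA private key.
# Assumes the openssl CLI is available.

# Number of certificates in a PEM bundle ($1).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write the N-th certificate (1-based, $2) of bundle $1 to stdout.
nth_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }
    ' "$1"
}

# Print the 1-based index of the certificate in bundle $1 whose public key
# matches the private key in $2. Prints nothing and returns 1 if none matches,
# i.e. the key does not belong to any certificate in the entry.
find_signing_cert() {
    bundle=$1; key=$2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    n=$(count_certs "$bundle")
    i=1
    while [ "$i" -le "$n" ]; do
        cert_pub=$(nth_cert "$bundle" "$i" | openssl x509 -noout -pubkey 2>/dev/null)
        if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Constructed demo input: a self-signed root and an intermediate it signs,
# bundled intermediate-first as an imported CA entry with its chain would be.
# Prints the directory holding bundle.pem, int.key and root.key.
make_demo_bundle() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1 -out "$dir/int.crt" >/dev/null 2>&1
    cat "$dir/int.crt" "$dir/root.crt" > "$dir/bundle.pem"
    echo "$dir"
}

# Human-readable summary for an entry: how many certs it holds and which one
# the key belongs to. Usage: report_bundle bundle.pem ca.key
report_bundle() {
    n=$(count_certs "$1")
    idx=$(find_signing_cert "$1" "$2") || { echo "key matches none of $n certificate(s)"; return 1; }
    subj=$(nth_cert "$1" "$idx" | openssl x509 -noout -subject)
    echo "entry holds $n certificate(s); key matches #$idx ($subj)"
}
```

Running report_bundle against the pfSense CA entry's certificate and key shows immediately whether the entry is a bundle and which member the CRL signer should use; an entry that holds more than one certificate is the case the poster's trace comes from, and a key matching none of them indicates a mismatched import.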
-
You should test in 2.5.2. However, it looks like this known issue: https://redmine.pfsense.org/issues/9889
Also see: https://redmine.pfsense.org/issues/12327
Steve