• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Fatal Error PHP Acme Certificates in Renew Column

Scheduled Pinned Locked Moved ACME
17 Posts 3 Posters 1.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J
    jpvonhemel
    last edited by Feb 18, 2023, 10:49 PM

    Hello,

    Since updating to 23.01, I am now seeing the following PHP error associated with ACME/Let's Encrypt. I searched around the forum and redmine, but do not see anything like this error reported. Not sure if this is isolated to my system or a wider issue. Appreciate any guidance on this error.

    Thank you very much~!

    Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/acme/acme_certificates.php:261 Stack trace: #0 {main} thrown in /usr/local/www/acme/acme_certificates.php on line 261 PHP ERROR: Type: 1, File: /usr/local/www/acme/acme_certificates.php, Line: 261, Message: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/acme/acme_certificates.php:261 Stack trace: #0 {main} thrown

    1 Reply Last reply Reply Quote 0
    • J
      jpvonhemel
      last edited by jpvonhemel Feb 19, 2023, 12:06 AM Feb 18, 2023, 11:01 PM

      I am using HAProxy for SSL offloading, and noticed that my let's encrypt certificate expires on April 16, 2023, and I have the cron entry checked to renew the certificate. Not sure if HAProxy SSL offloading is part of this issue, so I figured I should note it here.

      1 Reply Last reply Reply Quote 0
      • J
        jpvonhemel
        last edited by jpvonhemel Feb 19, 2023, 12:06 AM Feb 19, 2023, 12:03 AM

        @jpvonhemel Thinking there is a problem with my certificate, but the error has removed the ability for me to delete the certificate and create a new one.

        f45bd6c0-05e1-4679-9b9e-5944399e9aa4-image.png

        1 Reply Last reply Reply Quote 0
        • J
          jpvonhemel
          last edited by Feb 19, 2023, 4:24 PM

          Here is the crash report from pfSense. I did a reinstall to 22.04 and restored my backup config and the issue is continuing.

          Crash report begins. Anonymous machine information:

          amd64
          14.0-CURRENT
          FreeBSD 14.0-CURRENT #0 plus-RELENG_23_01-n256037-6e914874a5e: Fri Feb 10 20:30:29 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/obj/amd64/VDZvZksF/var/jenkins/workspace/pfSense-Plus-snapshots-23_01-main/sources/FreeBS

          Crash report details:

          PHP Errors:
          [19-Feb-2023 05:33:58 America/Denver] PHP Fatal error: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/acme/acme_certificates.php:261
          Stack trace:
          #0 {main}
          thrown in /usr/local/www/acme/acme_certificates.php on line 261

          No FreeBSD crash data found.

          1 Reply Last reply Reply Quote 0
          • K
            kapranos
            last edited by Mar 24, 2023, 2:02 PM

            I have the same proble as you, I can not delete the certificate, I have accessed by SSH and do not see it in the certificate folders, you were able to solve it? thanks

            J 1 Reply Last reply Mar 24, 2023, 2:27 PM Reply Quote 0
            • J
              jpvonhemel @kapranos
              last edited by Mar 24, 2023, 2:27 PM

              @kapranos Sorry to hear, but glad it wasn't just me. Unfortunately my post did not gain any traction with Netgate, so I figured it was a problem unique to me. After a few days of frustration with the unstable upgrade, I nuked the firewall install, installed a clean image and reconfigured the firewall.

              I was able to import most of the settings from backup. For me, that was mostly DCHP reservations, nat and firewall rules, so it wasn't the end of the world. Going foward, I will be more careful with updates and backups. I believe there is a way to leverage the zfs file system to retain and boot from an old install, so I do need to look into that a bit more.

              I honestly do not know how it happened, but chalked it up to some sort of corruption on update or a really odd bug.

              K 1 Reply Last reply Mar 27, 2023, 9:03 AM Reply Quote 1
              • K
                kapranos @jpvonhemel
                last edited by Mar 27, 2023, 9:03 AM

                @jpvonhemel said in Fatal Error PHP Acme Certificates in Renew Column:

                @kapranos Sorry to hear, but glad it wasn't just me. Unfortunately my post did not gain any traction with Netgate, so I figured it was a problem unique to me. After a few days of frustration with the unstable upgrade, I nuked the firewall install, installed a clean image and reconfigured the firewall.

                I was able to import most of the settings from backup. For me, that was mostly DCHP reservations, nat and firewall rules, so it wasn't the end of the world. Going foward, I will be more careful with updates and backups. I believe there is a way to leverage the zfs file system to retain and boot from an old install, so I do need to look into that a bit more.

                I honestly do not know how it happened, but chalked it up to some sort of corruption on update or a really odd bug.

                Thanks, for the moment I will live with the error, it doesn't bother me so much, I hope it will be solved with an update.

                thanks

                1 Reply Last reply Reply Quote 0
                • J
                  jimp Rebel Alliance Developer Netgate
                  last edited by Mar 28, 2023, 8:08 PM

                  Can you open an issue for this under https://redmine.pfsense.org/projects/pfsense-packages?

                  I'm not seeing that on anything here, so it must be something unique about the settings for that entry in your config.xml. If you could, please include the ACME sections of your config.xml when creating the redmine issue. You can redact whatever information you want just make sure you put something in place (e.g. place mypassword with xxx or similar so we can distinguish entries with data from empty entries!)

                  Something must be wrong in the domain list of that entry but it's not clear how it would be empty and yet still working.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  K 1 Reply Last reply Mar 28, 2023, 9:55 PM Reply Quote 0
                  • K
                    kapranos @jimp
                    last edited by Mar 28, 2023, 9:55 PM

                    @jimp said in Fatal Error PHP Acme Certificates in Renew Column:

                    config.xml

                    Thanks @jimp ,raised ticket https://redmine.pfsense.org/issues/14199

                    1 Reply Last reply Reply Quote 0
                    • J
                      jimp Rebel Alliance Developer Netgate
                      last edited by Mar 29, 2023, 4:54 PM

                      How did your configuration get into that state? I can't even trick it to make it save an incomplete entry like you have in the configuration there. The domain list is empty so it would never have created a cert or renewed one.

                      I suppose it could be an old entry from before validation was added, but that still couldn't have been doing anything useful.

                      It's probably best if you download a config backup, edit out this whole entry and then restore it:

                      			<certificates>
                      				<item>
                      					<a_domainlist></a_domainlist>
                      					<a_actionlist></a_actionlist>
                      					<keypaste></keypaste>
                      					<name>wildcard</name>
                      					<descr><![CDATA[Wildcard Cert]]></descr>
                      					<status>active</status>
                      					<acmeaccount>HomeCert</acmeaccount>
                      					<keylength>2048</keylength>
                      					<ocspstaple></ocspstaple>
                      					<preferredchain></preferredchain>
                      					<dnssleep></dnssleep>
                      					<renewafter></renewafter>
                      				</item>
                      			</certificates>
                      

                      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      J 1 Reply Last reply Mar 30, 2023, 2:56 PM Reply Quote 0
                      • K
                        kapranos
                        last edited by Mar 29, 2023, 10:25 PM

                        I don't quite remember, I was trying to create a certificate in ACME for the Pfsense webui and at some point it got saved wrong and stayed in that state.

                        At the moment I don't want to restore a backup because it doesn't bother me too much, I can live with this if it doesn't have a solution.

                        thanks

                        1 Reply Last reply Reply Quote 0
                        • J
                          jimp Rebel Alliance Developer Netgate
                          last edited by Mar 30, 2023, 12:22 PM

                          The code could be fixed to account for that sort of error, and likely will be, but whenever we do the next ACME update which could be a while yet. But since it's apparently difficult (and should be impossible) to get into that state with normal usage it isn't a priority.

                          If you are comfortable with vi and working in the shell you could ssh into the firewall and use viconfig to edit that problem entry out live. The backup method is safer, but more disruptive.

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          1 Reply Last reply Reply Quote 0
                          • J
                            jpvonhemel @jimp
                            last edited by jpvonhemel Mar 30, 2023, 2:56 PM Mar 30, 2023, 2:56 PM

                            @jimp I uploaded the acme section of the xml to redmine a few days ago. I don't think this is from @kapranos . I do not remember seeing his to compare against.

                            ACME was setup in conjunction with SSL ofloading using HAProxy/LetsEncrypt following a Lawrence Systems youtube guide. HAProxy was working and the system was stable prior to the Feb update.

                            When I posted the original issue, I noticed no one else had the same problem, so figured I was unique and since pfsense would hang, decided to just nuke and pave, then reconfigure from the other parts of the XML. I went back through Tom's video on HAProxy and things are fine. I pulled and posted a today's Acme section redacted and I anticipate this is now normal.

                            I am not sure if there is any hope for @kapranos install/issue can be salvaged.

                            <acme>
                            			<certificates>
                            				<item>
                            					<lastrenewal>1677002752</lastrenewal>
                            					<a_domainlist>
                            						<item>
                            							<status>enable</status>
                            							<name>*.REDACTED</name>
                            							<method>dns_namecom</method>
                            							<dns_namecomnamecom_username>REDACTED</dns_namecomnamecom_username>
                            							<dns_namecomnamecom_token>REDACTED</dns_namecomnamecom_token>
                            							<_index></_index>
                            						</item>
                            					</a_domainlist>
                            					<a_actionlist>
                            						<item>
                            							<status>enable</status>
                            							<command>/usr/local/etc/rc.d/haproxy.sh restart</command>
                            							<method>shellcommand</method>
                            							<_index></_index>
                            						</item>
                            					</a_actionlist>
                            					<keypaste></keypaste>
                            					<name>wildcardredacted</name>
                            					<descr><![CDATA[Wildcard Cert REDACTED.com]]></descr>
                            					<status>active</status>
                            					<acmeaccount>HomeCert</acmeaccount>
                            					<keylength>2048</keylength>
                            					<ocspstaple></ocspstaple>
                            					<preferredchain></preferredchain>
                            					<dnssleep></dnssleep>
                            					<renewafter></renewafter>
                            				</item>
                            			</certificates>
                            			<accountkeys>
                            				<item>
                            					<accountkey>REDACTED</accountkey>
                            					<name>HomeCert</name>
                            					<descr><![CDATA[REDACTED.com Lets Encrypt Account]]></descr>
                            					<email><![CDATA[REDACTED]]></email>
                            					<acmeserver>letsencrypt-production-2</acmeserver>
                            					<renewafter></renewafter>
                            				</item>
                            			</accountkeys>
                            			<enable>yes</enable>
                            			<writecerts></writecerts>
                            		</acme>
                            
                            1 Reply Last reply Reply Quote 0
                            • J
                              jimp Rebel Alliance Developer Netgate
                              last edited by Mar 30, 2023, 5:01 PM

                              If the error was the same, then it was probably similar enough. The line at which it failed was trying to process items in the domain list, which was empty. I still can't figure out how it might have ended up in that state, but it's good to know when you started over again it worked that time.

                              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                              1 Reply Last reply Reply Quote 0
                              • K
                                kapranos
                                last edited by Apr 12, 2023, 10:41 AM

                                Attached PHP error log PHP_errors (1).log.zip

                                1 Reply Last reply Reply Quote 0
                                • K
                                  kapranos
                                  last edited by Apr 12, 2023, 10:44 AM

                                  Redmine report tracker https://redmine.pfsense.org/issues/14199

                                  1 Reply Last reply Reply Quote 0
                                  • K
                                    kapranos
                                    last edited by Jun 3, 2023, 12:31 PM

                                    Problem continues after upgrading to Pfsense 23.05 and ACME 0.7.3_2, I haven't had any response in the Redmine thread either :(

                                    Crash report begins.  Anonymous machine information:
                                    
                                    amd64
                                    14.0-CURRENT
                                    FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05-n256102-7cd3d043045: Mon May 22 06:35:01 UTC 2023     root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05-main/obj/amd64/LkEyii3W/var/jenkins/workspace/pfSense-Plus-snapshots-23_05-main/sources/FreeBS
                                    
                                    Crash report details:
                                    
                                    PHP Errors:
                                    [03-Jun-2023 14:28:36 Europe/Madrid] PHP Fatal error:  Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/acme/acme_certificates.php:261
                                    Stack trace:
                                    #0 {main}
                                      thrown in /usr/local/www/acme/acme_certificates.php on line 261
                                    
                                    
                                    
                                    No FreeBSD crash data found.
                                    			
                                    
                                    1 Reply Last reply Reply Quote 0
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                      This community forum collects and processes your personal information.
                                      consent.not_received