Error while upgrading to 23.01

vajonam · May 16, 2023, 6:41 PM

Got this error when upgrading to 23.01, to resolve I had to stop the OpenVPN service and delete the interface, without with there was not external connectivity.

this was working in the previous release. all the certs were built / generated using the pfsense cert manager.

I have moved over to WireGuard for the most part, so this is not a deal beaker for me, but didn't find any reports of this in redmine either.

[16-May-2023 08:35:39 America/Toronto] PHP Fatal error:  Uncaught TypeError: preg_match(): Argument #2 ($subject) must be of type string, array given in /usr/local/share/openssl_x509_crl/ASN1_OCTETSTRING.php:25
    Stack trace:
    #0 /usr/local/share/openssl_x509_crl/ASN1_OCTETSTRING.php(25): preg_match('|^[0-9A-Fa-f]{2...', Array)
    #1 /usr/local/share/openssl_x509_crl/X509_CERT.php(89): Ukrbublik\openssl_x509_crl\ASN1_OCTETSTRING->__construct(Array)
    #2 /usr/local/share/openssl_x509_crl/X509_CRL.php(161): Ukrbublik\openssl_x509_crl\X509_CERT::getExtVal_SubjectKeyIdentifier(Object(Ukrbublik\openssl_x509_crl\ASN1_SEQUENCE))
    #3 /etc/inc/certs.inc(1086): Ukrbublik\openssl_x509_crl\X509_CRL::create(Array, Object(OpenSSLAsymmetricKey), '0\x82\x04m0\x82\x03U\xA0\x03\x02\x01\x02\x02\x01...')
    #4 /etc/inc/openvpn.inc(1389): crl_update(Array)
    #5 /etc/inc/openvpn.inc(1658): openvpn_reconfigure('server', Array)
    #6 /etc/inc/openvpn.inc(1865): openvpn_restart('server', Array)
    #7 /etc/inc/openvpn.inc(1907): openvpn_resync('server', Array)
    #8 /etc/rc.newwanip(261): openvpn_resync_all('wan', 'inet')
    #9 {main}
    thrown in /usr/local/share/openssl_x509_crl/ASN1_OCTETSTRING.php on line ``

vajonam · May 16, 2023, 6:50 PM

@vajonam

seems to have something with CRLs, I do have one defined with a couple of certificates in it.

jimp · May 16, 2023, 6:56 PM

That is close to https://redmine.pfsense.org/issues/14022

You can install the System Patches package and then create an entry for the following diff to apply the fix:

--- a/src/usr/local/share/openssl_x509_crl/ASN1_OCTETSTRING.php.orig    2023-02-23 13:30:25.173127000 +0000
+++ b/src/usr/local/share/openssl_x509_crl/ASN1_OCTETSTRING.php    2023-02-23 13:30:30.254299000 +0000
@@ -22,7 +22,7 @@
     public function __construct($str = "", $twodots = false) {
         if($str === false) {
             $this->content = array();
-        } else if(preg_match("|^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})+$|s", $str) /* || $twodots*/) {
+        } else if(preg_match("|^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2})+$|s", (string) $str) /* || $twodots*/) {
             $octets = explode(':', $str);
             foreach($octets as &$v) {
                 $v = chr(hexdec($v));

vajonam · May 16, 2023, 8:15 PM

@jimp Thanks, that seemed to get rid the error. However since I am moved on from OpenVPN to WG, this was bit of a forcing function for me.