Certificate import error?


  • trying to import user certificate and private key (for Openvpn..witopia) and I get
    Warning: openssl_x509_parse(): unable to parse time string 1610141749Z correctly in /etc/inc/certs.inc on line 416
    Warning: openssl_x509_parse(): unable to parse time string 1610141749Z correctly in /etc/inc/certs.inc on line 466
    Warning: openssl_

    Any suggestion?
    Thanks
    rocx


  • Warning: openssl_x509_parse(): unable to parse time string 1610141749Z correctly

    My guess would be to check the time synchronization on the pfSense server that created that certificate.

    I think that points to 2016/10/14 17:49 Zulu (some time in the future).

    But that's just a guess without more info.

    How did you create that certificate, and what version of pfSense are you using?
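
An added example, not part of the thread: it decodes the time string from the warning as an ASN.1 UTCTime value and shows it is the form without a seconds field (`YYMMDDhhmmZ`), which X.680 allows but the RFC 5280 certificate profile (`YYMMDDHHMMSSZ`) does not. The function name `parse_utctime` is hypothetical, and the example assumes the string is the raw UTCTime from the certificate's validity field.

```python
import re
from datetime import datetime, timedelta, timezone

# ASN.1 UTCTime (X.680): YYMMDDhhmm[ss] followed by "Z" or a +hhmm/-hhmm offset.
_UTCTIME = re.compile(
    r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?(Z|[+-]\d{4})$"
)

def parse_utctime(value):
    """Return (datetime in UTC, rfc5280_ok, notes) for a UTCTime string."""
    m = _UTCTIME.match(value)
    if m is None:
        raise ValueError(f"not an ASN.1 UTCTime string: {value!r}")
    yy, mo, dd, hh, mi, ss, zone = m.groups()
    notes = []
    if ss is None:
        notes.append("seconds field missing")
    if zone != "Z":
        notes.append("local offset used instead of Z")
    # RFC 5280 pivot: YY >= 50 means 19YY, otherwise 20YY.
    year = (1900 if int(yy) >= 50 else 2000) + int(yy)
    local = datetime(year, int(mo), int(dd), int(hh), int(mi), int(ss or 0))
    if zone == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if zone[0] == "+" else -1
        offset = sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[3:5]))
    # The encoded value is local time; subtract the offset to get UTC.
    utc = (local - offset).replace(tzinfo=timezone.utc)
    return utc, not notes, notes

if __name__ == "__main__":
    # The first sample is the string from the warning; the others are constructed.
    for sample in ("1610141749Z", "161014174900Z", "1610141749+0200"):
        when, ok, notes = parse_utctime(sample)
        status = "RFC 5280 form" if ok else "; ".join(notes)
        print(f"{sample:16} {when.isoformat()}  {status}")
```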


  • Looks similar to a couple older PHP bugs. This.
    http://permalink.gmane.org/gmane.comp.php.cvs.general/66918

    and one where a cert with an end date past 2038 where there was a Y2K38 issue. But those both look like they should be fixed in the PHP version in 2.2.x and 2.3.

    It probably isn't system time/date relevant. In that case it should still import it fine, it just wouldn't work probably with an error along the lines of it being expired, or not yet valid, depending on which direction the clock was off.


  • Thank you both for trying to help. The cert was not created by a pfSense; it was created by witopia (www.witopia.net) for their OpenVPN service. I was trying to configure my VPN to use the OpenVPN client feature (following the docs from https://chubbable.com/setup-pfsense-as-openvpn-client).


  • Is there a way to import these certs from the shell, not using the PHP?
    Thanks
    ROcx


  • OpenSSL is alive and running on a standard pfSense install, lots of how-tos out there for the brave of heart (and patient).

    You could try a manual import to see if there's something wrong with your certificate (or your pfSense install).

    What version of pfSense are you running?


  • You'd have to mess with base64. Could you send me a copy of the certificate file? No need for the key portion, and the cert on its own isn't usable for anything.