Project

General

Profile

Actions

Bug #11489

closed

Invalid certificate data can cause a PHP error

Added by Simon Brezovnik 7 months ago. Updated 6 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Certificates
Target version:
Start date:
02/21/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.5.0
Affected Architecture:

Description

I get the following message on the main admin page.

pfSense has detected a crash report or programming bug. Click here for more information.

This error keeps coming back after I have cleared the crash report. I have attached the log.


Files

PHP_errors.log (641 Bytes) PHP_errors.log Simon Brezovnik, 02/20/2021 11:02 PM
Screenshot-20210223195035-1160x287.png (103 KB) Screenshot-20210223195035-1160x287.png Simon Brezovnik, 02/23/2021 06:13 AM
Actions #1

Updated by Jim Pingle 7 months ago

  • Subject changed from PHP crash to Invalid certificate date can lead to a PHP crash
  • Status changed from New to Feedback
  • Affected Version set to 2.5.0

One or more of your certificate entries has an invalid or a date field that cannot be read. The code could handle this more gracefully, but I can't replicate it here.

[21-Feb-2021 03:01:00 Australia/Perth] PHP Fatal error:  Uncaught Exception: DateTime::__construct(): Failed to parse time string (@) at position 0 (@): Unexpected character in /etc/inc/certs.inc:712
Stack trace:
#0 /etc/inc/certs.inc(712): DateTime->__construct('@', Object(DateTimeZone))
#1 /etc/inc/certs.inc(730): cert_format_date(NULL, NULL, false)
#2 /etc/inc/certs.inc(1975): cert_get_dates('-----BEGIN CERT...', true, false)
#3 /etc/inc/certs.inc(2254): cert_get_lifetime(Array, true)
#4 /etc/inc/periodic.inc(31): cert_notify_expiring()
#5 /etc/rc.periodic(27): periodic_daily()
#6 {main}
  thrown in /etc/inc/certs.inc on line 712

If you can identify the certificate which is causing the problem, and don't mind sending it to us, that would go a long way toward replicating and fixing the problem.

Actions #2

Updated by Simon Brezovnik 7 months ago

I have identified the certificate causing the problem. How would you like me to send it to you? The crt was created in and older version of pfSense.

Actions #3

Updated by Simon Brezovnik 7 months ago

I get the following error in the GUI with know way to delete the offending cert, screen shot attached. Is reloading the config the best way to resolve this issue?

Actions #4

Updated by Jim Pingle 7 months ago

  • Assignee set to Jim Pingle
  • Target version set to CE-Next

You can send the certificate to jimp (a.t.) netgate (d|o|t) com

Once I can reproduce the problem and work up a patch for the error, you can apply it and then it should work normally.

Actions #5

Updated by Jim Pingle 7 months ago

OK, with the cert you sent I can reproduce the error. The problem is that the certificate data in that snippet is corrupted. About halfway through it becomes gibberish binary data and not PEM format cert data.

I pushed a patch to more gracefully handle the broken certificate in this case, which avoids the error.

I saw the same behavior on 2.4.5 with the config chunk you sent.

It wouldn't have been generated that way, so perhaps something went wrong along the way like minor filesystem corruption.

Actions #6

Updated by Jim Pingle 7 months ago

You can use the system patches package to apply cb17faca3b07197db4b1eb1502a876873ddc222c and that should stop the error from breaking the cert page.

Actions #7

Updated by Jim Pingle 7 months ago

  • % Done changed from 0 to 100
Actions #8

Updated by Simon Brezovnik 7 months ago

I have applied the patch and the problem is fixed. I have deleted the offending cert. Thanks.

Actions #9

Updated by Danilo Zrenjanin 7 months ago

  • Status changed from Feedback to Resolved
Actions #10

Updated by Jim Pingle 7 months ago

  • Target version changed from CE-Next to 2.5.1
Actions #11

Updated by Jim Pingle 7 months ago

  • Status changed from Resolved to Feedback

Needs testing on snapshots.

To test, add an obviously broken/unparseable cert to the config:

        <cert>
                <refid>6035688b64c82</refid>
                <descr><![CDATA[Broken]]></descr>
                <crt>broken</crt>
                <prv></prv>
        </cert>

Before this fix, it will generate a PHP error and cause other problems (JS breaks, can't hit menus, no way to remove the cert, etc).

After this fix, the cert will display "unknown" and nothing else breaks. No PHP error, can delete the cert, etc.

Actions #12

Updated by Jim Pingle 7 months ago

  • Subject changed from Invalid certificate date can lead to a PHP crash to Invalid certificate data can cause a PHP error

Updating subject for release notes.

Actions #13

Updated by Max Leighton 6 months ago

  • Status changed from Feedback to Resolved

Tested on

2.5.1-RC (amd64)
built on Thu Mar 18 03:04:03 EDT 2021
FreeBSD 12.2-STABLE

It works. The broken cert is now able to be deleted, navigation menus work, no PHP errors, etc. Marking the ticket back to resolved.

Actions

Also available in: Atom PDF