Bug #11489
closedInvalid certificate data can cause a PHP error
100%
Description
I get the following message on the main admin page.
pfSense has detected a crash report or programming bug. Click here for more information.
This error keeps coming back after I have cleared the crash report. I have attached the log.
Files
Updated by Jim Pingle almost 4 years ago
- Subject changed from PHP crash to Invalid certificate date can lead to a PHP crash
- Status changed from New to Feedback
- Affected Version set to 2.5.0
One or more of your certificate entries has an invalid or a date field that cannot be read. The code could handle this more gracefully, but I can't replicate it here.
[21-Feb-2021 03:01:00 Australia/Perth] PHP Fatal error: Uncaught Exception: DateTime::__construct(): Failed to parse time string (@) at position 0 (@): Unexpected character in /etc/inc/certs.inc:712 Stack trace: #0 /etc/inc/certs.inc(712): DateTime->__construct('@', Object(DateTimeZone)) #1 /etc/inc/certs.inc(730): cert_format_date(NULL, NULL, false) #2 /etc/inc/certs.inc(1975): cert_get_dates('-----BEGIN CERT...', true, false) #3 /etc/inc/certs.inc(2254): cert_get_lifetime(Array, true) #4 /etc/inc/periodic.inc(31): cert_notify_expiring() #5 /etc/rc.periodic(27): periodic_daily() #6 {main} thrown in /etc/inc/certs.inc on line 712
If you can identify the certificate which is causing the problem, and don't mind sending it to us, that would go a long way toward replicating and fixing the problem.
Updated by Simon Brezovnik almost 4 years ago
I have identified the certificate causing the problem. How would you like me to send it to you? The crt was created in and older version of pfSense.
Updated by Simon Brezovnik almost 4 years ago
I get the following error in the GUI with know way to delete the offending cert, screen shot attached. Is reloading the config the best way to resolve this issue?
Updated by Jim Pingle almost 4 years ago
- Assignee set to Jim Pingle
- Target version set to CE-Next
You can send the certificate to jimp
(a.t.) netgate
(d|o|t) com
Once I can reproduce the problem and work up a patch for the error, you can apply it and then it should work normally.
Updated by Jim Pingle almost 4 years ago
OK, with the cert you sent I can reproduce the error. The problem is that the certificate data in that snippet is corrupted. About halfway through it becomes gibberish binary data and not PEM format cert data.
I pushed a patch to more gracefully handle the broken certificate in this case, which avoids the error.
I saw the same behavior on 2.4.5 with the config chunk you sent.
It wouldn't have been generated that way, so perhaps something went wrong along the way like minor filesystem corruption.
Updated by Jim Pingle almost 4 years ago
You can use the system patches package to apply cb17faca3b07197db4b1eb1502a876873ddc222c and that should stop the error from breaking the cert page.
Updated by Jim Pingle almost 4 years ago
- % Done changed from 0 to 100
Applied in changeset 29804b9e6ff07d0224d9396b063f88f486f0d231.
Updated by Simon Brezovnik almost 4 years ago
I have applied the patch and the problem is fixed. I have deleted the offending cert. Thanks.
Updated by Danilo Zrenjanin almost 4 years ago
- Status changed from Feedback to Resolved
Updated by Jim Pingle almost 4 years ago
- Target version changed from CE-Next to 2.5.1
Updated by Jim Pingle almost 4 years ago
- Status changed from Resolved to Feedback
Needs testing on snapshots.
To test, add an obviously broken/unparseable cert to the config:
<cert> <refid>6035688b64c82</refid> <descr><![CDATA[Broken]]></descr> <crt>broken</crt> <prv></prv> </cert>
Before this fix, it will generate a PHP error and cause other problems (JS breaks, can't hit menus, no way to remove the cert, etc).
After this fix, the cert will display "unknown" and nothing else breaks. No PHP error, can delete the cert, etc.
Updated by Jim Pingle almost 4 years ago
- Subject changed from Invalid certificate date can lead to a PHP crash to Invalid certificate data can cause a PHP error
Updating subject for release notes.
Updated by Max Leighton almost 4 years ago
- Status changed from Feedback to Resolved
Tested on
2.5.1-RC (amd64)
built on Thu Mar 18 03:04:03 EDT 2021
FreeBSD 12.2-STABLE
It works. The broken cert is now able to be deleted, navigation menus work, no PHP errors, etc. Marking the ticket back to resolved.