Project

General

Profile

Actions
Copy link

Bug #11489

closed

Invalid certificate data can cause a PHP error

Added by Simon Brezovnik almost 4 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Jim Pingle
Category:
Certificates
Target version:
2.5.1
Start date:
02/21/2021
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Default
Affected Version:
2.5.0
Affected Architecture:

Description

I get the following message on the main admin page.

pfSense has detected a crash report or programming bug. Click here for more information.

This error keeps coming back after I have cleared the crash report. I have attached the log.

Files

Download all files
PHP_errors.log (641 Bytes) PHP_errors.log Simon Brezovnik, 02/20/2021 11:02 PM
Screenshot-20210223195035-1160x287.png (103 KB) Screenshot-20210223195035-1160x287.png Simon Brezovnik, 02/23/2021 06:13 AM
Actions
Copy link
 #1

Updated by Jim Pingle almost 4 years ago

  • Subject changed from PHP crash to Invalid certificate date can lead to a PHP crash
  • Status changed from New to Feedback
  • Affected Version set to 2.5.0

One or more of your certificate entries has an invalid or a date field that cannot be read. The code could handle this more gracefully, but I can't replicate it here.

[21-Feb-2021 03:01:00 Australia/Perth] PHP Fatal error:  Uncaught Exception: DateTime::__construct(): Failed to parse time string (@) at position 0 (@): Unexpected character in /etc/inc/certs.inc:712
Stack trace:
#0 /etc/inc/certs.inc(712): DateTime->__construct('@', Object(DateTimeZone))
#1 /etc/inc/certs.inc(730): cert_format_date(NULL, NULL, false)
#2 /etc/inc/certs.inc(1975): cert_get_dates('-----BEGIN CERT...', true, false)
#3 /etc/inc/certs.inc(2254): cert_get_lifetime(Array, true)
#4 /etc/inc/periodic.inc(31): cert_notify_expiring()
#5 /etc/rc.periodic(27): periodic_daily()
#6 {main}
  thrown in /etc/inc/certs.inc on line 712

If you can identify the certificate which is causing the problem, and don't mind sending it to us, that would go a long way toward replicating and fixing the problem.

Actions
Copy link
 #2

Updated by Simon Brezovnik over 3 years ago

I have identified the certificate causing the problem. How would you like me to send it to you? The crt was created in and older version of pfSense.

Actions
Copy link
 #3

Updated by Simon Brezovnik over 3 years ago

I get the following error in the GUI with know way to delete the offending cert, screen shot attached. Is reloading the config the best way to resolve this issue?

Actions
Copy link
 #4

Updated by Jim Pingle over 3 years ago

  • Assignee set to Jim Pingle
  • Target version set to CE-Next

You can send the certificate to jimp (a.t.) netgate (d|o|t) com

Once I can reproduce the problem and work up a patch for the error, you can apply it and then it should work normally.

Actions
Copy link
 #5

Updated by Jim Pingle over 3 years ago

OK, with the cert you sent I can reproduce the error. The problem is that the certificate data in that snippet is corrupted. About halfway through it becomes gibberish binary data and not PEM format cert data.

I pushed a patch to more gracefully handle the broken certificate in this case, which avoids the error.

I saw the same behavior on 2.4.5 with the config chunk you sent.

It wouldn't have been generated that way, so perhaps something went wrong along the way like minor filesystem corruption.

Actions
Copy link
 #6

Updated by Jim Pingle over 3 years ago

You can use the system patches package to apply cb17faca3b07197db4b1eb1502a876873ddc222c and that should stop the error from breaking the cert page.

Actions
Copy link
 #7

Updated by Jim Pingle over 3 years ago

  • % Done changed from 0 to 100
Actions
Copy link
 #8

Updated by Simon Brezovnik over 3 years ago

I have applied the patch and the problem is fixed. I have deleted the offending cert. Thanks.

Actions
Copy link
 #9

Updated by Danilo Zrenjanin over 3 years ago

  • Status changed from Feedback to Resolved
Actions
Copy link
 #10

Updated by Jim Pingle over 3 years ago

  • Target version changed from CE-Next to 2.5.1
Actions
Copy link
 #11

Updated by Jim Pingle over 3 years ago

  • Status changed from Resolved to Feedback

Needs testing on snapshots.

To test, add an obviously broken/unparseable cert to the config:

        <cert>
                <refid>6035688b64c82</refid>
                <descr><![CDATA[Broken]]></descr>
                <crt>broken</crt>
                <prv></prv>
        </cert>

Before this fix, it will generate a PHP error and cause other problems (JS breaks, can't hit menus, no way to remove the cert, etc).

After this fix, the cert will display "unknown" and nothing else breaks. No PHP error, can delete the cert, etc.

Actions
Copy link
 #12

Updated by Jim Pingle over 3 years ago

  • Subject changed from Invalid certificate date can lead to a PHP crash to Invalid certificate data can cause a PHP error

Updating subject for release notes.

Actions
Copy link
 #13

Updated by Max Leighton over 3 years ago

  • Status changed from Feedback to Resolved

Tested on

2.5.1-RC (amd64)
built on Thu Mar 18 03:04:03 EDT 2021
FreeBSD 12.2-STABLE

It works. The broken cert is now able to be deleted, navigation menus work, no PHP errors, etc. Marking the ticket back to resolved.

Actions
Copy link

Also available in: Atom PDF