Regression #13988

open

PHP error with OpenVPN if the server certificate subject has duplicate components

Added by Marcos M about 1 year ago. Updated about 1 year ago.

Status: Confirmed
Priority: Normal
Assignee: -
Category: OpenVPN
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.7.0
Affected Architecture:

Description

Saving an OpenVPN Server configuration results in the following error:

    PHP Fatal error:  Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
    Stack trace:
    #0 /etc/inc/openvpn.inc(1197): urlencode(Array)
    #1 /etc/inc/openvpn.inc(1658): openvpn_reconfigure('server', Array)
    #2 /etc/inc/openvpn.inc(1865): openvpn_restart('server', Array)
    #3 /etc/inc/openvpn.inc(1907): openvpn_resync('server', Array)
    #4 /etc/rc.bootup(270): openvpn_resync_all()
    #5 {main}
      thrown in /etc/inc/openvpn.inc on line 1197

config.xml

    <cert>
        <refid>5c116b60e0bdf</refid>
        <descr><![CDATA[webConfigurator default (5c116b60e0bdf)]]></descr>
        <type>server</type>
        <crt>xxxxx</crt>
        <prv>xxxxx</prv>
    </cert>
    <cert>
        <refid>60566761859b5</refid>
        <descr><![CDATA[vpn.domain.com]]></descr>
        <crt>xxxxx==</crt>
        <prv>xxxxx</prv>
        <caref>5cb13825d3349</caref>
    </cert>
    <cert>
        <refid>62f793e6736f6</refid>
        <descr><![CDATA[*.domain.com]]></descr>
        <crt>xxxxx</crt>
        <prv>xxxxx</prv>
        <caref>5cb13825d3349</caref>
    </cert>

Actions #1

Updated by Jim Pingle about 1 year ago

  • Subject changed from PHP error with OpenVPN to PHP error with OpenVPN if the server certificate subject has duplicate components
  • Status changed from New to Feedback

That would have to be an issue in the certificate data. Somehow one of those certificates is triggering a return of multiple common name values in an array instead of a single CN as a string, but that shouldn't be possible as far as I can tell (unless maybe it was generated outside of pfSense in some non-standard way?).

To replicate this and investigate a solution we'll need the certificate "crt" PEM data (not the private key, just the cert) for whichever one of those is the OpenVPN server certificate.

Actions #2

Updated by Marcos M about 1 year ago

  • Status changed from Feedback to Confirmed

The issue looks to be that the cert used for the OpenVPN server contains multiple CN fields/values (which indicates the cert was not created in the pfSense GUI). It was reported that if the OpenVPN server config using this cert is not deleted, the system will not boot properly resulting in no connectivity.
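A defensive check for the condition described in this issue, as an added example that is not from the issue or from pfSense's openvpn.inc: PHP's openssl_x509_parse() returns a subject component as an array when it appears more than once, which is the value type urlencode() rejected in the trace. The function names and the sample subjects are hypothetical and constructed, and taking the first CN is an assumption about policy.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; this is not code from openvpn.inc.

/**
 * Return the subject components that carry more than one value.
 * openssl_x509_parse() reports such a component as an array of strings
 * instead of a single string.
 */
function duplicate_subject_components(array $subject): array
{
    return array_filter($subject, 'is_array');
}

/**
 * Reduce a CN value to one string that is safe to pass to urlencode().
 * Returns null when no usable CN exists so the caller can reject the cert.
 */
function single_common_name($cn): ?string
{
    if (is_string($cn) && $cn !== '') {
        return $cn;
    }
    foreach (is_array($cn) ? $cn : [] as $value) {
        if (is_string($value) && $value !== '') {
            return $value; // assumption: the first CN in the subject is used
        }
    }
    return null;
}

/** Parse a PEM certificate and report its duplicate subject components. */
function check_certificate_pem(string $pem): array
{
    $parsed = openssl_x509_parse($pem);
    if ($parsed === false) {
        throw new InvalidArgumentException('not a parseable X.509 certificate');
    }
    return duplicate_subject_components($parsed['subject'] ?? []);
}

// Constructed samples shaped like the 'subject' element of openssl_x509_parse().
$samples = [
    'single-cn'    => ['O' => 'Example', 'CN' => 'vpn.example.com'],
    'duplicate-cn' => ['O' => 'Example', 'CN' => ['vpn.example.com', 'backup.example.com']],
];
foreach ($samples as $name => $subject) {
    $dups = implode(',', array_keys(duplicate_subject_components($subject)));
    $cn = single_common_name($subject['CN'] ?? null);
    printf("%s: duplicates=[%s] cn=%s\n", $name, $dups, urlencode((string) $cn));
}
```

Running check_certificate_pem() on an imported certificate before it is assigned to an OpenVPN server surfaces the duplicate components at import time rather than during boot.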
