Bug #14585

closed

Fatal error editing acme certificates

Added by Phil Tull about 2 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: ACME
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: 2.7.0
Affected Plus Version:
Affected Architecture: amd64

Description

After updating pfSense from 2.6.0 to 2.7.0, cannot manage acme certificates IF the certificate has NO actions.
Acme package version 0.7.4.

If the certificate does have any actions, it works.
If cert has no actions, web gui returns the following:

PHP ERROR: Type: 1, File: /usr/local/www/acme/acme_certificates_edit.php, Line: 156, Message: Uncaught TypeError: Cannot access offset of type string on string in /usr/local/www/acme/acme_certificates_edit.php:156
Stack trace:
#0 {main}

Actions #1

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Feedback

Sounds like you have a corrupted/incomplete certificate entry in the configuration that is leading to the errors, but the error doesn't line up with any code that seems like it would cause that if you're on a current version.

Can you check your config.xml file and look for the ACME settings, and see what is in the certificate entry that leads to this error? I can't reproduce it here, so it would help to have the entry from your configuration which can trigger the error.

There was a similar issue with corrupted entries on #14199 but that should be solved in 0.7.4.

Something else to try is to remove the ACME package and install it again to ensure it is completely up-to-date. We had reports from some users that certain packages didn't update properly during the upgrade to CE 2.7.0.

Actions #2

Updated by Phil Tull about 2 years ago

Yes, I'm in the config.xml and it looks perfectly normal to me. I'll attach an example entry.
Consider this...

if (isset($id) && $a_certificates[$id]) {
        $a_domains = $a_certificates[$id]['a_domainlist']['item'];
        $a_actions = $a_certificates[$id]['a_actionlist']['item'];  // <<<-- line 156

        $pconfig["lastrenewal"] = $a_certificates[$id]["lastrenewal"];
        $pconfig['keypaste'] = base64_decode($a_certificates[$id]['keypaste']);
        foreach($simplefields as $stat) {
                $pconfig[$stat] = $a_certificates[$id][$stat];
        }
}

Some of my certs have actions like this. They all work.

<a_actionlist>
  <item>
    <status>enable</status>
    <command>/usr/local/etc/rc.d/haproxy.sh restart</command>
    <method>shellcommand</method>
    <_index></_index>
  </item>
</a_actionlist>

5 certs have no actions, like this.
They return the error.

<a_actionlist></a_actionlist>

Here is a complete example item that fails.

<item>
  <a_domainlist>
    <item>
      <status>enable</status>
      <name>emitime.com</name>
      <method>dns_cf</method>
      <dns_cfcf_key>XXXXX</dns_cfcf_key>
      <dns_cfcf_email>XXXXX</dns_cfcf_email>
      <dns_cfcf_token>XXXXX</dns_cfcf_token>
      <dns_cfcf_account_id>XXXXX</dns_cfcf_account_id>
      <dns_cfcf_zone_id>XXXXX</dns_cfcf_zone_id>
      <_index></_index>
    </item>
    <item>
      <status>enable</status>
      <name>*.emitime.com</name>
      <method>dns_cf</method>
      <dns_cfcf_key>XXXXX</dns_cfcf_key>
      <dns_cfcf_email>XXXXX</dns_cfcf_email>
      <dns_cfcf_token>XXXXX</dns_cfcf_token>
      <dns_cfcf_account_id>XXXXX</dns_cfcf_account_id>
      <dns_cfcf_zone_id>XXXXX</dns_cfcf_zone_id>
      <_index></_index>
     </item>
    </a_domainlist>
    <a_actionlist></a_actionlist>
    <keypaste></keypaste>
    <name>emitime.com</name>
    <descr><![CDATA[emitime]]></descr>
    <status>active</status>
    <acmeaccount>Aquila Production</acmeaccount>
    <keylength>2048</keylength>
    <ocspstaple></ocspstaple>
    <preferredchain></preferredchain>
    <dnssleep></dnssleep>
    <renewafter></renewafter>
    <lastrenewal>1687667827</lastrenewal>
  </item>

Actions #3

Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to New
  • Assignee set to Jim Pingle

OK, you mean no actions defined in the list in the cert entry -- I thought you meant they showed no action icons in the certificate list.

Actions #4

Updated by Phil Tull about 2 years ago

I'm considering your suggestion to reinstall acme.
Would that require me to rebuild all my acme settings?
I wonder if there would be any downtime.

Actions #5

Updated by Jim Pingle about 2 years ago

Phil Tull wrote in #note-4:

> I'm considering your suggestion to reinstall acme.

In this case I doubt it would make a difference.

> Would that require me to rebuild all my acme settings?
> I wonder if there would be any downtime.

No downtime, settings would stay. Uninstall/reinstall of the package is functionally the same as upgrading it in-place.

Actions #6

Updated by Phil Tull about 2 years ago

ok one more question please.
Is it possible for me to edit the live config.xml and put in the actions (presumably to make those entries work again)?

Is there a recommendation? Do I restart pfSense to get it to pick up the changes?
I have no problem doing this, I'm comfortable with vi and command line.

Actions #7

Updated by Jim Pingle about 2 years ago

Phil Tull wrote in #note-6:

> ok one more question please.
> Is it possible for me to edit the live config.xml and put in the actions (presumably to make those entries work again)?
>
> Is there a recommendation? Do I restart pfSense to get it to pick up the changes?
> I have no problem doing this, I'm comfortable with vi and command line.

https://docs.netgate.com/pfsense/en/latest/config/xml-configuration-file.html#manually-editing-the-configuration

Actions #8

Updated by Phil Tull about 2 years ago

Thanks. I'm going to try this tonight.
Perfect.

Actions #9

Updated by Phil Tull about 2 years ago

I just edited config.xml and added actions to my items.

It worked. I immediately got access to those items in pfSense.

Actions #10

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Closed

Looking at the PHP code blocks you showed above, something must not have updated in your setup. Lines were added to initialize the arrays almost a year ago in ACME pkg v0.7.1_2 and they aren't in the block you show there. They are there on all my 2.7.0 installations, however.

https://github.com/pfsense/FreeBSD-ports/blame/3c689c34f7016c850eef7d4ead9353577b897f21/security/pfSense-pkg-acme/files/usr/local/www/acme/acme_certificates_edit.php#L155

I can't reproduce the problem on 2.7.0 (or Plus 23.05.1, or dev snapshots of either Plus or CE), even without actions there are no errors as you show.

Removing and reinstalling the package should take care of that in most cases, unless there is a deeper problem with your installation/hardware.
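
The failure mode discussed in this thread, as an added example (not code from the ACME package or from either participant): going by the error message, an empty `<a_actionlist></a_actionlist>` element reaches PHP as a string, so indexing it with `['item']` raises a TypeError on PHP 8. `list_items()` is a hypothetical helper name, and the two sample entries are constructed to mirror the shapes shown in the report.

```php
<?php
declare(strict_types=1);

/**
 * Return the <item> entries under a list node of a certificate entry.
 * Hypothetical helper: checks the node type before indexing, because an
 * empty element is delivered as '' rather than as an array.
 */
function list_items(array $entry, string $list): array
{
    $node = $entry[$list] ?? null;
    if (!is_array($node)) {
        return [];                    // element missing or empty: no items
    }
    $items = $node['item'] ?? [];
    return is_array($items) ? $items : [];
}

// Constructed sample entries: one with an action, one with an empty list.
$with_actions = [
    'name' => 'with-actions.example',
    'a_actionlist' => ['item' => [[
        'status'  => 'enable',
        'command' => '/usr/local/etc/rc.d/haproxy.sh restart',
        'method'  => 'shellcommand',
    ]]],
];
$no_actions = [
    'name' => 'no-actions.example',
    'a_actionlist' => '',             // <a_actionlist></a_actionlist>
];

// Unguarded read, same shape as the line flagged in the report.
try {
    $a_actions = $no_actions['a_actionlist']['item'];
} catch (TypeError $e) {
    echo "unguarded read failed: ", $e->getMessage(), "\n";
}

// Guarded read: both entries load, the empty list yields zero actions.
foreach ([$with_actions, $no_actions] as $cert) {
    $actions = list_items($cert, 'a_actionlist');
    printf("%s: %d action(s)\n", $cert['name'], count($actions));
}
```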
