Bug #14592

closed

Issues with ACME Private Key handling

Added by Jim Pingle 9 months ago. Updated 9 months ago.

Status: Resolved
Priority: Normal
Category: ACME
% Done: 100%

Description

There are some problems with private key handling in the ACME package that appear to have been ongoing for a while.

  • The ACME package code attempts to generate a private key based on the current entry settings, but this may be skipped if the key file already exists, even if the settings changed.
  • When issuing or renewing a certificate, the pre-generated key can be ignored, defaulting to a 2048-bit RSA key no matter what settings are present in the ACME certificate entry.
  • If the certificate manager entry corresponding to an ACME certificate entry is missing its private key, it can lead to a PHP error: https://forum.netgate.com/topic/181346/acme-certificate-php-fatal-error
PHP Fatal error:  Uncaught TypeError: openssl_pkey_get_details(): Argument #1 ($key) must be of type OpenSSLAsymmetricKey, bool given in /usr/local/pkg/acme/acme.inc:1732
Stack trace:
#0 /usr/local/pkg/acme/acme.inc(1732): openssl_pkey_get_details(false)
#1 /usr/local/pkg/acme/acme.inc(1884): pfsense_pkg\acme\getCertificatePSK('https://acme-st...', Array, 'pfsense.ionutda...')
#2 /usr/local/www/acme/acme_certificates.php(61): pfsense_pkg\acme\issue_certificate('pfsense.ionutda...', true)
#3 {main}
  thrown in /usr/local/pkg/acme/acme.inc on line 1732

I have a fix prepared for all of these; it will be committed shortly and be available as ACME pkg v0.7.5.
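The following is an added illustration and is not code from the pfSense ACME package or from the commit referenced in this bug. It shows, in PHP (the package's language), the two checks the three bullets above call for: reuse a pre-generated key file only when it still matches the entry's key settings (otherwise regenerate, and always hand that key to the issue/renew step rather than falling back to a default), and check the return value of openssl_pkey_get_private() before calling openssl_pkey_get_details() so a missing key produces a clear error instead of the TypeError quoted in the trace. The function names and the 'rsa'/'ec' key-type and parameter scheme are assumptions made for this example.

```php
<?php
// Added illustration (not the pfSense ACME package's own code) of the two
// key-handling checks the report calls for. The key type/parameter scheme
// ('rsa' + bits, 'ec' + curve name) is an assumption made for this example.
declare(strict_types=1);

// Load a PEM private key and return its details, or throw. openssl_pkey_get_private()
// returns false on failure; in PHP 8 passing that false to
// openssl_pkey_get_details() is the TypeError quoted in the report.
function load_key_details(string $pem): array
{
    $key = openssl_pkey_get_private($pem);
    if ($key === false) {
        throw new RuntimeException('Private key missing or unreadable: ' . openssl_error_string());
    }
    $details = openssl_pkey_get_details($key);
    if ($details === false) {
        throw new RuntimeException('Unable to read private key details');
    }
    return $details;
}

// True if the existing key already matches the requested settings and can be reused.
function key_matches_settings(string $pem, string $keytype, string $keyparam): bool
{
    try {
        $details = load_key_details($pem);
    } catch (RuntimeException $e) {
        return false;   // an unreadable or absent key never counts as matching
    }
    if ($keytype === 'rsa') {
        return $details['type'] === OPENSSL_KEYTYPE_RSA
            && $details['bits'] === (int) $keyparam;
    }
    if ($keytype === 'ec') {
        return $details['type'] === OPENSSL_KEYTYPE_EC
            && ($details['ec']['curve_name'] ?? null) === $keyparam;
    }
    return false;
}

// Generate a fresh PEM key from the entry's settings (no silent RSA-2048 default).
function generate_key_pem(string $keytype, string $keyparam): string
{
    if ($keytype === 'rsa') {
        $config = ['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => (int) $keyparam];
    } elseif ($keytype === 'ec') {
        $config = ['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => $keyparam];
    } else {
        throw new InvalidArgumentException("Unsupported key type: {$keytype}");
    }
    $key = openssl_pkey_new($config);
    if ($key === false) {
        throw new RuntimeException('Key generation failed: ' . openssl_error_string());
    }
    if (!openssl_pkey_export($key, $pem)) {
        throw new RuntimeException('Key export failed: ' . openssl_error_string());
    }
    return $pem;
}

// Ensure the key file exists AND matches the configured settings; regenerate it
// when absent or stale. Returns the PEM the CSR must use, so issue/renew cannot
// fall back to a default key.
function ensure_key_file(string $path, string $keytype, string $keyparam): string
{
    if (is_file($path)) {
        $existing = (string) file_get_contents($path);
        if (key_matches_settings($existing, $keytype, $keyparam)) {
            return $existing;   // settings unchanged: reuse
        }
        // Settings changed since generation: fall through and replace the key.
    }
    $pem = generate_key_pem($keytype, $keyparam);
    if (file_put_contents($path, $pem, LOCK_EX) === false) {
        throw new RuntimeException("Unable to write key file {$path}");
    }
    chmod($path, 0600);   // private key: owner read/write only
    return $pem;
}

// Constructed demonstration: an entry changed from RSA-2048 to EC prime256v1.
$tmp = tempnam(sys_get_temp_dir(), 'acmekey');
ensure_key_file($tmp, 'rsa', '2048');
$ec = ensure_key_file($tmp, 'ec', 'prime256v1');   // stale RSA key is replaced
var_dump(key_matches_settings($ec, 'ec', 'prime256v1'));
unlink($tmp);
```

The point of comparing the key's actual type, size and curve against the entry settings, rather than checking only whether the file exists, is that a settings change then invalidates the cached key instead of being silently ignored; returning the PEM from the same function that validated it keeps the issue/renew path from ever substituting a default key.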

Actions #1

Updated by Jim Pingle 9 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

Commit: https://github.com/pfsense/FreeBSD-ports/commit/2b3c7e925fed1d53763e6d2eee5e5ab2289b4116

Packages are built and available now for Plus 23.05.1 and CE 2.7.0, dev snapshots will get them in the next overnight build.

Actions #2

Updated by Danilo Zrenjanin 9 months ago

I couldn't reproduce any of the listed issues on the 0.7.5 Acme package.

I am marking this case resolved.

Actions #3

Updated by Danilo Zrenjanin 9 months ago

  • Status changed from Feedback to Resolved