Bug #15133
PHP error with OpenVPN server certificate verification if the certificate has multiple ``CN`` attributes
Status: closed
% Done: 100%
Description
PHP ERROR: Type: 1, File: /etc/inc/openvpn.inc, Line: 1197, Message: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array) #4 {main} thrown
After looking at the code, this seems to be related to certificate depth. I disabled the check (do not check), and there were no more errors.
Updated by Clément PAPPALARDO 9 months ago
(but users can't connect without certificate verification)
Updated by Jim Pingle 9 months ago
- Status changed from New to Feedback
Is there something unusual about your server certificate? Was it created on pfSense or imported from elsewhere?
The CN property of the server certificate should never be an array, and yet somehow in your case it is.
Updated by Clément PAPPALARDO 9 months ago
I don't think so. I'm using it on 3 other identical appliances without problems. My CA is an imported Windows CA.
On this appliance, this problem appeared yesterday when I changed IPv6 settings several times, without a reboot. Errors popped up, but it was not a problem at the time; the VPN was still OK (I was connected to it).
Very first error about this:
pfSense PHP ERROR: Type: 1, File: /etc/inc/openvpn.inc, Line: 1197, Message: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /etc/inc/openvpn.inc(1909): openvpn_resync('server', Array) #4 /etc/inc/interfaces.inc(7458): openvpn_resync_all('opt1') #5 /usr/local/www/interfaces.php(491): restart_interface_services('opt1', 'dhcp6') #6 {main} thrown
Then, as I was unsuccessful with my IPv6 settings, I tried to reboot the appliance at night.
And then the appliance was broken: no DHCP service started, no VPN (remote access or remote site), but the appliance was replying to ping from outside and sending me Telegram notifications:
pfSense PHP ERROR: Type: 1, File: /etc/inc/openvpn.inc, Line: 1197, Message: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /etc/inc/openvpn.inc(1909): openvpn_resync('server', Array) #4 /etc/rc.bootup(282): openvpn_resync_all() #5 {main} thrown
I tried to reboot WAN access, but no more luck. Then in the morning the customer tried to reboot too, with no more success.
I had to connect with ssh from the internal LAN to the appliance LAN IP, delete my IPv6 LAN and WAN settings, restart the appliance, ssh again, restart the web interface, and then I gained access back.
But there is still this error, only for VPN Remote Users Access. VPN Remote Site is OK (with the same CA).
Thanks for your help
Updated by Clément PAPPALARDO 9 months ago
I have 2 WANs; I tried switching the WAN source for this VPN server, not OK.
I deleted the VPN server and recreated it (same values), not OK.
After the appliance came back to life this morning, I tried everything, and the current errors are about vpn_openvpn_server.php line 892 (and at line 879 there is a mention of tunnel_networkv6):
[03-Jan-2024 10:47:15 Europe/Paris] PHP Fatal error: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array) #4 {main} thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 10:48:00 Europe/Paris] PHP Fatal error: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array) #4 {main} thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:16:57 Europe/Paris] PHP Fatal error: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array) #4 {main} thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:17:28 Europe/Paris] PHP Fatal error: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array) #4 {main} thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:18:43 Europe/Paris] PHP Fatal error: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array) #4 {main} thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:23:29 Europe/Paris] PHP Fatal error: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array) #4 {main} thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:25:04 Europe/Paris] PHP Fatal error: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array) #4 {main} thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:25:29 Europe/Paris] PHP Fatal error: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array) #4 {main} thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:25:51 Europe/Paris] PHP Fatal error: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array) #4 {main} thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:27:36 Europe/Paris] PHP Fatal error: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array) #4 {main} thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:28:19 Europe/Paris] PHP Fatal error: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array) #4 {main} thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:28:39 Europe/Paris] PHP Fatal error: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array) #4 {main} thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:38:48 Europe/Paris] PHP Fatal error: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197 Stack trace: #0 /etc/inc/openvpn.inc(1197): urlencode(Array) #1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array) #2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array) #3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array) #4 {main} thrown in /etc/inc/openvpn.inc on line 1197
Updated by Jim Pingle 9 months ago
The error you are seeing is not relevant to the tunnel network and so on; that's just a coincidence. The bulk of the stack trace is always the same. It's from the server certificate having multiple CN properties, which it shouldn't. None of the settings in OpenVPN can fix that, but disabling some of the certificate protections appears to work around it because in that case it doesn't use the server CN when generating the configuration.
While the code could handle this better, the root cause is your server certificate not being properly formed. If you made that in a Windows CA, you should make a new server certificate and ensure it only has one CN entry. Alternately, if you have imported the CA key into pfSense you can make a new server certificate in the pfSense GUI certificate manager.
Changing the server certificate to another from the same CA is harmless and won't affect current clients.
Updated by Clément PAPPALARDO 9 months ago
OK, it makes sense.
I recreated the certificate for this appliance (you were right, there were 2 CNs), and now the VPN server started without errors, and I'm connected to it.
Thank you very much
Updated by Jim Pingle 9 months ago
- Project changed from pfSense Plus to pfSense
- Subject changed from Bug about OpenVPN which makes pfsense not starting properly to PHP error with OpenVPN Server certificate verification if the certificate has multiple CN attributes
- Category changed from OpenVPN to OpenVPN
- Status changed from Feedback to New
- Priority changed from Normal to Low
- Target version set to CE-Next
- Affected Plus Version deleted (23.09.1)
- Plus Target Version set to Plus-Next
OK, good to know that worked.
We can fix the PHP error in the future but you may hit other issues with that sort of problematic certificate, so it's best to swap it out like you did.
Updated by Marcos M 4 months ago
- Status changed from New to Pull Request Review
- Assignee set to Marcos M
- Target version changed from CE-Next to 2.8.0
- Plus Target Version changed from Plus-Next to 24.08
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/1156
We can handle multiple CNs by simply using only the first CN available in the cert. Multiple CNs will not be supported, however; see RFC9525 and RFC5280.
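An added illustration of the failure and of the first-CN approach described in this thread; it is not pfSense's code and not the merged change. It assumes PHP 8 and the subject layout returned by openssl_x509_parse(); the helper names and the sample subjects are constructed for the example.

```php
<?php
declare(strict_types=1);
// Values of one subject attribute as a list. openssl_x509_parse() returns a string when the attribute occurs once and an array when it repeats.
function subject_values(array $subject, string $attr): array
{
    if (!array_key_exists($attr, $subject)) {
        return [];
    }
    $values = is_array($subject[$attr]) ? array_values($subject[$attr]) : [$subject[$attr]];
    return array_map('strval', $values);
}

// First CN in the subject, or null when the certificate has none.
function first_cn(array $subject): ?string
{
    return subject_values($subject, 'CN')[0] ?? null;
}

// Attributes that occur more than once, as attribute => count.
function repeated_attributes(array $subject): array
{
    $repeated = [];
    foreach (array_keys($subject) as $attr) {
        $count = count(subject_values($subject, (string) $attr));
        if ($count > 1) {
            $repeated[$attr] = $count;
        }
    }
    return $repeated;
}

// Constructed samples in the shape of openssl_x509_parse($pem)['subject'].
$samples = [
    'single CN' => ['O' => 'Example Org', 'CN' => 'vpn.example.test'],
    'two CNs'   => ['O' => 'Example Org', 'CN' => ['vpn.example.test', 'vpn-old.example.test']],
];

foreach ($samples as $label => $subject) {
    try {
        // Mirrors the failing call in the report: an unchecked CN passed to urlencode().
        echo "$label: raw CN encodes to " . urlencode($subject['CN']) . "\n";
    } catch (TypeError $e) {
        echo "$label: raw CN fails: {$e->getMessage()}\n";
    }
    echo "$label: first CN = " . urlencode(first_cn($subject) ?? '') . "\n";
    foreach (repeated_attributes($subject) as $attr => $count) {
        echo "$label: warning, $attr appears $count times; reissue the certificate\n";
    }
}
```

Running the same check on a certificate before assigning it to a server surfaces the duplicate while it is still only a warning, rather than at service restart or boot.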
Updated by Marcos M 4 months ago
- Has duplicate Regression #13988: PHP error with OpenVPN if the server certificate subject has duplicate components added
Updated by Marcos M 4 months ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset 70defd0f1a465b46754faecdc2fc96a0ef7cd279.
Updated by Georgiy Tyutyunnik 4 months ago
reproduced on 23.09, 24.03
tested on
24.08-DEVELOPMENT (amd64)
built on Fri Jun 14 9:02:00 +03 2024
FreeBSD 15.0-CURRENT
this version fixes the issue.
Updated by Jim Pingle 3 days ago
- Subject changed from PHP error with OpenVPN Server certificate verification if the certificate has multiple CN attributes to PHP error with OpenVPN server certificate verification if the certificate has multiple ``CN`` attributes