Bug #15133

closed

PHP error with OpenVPN server certificate verification if the certificate has multiple ``CN`` attributes

Added by Clément PAPPALARDO 9 months ago. Updated 3 days ago.

Status:
Resolved
Priority:
Low
Assignee:
Category:
OpenVPN
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
24.08
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

PHP ERROR: Type: 1, File: /etc/inc/openvpn.inc, Line: 1197, Message: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array)
#4 {main}
  thrown

After looking at the code, this seems to be related to certificate depth. I disabled the check ("do not check"), and there are no more errors.


Related issues

Has duplicate Regression #13988: PHP error with OpenVPN if the server certificate subject has duplicate components (Duplicate)

Actions #1

Updated by Clément PAPPALARDO 9 months ago

(but users can't connect without certificate verification)

Actions #2

Updated by Jim Pingle 9 months ago

  • Status changed from New to Feedback

Is there something unusual about your server certificate? Was it created on pfSense or imported from elsewhere?

The CN property of the server certificate should never be an array, and yet somehow in your case it is.

Actions #3

Updated by Clément PAPPALARDO 9 months ago

I don't think so. I'm using it on 3 other identical appliances without problems. My CA is an imported Windows CA.

On this appliance, this problem appeared yesterday when I changed IPv6 settings several times, without a reboot. Errors popped up, but it was not a problem at the moment; the VPN was still OK (I was connected to it).
Very first error about this:

pfSense
PHP ERROR: Type: 1, File: /etc/inc/openvpn.inc, Line: 1197, Message: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /etc/inc/openvpn.inc(1909): openvpn_resync('server', Array)
#4 /etc/inc/interfaces.inc(7458): openvpn_resync_all('opt1')
#5 /usr/local/www/interfaces.php(491): restart_interface_services('opt1', 'dhcp6')
#6 {main}
  thrown

Then, as I was unsuccessful with my IPv6 settings, I tried to reboot the appliance at night.
And then the appliance was broken: no DHCP service started, no VPN (remote access or remote site), but the appliance was replying to pings from outside and sending me Telegram notifications:

pfSense
PHP ERROR: Type: 1, File: /etc/inc/openvpn.inc, Line: 1197, Message: Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /etc/inc/openvpn.inc(1909): openvpn_resync('server', Array)
#4 /etc/rc.bootup(282): openvpn_resync_all()
#5 {main}
  thrown

I tried to reboot WAN access, but no more luck. Then in the morning the customer tried to reboot too, with no more success.

I had to connect with SSH from the internal LAN to the appliance's LAN IP, delete my IPv6 LAN and WAN settings, restart the appliance, SSH again, restart the web interface, and then I gained access back.

But I still have this error, only for the VPN Remote User Access. The VPN Remote Site is OK (with the same CA).

Thanks for your help

Actions #4

Updated by Clément PAPPALARDO 9 months ago

I have 2 WANs; I tried switching the WAN source for this VPN server, not OK.
I deleted the VPN server and recreated it (same values), not OK.

After the appliance came back to life this morning, I tried everything, and the current errors are about vpn_openvpn_server.php line 892 (and at line 879 there is mention of tunnel_networkv6):

[03-Jan-2024 10:47:15 Europe/Paris] PHP Fatal error:  Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array)
#4 {main}
  thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 10:48:00 Europe/Paris] PHP Fatal error:  Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array)
#4 {main}
  thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:16:57 Europe/Paris] PHP Fatal error:  Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array)
#4 {main}
  thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:17:28 Europe/Paris] PHP Fatal error:  Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array)
#4 {main}
  thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:18:43 Europe/Paris] PHP Fatal error:  Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array)
#4 {main}
  thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:23:29 Europe/Paris] PHP Fatal error:  Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array)
#4 {main}
  thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:25:04 Europe/Paris] PHP Fatal error:  Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array)
#4 {main}
  thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:25:29 Europe/Paris] PHP Fatal error:  Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array)
#4 {main}
  thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:25:51 Europe/Paris] PHP Fatal error:  Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array)
#4 {main}
  thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:27:36 Europe/Paris] PHP Fatal error:  Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array)
#4 {main}
  thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:28:19 Europe/Paris] PHP Fatal error:  Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array)
#4 {main}
  thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:28:39 Europe/Paris] PHP Fatal error:  Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array)
#4 {main}
  thrown in /etc/inc/openvpn.inc on line 1197
[03-Jan-2024 11:38:48 Europe/Paris] PHP Fatal error:  Uncaught TypeError: urlencode(): Argument #1 ($string) must be of type string, array given in /etc/inc/openvpn.inc:1197
Stack trace:
#0 /etc/inc/openvpn.inc(1197): urlencode(Array)
#1 /etc/inc/openvpn.inc(1660): openvpn_reconfigure('server', Array)
#2 /etc/inc/openvpn.inc(1867): openvpn_restart('server', Array)
#3 /usr/local/www/vpn_openvpn_server.php(892): openvpn_resync('server', Array)
#4 {main}
  thrown in /etc/inc/openvpn.inc on line 1197
Actions #5

Updated by Jim Pingle 9 months ago

The error you are seeing is not relevant to the tunnel network and so on; that's just a coincidence, the bulk of the stack trace is always the same. It's from the server certificate having multiple CN properties, which it shouldn't. None of the settings in OpenVPN can fix that, but disabling some of the certificate protections appears to work around it because in that case it doesn't use the server CN when generating the configuration.

While the code could handle this better, the root cause is your server certificate not being properly formed. If you made that in a Windows CA, you should make a new server certificate and ensure it only has one CN entry. Alternately, if you have imported the CA key into pfSense you can make a new server certificate in the pfSense GUI certificate manager.

Changing the server certificate to another from the same CA is harmless and won't affect current clients.

Actions #6

Updated by Clément PAPPALARDO 9 months ago

ok, it makes sense.

I recreated the certificate for this appliance (you were right, there were 2 CNs), and now the VPN server starts without errors, and I'm connected to it.

Thank you very much

Actions #7

Updated by Jim Pingle 9 months ago

  • Project changed from pfSense Plus to pfSense
  • Subject changed from Bug about OpenVPN which makes pfsense not starting properly to PHP error with OpenVPN Server certificate verification if the certificate has multiple CN attributes
  • Category changed from OpenVPN to OpenVPN
  • Status changed from Feedback to New
  • Priority changed from Normal to Low
  • Target version set to CE-Next
  • Affected Plus Version deleted (23.09.1)
  • Plus Target Version set to Plus-Next

OK, good to know that worked.

We can fix the PHP error in the future but you may hit other issues with that sort of problematic certificate, so it's best to swap it out like you did.

Actions #8

Updated by Marcos M 4 months ago

  • Status changed from New to Pull Request Review
  • Assignee set to Marcos M
  • Target version changed from CE-Next to 2.8.0
  • Plus Target Version changed from Plus-Next to 24.08

https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/1156

We can handle multiple CNs by simply using only the first CN available in the cert. Multiple CNs will not be supported, however; see RFC 9525 and RFC 5280.
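
The check Jim asks for in #5 (does the server certificate carry a second CN?) and the "first CN wins" fallback Marcos describes in #8, as an added shell example. This is not pfSense code and not part of the merge request above; it assumes the openssl CLI is on PATH, and the subject names, file names and temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not pfSense code): detect a certificate whose subject carries
# more than one CN attribute, the condition that produced an array where a
# string was expected in this ticket, and show the "first CN wins" fallback.
# Assumes the openssl CLI is installed; all certificates below are throwaway
# self-signed test data generated on the fly.

# Print the subject DN one attribute per line, in certificate order.
subject_lines() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline
}

# Number of CN attributes in the subject (prints 0 if none).
cn_count() {
    subject_lines "$1" | grep -c '^ *CN=' || true
}

# First CN in certificate order; this is what the fix falls back to.
first_cn() {
    subject_lines "$1" | sed -n 's/^ *CN=//p' | head -n 1
}

# Pre-flight check for a certificate about to be used as an OpenVPN server
# certificate: succeeds only when exactly one CN is present. RFC 5280 and
# RFC 9525 expect a single CN (with host names carried in the SAN), so a
# second CN means the subject is malformed and the cert should be reissued.
check_server_cert() {
    n=$(cn_count "$1")
    case "$n" in
        1) echo "OK: $1 has one CN ($(first_cn "$1"))"; return 0 ;;
        0) echo "FAIL: $1 has no CN"; return 1 ;;
        *) echo "FAIL: $1 has $n CN attributes (first is '$(first_cn "$1")'); reissue it with a single CN"; return 1 ;;
    esac
}

# Issue a throwaway self-signed certificate with the given subject string.
# Constructed test data: "/CN=a/CN=b" yields two separate CN attributes,
# which is how a mis-templated CA request can end up looking.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo: one certificate shaped like the reporter's (two CNs), one well formed.
demo_dir=$(mktemp -d)
make_cert "$demo_dir/bad.pem"  "/C=FR/O=Example/CN=vpn.example.org/CN=vpn"
make_cert "$demo_dir/good.pem" "/C=FR/O=Example/CN=vpn.example.org"
for f in "$demo_dir/bad.pem" "$demo_dir/good.pem"; do
    check_server_cert "$f" || true
done
rm -rf "$demo_dir"
```

Run it against the PEM of the server certificate exported from the certificate manager; a count of 2 or more is the condition from this ticket, and the printed first CN is the value a patched build would use, which is why reissuing with a single CN is still the right fix rather than relying on the fallback.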

Actions #9

Updated by Marcos M 4 months ago

  • Has duplicate Regression #13988: PHP error with OpenVPN if the server certificate subject has duplicate components added

Actions #10

Updated by Marcos M 4 months ago

  • Status changed from Pull Request Review to Feedback
  • % Done changed from 0 to 100

Actions #11

Updated by Georgiy Tyutyunnik 4 months ago

Reproduced on 23.09, 24.03.

Tested on
24.08-DEVELOPMENT (amd64)
built on Fri Jun 14 9:02:00 +03 2024
FreeBSD 15.0-CURRENT
This version fixes the issue.

Actions #12

Updated by Marcos M 4 months ago

  • Status changed from Feedback to Resolved

Actions #13

Updated by Jim Pingle 3 days ago

  • Subject changed from PHP error with OpenVPN Server certificate verification if the certificate has multiple CN attributes to PHP error with OpenVPN server certificate verification if the certificate has multiple ``CN`` attributes