Bug #15304
closed
After update to latest stable (23.09.1), cert issuance was issuing blank certs, and a signing request not working.
Description
My pfSense instance is a Netgate appliance on version:
23.09.1-RELEASE (amd64)
built on Wed Feb 28 16:16:00 UTC 2024
FreeBSD 14.0-CURRENT
Right after update to 23.09.1, I decided to fix my expired cert for webconfigurator. I created a CA, then issued a server cert from it. I navigated to: System / Advanced / Admin Access, and tried to find the newly generated cert in the SSL/TLS Certificate dropdown list. The newly generated server cert was not in the list.
I then inspected the newly generated cert (using edit) to see that the key data and certificate data are empty. I then tried a newly generated pkcs7 request and tried to submit it but the page would not submit, it would just reload the same data I just entered and not save it. I then rebooted the pfsense appliance/host and tried to submit the pkcs7 request again, and the cert had a private key and public cert info, and I was able to use the new certificate in webconfigurator without issue.
Not sure if this is considered a bug or not, but I thought the info would be welcome. Having found old posts on it w/ no repeatability (https://redmine.pfsense.org/issues/7995), I can say that I have repeated the issue w/ the latest stable version. A reboot fixed it. To possibly repeat, install the previous version, upgrade to the latest stable, do not restart, and try to generate a CA and use it in webconfigurator to replace the existing web configurator cert. Or perhaps, after creating a new CA, a restart of some service or reboot is necessary?
-Pete
Updated by Kris Phillips about 1 year ago
Tested on 23.09.1 and unable to recreate this issue. CAs and Certificates, when attempting to create and issue them multiple times, did not produce any blank data.
Pete,
Are you certain your file system is in good health? Did the actual file data on these "blank" certificates show blank or just the webConfigurator?
Updated by Jim Pingle about 1 year ago
- Status changed from New to Rejected
I can't replicate anything like this either. Last time someone reported a problem like this, they were trying to generate certs using a CA created elsewhere and imported into pfSense software, but the CA was broken/invalid in some way.
Post on the forum for assistance in diagnosing your issue.
Updated by Pete Ziu about 1 year ago
Kris Phillips wrote in #note-1:
Tested on 23.09.1 and unable to recreate this issue. CAs and Certificates, when attempting to create and issue them multiple times, did not produce any blank data.
Pete,
Are you certain your file system is in good health? Did the actual file data on these "blank" certificates show blank or just the webConfigurator?
I am sorry Kris, I did not look at the file system.
Updated by Pete Ziu about 1 year ago
Pete Ziu wrote in #note-3:
Kris Phillips wrote in #note-1:
Tested on 23.09.1 and unable to recreate this issue. CAs and Certificates, when attempting to create and issue them multiple times, did not produce any blank data.
Pete,
Are you certain your file system is in good health? Did the actual file data on these "blank" certificates show blank or just the webConfigurator?
I am sorry Kris, I did not look at the file system.
Jim Pingle wrote in #note-2:
I can't replicate anything like this either. Last time someone reported a problem like this, they were trying to generate certs using a CA created elsewhere and imported into pfSense software, but the CA was broken/invalid in some way.
Post on the forum for assistance in diagnosing your issue.
Jim, I tried both methods. I first was trying to stay inside of pfsense and generate a CA and then a key and cert from it. I then tried outside of pfsense, generating a private key and pkcs7 request using openssl, and then tried to import the pkcs7 request into pfsense using the interface. Both failed until I rebooted. After reboot, I was able to import the same pkcs7 request and it successfully generated a cert (and I imported the private key too successfully).
Perhaps in the future if this raises its head again, this entry may help.