Bug #3580
Closed
Stunnel mangled cert on upgrade
Description
I had pfsense 2.1 installed with stunnel 4.43 installed and added a certificate.
I upgraded to 2.1.1-RELEASE and now the certificate I had installed that was valid is showing as "Invalid key/cert!"
The key section is filled out with garbage and the cert section is completely empty.
Anything I can add to help with this issue?
Updated by jeffrey Smith over 10 years ago
https://forum.pfsense.org/index.php?topic=60009.msg322825#msg322825
I raised the above post on the forum over a year ago and it seems like the same issue here.
/usr/local/etc/stunnel/stunnel.conf only has just the standard
cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
/cf/conf/config.xml still has the configuration with my keys and cert still present. It does actually say the cert is invalid which it never used to before the upgrade. The Certs do include the intermediate cert but that should not be a problem.
<installedpackages>
  <stunnelcerts>
    <config>
      <description><![CDATA[WildcardCompany]]></description>
      <filename>cd7cd467</filename>
      <subject>XXXXXX</subject>
      <expiry>2017-03-22</expiry>
      <cert_key>Private key was here</cert_key>
      <cert_chain>Public key was here</cert_chain>
      <status><font color="#AA0000"><b>Invalid key/cert!</b></font></status>
    </config>
    <savemsg/>
  </stunnelcerts>
  <stunnel/>
  <package>
    <name>stunnel</name>
    <website>http://www.stunnel.org/</website>
    <descr><![CDATA[An SSL encryption wrapper between remote client and local or remote servers.]]></descr>
    <category>Network Management</category>
    <depends_on_package_base_url>https://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
    <depends_on_package>stunnel-4.43.tbz</depends_on_package>
    <depends_on_package_pbi>stunnel-4.54-amd64.pbi</depends_on_package_pbi>
    <version>4.43</version>
    <status>Stable</status>
    <pkginfolink>https://doc.pfsense.org/index.php/Stunnel_package</pkginfolink>
    <required_version>1.2.1</required_version>
    <config_file>https://packages.pfsense.org/packages/config/stunnel.xml</config_file>
    <configurationfile>stunnel.xml</configurationfile>
    <build_port_path>/usr/ports/security/stunnel</build_port_path>
    <build_options>WITHOUT_FORK=true;WITH_PTHREAD=true;WITHOUT_UCONTEXT=true;WITHOUT_IPV6=true;WITH_LIBWRAP=true;WITHOUT_SSL_PORT=true</build_options>
  </package>
  <menu>
    <name>STunnel</name>
    <tooltiptext>The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code. It will negotiate an SSL connection using the OpenSSL or SSLeay libraries.
It calls the underlying crypto libraries, so stunnel supports whatever cryptographic algorithms you compiled into your crypto package.</tooltiptext>
    <section>Services</section>
    <configfile>stunnel.xml</configfile>
  </menu>
  <tab>
    <text>Tunnels</text>
    <url>/pkg.php?xml=stunnel.xml</url>
    <active/>
  </tab>
  <service>
    <name>stunnel</name>
    <rcfile>/usr/local/etc/rc.d/stunnel.sh</rcfile>
    <executable>stunnel</executable>
  </service>
</installedpackages>
Updated by jeffrey Smith over 10 years ago
I have just upgraded to 2.1.2-RELEASE (amd64) and the certificates look fine this time, so possibly something else got fixed between 2.1.1 and 2.1.2.
You should be able to close this now.