Project

General

Profile

Actions

Bug #3580

closed

Stunnel mangled cert on upgrade

Added by jeffrey Smith over 10 years ago. Updated over 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
04/07/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
2.1
Affected Plus Version:
Affected Architecture:
amd64

Description

I had pfsense 2.1 installed with stunnel 4.43 installed and added a certificate.

I upgraded to 2.1.1-RELEASE and now the certificate I had installed that was valid is showing as "Invalid key/cert!"

The key section is filled out with garbage and the cert section is completely empty.

Anything I can add to help with this issue?

Actions #1

Updated by jeffrey Smith over 10 years ago

https://forum.pfsense.org/index.php?topic=60009.msg322825#msg322825

I raised the above post on the forum over a year ago and its seems like the same issue here.

/usr/local/etc/stunnel/stunnel.conf only has just the standard

cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel

/cf/conf/config.xml still has the configuration with my keys and cert still present. It does actually say the cert is invalid which it never used to before the upgrade. The Certs do include the intermediate cert but that should not be a problem.

<installedpackages>
                <stunnelcerts>
                        <config>
                                <description><![CDATA[WildcardCompany]]></description>
                                <filename>cd7cd467</filename>
                                <subject>XXXXXX</subject>
                                <expiry>2017-03-22</expiry>
                                <cert_key>Private key was here</cert_key>
                                <cert_chain>Public key was here</cert_chain>
                                <status>&lt;font color=&quot;#AA0000&quot;&gt;&lt;b&gt;Invalid key/cert!&lt;/b&gt;&lt;/font&gt;</status>
                        </config>
                        <savemsg/>
                </stunnelcerts>
                <stunnel/>
                <package>
                        <name>stunnel</name>
                        <website>http://www.stunnel.org/</website>
                        <descr><![CDATA[An SSL encryption wrapper between remote client and local or remote servers.]]></descr>
                        <category>Network Management</category>
                        <depends_on_package_base_url>https://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
                        <depends_on_package>stunnel-4.43.tbz</depends_on_package>
                        <depends_on_package_pbi>stunnel-4.54-amd64.pbi</depends_on_package_pbi>
                        <version>4.43</version>
                        <status>Stable</status>
                        <pkginfolink>https://doc.pfsense.org/index.php/Stunnel_package</pkginfolink>
                        <required_version>1.2.1</required_version>
                        <config_file>https://packages.pfsense.org/packages/config/stunnel.xml</config_file>
                        <configurationfile>stunnel.xml</configurationfile>
                        <build_port_path>/usr/ports/security/stunnel</build_port_path>
                        <build_options>WITHOUT_FORK=true;WITH_PTHREAD=true;WITHOUT_UCONTEXT=true;WITHOUT_IPV6=true;WITH_LIBWRAP=true;WITHOUT_SSL_PORT=true</build_options>
                </package>
                <menu>
                        <name>STunnel</name>
                        <tooltiptext>The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code. It will negotiate an SSL connection using the OpenSSL or SSLeay libraries. It calls the underlying crypto libraries, so stunnel supports whatever cryptographic algorithms you compiled into your crypto package.</tooltiptext>
                        <section>Services</section>
                        <configfile>stunnel.xml</configfile>
                </menu>
                <tab>
             <text>Tunnels</text>
                        <url>/pkg.php?xml=stunnel.xml</url>
                        <active/>
                </tab>
                <service>
                        <name>stunnel</name>
                        <rcfile>/usr/local/etc/rc.d/stunnel.sh</rcfile>
                        <executable>stunnel</executable>
                </service>
</installedpackages>

Actions #2

Updated by jeffrey Smith over 10 years ago

I have just upgraded to 2.1.2-RELEASE (amd64) and the certificates look fine this time so possibly something else got fixed between 2.1.1 and 2.1.2

You should be able to close this now.

Actions #3

Updated by Chris Buechler over 10 years ago

  • Status changed from New to Closed
Actions

Also available in: Atom PDF