Bug #3580
closed
Stunnel mangled cert on upgrade
Added by jeffrey Smith over 10 years ago.
Updated over 10 years ago.
Affected Architecture:
amd64
Description
I had pfsense 2.1 installed with stunnel 4.43 installed and added a certificate.
I upgraded to 2.1.1-RELEASE and now the certificate I had installed that was valid is showing as "Invalid key/cert!"
The key section is filled out with garbage and the cert section is completely empty.
Anything I can add to help with this issue?
https://forum.pfsense.org/index.php?topic=60009.msg322825#msg322825
I raised the above post on the forum over a year ago and it seems like the same issue here.
/usr/local/etc/stunnel/stunnel.conf only has just the standard
cert = /usr/local/etc/stunnel/stunnel.pem
chroot = /var/tmp/stunnel
setuid = stunnel
setgid = stunnel
/cf/conf/config.xml still has the configuration with my keys and cert still present. It does actually say the cert is invalid which it never used to before the upgrade. The Certs do include the intermediate cert but that should not be a problem.
<installedpackages>
<stunnelcerts>
<config>
<description><![CDATA[WildcardCompany]]></description>
<filename>cd7cd467</filename>
<subject>XXXXXX</subject>
<expiry>2017-03-22</expiry>
<cert_key>Private key was here</cert_key>
<cert_chain>Public key was here</cert_chain>
<status><font color="#AA0000"><b>Invalid key/cert!</b></font></status>
</config>
<savemsg/>
</stunnelcerts>
<stunnel/>
<package>
<name>stunnel</name>
<website>http://www.stunnel.org/</website>
<descr><![CDATA[An SSL encryption wrapper between remote client and local or remote servers.]]></descr>
<category>Network Management</category>
<depends_on_package_base_url>https://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url>
<depends_on_package>stunnel-4.43.tbz</depends_on_package>
<depends_on_package_pbi>stunnel-4.54-amd64.pbi</depends_on_package_pbi>
<version>4.43</version>
<status>Stable</status>
<pkginfolink>https://doc.pfsense.org/index.php/Stunnel_package</pkginfolink>
<required_version>1.2.1</required_version>
<config_file>https://packages.pfsense.org/packages/config/stunnel.xml</config_file>
<configurationfile>stunnel.xml</configurationfile>
<build_port_path>/usr/ports/security/stunnel</build_port_path>
<build_options>WITHOUT_FORK=true;WITH_PTHREAD=true;WITHOUT_UCONTEXT=true;WITHOUT_IPV6=true;WITH_LIBWRAP=true;WITHOUT_SSL_PORT=true</build_options>
</package>
<menu>
<name>STunnel</name>
<tooltiptext>The stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server. It can be used to add SSL functionality to commonly used inetd daemons like POP2, POP3, and IMAP servers without any changes in the programs' code. It will negotiate an SSL connection using the OpenSSL or SSLeay libraries. It calls the underlying crypto libraries, so stunnel supports whatever cryptographic algorithms you compiled into your crypto package.</tooltiptext>
<section>Services</section>
<configfile>stunnel.xml</configfile>
</menu>
<tab>
<text>Tunnels</text>
<url>/pkg.php?xml=stunnel.xml</url>
<active/>
</tab>
<service>
<name>stunnel</name>
<rcfile>/usr/local/etc/rc.d/stunnel.sh</rcfile>
<executable>stunnel</executable>
</service>
</installedpackages>
I have just upgraded to 2.1.2-RELEASE (amd64) and the certificates look fine this time, so possibly something else got fixed between 2.1.1 and 2.1.2.
You should be able to close this now.
- Status changed from New to Closed