Bug #5633

system_certmanager.php - Cannot import certificate

Added by Razvan Resteantu over 3 years ago. Updated over 3 years ago.

Status: Resolved
Priority: Low
Assignee: -
Category: Certificates
Target version:
Start date: 12/13/2015
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.3
Affected Architecture:

Description

In System / Certificate Manager / Certificates, when trying to import a certificate by "Import an existing Certificate", after putting all the data in all the input boxes, the Save button does nothing... Not saving, nor generating any error...

pfSense_CertManager.mp4 (1.65 MB) Razvan Resteantu, 12/16/2015 06:14 PM

History

#1 Updated by Steve Beaver over 3 years ago

Unable to reproduce.

Navigated to system_certmanager.php
Clicked "Add"
Typed in a name and pasted a certificate into the text areas.

New certificate saved correctly and appears in the list of certs.

Tested with Firefox, Safari and Chrome.

#2 Updated by Razvan Resteantu over 3 years ago

OK... After more testing, it seems that it is working, but...
If after clicking "Add" I enter a name, and paste certificate and private key data and click "Save", nothing happens. Save button does nothing, no action.
If after clicking "Add" I select another option (e.g. "Create an internal Certificate") and after that select back "Import an existing Certificate", after pasting all the required data the "Save" button works correctly and indeed it saves the certificate.
I tested this behavior both in IE and Chrome.

In Firefox, doing the same, I get a balloon popup saying "Please enter an email address."

You can test it by navigating to System / Certificate Manager / Certificates, click "Add" and in the new window, without inputting anything, click "Save". In IE and Chrome you'll get no action and in Firefox you'll get the "Please enter an email address." balloon.

#3 Updated by Steve Beaver over 3 years ago

Could others test and confirm this please? I am still unable to reproduce.

#4 Updated by Razvan Resteantu over 3 years ago

What is the default option selected when you enter "Add" in the system_certmanager.php menu?
When I enter it, on "Method" dropdown list I have "Import an existing Certificate", but it's like this value is not "selected" in the code...
Furthermore, if I enter System > Certificate Manager > Certificates > Add and directly click on "Save" (without doing anything else), in Chrome debug window I get "An invalid form control with name='dn_email' is not focusable." in system_certmanager.php?act=new:1

#5 Updated by Steve Beaver over 3 years ago

  • Subject changed from Cannot import certificate to system_certmanager.php - Cannot import certificate

#6 Updated by Steve Beaver over 3 years ago

  • Status changed from New to Feedback
  • Assignee set to Razvan Resteantu
  • Priority changed from High to Low

I have asked colleagues to test and they cannot reproduce either. Is it possible you have an adblocker, noscript or other plugin that is interfering with the action of the page?

#7 Updated by Chris Buechler over 3 years ago

Also been unable to replicate this anywhere with a variety of browsers on Windows, Linux and OS X.

Razvan: please clear the cache in your browser, close it out, reopen and start over trying to replicate the issue. Then if you can still replicate, the exact steps would be helpful.

#8 Updated by Razvan Resteantu over 3 years ago

I cleared cache, tried IE, Chrome and Firefox, tried on 3 different computers (2 win7 and 1 win10) and the same thing is happening every time.
Maybe it's something related to another setting in pfSense (theme, http/https, etc), but I played with the settings and I cannot make it work...
I attached a little movie to see exactly the issue and the steps I take...
As you can see, when entering the Add Certificate page, the Save button does nothing. I have to select another "Method" and then select back "Import an existing Certificate", in order to work.

There is no adblocker or other plugin running.

Please let me know if there is anything else that I can do in order to help debug this issue.

#9 Updated by Phillip Davis over 3 years ago

Might be a red herring, but is the certificate a response to a Certificate Signing Request that you generated using the 2.3 code?
I just saw an issue with the External Signing Request code: https://github.com/pfsense/pfsense/pull/2257

#10 Updated by Chris Buechler over 3 years ago

Thanks for the video, that at least makes it clearer. Still can't replicate with either theme though. Maybe was an issue with the dark theme earlier that's since been fixed, or something else that's since been fixed.

Are you still seeing this on the latest version Razvan?

#11 Updated by Razvan Resteantu over 3 years ago

Hello and Happy New Year!

@Phillip Davis: I didn't generate any of the certificates through pfSense interface. All of them were imported, so I don't think the issue you posted is related.

@Chris Buechler: I'm now on 2.3-ALPHA (amd64) built on Mon Jan 04 22:46:20 CST 2016, and I'm seeing the same behavior. It's not from the theme, because I tried it with different themes and it's doing the same. Also tried changing different settings that could have any relation with the behavior, but couldn't make it work...
Maybe the problem is from the CA certificate that I imported, whose name contains "&" (ampersand) character, but I cannot change it now because there are a lot of settings to be changed...
I saw that when creating a new certificate from pfSense interface, I'm not allowed to use "&" in the name of the certificate, but when importing a certificate, I can use it... Maybe this is related to the issue I'm seeing.

I'll try to install a fresh copy of pfSense in a virtual machine and test if the issue is still present on a clean installation. If it's not, I'll start making the settings one by one, to try to identify when the issue appears.
It will take some time though, because right now I'm full at my day job...

#12 Updated by Razvan Resteantu over 3 years ago

OK... After making some tests, I can now reliably replicate the issue...

The problem is when the first CA's name in system_camanager.php contains "&" (ampersand).
When you create a new CA by "Create an Internal Certificate Authority", you cannot use "&" in the name of the certificate (Descriptive name), but if you use the option "Import an Existing Certificate Authority", you can use "&" in the CA name.
My problem is that my CA name contains &, and when this CA is the first one in the list, or is the only one, then the issue that I reported earlier appears.

In order to replicate the issue you have to follow these steps:
1. Import a CA and use "&" in the name;
2. Delete any other CA that may exist, so that the one with "&" in the name is the only CA defined;
3. Go to system_certmanager.php and try to add a new certificate. The reported bug will manifest...

I think that you'll resolve this bug easily by restricting the use of "&" in the CA name when importing CAs, but I don't think this is right...
Why is the use of & not allowed in certificate names?
I think the code should be adjusted in order to allow this. I don't want to change my Organization name, or my certificate that I was using for years without a problem...

Please let me know if you need more info.

#13 Updated by Steve Beaver over 3 years ago

Thanks for the detective work. I'll take a look at this later this week. There is a possibility that it is a character encoding issue I suppose.

#14 Updated by Steve Beaver over 3 years ago

  • Status changed from Feedback to Assigned
  • Assignee changed from Razvan Resteantu to Steve Beaver

#15 Updated by Steve Beaver over 3 years ago

  • Status changed from Assigned to Feedback
  • Assignee changed from Steve Beaver to Razvan Resteantu

#16 Updated by Steve Beaver over 3 years ago

Testing this with Firefox, I found that when following your instructions (thank you for that) I got a pop-up message telling me I needed to enter an email address. Looking at the source there are two input fields that specify the attribute type="email" so I suspect this is what is causing the problem for you.

The long-term fix is to get rid of the toggle() action and to use JavaScript instead. This in turn will allow elements not required by a particular action to be disabled.

For now, however, I have changed the element type to "text" and for me at least, this seems to work around the issue.

Would you give it a try please?
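
Added example, not part of the ticket and not pfSense code: a simplified model of HTML constraint validation showing why an invalid `type="email"` control in a section that is not displayed blocks Save, and why disabling the controls outside the selected method removes the block. All field and section names except `dn_email` are assumptions, and the sample values are constructed.

```javascript
// Added illustration; not pfSense code. Field and section names are assumptions
// apart from dn_email, which the ticket quotes from the Chrome console.

// Loose stand-in for the browser's type="email" syntax check.
const looksLikeEmail = (v) => /^[^\s@]+@[^\s@]+$/.test(v);

// Disabled controls are barred from constraint validation; hidden ones are not.
function isInvalid(ctrl) {
  if (ctrl.disabled) return false;
  if (ctrl.required && ctrl.value === "") return true;
  return ctrl.type === "email" && ctrl.value !== "" && !looksLikeEmail(ctrl.value);
}

// Model of clicking Save: the first invalid control blocks submission.
// If it lives in a section that is not displayed, the user cannot correct it.
function trySubmit(controls, visibleSection) {
  const bad = controls.find(isInvalid);
  if (!bad) return { submitted: true };
  return { submitted: false, blockedBy: bad.name,
           focusable: bad.section === visibleSection };
}

// Long-term fix from the comment: disable every control outside the chosen method.
function selectMethod(controls, method) {
  return controls.map((c) => ({ ...c, disabled: c.section !== method }));
}

// Constructed sample: the ticket does not say what dn_email actually contained.
const sampleControls = [
  { name: "descr", section: "import", type: "text", required: true,
    value: "Imported cert", disabled: false },
  { name: "dn_email", section: "internal", type: "email", required: false,
    value: "not-an-email", disabled: false },
];

console.log(trySubmit(sampleControls, "import"));
console.log(trySubmit(selectMethod(sampleControls, "import"), "import"));
```

Disabled controls are also left out of the submitted form data, so the server-side handler still has to validate whatever fields it does receive for the chosen method.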

#17 Updated by Steve Beaver over 3 years ago

  • % Done changed from 0 to 100

#18 Updated by Razvan Resteantu over 3 years ago

Hi Steve,

Indeed, that change did the trick.
Now everything is OK.

#19 Updated by Steve Beaver over 3 years ago

  • Status changed from Feedback to Resolved
  • Assignee deleted (Razvan Resteantu)
