Bug #7348


Import certificate doesn't verify syntax resulting in loss of web gui

Added by Isaac McDonald almost 9 years ago. Updated almost 9 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Web Interface
Target version:
-
Start date:
03/04/2017
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

The web GUI doesn't check syntax when importing SSL certificates, resulting in loss of the web GUI.

Steps to reproduce:
1. Navigate to System ---> Certificate Manager ---> Certificates
2. Click the green "Add" button to add a new certificate
3. Choose "Import an existing certificate" for Method
4. Enter a descriptive name
5. Paste a certificate in Certificate data. Example:
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

6. Paste the private key in Private key data, leaving off "-----END PRIVATE KEY-----". Example:
-----BEGIN PRIVATE KEY-----
[key body omitted]

7. Click Save.
8. Navigate to System ---> Advanced and select the certificate you just imported as the server certificate.
9. Click "Save"
10. After the changes are saved, the web GUI is no longer available

Due to the missing "-----END PRIVATE KEY-----" in the private key, nginx fails to start.

Logs indicate there's an issue with the SSL key:
tail /var/log/nginx/error.log
failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file

To restore web GUI functionality, SSH into pfSense and modify /cf/conf/config.xml, replacing the cert specified here: <ssl-certref>50d1ed60453xx</ssl-certref> with the ref ID of the default certificate. The default certificate ref ID can be found by grepping for the refid of the default cert: grep "webConfigurator default" /cf/conf/config.xml

After modifying config.xml, delete the cache (rm /tmp/config.cache) and restart the web GUI (/etc/rc.restart_webgui).

Actions #1

Updated by Kill Bill almost 9 years ago

Duplicate of Bug #1685.

(Note - there's no need for manual messing with config.xml, see the other bug.)

Actions #2

Updated by Jim Pingle almost 9 years ago

  • Status changed from New to Resolved

#1685 is something different.

We already protect against importing such bad combinations on 2.4. You can't import a key without that line, or one that doesn't match the certificate.
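The failure in the steps above (a private key pasted without its END line) and the two checks described for 2.4 (reject a key that is missing that line, reject a key that does not belong to the certificate), as an added example that is not pfSense's own code: pfSense's web GUI is PHP, and this is an illustrative Python pre-import validator. The PEM samples are constructed placeholders, not real keys or certificates; the key-to-certificate match uses the third-party `cryptography` package when it is installed and is skipped otherwise.

```python
"""Validate pasted PEM material before it is written to a config.

Added example, not pfSense code. Structural checks need only the standard
library; the key/certificate match is attempted with 'cryptography' if present.
"""
import base64
import binascii
import re

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE"}


def parse_pem(text, allowed_labels):
    """Split PEM text into (label, der_bytes) tuples, rejecting malformed input.

    Raises ValueError for a BEGIN line without its matching END line, a body
    that is not base64, or a block type that does not belong in this field.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    blocks = []
    i = 0
    while i < len(lines):
        m = re.fullmatch(r"-----BEGIN ([A-Z0-9 ]+)-----", lines[i])
        if not m:
            raise ValueError(f"unexpected text outside a PEM block: {lines[i][:40]!r}")
        label = m.group(1)
        if label not in allowed_labels:
            raise ValueError(f"unexpected PEM type {label!r}")
        end = f"-----END {label}-----"
        body = []
        i += 1
        while i < len(lines) and lines[i] != end:
            if lines[i].startswith("-----"):
                raise ValueError(f"{label}: found {lines[i]!r} before {end!r}")
            body.append(lines[i])
            i += 1
        if i == len(lines):
            # The case from the report: END line left off, nginx later fails with
            # 'PEM routines:PEM_read_bio:bad end line'.
            raise ValueError(f"{label}: missing {end!r}")
        try:
            der = base64.b64decode("".join(body), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: body is not valid base64 ({exc})") from exc
        if not der:
            raise ValueError(f"{label}: empty body")
        blocks.append((label, der))
        i += 1
    if not blocks:
        raise ValueError("no PEM block found")
    return blocks


def key_matches_certificate(cert_pem, key_pem):
    """True/False if the key's public half equals the certificate's; None if
    'cryptography' is not installed. Raises ValueError if either fails to parse."""
    try:
        from cryptography import x509
        from cryptography.hazmat.primitives import serialization
    except ImportError:
        return None
    try:
        cert = x509.load_pem_x509_certificate(cert_pem.encode())
        key = serialization.load_pem_private_key(key_pem.encode(), password=None)
    except (ValueError, TypeError) as exc:
        raise ValueError(f"certificate or key is not a parsable object: {exc}") from exc
    enc, fmt = serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    return cert.public_key().public_bytes(enc, fmt) == key.public_key().public_bytes(enc, fmt)


def check_import(cert_pem, key_pem):
    """Return the problems that should block the import; an empty list means accept."""
    problems = []
    for name, text, labels in (("certificate", cert_pem, CERT_LABELS),
                               ("private key", key_pem, KEY_LABELS)):
        try:
            if len(parse_pem(text, labels)) != 1:
                problems.append(f"{name}: expected exactly one PEM block")
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
    if problems:
        return problems  # structure first; do not try to load broken material
    try:
        if key_matches_certificate(cert_pem, key_pem) is False:
            problems.append("private key does not belong to the certificate")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed placeholders (random-looking bytes, not real credentials).
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(b"constructed placeholder, not a certificate").decode()
               + "\n-----END CERTIFICATE-----\n")
TRUNCATED_KEY = ("-----BEGIN PRIVATE KEY-----\n"   # step 6 of the report: no END line
                 + base64.b64encode(b"constructed placeholder, not a key").decode() + "\n")

if __name__ == "__main__":
    for problem in check_import(SAMPLE_CERT, TRUNCATED_KEY):
        print("rejected:", problem)
```

The structural pass runs before anything is written to config.xml and before nginx is reloaded, so a paste like the one in the report is refused at the form instead of taking the web GUI down.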
