Bug #7995
pfSense Certificate Manager Issues Blank Certificates
Status: Closed
Description
Strange issue I'm having with the certificate manager in pfSense 2.4.0 release. I can create a certificate authority, but any certificates created from the newly created CA are blank upon download. On random attempts to create new server certificates I also get a list of identical error messages in a row when saving.
OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
I'm not using any special characters that I know of and I'm not leaving spaces in the names either.
Also, trying to set up OpenVPN access server and getting an error in OpenVPN logs probably related to the malformed certificates.
Cannot load certificate file /var/etc/openvpn/server1.cert
I have the ACME package installed and working with a few server certificates, so I'm not sure if that is interfering with some file permission somewhere.
This seems like a bug to me unless I'm missing something obvious.
Updated by Jim Pingle over 7 years ago
- Status changed from New to Feedback
- Assignee set to Jim Pingle
- Priority changed from High to Low
I can't make this happen on 2.4.0 or 2.4.1 here, I create CA and cert entries multiple times per day when testing things like this and I've never seen it happen before.
Without knowing the exact contents of the CA cert and a failing cert this will be nearly impossible to diagnose. Not just what is in the CA certificate, but also what you entered in the GUI since it could differ from the contents of the CA/certificate. It could be something in the inputs or properties of the CA but it's not clear what without any detail. We'll need to see what shows up on the CA and Certificate list in the GUI plus copies of the offending CA and certificate files, if possible. No need for the keys, of course. If you want to send those in privately, that can be arranged.
Updated by Kristopher Kolpin over 7 years ago
Hi Jim,
Thanks for taking a look at my issue.
I did a fresh demo install on VirtualBox with 2.4.1. Performed the GUI wizard post-install with DHCP for WAN and then went straight to the certificate manager. Created my CA and then my server certificate with an IP address SAN. Works like a charm.
When I did a fresh install of 2.4.1 on my production system I get the same issue with the blank certificates. Packages installed prior to making my own CA and server certificates include ACME (account setup with one LE server cert), pfBlockerNG, and Squid.
How would I go about sending info in privately?
Thanks in advance!
Updated by Jim Pingle over 7 years ago
So you used the exact same input on both systems and it worked on one and failed on the other?
Please take screenshots of each step you make when creating the problem certificates, and forward those along with the other info to me. jimp [at] pfsense {dot} org.
Updated by Jim Pingle over 7 years ago
I can't seem to replicate that here. I used the exact same inputs you sent via e-mail and it worked as expected on 2.4.1 and 2.4.2 snapshots. I get a usable CA and server certificate, no errors, and nothing is blank/empty.
The certificate error "PEM_read_bio:no_start_line" usually means that the certificate data passed to OpenSSL either wasn't valid or somehow could not be read. Though it's not quite clear exactly which item it's talking about. It could be the CA certificate or the temporary CSR for the server certificate.
Can you replicate this on any other system you have? First and foremost, make sure it's on 2.4.1 (or a 2.4.2 snapshot) before trying it again. It's possible there is something else wrong/out of date on that box unrelated to the certificate code.
Updated by Jim Pingle over 7 years ago
- Status changed from Feedback to Closed
After some more digging based on your later e-mail reply, I believe I found the root cause of this. See #8065
Closing this since this is a red herring/symptom.
Updated by Gary Graham over 7 years ago
I'm having the same issue on a freshly upgraded factory configured SG-8860. This happens with my existing CA as well as with any new ones I create.
I can confirm that /usr does not have its own mount point.
Is there a telltale way to see if the product name was read properly? I do see all of the fields populated with information on the dashboard.
I can open a new issue if you'd like.
Updated by Jim Pingle over 7 years ago
It will appear OK after booting, most tests will look fine then. You have to watch the console during boot time, the errors show there and are not logged.
If you update to a 2.4.2 snapshot it should be OK now.
Updated by Sebastian Billmann about 7 years ago
Hi, sorry to necro, but this bug still seems to exist in 2.4.2p1.
User certificates meant for OpenVPN that I just issued are all empty.
It doesn't seem to make a difference whether I issue the certificate while creating a user or issue the certificate in the certificate manager manually.
I tried issuing the certificates using my existing CA and with a freshly created CA, but the outcome remains the same.
Updated by Jim Pingle about 7 years ago
Highly unlikely that it's the same issue. Post on the forum, pfSense subreddit, or mailing list to discuss and diagnose your specific problem.
Updated by Throw Away about 7 years ago
We are also seeing this issue in production. I posted to the subreddit, but everything seems to be exactly the same as what's described above.