OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: RedVortex on March 18, 2022, 04:27:36 PM

Title: IPSec issue since 22.1.3 upgrade
Post by: RedVortex on March 18, 2022, 04:27:36 PM
I upgraded from 21.1.2 to 22.1.3 last night.

Since then, on reboot and every time I save/apply my IPSec configs, I get these errors:

[18-Mar-2022 00:29:44 America/Toronto] PHP Warning:  openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate! in /usr/local/etc/inc/plugins.inc.d/ipsec.inc on line 1257

[39675810-00da-4d28-b42b-1befc06e7261] Script action stderr returned "b"no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'""

/usr/local/sbin/pluginctl: Error: Invalid certificate hash info for


Does anybody have an idea of what's up? I think it may be related to this release note but I'm not sure how to fix it...

Quote:
o ipsec: clean up stale CA certificates on reconfigure

Also, I checked under /usr/local/etc/strongswan.opnsense.d/*.conf and there is nothing (except a README file) in there, but this configuration line

include strongswan.opnsense.d/*.conf


is included in /usr/local/etc/strongswan.conf anyway; this could explain one of the errors above (maybe all 3 actually).

Checking the code of

        $strongswan = generate_strongswan_conf($strongswanTree);
        $strongswan .= "\ninclude strongswan.opnsense.d/*.conf\n";
        @file_put_contents("/usr/local/etc/strongswan.conf", $strongswan);

        /* generate CA certificates files */
        $cafiles = [];
        foreach (isset($config['ca']) ? $config['ca'] : [] as $ca) {
            $cert = base64_decode($ca['crt']);
            $x509cert = openssl_x509_parse(openssl_x509_read($cert));
            if (is_array($x509cert) && isset($x509cert['hash'])) {
                $fname = "{$capath}/{$x509cert['hash']}.0.crt";
                $cafiles[] = $fname;
                if (!@file_put_contents($fname, $cert)) {
                    log_error(sprintf('Error: Cannot write IPsec CA file for %s', $ca['descr']));
                }
            } else {
                log_error(sprintf('Error: Invalid certificate hash info for %s', $ca['descr']));
            }
        }
        foreach (glob("{$capath}/*.0.crt") as $fname) {
            if (!in_array($fname, $cafiles)) {
                unlink($fname);
            }
        }


I see it seems to do something against the ipsec certs... I see 2 certs generated there: /usr/local/etc/ipsec.d/cacerts/ so I'm not sure what's going on...

Title: Re: IPSec issue since 22.1.3 upgrade
Post by: RedVortex on March 18, 2022, 04:36:21 PM
It also seems I have an empty CA under System: Trust: Authorities. I don't think I saw an empty CA there before the upgrade...

Title: Re: IPSec issue since 22.1.3 upgrade
Post by: RedVortex on March 18, 2022, 04:47:09 PM
OK, so deleting the empty self-signed CA seems to have fixed this issue.

This is not happening anymore since I deleted the empty CA cert:

[18-Mar-2022 11:15:55 America/Toronto] PHP Warning:  openssl_x509_read(): supplied parameter cannot be coerced into an X509 certificate! in /usr/local/etc/inc/plugins.inc.d/ipsec.inc on line 1257


And this one is gone too now:
2022-03-18T11:15:55-04:00 Error opnsense /usr/local/sbin/pluginctl: Error: Invalid certificate hash info for

This self-signed CA seems like it was used for the web GUI and possibly other stuff for IPSec? Could it be that it got wiped on the upgrade or not (re-)generated properly?

However, the following "errors" persist, which I guess is normal since there are no files under this folder. Not sure they should be logged at Error level though, or even be logged as an error.


Date Severity Process Line
2022-03-18T11:39:05-04:00 Error configd.py [033c924d-1574-4bd8-ac18-241d0f3451d6] Script action stderr returned "b"no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'""
2022-03-18T11:39:04-04:00 Error configd.py [6ebc7f84-633f-4128-ba8a-d0c7a1daed63] Script action stderr returned "b"no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'""
2022-03-18T11:39:00-04:00 Error configd.py [ff5483fa-5c54-45ac-b74b-c6b8eb5de680] Script action stderr returned "b"no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'""
2022-03-18T11:38:02-04:00 Error configd.py [5828834c-f694-474c-9a54-ac9208347813] Script action stderr returned "b"no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'""
2022-03-18T11:38:00-04:00 Error configd.py [f26a48ad-5c5d-4452-bdf0-d79e4be1e386] Script action stderr returned "b"no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'""
2022-03-18T11:37:58-04:00 Error configd.py [c1f4a1c2-9b18-4e8f-a1a5-b537e9bffd14] Script action stderr returned "b"no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'""
2022-03-18T11:37:54-04:00 Error configd.py [da8d2b3a-d68e-43f2-8d7b-fd5e24d6dafc] Script action stderr returned "b"no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'""
2022-03-18T11:15:55-04:00 Error configd.py [39675810-00da-4d28-b42b-1befc06e7261] Script action stderr returned "b"no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'""
2022-03-18T11:15:53-04:00 Error configd.py [714f0020-e64e-4654-8f27-231d1e7c6c3d] Script action stderr returned "b"no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'""
2022-03-18T11:15:49-04:00 Error configd.py [b16026ba-b84b-458a-a53a-269ccb139bc4] Script action stderr returned "b"no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'""
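
Added example, not part of the original posts and not OPNsense code: a stdlib-only Python triage that lists `ca` entries whose `crt` is empty or not shaped like a PEM certificate, the condition under which the quoted loop logs "Invalid certificate hash info". It assumes the configuration XML mirrors `$config['ca']`, with `<ca>` elements under the root carrying `<descr>` and `<crt>`; the function names and sample data are constructed, and the check is structural only, not full X.509 parsing.

```python
import base64
import ssl
import sys
import xml.etree.ElementTree as ET

def der_sequence_ok(der):
    """True if der is exactly one DER SEQUENCE, the outer shape of any X.509 cert."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return 2 + der[1] == len(der)
    n = der[1] & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)

def classify_crt(crt_b64):
    """Return None if the stored value is shaped like a PEM certificate, else a reason."""
    crt_b64 = "".join((crt_b64 or "").split())
    if not crt_b64:
        return "empty crt field"
    try:
        pem = base64.b64decode(crt_b64, validate=True).decode("ascii").strip()
        der = ssl.PEM_cert_to_DER_cert(pem)
    except ValueError:                      # bad base64, non-ASCII, or no PEM framing
        return "crt does not decode to a PEM certificate"
    return None if der_sequence_ok(der) else "PEM body is not a DER SEQUENCE"

def find_bad_cas(config_xml):
    """Return (index, descr, reason) for each <ca> that fails the structural check."""
    bad = []
    # Assumption: <ca> entries are direct children of the root, with <descr> and <crt>.
    for i, ca in enumerate(ET.fromstring(config_xml).findall("ca")):
        reason = classify_crt(ca.findtext("crt"))
        if reason:
            bad.append((i, ca.findtext("descr") or "", reason))
    return bad

def _stored(der):
    """Encode bytes the way the check expects: base64 of a PEM-framed blob."""
    return base64.b64encode(ssl.DER_cert_to_PEM_cert(der).encode()).decode()

# Constructed sample: a 5-byte DER placeholder (not a real cert), an empty CA, a junk value.
SAMPLE = ("<opnsense>"
          "<ca><descr>Lab CA</descr><crt>" + _stored(b"\x30\x03\x02\x01\x01") + "</crt></ca>"
          "<ca><descr></descr><crt></crt></ca>"
          "<ca><descr>Pasted wrong</descr><crt>" + base64.b64encode(b"not a cert").decode() + "</crt></ca>"
          "</opnsense>")

if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for idx, descr, reason in find_bad_cas(xml_text):
        print(f"ca[{idx}] descr={descr!r}: {reason}")
```

Run it with the path to a copy of the configuration file as the only argument; with no argument it reports on the constructed sample.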