After updating to 25.7, the Certificates plugin in the dashboard stopped showing certs and gets stuck in constant loading.
When I go to "System: Trust: Authorities" it shows this error:
So I'm effectively cut off from managing certificates on my box. Even if I can't access certificate management, the certs are still in the system because my HAProxy is working OK with ACME certs and even OpenVPN with internal certs. So there must be some bug when accessing the internal cert storage.
Anybody with same problem here?
I found out that certificates work OK until the upgrade to version 25.7. The last working version is OPNsense 25.1.12-amd64. After the upgrade to 25.7, certificate trust inside OPNsense stops showing certificates, the dashboard plugin "certificates" shows an error and the certificate part of OPNsense is dead :(
Try to restore a backup.
Backup restore didn't have any effect on this problem.
Any filesystem corruption, possibly?
Nope, it's a VM. I even tried a new install and backup import and the result is the same. Are there any changes in how 25.7 handles certs compared to 25.1? Could it be a somehow crippled cert which 25.7 can't chew up? This never happened before through updates and it is a big problem for me, because I use this feature a lot... ACME certs for HAProxy, local CA for client cert access for HAProxy, VPN certs etc.
I have the same issue: error viewing system/trust/authority | certificates. I tried creating a new internal CA and it didn't show up on the Authorities page. However, in the filter selection on the Certificates page, I can see the name of my newly created CA. The existing certificates on my OPNsense server appeared to be still functioning properly.
I came here for the same issue. Once I moved to 25.7, Trust: Certificates and Authorities show an error and spin forever.
There is no response as to how to fix this problem. I have two machines, one under Proxmox and one bare-metal. Both had the same issues after upgrading from 25.1 to 25.7. I just wonder whether most people didn't experience this issue.
It's a bit sensitive to ask for the CA data in your configuration because it also holds private keys. Not sure what the incompatibility is there.
If anyone wants to provide data over PM I'm willing to send instructions to extract via such a PM conversation.
Cheers,
Franco
The bug was found with the help of a user:
# opnsense-patch https://github.com/opnsense/core/commit/d1042bb65e
The bad news is the CA certificate data is probably broken and needs to be fixed manually, but at least now you can see and edit it.
Cheers,
Franco
Thanks a lot, Franco. The patch worked to enable viewing of the "Authorities" and "Certificates" pages. I am not sure about the possibly broken CA data. Everything related to my ACME certificates appeared to work perfectly.
Is there a clear understanding why this issue only impacted some OPNsense deployments?
In all my OPNsense 25.7.4-amd64 deployments, I have several CA and server X.509v3 certificates, signed using sha256WithRSAEncryption, and have zero issues whatsoever....
I don't have an answer to your question. On further inspection of my CA authority after applying the patch, I noticed that the private key was corrupted. I went back to my backup configuration files of a year ago, the private key was already corrupted. I went further back to 2 years ago, mysteriously, the cert part was corrupted while the private key was apparently intact. I pasted the private key of that configuration file to my current private key section and saved it. There was no error reported, maybe implying the private key is compatible with the cert of the CA authority. I am not knowledgeable enough to explain what happened.
I see, so the source of your corruption is not yet identified?
I've had the NordVPN Root CA X.509 cert installed since migrating to the new OpenVPN instance configuration, once I upgraded to 25.7...
I've only recently, in the last several months, deployed additional subordinate CA and server X.509 certs to OPNsense deployments.... I've been through several upgrades since, and no corruption so far.
The bug appears to originate from the acme-client plugin by automatically installing CA certificates into the store. The actual source of why the CA certificate data is corrupted is unknown.
The bug is a wider issue in the API response handling which could affect other parts of the system, but it's a rather fringe case requiring binary data which is unlikely through a JSON return in the API.
Cheers,
Franco
Thx for the patch. I just updated to 25.7.5 and certs are showing up as usual.
What do you think is the outlook/timeframe for resolving this?
Resolving what exactly? These CA certificates cannot be fixed as they appear as runtime-generated user data. The best way to remove these faulty certificates is to remove them manually.
Cheers,
Franco
So, I read your bug description again ("...wider issue in the API response handling which could affect other parts of the system..."). Does it mean that this bug corrupts only CA certs written by the ACME plugin and other CA certs in the OPNsense certificate store aren't affected? Or will all CA certs be somehow affected? And if I remove them manually, what will prevent this from happening all over again if we are currently in the phase "The actual source of why the CA certificate data is corrupted is unknown."? Thx for clarification.
The CA data is corrupted in the config.xml and it causes the API to break. The API could break on any such corrupted data in any part of the config.xml, but it's very unlikely to happen that raw binary data is in the config.xml in the first place.
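A way to find such entries before the API trips over them, as an added example that is not part of the thread or of OPNsense itself: it walks a config.xml, base64-decodes each CA's crt/prvkey field and reports fields that do not decode to clean PEM text. The element names ca, refid, descr, crt and prvkey are assumed to match the OPNsense config layout, and the sample config below is constructed (the "certificate" is a minimal fake ASN.1 SEQUENCE, not a real cert).

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# A PEM block: BEGIN line, base64 body lines, END line with the same label.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n[A-Za-z0-9+/=\r\n]+-----END \1-----")

def check_pem_field(b64_text):
    """Return None if the field decodes to well-formed PEM, else a reason string."""
    if b64_text is None or not b64_text.strip():
        return "missing"
    try:
        raw = base64.b64decode("".join(b64_text.split()), validate=True)
    except binascii.Error:
        return "outer base64 invalid"
    if not PEM_RE.fullmatch(raw.strip()):
        return "decoded data is not PEM text (binary or truncated)"
    # The inner base64 body must be DER starting with an ASN.1 SEQUENCE (0x30).
    lines = raw.strip().splitlines()
    der = base64.b64decode(b"".join(lines[1:-1]))
    if not der or der[0] != 0x30:
        return "inner DER does not start with SEQUENCE"
    return None

def scan_config(xml_text):
    """Return (refid, descr, field, problem) for each faulty CA field.
    A missing prvkey is allowed: imported root CAs carry no private key."""
    problems = []
    for ca in ET.fromstring(xml_text).iter("ca"):
        refid, descr = ca.findtext("refid", "?"), ca.findtext("descr", "?")
        for field in ("crt", "prvkey"):
            problem = check_pem_field(ca.findtext(field))
            if problem and not (field == "prvkey" and problem == "missing"):
                problems.append((refid, descr, field, problem))
    return problems

def _pem(label, der):  # build a PEM block around constructed DER bytes
    return (f"-----BEGIN {label}-----\n".encode() + base64.encodebytes(der)
            + f"-----END {label}-----\n".encode())

FAKE_DER = b"\x30\x03\x02\x01\x01"  # constructed minimal SEQUENCE, not a real cert
GOOD_CRT = base64.b64encode(_pem("CERTIFICATE", FAKE_DER)).decode()
GOOD_KEY = base64.b64encode(_pem("PRIVATE KEY", FAKE_DER)).decode()
BAD_BLOB = base64.b64encode(b"\x00\x82\xff\x13garbage\xc3\x28").decode()  # raw binary
SAMPLE_CONFIG = f"""<opnsense>
<ca><refid>ca1</refid><descr>good-ca</descr><crt>{GOOD_CRT}</crt><prvkey>{GOOD_KEY}</prvkey></ca>
<ca><refid>ca2</refid><descr>broken-ca</descr><crt>{GOOD_CRT}</crt><prvkey>{BAD_BLOB}</prvkey></ca>
<ca><refid>ca3</refid><descr>imported-root</descr><crt>{GOOD_CRT}</crt></ca>
</opnsense>"""

if __name__ == "__main__":
    for refid, descr, field, problem in scan_config(SAMPLE_CONFIG):
        print(f"{refid} ({descr}): <{field}> {problem}")
```

Against a real backup, replace SAMPLE_CONFIG with the file contents; the refid/descr pairs it prints are the entries to inspect or remove by hand.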