OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: XeroX on August 19, 2021, 03:08:28 pm

Title: SSL Certificates signing | Error 500
Post by: XeroX on August 19, 2021, 03:08:28 pm
Hello,
currently running latest OPNsense 21.7.

I'm not able to sign certificates anymore (Internal Certificate Signing). Trying to sign a certificate results in "500 Internal Server Error".

Code:
2021-08-19T15:00:47 lighttpd[38924] (gw_backend.c.2275) response not received, request sent: 2438 on socket: unix:/tmp/php-fastcgi.socket-1 for /system_certmanager.php?act=new, closing connection
2021-08-19T15:00:47 lighttpd[38924] (mod_fastcgi.c.419) unexpected end-of-file (perhaps the fastcgi process died):pid: 49810 socket: unix:/tmp/php-fastcgi.socket-1
2021-08-19T14:59:29 lighttpd[38924] (gw_backend.c.2275) response not received, request sent: 2396 on socket: unix:/tmp/php-fastcgi.socket-1 for /system_certmanager.php?act=new, closing connection
2021-08-19T14:59:29 lighttpd[38924] (mod_fastcgi.c.419) unexpected end-of-file (perhaps the fastcgi process died):pid: 49810 socket: unix:/tmp/php-fastcgi.socket-1

Anyone able to verify if this is a general problem or just mine?

Cheers
Title: Re: SSL Certificates signing | Error 500
Post by: franco on August 19, 2021, 03:15:12 pm
It's a bug in the PHP version that came with 21.7.1 in LibreSSL only and will be fixed with 21.7.2. If you need to create new certificates you need to switch to OpenSSL for the time being.


Cheers,
Franco
Title: Re: SSL Certificates signing | Error 500
Post by: XeroX on August 19, 2021, 03:57:43 pm
Thank you franco.

I will wait till 21.7.2. I prefer LibreSSL. Time has shown it's more reliable and more secure (from my perspective).

Is there any patch I can apply and test?
Title: Re: SSL Certificates signing | Error 500
Post by: apsandreas on September 01, 2021, 03:48:42 pm
Same applies to me. Is there an immediate fix for it?
Title: Re: SSL Certificates signing | Error 500
Post by: franco on September 01, 2021, 03:51:28 pm
Yes, use OpenSSL flavour. It's as good an immediate fix as there is.


Cheers,
Franco
Title: Re: SSL Certificates signing | Error 500
Post by: apsandreas on September 01, 2021, 03:55:13 pm
Yes, I read that. But is there a workaround that does NOT require a reboot? This is our main gateway - I cannot do it now as it drops about 50 VPN connections not to speak of the phone / video conferences... :(

Title: Re: SSL Certificates signing | Error 500
Post by: fabian on September 01, 2021, 06:31:12 pm
This just creates a key pair, a CSR and signs it with the CA. In theory, you can download the CA certificate and key and perform the same actions locally. Afterwards, you would have to upload the new certificate and optionally the key to use the certificate in OPNsense.
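
The local procedure described in the post above (key pair, CSR, CA signature), sketched with the openssl CLI as an added example; it is not part of the original thread and not OPNsense's own code. The throwaway CA, the host name vpn.example.test and the function names are constructed for illustration; in practice ca.crt and ca.key would be the CA files exported from OPNsense.

```shell
#!/bin/sh
set -eu

# Constructed stand-in for the CA certificate and key exported from the firewall.
make_test_ca() {  # usage: make_test_ca DIR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$1/ca.ext"
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 30 -sha256 \
        -extfile "$1/ca.ext" -out "$1/ca.crt"
}

# Create a server key and CSR, then sign the CSR with the CA in DIR.
sign_locally() (  # usage: sign_locally DIR HOSTNAME (runs in a subshell)
    dir=$1 host=$2
    umask 077   # keep the new private key readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr"
    # Extensions come from this file; x509 -req does not copy them from the CSR.
    cat > "$dir/$host.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/$host.ext" \
        -out "$dir/$host.crt"
)

# Succeeds only if the certificate chains to the CA and matches the private key.
check_cert() {  # usage: check_cert DIR HOSTNAME
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null || return 1
    a=$(openssl x509 -in "$1/$2.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$1/$2.key" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

# Demo on constructed data in a scratch directory.
work=$(mktemp -d)
make_test_ca "$work"
sign_locally "$work" vpn.example.test
check_cert "$work" vpn.example.test && echo "certificate OK: $work/vpn.example.test.crt"
```

The exported CA key can sign for anything that trusts the CA, so keep the working directory on an encrypted or scratch volume and delete the local copy once the new certificate is uploaded.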
Title: Re: SSL Certificates signing | Error 500
Post by: apsandreas on September 02, 2021, 08:37:41 am
I changed to OpenSSL. It even worked without a reboot, so there was no downtime involved when I did it.
Title: Re: SSL Certificates signing | Error 500
Post by: franco on September 02, 2021, 09:42:11 am
Ok, nice to hear.


Cheers,
Franco