OPNsense certificates showing error after update from 25.1 to 25.7

Started by HatalaTitla48, August 15, 2025, 11:19:43 PM

The bug appears to originate from the acme-client plugin by automatically installing CA certificates into the store. The actual source of why the CA certificate data is corrupted is unknown.

The bug is a wider issue in the API response handling which could affect other parts of the system, but it's a rather fringe case requiring binary data which is unlikely through a JSON return in the API.


Cheers,
Franco

Thx for the patch. I just updated to 25.7.5 and certs are showing up as usual.
What do you think is the outlook/timeframe for resolving this?

Resolving what exactly? These CA certificates cannot be fixed as they appear as runtime-generated user data. The best way to remove these faulty certificates is to remove them manually.


Cheers,
Franco

So, I read your bug description again: "...wider issue in the API response handling which could affect other parts of the system...". Does it mean that this bug corrupts only CA certs written by the acme plugin and other CA certs in the OPNsense certificate store aren't affected? Or will all CA certs be somehow affected? And if I remove them manually, what will prevent this from happening all over again if we are currently in the phase "The actual source of why the CA certificate data is corrupted is unknown."? Thx for clarification.

The CA data is corrupted in the config.xml and it causes the API to break. The API could break on any such corrupted data in any part of the config.xml, but it's very unlikely to happen that raw binary data is in the config.xml in the first place.
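
Added example, not part of the thread and not OPNsense project code: a read-only check that lists CA entries in a config.xml whose certificate data does not decode to PEM text, as a way to find candidates for the manual removal mentioned above. The thread does not say what the corrupted data looks like, so the test for "raw binary" is a heuristic. It assumes CA entries are `<ca>` children of the root element with `<refid>`, `<descr>` and a base64-encoded PEM `<crt>`; the sample config is constructed.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

def check_crt(b64_text):
    """Return None if the field decodes to a PEM certificate, else a reason."""
    try:
        raw = base64.b64decode("".join((b64_text or "").split()), validate=True)
    except (binascii.Error, ValueError):
        return "crt field is not valid base64"
    try:
        pem = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "decoded crt contains raw binary data (not UTF-8 text)"
    if PEM_BEGIN not in pem or PEM_END not in pem:
        return "decoded crt has no PEM certificate markers"
    body = pem.split(PEM_BEGIN, 1)[1].split(PEM_END, 1)[0]
    try:
        base64.b64decode("".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        return "PEM body is not valid base64"
    return None

def find_faulty_cas(config_xml):
    """Return [(refid, descr, reason)] for each <ca> entry that fails check_crt."""
    root = ET.fromstring(config_xml)
    faulty = []
    for ca in root.findall("ca"):  # assumed layout: <ca> directly under the root
        reason = check_crt(ca.findtext("crt"))
        if reason:
            faulty.append((ca.findtext("refid"), ca.findtext("descr"), reason))
    return faulty

def _sample():
    """Constructed config: one well-formed CA entry, one holding binary bytes."""
    der = base64.b64encode(b"constructed DER stand-in").decode()
    good = base64.b64encode(f"{PEM_BEGIN}\n{der}\n{PEM_END}\n".encode()).decode()
    bad = base64.b64encode(b"\x30\x82\x03\xff\xfe binary").decode()
    return (f"<opnsense><ca><refid>aaa</refid><descr>good CA</descr><crt>{good}</crt></ca>"
            f"<ca><refid>bbb</refid><descr>faulty CA</descr><crt>{bad}</crt></ca></opnsense>")

if __name__ == "__main__":
    for refid, descr, reason in find_faulty_cas(_sample()):
        print(f"{refid}\t{descr}\t{reason}")
```

Run it against a copy of the configuration rather than the live file; it only reports entries and changes nothing.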