SSL Certificates signing | Error 500

Started by XeroX, August 19, 2021, 03:08:28 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
August 19, 2021, 03:08:28 PM
Hello,
currently running latest OPNSense 21.7.

I'm not able to sign certificates anymore (Internal Certificate Signing). Trying to sign a certificate results in "500 Internal Server Error"

Code Select
2021-08-19T15:00:47 lighttpd[38924] (gw_backend.c.2275) response not received, request sent: 2438 on socket: unix:/tmp/php-fastcgi.socket-1 for /system_certmanager.php?act=new, closing connection
2021-08-19T15:00:47 lighttpd[38924] (mod_fastcgi.c.419) unexpected end-of-file (perhaps the fastcgi process died):pid: 49810 socket: unix:/tmp/php-fastcgi.socket-1
2021-08-19T14:59:29 lighttpd[38924] (gw_backend.c.2275) response not received, request sent: 2396 on socket: unix:/tmp/php-fastcgi.socket-1 for /system_certmanager.php?act=new, closing connection
2021-08-19T14:59:29 lighttpd[38924] (mod_fastcgi.c.419) unexpected end-of-file (perhaps the fastcgi process died):pid: 49810 socket: unix:/tmp/php-fastcgi.socket-1

Anyone able to verify if this is a general problem or just mine?

Cheers
August 19, 2021, 03:15:12 PM #1
It's a bug in PHP version that came with 21.7.1 in LibreSSL only and will be fixed with 21.7.2. If you need to create new certificates you need to switch to OpenSSL for the time being.


Cheers,
Franco
August 19, 2021, 03:57:43 PM #2 Last Edit: August 19, 2021, 04:04:28 PM by XeroX
Thank you franco.

I will wait till 21.7.2. I prefer LibreSSL. Time has shown its more reliable and more secure (from my perspective).

Is there any patch I can apply and test?
September 01, 2021, 03:48:42 PM #3
Same applies to me. Is there an immediate fix for it?
September 01, 2021, 03:51:28 PM #4
Yes, use OpenSSL flavour. It's as good an immediate fix as there is.


Cheers,
Franco
September 01, 2021, 03:55:13 PM #5
Yes I read that. But is there a workaround that does NOT require a reboot? This is our main gateway - i cannot do it now as it drops about 50 VPN connections not to speak of the phone / video conferences... :(

September 01, 2021, 06:31:12 PM #6
This just creates a key pair, a CSR and signs it with the CA. In theory, you can download the CA certificate and key and perform the same actions locally. Afterwards, you would have to upload the new certificate and optionally the key to use the certificate in OPNsense.
September 02, 2021, 08:37:41 AM #7
I changed to OpenSSL. It even worked without a reboot, so there was no downtime involved when I did it.
September 02, 2021, 09:42:11 AM #8
Ok, nice to hear.


Cheers,
Franco
Print
Go Up Pages1
User actions