No more able to sign my SSL certificates

Started by Rajstopy, October 22, 2022, 08:21:09 AM

Dear all,

I've upgraded to OPNsense version 22.7.6 and since then, I'm no longer able to sign my SSL certificates for my internal PKI.  :-[

This is what I do:

System > Trust > Certificates > Sign a Certificate Signing Request

The Show Details looks great.

Then Next and I get the message Unknown Error Occurred. Try Again.

The crash reporter indicates the following:

[22-Oct-2022 07:57:33 Europe/Paris] PHP Fatal error:  Uncaught Error: Call to undefined method phpseclib3\File\X509::getOID() in /usr/local/www/system_certmanager.php:134
Stack trace:
#0 /usr/local/www/system_certmanager.php(411): parse_csr('-----BEGIN CERT...')
#1 {main}
  thrown in /usr/local/www/system_certmanager.php on line 134


User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.4 Safari/605.1.15
FreeBSD 13.1-RELEASE-p2 stable/22.7-n250239-dde4437e8f2 SMP amd64
OPNsense 22.7.6 2eef9015b
Plugins os-net-snmp-1.5_1 os-ntopng-1.2_1 os-redis-1.1_1 os-vmware-1.5_1 os-zabbix-agent-1.13
Time Sat, 22 Oct 2022 08:00:50 +0200
OpenSSL 1.1.1q  5 Jul 2022
Python 3.9.14
PHP 8.0.24


I'm just stuck at that stage, because I have a lot of clients relying on this authority  :-\

Any idea?

Cheers


Digging a little bit more into it, here is the pkg check output.

Do you think this may be linked?

root@mercure:~ # pkg check -da
Checking all packages: 100%
py37-markupsafe has a missing dependency: python37
py37-markupsafe has a missing dependency: py37-setuptools
py37-markupsafe is missing a required shared library: libpython3.7m.so.1.0

>>> Missing package dependencies were detected.
>>> Found 2 issue(s) in the package database.

pkg: No packages available to install matching 'python37' have been found in the repositories
pkg: No packages available to install matching 'py37-setuptools' have been found in the repositories
>>> Summary of actions performed:

python37 dependency failed to be fixed
py37-setuptools dependency failed to be fixed

>>> There are still missing dependencies.
>>> Try fixing them manually.

>>> Also make sure to check 'pkg updating' for known issues.

October 22, 2022, 10:16:54 AM #2 Last Edit: October 22, 2022, 10:19:53 AM by franco
phpseclib version 3 is a gift that keeps on giving. The quality drop of the library is staggering. Much to the point where we shall not even recommend or endorse its use any longer.

getOID() changes for version 3 are not documented:

https://github.com/phpseclib/phpseclib/blob/master/CHANGELOG.md

It looks like it moved to ASN1 class... patch here:

https://github.com/opnsense/core/commit/854350f14bc

# opnsense-patch 854350f14bc

(not entirely sure if working just yet, cannot verify myself before Monday)


Cheers,
Franco

Franco, you are just amazing  ;D

I'm able to sign my certs again.

Cheers


Quote from: franco on October 22, 2022, 10:16:54 AM


# opnsense-patch 854350f14bc



Thanks for confirming. Not sure about amazing, but in any case we will make sure to add this to 22.7.7.


Cheers,
Franco