OPNsense certificates showing error after update from 25.1 to 25.7

Started by HatalaTitla48, August 15, 2025, 11:19:43 PM

After the update to 25.7, the Certificates plugin in the dashboard stopped showing certs and gets stuck in constant loading.
When I go to "System: Trust: Authorities" it shows this error:
So I'm effectively cut off from managing certificates on my box. Even if I can't access certificate management, the certs are still in the system, because my HAProxy is working OK with ACME certs and even OpenVPN with internal certs. So there must be some bug when accessing the internal cert storage.
Anybody with same problem here?

I found out that certificates work OK until the upgrade to version 25.7. The last working version is OPNsense 25.1.12-amd64. After the upgrade to 25.7, the certificate trust inside OPNsense stops showing certificates, the dashboard plugin "Certificates" shows an error, and the certificate part of OPNsense is dead :(
Any filesystem corruption, possibly?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Nope, it's a VM. I even tried a new install and backup import, and the result is the same. Are there any changes in how 25.7 handles certs compared to 25.1? Could it be a somehow crippled cert which 25.7 can't chew up? This never happened before through updates, and it is a big problem for me, because I use this feature a lot: ACME certs for HAProxy, a local CA for client cert access for HAProxy, VPN certs, etc.

I have the same issue: error viewing System: Trust: Authorities | Certificates. I tried creating a new internal CA and it didn't show up in the Authorities page. However, in the filter selection on the Certificates page, I can see the name of my newly created CA. The existing certificates on my OPNsense server appear to still be functioning properly.

I came here for the same issue. Once I moved to 25.7, Trust: Certificates and Authorities shows an error and spins forever.

There is no response as to how to fix this problem. I have two machines, one under Proxmox and one bare-metal. Both had the same issue after upgrading from 25.1 to 25.7. I just wonder whether most people didn't experience this issue.

It's a bit sensitive to ask for the CA data in your configuration because it also holds private keys. Not sure what the incompatibility is there.

If anyone wants to provide data over PM I'm willing to send instructions to extract via such a PM conversation.


Cheers,
Franco

The bug was found with the help of a user:

# opnsense-patch https://github.com/opnsense/core/commit/d1042bb65e

The bad news is the CA certificate data is probably broken and needs to be fixed manually, but at least now you can see and edit it.


Cheers,
Franco

Thanks a lot, Franco. The patch worked to enable viewing of the "Authorities" and "Certificates" pages. I am not sure about the possibly broken CA data. Everything related to my ACME certificates appears to work perfectly.

Is there a clear understanding of why this issue only impacted some OPNsense deployments?

In all my OPNsense 25.7.4-amd64 deployments, I have several CA and server X.509v3 certificates, signed using sha256WithRSAEncryption, and am having zero issues whatsoever....
OPNsense 25.7.5-amd64 running on ESXi 6.7 U2 VM, 4Gbytes RAM, 2 x vCPU
frr OSPF + eBGP, IDS, AdGuard Home, sftp-backup plugins. limited kea DHCP server deployment.

I don't have an answer to your question. On further inspection of my CA authority after applying the patch, I noticed that the private key was corrupted. I went back to my backup configuration files from a year ago; the private key was already corrupted. I went further back, to 2 years ago, and mysteriously the cert part was corrupted while the private key was apparently intact. I pasted the private key from that configuration file into my current private key section and saved it. There was no error reported, maybe implying the private key is compatible with the cert of the CA authority. I am not knowledgeable enough to explain what happened.
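
A way to find out which trust entry in a backup is damaged, and in which field, without pasting private key material into a forum or a PM (this is an added example, not code from OPNsense or from anyone in this thread). It assumes the layout of an OPNsense config.xml backup in which each <ca> and <cert> element stores the PEM text base64-encoded in <crt> and <prv> children, and it checks structure only: a complete BEGIN/END pair, valid base64 in the PEM body, and a DER outer SEQUENCE whose length matches the payload, which is what a truncated or hand-mangled blob usually fails. The embedded sample config is constructed for the example, with tiny synthetic DER bodies standing in for real certificates and keys. Pass the path of a real backup as the first argument to audit it; the script prints only descriptions and status, never key bytes. It does not prove that a key belongs to its certificate; for that, decode the two fields and compare them with openssl.

```python
import base64
import re
import sys
import xml.etree.ElementTree as ET

# One complete PEM block: label in group 1, base64 body in group 2, END label must match BEGIN.
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_length_ok(der):
    """True if der is one outer SEQUENCE (tag 0x30) whose encoded length covers exactly the rest."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        length, hdr = first, 2
    else:                                 # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        hdr = 2 + n
    return hdr + length == len(der)


def check_pem(pem, expected):
    """Return 'ok' or a reason. expected is 'CERTIFICATE' or 'KEY' (matches 'PRIVATE KEY', 'RSA PRIVATE KEY', ...)."""
    m = PEM_RE.search(pem)
    if not m:
        return "no complete PEM block (missing/mismatched BEGIN or END line)"
    label, body = m.group(1), m.group(2)
    if not label.endswith(expected):
        return "unexpected PEM label %r" % label
    try:
        der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        return "PEM body is not valid base64"
    if not der_length_ok(der):
        return "DER outer SEQUENCE length does not match payload (truncated or corrupted)"
    return "ok"


def decode_field(text):
    """Assumption: config.xml stores the PEM text base64-encoded. Return '' when the field is not base64."""
    try:
        return base64.b64decode(text.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""


def audit_config(xml_text):
    """List (section, descr, field, status) for every crt/prv of every <ca> and <cert>. Never returns key bytes."""
    root = ET.fromstring(xml_text)
    results = []
    for section in ("ca", "cert"):
        for entry in root.iter(section):
            descr = (entry.findtext("descr") or "").strip()
            for field, expected in (("crt", "CERTIFICATE"), ("prv", "KEY")):
                raw = entry.findtext(field)
                if raw is None or not raw.strip():
                    continue              # an entry without a private key (imported CA) is legitimate
                pem = decode_field(raw)
                status = check_pem(pem, expected) if pem else "field is not valid base64"
                results.append((section, descr, field, status))
    return results


def broken_entries(xml_text):
    """Only the (section, descr, field) triples that failed a check."""
    return [(s, d, f) for s, d, f, st in audit_config(xml_text) if st != "ok"]


# ---- constructed sample, not a real backup: synthetic DER bodies instead of certificates ----
def pem_wrap(label, der):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der).decode(), label)


def b64(text):
    return base64.b64encode(text.encode()).decode()


GOOD_DER = bytes.fromhex("3003020105")    # SEQUENCE { INTEGER 5 }: structurally valid DER
BAD_DER = bytes.fromhex("3010020105")     # length byte claims 16 bytes, only 3 follow
SAMPLE_CONFIG = """<opnsense>
  <ca><refid>aaa</refid><descr>Good internal CA</descr>
    <crt>%s</crt><prv>%s</prv></ca>
  <ca><refid>bbb</refid><descr>Corrupted CA</descr>
    <crt>%s</crt><prv>%s</prv></ca>
  <cert><descr>Imported cert without key</descr><crt>%s</crt></cert>
</opnsense>""" % (
    b64(pem_wrap("CERTIFICATE", GOOD_DER)),
    b64(pem_wrap("PRIVATE KEY", GOOD_DER)),
    b64(pem_wrap("CERTIFICATE", GOOD_DER)[:-20]),   # END line cut off, as a truncated paste would be
    b64(pem_wrap("PRIVATE KEY", BAD_DER)),
    b64(pem_wrap("CERTIFICATE", GOOD_DER)),
)

if __name__ == "__main__":
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for section, descr, field, status in audit_config(xml_text):
        print("%-4s %-30s %-3s %s" % (section, descr, field, status))
```

On the sample this flags both fields of "Corrupted CA" and nothing else. A status of "ok" means only that the blob is well-formed enough to parse; an entry that parses but whose key no longer matches its certificate still needs the openssl comparison mentioned above.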

I see, so the source of your corruption is not yet identified?

I've had the NordVPN Root CA X.509 cert installed since migrating to the new OpenVPN instance configuration, once I upgraded to 25.7...

I've only recently, in the last several months, deployed additional subordinate CA and server X.509 certs to my OPNsense deployments.... I've been through several upgrades since, and no corruption so far.