
Certificate store does not flag server certificates as in-use, when allocated to an OpenVPN instance (server instance)

Open gcams opened this issue 1 year ago • 1 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
  • [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Describe the bug

When a TLS server certificate is assigned to an OpenVPN server instance (using the new OpenVPN Instances section), the certificate is not correctly flagged as "in-use" in the certificate store, and can therefore be deleted. Once deleted, the server instance will then fail to (re)start because it cannot load the certificate.

To Reproduce

Steps to reproduce the behavior:

  1. Go to https://opnsense_ip/system_certmanager.php
  2. Create a new server certificate (from an existing private CA) for use in a VPN server instance
  3. Go to https://opnsense_ip/ui/openvpn/instances
  4. Create a new server instance
  5. Assign the certificate created in step 2, to the server instance
  6. Save and activate the server instance
  7. Return to https://opnsense_ip/system_certmanager.php
  8. Observe that the "Trash" icon is still present against the certificate, and can be deleted, despite being in-use

Optional steps:

  9. Delete the certificate
  10. Go to https://opnsense/ui/openvpn/status
  11. Click the reload button next to the server instance created in step 5
  12. Observe the server instance will now fail, as the certificate cannot be loaded/read from disk

Expected behavior

In Step 8 above, there should be no ability to delete the certificate, whilst it is assigned to the server instance in step 5. The "Trash" icon should not be shown against the certificate, once it is allocated to an OpenVPN instance.

Screenshots

Certificate allocated to server instance: 2024-01-29 15_17_36-Window

Certificate in certificate store can be deleted: 2024-01-29 15_18_20-Window

Environment

Software version used and hardware type if relevant, e.g.:

OPNsense 23.7.12 (amd64). Intel® Alder Lake N100

gcams avatar Jan 29 '24 15:01 gcams

Maybe in a future version we can think of something better, but currently this information is incomplete. Trying to extend cert_in_use() to support other internal components doesn't look like a great idea as plugins may also depend on them.

https://github.com/opnsense/core/blob/681006cd39aec0b284ebcd2e391f88132d093637/src/etc/inc/certs.inc#L612-L619

AdSchellevis avatar Jan 29 '24 16:01 AdSchellevis
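An operator-side check for the gap discussed above, added here as an example (not part of the thread and not OPNsense code): before deleting a certificate, scan an exported configuration for any element that mentions its refid, which also covers plugin references. The XML layout, the `ExamplePlugin` element and all refids are constructed assumptions, and matching is purely textual.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real dump. Assumed layout: top-level <cert> entries
# keyed by <refid>; an OpenVPN instance and a hypothetical plugin reference them.
SAMPLE_CONFIG = """<opnsense>
  <cert><refid>aaa111</refid><descr>vpn-server</descr></cert>
  <cert><refid>bbb222</refid><descr>plugin-cert</descr></cert>
  <cert><refid>ccc333</refid><descr>unused</descr></cert>
  <OPNsense>
    <OpenVPN><Instances><Instance uuid="constructed-uuid">
      <role>server</role><cert>aaa111</cert>
    </Instance></Instances></OpenVPN>
    <ExamplePlugin><certs>aaa111,bbb222</certs></ExamplePlugin>
  </OPNsense>
</opnsense>"""

def cert_references(config_xml):
    """Map each certificate refid to the config paths that mention it."""
    root = ET.fromstring(config_xml)
    certs = {}
    for entry in root.findall("cert"):
        refid = (entry.findtext("refid") or "").strip()
        if refid:
            descr = (entry.findtext("descr") or "").strip()
            certs[refid] = {"descr": descr, "used_by": []}

    def walk(node, path):
        for child in node:
            child_path = f"{path}/{child.tag}"
            if len(child) == 0:
                # Leaf value: one refid or a comma-separated list of them.
                for token in (child.text or "").split(","):
                    if token.strip() in certs:
                        certs[token.strip()]["used_by"].append(child_path)
            elif not (node is root and child.tag == "cert"):
                # Descend everywhere except the certificate definitions.
                walk(child, child_path)

    walk(root, "")
    return certs

def unreferenced_certs(config_xml):
    """Refids that no other configuration element points at."""
    refs = cert_references(config_xml)
    return sorted(r for r, info in refs.items() if not info["used_by"])

if __name__ == "__main__":
    for refid, info in cert_references(SAMPLE_CONFIG).items():
        print(refid, info["descr"], info["used_by"] or "unreferenced")
```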

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Jul 27 '24 14:07 OPNsense-bot