security/acme-client: SFTP/SSH automation results in fatal PHP error #4363

Open
UG-N opened this issue Nov 21, 2024 · 4 comments · May be fixed by #4383
@UG-N

UG-N commented Nov 21, 2024

Important notices
Before you add a new report, we ask you kindly to acknowledge the following:

Describe the bug
We are using the automatisation feature "upload certificate via SFTP" to a Windows server with openssl.
The "Test connection" is working fine with every Identity Type (ed25519, RSA and ECDSA) but the real automatisation results in a fatal PHP error (firmware crash).

To Reproduce
Steps to reproduce the behavior:

  1. Go to ACME Client -> Automatisation
  2. Configure the SFTP Upload to an SSH Server
  3. Go to ACME Client -> Certificate and select a certificate
  4. Add the created Automatisation to a certificate and run the automatisation
  5. Wait a few seconds and then check the firmware crash log in the system status section in the top right corner (it will become red)

Relevant log files
System Information:

User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
FreeBSD 14.1-RELEASE-p6 stable/24.7-n267939-fd5bc7f34e1 SMP amd64
OPNsense 24.7.9_1 b41ccdc9f
Plugins os-acme-client-4.6 os-dmidecode-1.1_1 os-haproxy-4.3_1 os-iperf-1.0_2 os-smart-2.3 os-theme-cicada-1.38 os-theme-rebellion-1.9.1 os-theme-tukan-1.28 os-theme-vicuna-1.48 os-vnstat-1.3_1
Time Thu, 21 Nov 2024 22:21:26 +0100
OpenSSL 3.0.15
Python 3.11.10
PHP 8.2.25

PHP Errors:

[21-Nov-2024 22:21:16 Europe/Berlin] PHP Fatal error: Uncaught TypeError: OPNsense\AcmeClient\SSHKeys::getKnownHostKey(): Argument #2 ($port) must be of type int, string given, called in /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/SSHKeys.php on line 134 and defined in /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/SSHKeys.php:355
Stack trace:
#0 /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/SSHKeys.php(134): OPNsense\AcmeClient\SSHKeys->getKnownHostKey('192.168.200.17', '')
#1 /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/SftpClient.php(78): OPNsense\AcmeClient\SSHKeys->trustHost('192.168.200.17', false, '')
#2 /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php(325): OPNsense\AcmeClient\SftpClient->connect('192.168.200.17', 'Administrator', '', '')
#3 /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php(268): connectWithServer(Array, NULL)
#4 /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php(231): uploadCertificatesToHost(Array)
#5 /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/Utils.php(277): commandUpload(Array)
#6 /usr/local/opnsense/scripts/OPNsense/AcmeClient/upload_sftp.php(562): OPNsense\AcmeClient\Utils::runCLIMain('help', 'getOptionsById', Array, 0, 255)
#7 {main}
thrown in /usr/local/opnsense/mvc/app/library/OPNsense/AcmeClient/SSHKeys.php on line 355

Environment
OPNsense 24.7.9_1-amd64
FreeBSD 14.1-RELEASE-p6
OpenSSL 3.0.15

@OPNsense-bot

Thank you for creating an issue.
Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository,
please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

OPNsense-bot added the incomplete (Issue template missing info) label Nov 21, 2024
@UG-N
Author

UG-N commented Nov 26, 2024

We have found out where the error is coming from:

In the automation “sftp upload” there is the field “Port”.
If you leave this empty, port 22 should be used according to the GUI, but this is not the case. If you leave the field for the port empty, the automation generates a firmware crash.

You have to enter the port used for the SFTP automation in the ACME client, even if this does not differ from port 22, then it works.

This is clearly a bug
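
An added illustration of the failure mode reported above (not the plugin's code and not the linked patch): an empty "Port" field reaches an `int`-typed parameter as `''` and raises a `TypeError`, while normalizing the raw value first yields the default port. The function names `lookupKnownHostKey` and `normalizePort`, the host `192.0.2.10` and the sample inputs are hypothetical.

```php
<?php
// Hypothetical stand-in for a lookup that declares an int port, like the
// getKnownHostKey() signature named in the stack trace. Not the plugin's code.
function lookupKnownHostKey(string $host, int $port): string
{
    // Illustrative key: OpenSSH known_hosts writes non-default ports as [host]:port.
    return $port === 22 ? $host : sprintf('[%s]:%d', $host, $port);
}

// Hypothetical helper: turn a raw form/config value into a valid TCP port.
function normalizePort(mixed $raw, int $default = 22): int
{
    // An empty or missing field means "use the default port".
    if ($raw === null || (is_string($raw) && trim($raw) === '')) {
        return $default;
    }
    // Accept only whole numbers in the valid TCP port range.
    $port = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    if ($port === false) {
        throw new InvalidArgumentException('invalid port: ' . var_export($raw, true));
    }
    return $port;
}

// Constructed sample values for the "Port" field.
foreach (['', '22', '2222', '0', '70000', '22abc'] as $raw) {
    try {
        $key = lookupKnownHostKey('192.0.2.10', normalizePort($raw));
        printf("%-8s -> %s\n", var_export($raw, true), $key);
    } catch (InvalidArgumentException $e) {
        printf("%-8s -> rejected: %s\n", var_export($raw, true), $e->getMessage());
    }
}

// Passing the raw empty string straight through fails as in the report,
// because '' is not a numeric string and cannot be coerced to int.
try {
    lookupKnownHostKey('192.0.2.10', '');
} catch (TypeError $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```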

fraenki self-assigned this Nov 29, 2024
fraenki added a commit to fraenki/plugins that referenced this issue Dec 3, 2024
fraenki changed the title from "ACME Client Automatisations results in fatal PHP error" to "security/acme-client: SFTP/SSH automation results in fatal PHP error" Dec 3, 2024
fraenki added the bug (Production bug) label Dec 3, 2024
@fraenki
Member

fraenki commented Dec 3, 2024

Would you please test the following patch?

opnsense-patch -c plugins 3a09ff073

fraenki linked a pull request Dec 3, 2024 that will close this issue
fraenki removed the incomplete (Issue template missing info) label Dec 3, 2024
@UG-N
Author

UG-N commented Dec 6, 2024

We installed the patch, but the same error occurs.
