This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[UTM 9.7005] Bug ? Certificate management in webadmin

Hi,

i updated one of my test-utm from 9.6x to 9.7005.

After the update i cant manage certificates in "webserver protection / certificate management" or "Site 2 Site 'VPN / certificate management"

  • the certificates list is a blank site
  • after 30 sec the well known message  pops up "if i want to give addidional 30 seconds ..."
  • then nothing els occours

 

in log files:

  • i can see entrys in webadmin.log for each certificate in system:
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]: |=========================================================================
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]: W Complete chain for: REF_pYMkIGSPGKew
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]: $VAR1 = [
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:           'C=de, ST=xxxxxxxxxx, L=xxxx, O=KVBB, CN=VPN CA-4096, emailAddress=astaro@xxxxx.lan'
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:         ];
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  1. wfe::asg::modules::asg_ca::_get_certificate_chain:1412() /</var/webadmin/webadmin.plx>wfe/asg/modules/asg_ca.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  2. wfe::asg::modules::asg_ca::func_ca_certs:395() /</var/webadmin/webadmin.plx>wfe/asg/modules/asg_ca.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  3. (eval):283() asg.plx
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  4. main::top-level:279() asg.plx

  • after aprox 1 minute:
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]: |=========================================================================
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]: I Got Sigterm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  1. main::__ANON__:103() asg.plx
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  2. (eval):445() IO/Handle.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  3. IO::Handle::read:445() IO/Handle.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  4. RPC::PlServer::Comm::Read:162() /</var/webadmin/webadmin.plx>RPC/PlServer/Comm.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  5. RPC::PlClient::Call:109() /</var/webadmin/webadmin.plx>RPC/PlClient.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  6. RPC::PlClient::Object::Astaro::RPC::get_object:5() (eval 1397)
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  7. (eval):118() /</var/webadmin/webadmin.plx>Astaro/ConfdPlRPC.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  8. Astaro::ConfdPlRPC::AUTOLOAD:116() /</var/webadmin/webadmin.plx>Astaro/ConfdPlRPC.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  9. (eval):1() (eval 8294)
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  10. wfe::asg::modules::asg_connector::AUTOLOAD:314() /</var/webadmin/webadmin.plx>wfe/asg/modules/asg_connector.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  11. wfe::asg::modules::asg_ca::_get_certificate_chain:1405() /</var/webadmin/webadmin.plx>wfe/asg/modules/asg_ca.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  12. wfe::asg::modules::asg_ca::func_ca_certs:395() /</var/webadmin/webadmin.plx>wfe/asg/modules/asg_ca.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  13. (eval):283() asg.plx
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  14. main::top-level:279() asg.plx
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]: |=========================================================================
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]: I exit with 57
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  1. main::END:593() asg.plx

Maybee this occurs only with many certificates on a system - i have aprox. 4000 certs there (for ssl-vpn users)

The Rest-api seems to work - have not tested deeper there until now.

anyone else with this problem?

 



This thread was automatically locked due to age.
Parents Reply Children
  • Hi Eusebiu,

    no solution or workaround from Sohos until now.

    But there must be a way over the Rest-API from UTM.

    If you have Support open a case @Sophos and refer to my case with nr. 9394118

     

    @Sophos: can you post us the neccesary rest-requests against the api to upload a certificate as a workaround until a solution is available?

    I had contact with Sophos last week - but no solution so until now ...

    Regards

    Stefan

  • I remember having problems a year ago with downloading certificates because there were parentheses in the name: Modify a certificate at the command line so that it can be downloaded in WebAdmin in 9.510.  Does that resolve your issue?

    Cheers - Bob 

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the hint Bob, but i think we have an other problem added with the new support for certifikate chains in 9.7.

    Getting Certificates over the Rest-API is no problem.

    But i have no idea how to upload a pkcs12 to utm this way. This would be a workaround until the certificate management tab in webadmin works again (if you have a lot of users)

     

    Regards Stefan

  • Got on workaround:

    If you have more than 755 the certificates tab is not working anymore. If you delete a user the coresponding certificate will be deleted too. I had to delete users till i got to 750 certificates.

     

    From what I observed there is a TTL at 60 sec. If the certificates tab is needing more than 60 seconds then the process is dead.

    So, I assume you have tot delete till you get under 60sec. for me that was 750 certificates.

  • I think it is not realy a workaround (for me) to delete users with there certertificates until it works. This will only work if you have no use for the certificates of the users ...

    The users you can create again. Maybe automaticaly on backendlogin or per rest-api. - But every user wil get a new certificate and cant login per ssl-vpn ...

     

  • Hi  

    I will get in touch with the case owner for this. Please allow me some time.

    Regards

    Jaydeep