[UTM 9.7005] Bug ? Certificate management in webadmin

Hi,

I updated one of my test UTMs from 9.6x to 9.7005.

After the update I can't manage certificates in "webserver protection / certificate management" or "Site 2 Site VPN / certificate management"

  • the certificates list is a blank site
  • after 30 sec the well known message pops up "if i want to give additional 30 seconds ..."
  • then nothing else occurs

 

In log files:

  • I can see entries in webadmin.log for each certificate in the system:
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]: |=========================================================================
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]: W Complete chain for: REF_pYMkIGSPGKew
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]: $VAR1 = [
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:           'C=de, ST=xxxxxxxxxx, L=xxxx, O=KVBB, CN=VPN CA-4096, emailAddress=astaro@xxxxx.lan'
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:         ];
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  1. wfe::asg::modules::asg_ca::_get_certificate_chain:1412() /</var/webadmin/webadmin.plx>wfe/asg/modules/asg_ca.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  2. wfe::asg::modules::asg_ca::func_ca_certs:395() /</var/webadmin/webadmin.plx>wfe/asg/modules/asg_ca.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  3. (eval):283() asg.plx
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  4. main::top-level:279() asg.plx

  • after approx. 1 minute:
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]: |=========================================================================
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]: I Got Sigterm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  1. main::__ANON__:103() asg.plx
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  2. (eval):445() IO/Handle.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  3. IO::Handle::read:445() IO/Handle.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  4. RPC::PlServer::Comm::Read:162() /</var/webadmin/webadmin.plx>RPC/PlServer/Comm.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  5. RPC::PlClient::Call:109() /</var/webadmin/webadmin.plx>RPC/PlClient.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  6. RPC::PlClient::Object::Astaro::RPC::get_object:5() (eval 1397)
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  7. (eval):118() /</var/webadmin/webadmin.plx>Astaro/ConfdPlRPC.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  8. Astaro::ConfdPlRPC::AUTOLOAD:116() /</var/webadmin/webadmin.plx>Astaro/ConfdPlRPC.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  9. (eval):1() (eval 8294)
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  10. wfe::asg::modules::asg_connector::AUTOLOAD:314() /</var/webadmin/webadmin.plx>wfe/asg/modules/asg_connector.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  11. wfe::asg::modules::asg_ca::_get_certificate_chain:1405() /</var/webadmin/webadmin.plx>wfe/asg/modules/asg_ca.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  12. wfe::asg::modules::asg_ca::func_ca_certs:395() /</var/webadmin/webadmin.plx>wfe/asg/modules/asg_ca.pm
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  13. (eval):283() asg.plx
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  14. main::top-level:279() asg.plx
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]: |=========================================================================
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]: I exit with 57
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:
    2019:11:04-17:24:09 fw-pap-test01 webadmin[18126]:  1. main::END:593() asg.plx

Maybe this occurs only with many certificates on a system - I have approx. 4000 certs there (for ssl-vpn users)

The Rest-api seems to work - have not tested deeper there until now.

Anyone else with this problem?
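
The following added example (not from the poster or from Sophos) parses webadmin.log text in the format quoted in the post above and reports workers that received SIGTERM while inside `asg_ca::_get_certificate_chain`. The sample log is constructed; the host name, PID and REF_ name in it are made up.

```python
import re

# Constructed sample in the webadmin.log format quoted in the post
# (host name, PID and REF_ name are made up).
SAMPLE_LOG = """\
2019:11:04-17:24:09 utm-test webadmin[4242]: |=====================
2019:11:04-17:24:09 utm-test webadmin[4242]: W Complete chain for: REF_ExampleCert01
2019:11:04-17:24:09 utm-test webadmin[4242]:  1. wfe::asg::modules::asg_ca::_get_certificate_chain:1412() /</var/webadmin/webadmin.plx>wfe/asg/modules/asg_ca.pm
2019:11:04-17:25:10 utm-test webadmin[4242]: |=====================
2019:11:04-17:25:10 utm-test webadmin[4242]: I Got Sigterm
2019:11:04-17:25:10 utm-test webadmin[4242]:
2019:11:04-17:25:10 utm-test webadmin[4242]:  1. main::__ANON__:103() asg.plx
2019:11:04-17:25:10 utm-test webadmin[4242]:  2. wfe::asg::modules::asg_ca::_get_certificate_chain:1405() /</var/webadmin/webadmin.plx>wfe/asg/modules/asg_ca.pm
2019:11:04-17:25:10 utm-test webadmin[4242]: |=====================
2019:11:04-17:25:10 utm-test webadmin[4242]: I exit with 57
"""

LINE = re.compile(r"^(\S+) \S+ webadmin\[(\d+)\]: ?(.*)$")
FRAME = re.compile(r"^\s*\d+\. (\S+?):\d+\(\)")  # " 3. pkg::sub:283() file"

def parse_blocks(text):
    """Group log lines into blocks; each block starts at a '|====' separator."""
    blocks = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, pid, msg = m.groups()
        if msg.startswith("|="):
            blocks.append({"ts": ts, "pid": pid, "msg": None, "frames": []})
        elif blocks:
            frame = FRAME.match(msg)
            if frame:
                blocks[-1]["frames"].append(frame.group(1))
            elif blocks[-1]["msg"] is None and msg.strip():
                blocks[-1]["msg"] = msg.strip()  # e.g. "I Got Sigterm"
    return blocks

def chain_lookup_timeouts(blocks):
    """(timestamp, pid) of workers that got SIGTERM inside the chain lookup."""
    return [(b["ts"], b["pid"]) for b in blocks
            if b["msg"] == "I Got Sigterm"
            and any(f.endswith("asg_ca::_get_certificate_chain") for f in b["frames"])]

def chain_warnings(blocks):
    """Count 'Complete chain for' warnings (the post reports one per certificate)."""
    return sum(1 for b in blocks if (b["msg"] or "").startswith("W Complete chain for:"))

if __name__ == "__main__":
    blocks = parse_blocks(SAMPLE_LOG)
    print(chain_warnings(blocks), chain_lookup_timeouts(blocks))
```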

 



  • What does Sophos Support say?

    • waiting for an answer from support ...

      • Hi  

        Would you please DM me the Support case number?

        Regards

        Jaydeep

        • 3 weeks later - no reaction from support until now ... :(

          • Hello,

            if you contact us, we can try to help you with the problems.

             


            Dirk

            Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
            Sophos Solution Partner since 2003
            If a post solves your question, click the 'Verify Answer' link at this post.

            • hello,

              I have the exact same problem.

              Is there a solution/workaround?

              I need to upload a new certificate and I'm not able to do it. 

              As a workaround, is it possible to upload a .pfx through terminal?

              Thanks

              • Hi Eusebiu,

                no solution or workaround from Sophos until now.

                But there must be a way over the Rest-API from UTM.

                If you have support, open a case @Sophos and refer to my case with nr. 9394118

                @Sophos: can you post us the necessary rest-requests against the api to upload a certificate as a workaround until a solution is available?

                I had contact with Sophos last week - but no solution until now ...

                Regards

                Stefan

                • I remember having problems a year ago with downloading certificates because there were parentheses in the name: Modify a certificate at the command line so that it can be downloaded in WebAdmin in 9.510.  Does that resolve your issue?

                  Cheers - Bob 

                   
                  Sophos UTM Community Moderator
                  Sophos Certified Architect - UTM
                  Sophos Certified Engineer - XG
                  Gold Solution Partner since 2005
                  MediaSoft, Inc. USA
                  • Thanks for the hint Bob, but I think we have another problem, added with the new support for certificate chains in 9.7.

                    Getting Certificates over the Rest-API is no problem.

                    But I have no idea how to upload a pkcs12 to utm this way. This would be a workaround until the certificate management tab in webadmin works again (if you have a lot of users)

                     

                    Regards Stefan

                    • Got one workaround:

                      If you have more than 755 the certificates tab is not working anymore. If you delete a user the corresponding certificate will be deleted too. I had to delete users till I got to 750 certificates.

                      From what I observed there is a TTL at 60 sec. If the certificates tab is needing more than 60 seconds then the process is dead.

                      So, I assume you have to delete till you get under 60 sec. For me that was 750 certificates.

                      • I think it is not really a workaround (for me) to delete users with their certificates until it works. This will only work if you have no use for the certificates of the users ...

                        The users you can create again. Maybe automatically on backend login or per rest-api. - But every user will get a new certificate and can't login per ssl-vpn ...

                         

                        • Hi  

                          I will get in touch with the case owner for this. Please allow me some time.

                          Regards

                          Jaydeep

                      • Hello All,

                        A Bug ID was created NUTM-11561 for the behavior "Unable to load certificate list in webadmin when large number of certificates present" and a fix is planned in version 9.702 as of now. 

                        I will update the thread as soon as I have further information.

                        Regards

                        Jaydeep

                        • 9.702-1 is out with "High urgency" flag but does not list the "NUTM-11561" Bug Fix you describe. In fact, 9.702-1 only mentions fixing NUTM-11688 [RED_Firmware] RED50 flash corruption fixes.

                          Do you know if NUTM-11561 Bug is resolved in 9.702-1 or not?

                          • Hi  

                            No, it's not fixed in 9.702. It is likely to be available in 9.703 version.

                            Regards

                            Jaydeep

                            • Is the only way to get a NEW Certificate Uploaded to your Sophos UTM at this point to contact Sophos Support if you are running into this issue?  I have a WebAdmin certificate that is expiring soon and will need updated ASAP.
