security/acme-client: Node no longer exists warnings #333

Closed
seitzbg opened this issue Oct 23, 2017 · 12 comments · Fixed by #682

@seitzbg

seitzbg commented Oct 23, 2017

I keep getting the following bug on my dashboard :(

[22-Oct-2017 00:00:02 Etc/UTC] PHP Warning: cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122
[23-Oct-2017 00:00:02 Etc/UTC] PHP Warning: cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122

This is with the latest version of OPNsense as well. Any help appreciated!

@fichtner
Member

It's a warning caused by the garbage collector of PHP 7 and it's harmless. We have, however, not found any clues as to how it can be fixed; there is some info available on the web but none applies in these circumstances (there have been a few commits to try to address this). We hope the jump to PHP 7.1 changes the behaviour of this warning. But it's quite impossible to know because we can't be sure why it is warning about it in the first place.

@AdSchellevis
Member

@fichtner I expect the object is somewhere changed within the loop, which invalidates the next fetch of children(). A simple workaround could be to clone() the "$configObj->OPNsense->AcmeClient->certificates" object before iterating, but there might as well be a bug somewhere within the methods in the loop modifying the same object. The loop is a bit too complicated to inspect easily.

@fichtner fichtner changed the title security/acme-client security/acme-client: Node no longer exists warnings Oct 29, 2017
@fraenki fraenki self-assigned this Oct 30, 2017
@fraenki fraenki added bug Production bug help wanted Contributor missing labels Oct 30, 2017
@fichtner fichtner added upstream Third party issue and removed bug Production bug help wanted Contributor missing labels Dec 11, 2017
@fichtner
Member

Preliminary crash report examination seems to confirm my suspicion: PHP 7.0 garbage collection was too aggressive and 7.1 fixed this...

@fraenki
Member

fraenki commented Dec 11, 2017

@fichtner Just configured another Let's Encrypt setup on top of 17.7.9_9 and got this message again:

[11-Dec-2017 14:42:37 Europe/Berlin] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122

I'm pretty sure @AdSchellevis's assumption is correct, because the objects actually are changed within the loop. I have to collect all changes in the loop without modifying the object and commit all changes at the end of the run. That being said, I'm unsure how to implement this, so some advice how to properly do this would be very welcome. :)

@fraenki fraenki reopened this Dec 11, 2017
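
The approach discussed in the comments above (read the nodes in one pass, apply all changes after the loop has finished), as an added example that is not from this thread or the plugin's code and is not the fix that was later committed. Only the `OPNsense->AcmeClient->certificates` path comes from the thread; the root element, the `uuid` attribute and the `enabled`/`lastUpdate` fields are assumptions for illustration.

```php
<?php
// Constructed sample config; the root element and everything below
// <certificates> are an assumed layout, not OPNsense's real schema.
$xml = <<<'XML'
<opnsense><OPNsense><AcmeClient><certificates>
  <certificate uuid="c-1"><enabled>1</enabled><lastUpdate>0</lastUpdate></certificate>
  <certificate uuid="c-2"><enabled>0</enabled><lastUpdate>0</lastUpdate></certificate>
  <certificate uuid="c-3"><enabled>1</enabled><lastUpdate>0</lastUpdate></certificate>
</certificates></AcmeClient></OPNsense></opnsense>
XML;

$configObj = simplexml_load_string($xml);
if ($configObj === false) {
    exit("cannot parse sample config\n");
}
$certs = $configObj->OPNsense->AcmeClient->certificates;

// Pass 1: read only. Copy what is needed into plain PHP values so that
// no SimpleXMLElement handle is kept across a later change to the tree.
$pending = [];
foreach ($certs->children() as $cert) {
    if ((string)$cert->enabled !== '1') {
        continue;
    }
    // Constructed timestamp standing in for the result of a renewal run.
    $pending[(string)$cert['uuid']] = ['lastUpdate' => '1513000000'];
}

// Pass 2: iteration is over; look each node up again and apply the changes.
foreach ($pending as $uuid => $fields) {
    if (!preg_match('/^[A-Za-z0-9-]+$/', (string)$uuid)) {
        continue; // never interpolate an unchecked value into XPath
    }
    $match = $certs->xpath(sprintf('certificate[@uuid="%s"]', $uuid));
    if (!$match) {
        continue; // node is gone; skip it rather than use a stale handle
    }
    foreach ($fields as $key => $value) {
        $match[0]->{$key} = $value;
    }
}

echo $configObj->asXML();
```

With the sample input, only the two enabled certificates (`c-1` and `c-3`) end up with the new `lastUpdate` value.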
@fraenki
Member

fraenki commented Jan 18, 2018

I finally have an idea how to properly fix this issue. It should be ready shortly after OPNsense 18.1 is released.

UPDATE: Had to re-schedule due to other priorities; next ETA is 03/2018.

@fichtner
Member

super-awesome ❤️

@tyl0re

tyl0re commented May 3, 2018

Is there an ETA for the fix?

@fraenki
Member

fraenki commented May 19, 2018

A fix was committed and will be available in the next OPNsense release.

All fearless people may apply the patch manually:

opnsense-patch -c plugins 541cfdbe222b60f48c3664bae4db321da1455016

Please report back.

@fzoske
Contributor

fzoske commented Jun 1, 2018

@fraenki In the latest released version (1.15) the error still occurs:

[01-Jun-2018 13:52:29 Europe/Berlin] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 182
[01-Jun-2018 13:52:29 Europe/Berlin] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 255
[01-Jun-2018 13:52:29 Europe/Berlin] PHP Warning:  SimpleXMLElement::attributes(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 1124
[01-Jun-2018 13:52:29 Europe/Berlin] PHP Warning:  log_cert_acme_status(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 1124
[01-Jun-2018 13:52:29 Europe/Berlin] PHP Warning:  log_cert_acme_status(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 1132

Regards,
Fabian

@ssbarnea

I still see these warnings with the latest code:

FreeBSD 11.2-RELEASE-p9-HBSD  f083bc4f8a0(stable/19.1) amd64
OPNsense 19.1.4 736dc49c3
Plugins os-acme-client-1.20 os-arp-scan-1.1 os-cache-1.0 os-dyndns-1.13 os-haproxy-2.15 os-lldpd-1.1 os-postfix-1.8_2 os-tor-1.7_1 os-upnp-1.3 
Time Tue, 26 Mar 2019 16:51:10 +0000
OpenSSL 1.0.2r  26 Feb 2019
PHP 7.1.27

@fraenki
Member

fraenki commented Apr 29, 2019

> I still see these warnings with the latest code

@ssbarnea Could you please add the actual log message too? Because there are multiple places in the code where this issue may be found. Ideally you would provide the acme errors in context with everything else, this might help me to figure out what's going on and what triggers this error.

To everyone else: If you find a way to reproduce these "node no longer exists" warnings, please share it with me. Currently I'm unable to reproduce it.

@janmg

janmg commented Jun 12, 2019

Earlier today I got this error message on a brand new installation. First I added a firewall rule to allow HTTP and HTTPS on the WAN interface. Second, I changed the key length to 2048 bit. I'm running OPNsense on a Celeron in a virtual machine and I guess the PHP Warning is a timing issue. Now I do get a fine certificate =)

User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
FreeBSD 11.2-RELEASE-p10-HBSD  5e5adf26fc3(stable/19.1) amd64
OPNsense 19.7.b_92 55641d204
Plugins os-acme-client-1.23 os-dyndns-1.15_1 
Time Wed, 12 Jun 2019 10:33:17 +0000
OpenSSL 1.0.2s  28 May 2019
PHP 7.2.19
[12-Jun-2019 08:57:11 Etc/UTC] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 171
[12-Jun-2019 08:57:11 Etc/UTC] PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 243
[12-Jun-2019 08:57:11 Etc/UTC] PHP Warning:  SimpleXMLElement::attributes(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 1186
[12-Jun-2019 08:57:11 Etc/UTC] PHP Warning:  log_cert_acme_status(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 1186
[12-Jun-2019 08:57:11 Etc/UTC] PHP Warning:  log_cert_acme_status(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 1194
