Home Original page

Can delete CA marked "In Use"

Describe the bug
I can delete CA that is marked "In Use" via REST API v2.

To Reproduce

  1. Create new CA in System/Certificates/Authorities
  2. Create new VPN Client in VPN/OpenVPN/Clients. For "Peer Certificate Authority" select CA from step 1.
  3. Look at CA in System/Certificates/Authorities, it will be market "In Use" by OpenVPN Client.
  4. Go to REST API Documentation page to DELETE /api/v2/system/certificate_authority endpoint, select ID for CA from step 1 and press Execute. Responce will be SUCCESS and CA gone.

Expected behavior
Responce should be "CERTIFICATE_AUTHORITY_CANNOT_BE_DELETED_WHILE_IN_USE" and CA should remain.

{
  "code": 403,
  "status": "forbidden",
  "response_id": "CERTIFICATE_AUTHORITY_CANNOT_BE_DELETED_WHILE_IN_USE",
  "message": "Certificate authority cannot be deleted because it is in use.",
  "data": []
}

Screenshots or Response

pfSense Version & Package Version:

  • pfSense 2.8.1
  • Package Version v2.7.2

Affected Endpoints:

  • URL: /api/v2/system/certificate_authority

Additional context
I looked into CertificateAuthority.inc file, and there is function _delete() (line 116). In this function line 118 looks:

 if (cert_in_use($this->refid->value)) {

Probably it must be changed to:

 if (ca_in_use($this->refid->value)) {

This way I can not delete CA that is marked "In Use".