
A new install of 14.1-34.42 gives the following errors when you first log in and it prompts for a password change. Also, when you go to SSL Files, you get the attached. Obviously this version has gone through a lot of QA before release...

In better news, they do seem to have fixed the broken SSL with the Freemium release

 

A PHP Error was encountered

Severity: 8192

Message: strcmp(): Passing null to parameter #1 ($string1) of type string is deprecated

Filename: controllers/Login.php

Line Number: 52

A PHP Error was encountered

Severity: 8192

Message: strcmp(): Passing null to parameter #1 ($string1) of type string is deprecated

Filename: controllers/Login.php

Line Number: 70

A PHP Error was encountered

Severity: 8192

Message: strcmp(): Passing null to parameter #1 ($string1) of type string is deprecated

Filename: controllers/Login.php

Line Number: 107

Capture.PNG

Hi Stephen,

Have you tried clearing cookies? I just encountered the PHP error. An incognito/newly opened browser cleared the error for me.

Br

Daniel

  • 2 weeks later...
  • Author

I think that's coincidence - there wouldn't be any cookies against a previously unused IP address. Plus the PHP errors make it clear this is a server-side issue relating to opening some internally-generated SSL keys (which are chowned to root, mode 0600), plus coding errors failing to sanitize arguments to strcmp() coupled with poor error-handling throughout. The permissions on the keys in /nsconfig/ssl don't alter, so this looks to be something trying to open them after privileges have been dropped. It happens only on first boot/access and does not reoccur if you reboot without saving, which is why it appeared to disappear for you. The strcmp() error is shown whenever the force password change is shown in the web GUI (if you change the password from the CLI you don't see it).

I did all my tests in incognito mode.

Stephen

  • Author

The strcmp() errors are from lines like:

if (strcmp($this->input->post('challengepassword'), ""))

At the password change form there is no challengepassword field on first access, so it is null.

  • 5 weeks later...
  • 3 weeks later...
On 1/2/2025 at 10:51 AM, Michael Adam said:

Hello @ThinkingVirtually


with 14.1 38.53 the PHP error is fixed. 👍

Best regards,
Michael 

Upgraded from 14.1-29.72 to 14.1-38.53 but still getting the same. Just as a side note, this VPX is still running in "freemium"; would that make a difference? It should not, as I have been running this for a couple of months with no issues.

Hello @Ryno Hugo

This looks different from the case description. The PHP error appears after a fresh VPX 14.1-34.42 import, in my cases with the ESX/vSphere VPX. A freshly imported VPX is always a Freemium because no other license is in the imported image.

If you see the PHP error after upgrading an old version to a VPX 14.1-38.53, this could be another problem, like browser cache. Best try it first with an incognito window.

Best regards,
Michael

Already tried incognito and another browser.

Error here:

Error in retrieving SSL Key Files.

A PHP Error was encountered

Severity: Warning

Message: fopen(/nsconfig/ssl/ns-root.key): Failed to open stream: Permission denied

Filename: controllers/Rapi.php

Line Number: 3689

A PHP Error was encountered

Severity: Warning

Message: fopen(/nsconfig/ssl/ns-server.key): Failed to open stream: Permission denied

Filename: controllers/Rapi.php

Line Number: 3689

A PHP Error was encountered

Severity: Warning

Message: fopen(/nsconfig/ssl/ns-sftrust-root.key): Failed to open stream: Permission denied

Filename: controllers/Rapi.php

Line Number: 3689

A PHP Error was encountered

Severity: Warning

Message: fopen(/nsconfig/ssl/ns-sftrust.key): Failed to open stream: Permission denied

Filename: controllers/Rapi.php

Line Number: 3689

A PHP Error was encountered

Severity: Warning

Message: fopen(/nsconfig/ssl/ryno_key): Failed to open stream: Permission denied

Filename: controllers/Rapi.php

Line Number: 3689

A PHP Error was encountered

Severity: Warning

Message: fopen(/nsconfig/ssl/11111): Failed to open stream: Permission denied

Filename: controllers/Rapi.php

Line Number: 3689

A PHP Error was encountered

Severity: Warning

Message: fopen(/nsconfig/ssl/11): Failed to open stream: Permission denied

Filename: controllers/Rapi.php

Line Number: 3689

A PHP Error was encountered

Severity: Warning

Message: fopen(/nsconfig/ssl/test): Failed to open stream: Permission denied

Filename: controllers/Rapi.php

Line Number: 3689

A PHP Error was encountered

Severity: Warning

Message: fopen(/nsconfig/ssl/test10): Failed to open stream: Permission denied

Filename: controllers/Rapi.php

Line Number: 3689

{"errorcode":0,"message":"DONE","severity":"NONE","sslkeyfiles":[{"filename":"ns-root.srl","filelocation":"\/nsconfig\/ssl\/","fileaccesstime":"Tue Jan 7 14:52:55 2025","filemodifiedtime":"Mon Oct 14 11:26:42 2024","filesize":"3"},{"filename":"ns-sftrust-root.srl","filelocation":"\/nsconfig\/ssl\/","fileaccesstime":"Tue Jan 7 14:52:55 2025","filemodifiedtime":"Mon Oct 14 11:26:43 2024","filesize":"3"}]}

P.S. This was with the nsroot account; also created a superuser, same results with that brand-new user account.

Hello @Ryno Hugo

This is definitely a different error message than the one discussed in that topic. It looks like everything with your SSL keys is going wrong. Did you check the permissions on the SSL folder and files? You can do this with an SSH or SCP session. This connection should work.

Best regards,
Michael

  • Community Expert

There were freemium issues with SSL certificates when they increased functionality recently.  Once they get broken they stay broken, until you update to the latest firmware.

Once on the latest version, you can then import and setup the higher end certificates and things should work correctly.

 

We also have the php issue with the version 14.1.38.53. We recently upgraded because we had the php error directly when going in Traffic Management / SSL / SSL Files. Now we do see the error only when we try to create a key or csr.

We already tried incognito mode but it doesn't help. We are running the netscaler with a valid license.

We just dug a bit more on this permission issue and it appears to generate the PHP errors only with the key creation.

When we create a key from the GUI it will assign the following permissions: -rw-------, while it used to create all SSL files with the following permissions: -rw-r--r--

I fixed the permissions on all files to 644 (-rw-r--r--) and it doesn't show the PHP error anymore, but if I create a new key it will generate an error again as the creation process seems bugged.

I managed by using an old key to prepare my CSR file, but Citrix should fix this in the next firmware versions (I don't know if they are aware of this bug).
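
Two posts in this thread describe the same trade-off: keys created as -rw------- cannot be opened by the GUI process, while setting every file to 644 also makes the private keys readable by group and other. An added example, not from the thread and not NetScaler code: a POSIX shell audit that finds PEM private keys under a directory and reports their mode. The function names, sample directory and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find PEM private keys under a directory
# and report whether group/other can read them.

# Exit 0 if the file carries a PEM private-key header (RSA, EC, PKCS#8, ...).
is_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null
}

# Print "<STATUS> <perms> <path>" for each private key under $1.
#   OK         only the owner can read the key (e.g. -rw-------)
#   EXPOSED    group or other have read access (e.g. -rw-r--r--)
#   UNREADABLE the current user cannot open the file to classify it
audit_keys() {
    find "$1" -type f | sort | while IFS= read -r f; do
        perms=$(ls -ld "$f" | cut -c1-10)
        if [ ! -r "$f" ]; then
            echo "UNREADABLE $perms $f"
            continue
        fi
        is_private_key "$f" || continue      # certificates, CSRs, .srl files
        case $perms in
            ????r*|???????r*) echo "EXPOSED $perms $f" ;;
            *)                echo "OK $perms $f" ;;
        esac
    done
}

# Number of private keys readable by group or other under $1.
count_exposed() {
    audit_keys "$1" | grep -c '^EXPOSED ' || true
}

# Constructed sample directory: placeholder PEM headers only, no real key data.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$d/gui-created.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----'     > "$d/after-chmod.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----'     > "$d/server.cert"
    chmod 600 "$d/gui-created.key"
    chmod 644 "$d/after-chmod.key" "$d/server.cert"
    echo "$d"
}

sample=$(make_sample)
audit_keys "$sample"
rm -rf "$sample"
```

Run as a non-root user, 0600 root-owned keys show up as UNREADABLE, which matches the "Permission denied" errors quoted earlier in the thread.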

  • Community Expert

TBH I have had issues with CSRs and keys in the past with NetScalers.  I just generate them with other tools and then upload them to the NetScaler.  You can use NetScaler Console to do this, or generate them with POSH-ACME, or do the cert work in Windows, and then export and import a PFX.

Yes there are always many alternatives, but it was working fine for years and all our procedures are built using this part of the netscaler. It's a shame they introduced a bug with the last versions. A bug which doesn't seem so hard to fix...

  • Community Expert

It's part of their hardening process.  Locking down the system after all the compromises over the last few years.  Check out the zero touch ssl functions on NetScaler Console with the new firmware.  This allows you to centralize the certificates on the Console, and the NetScaler can check them out as needed.  This will be useful with Google's desire to go to 3 months, and there may be integrations in the future with ACME providers for auto renewals of certs as needed.

To follow up, I just had a call with Citrix support; they thought this bug was fixed. They will report to R&D and hopefully this will be fixed in a new version.
