Not possible to replace CRL #857

@steffen-kdab

Describe the bug
According to the API docs, a CRL can be updated by sending a PATCH request to /api/v2/system/crl. This does not work. I tried various workarounds like deleting the current CRL and uploading a new one, but none of that works. Either it will tell you the CRL is in use or the field is not editable.

To Reproduce
Steps to reproduce the behavior:

Send a PATCH request to /api/v2/system/crl with data like

params = {
    "id": 0,
    "descr": "This is a new CRL",
    "method": "existing",
    "text": "XYZABC CRL Content"
}

If any of the fields descr, text, ... differ from what is on the server, it will tell you that the field is not editable and refuse.

Expected behavior
I would expect the CRL to be updated and the service using it, in my case the OpenVPN server, reloading to pick up the change.

pfSense Version & Package Version:

  • pfSense Version: PfSense+ 25.07.1-RELEASE
  • Package Version: v2.7.3

Affected Endpoints:
/api/v2/system/crl

Additional context
I read through the code, and everything looks to be in place to update the CRL file, only the API rejects access. So as an experiment, I hacked /usr/local/pkg/RESTAPI/Models/CertificateRevocationList.inc and set the editable attr. to true on the two fields that are relevant to me, and it looks like it actually works, i.e. replaced the CRL file and restarted the service. I don't have a good overview over what other implications this might have, and how it would work with CRLs that are not produced externally though.

--- CertificateRevocationList.inc.ORIG  2026-02-25 11:29:13.577355000 +0100
+++ CertificateRevocationList.inc       2026-03-02 23:12:24.728582000 +0100
@@ -40,7 +40,7 @@
         $this->descr = new StringField(
             required: true,
             unique: true,
-            editable: false,
+            editable: true,
             validators: [new RegexValidator(pattern: "/[\?\>\<\&\/\\\"\']/", invert: true)],
             help_text: 'The unique name/description for this CRL.',
         );
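Review bot: flipping `editable` on `descr` lets a PATCH rename the CRL, which goes beyond the stated goal of replacing the CRL data. The field is declared `unique: true` and its help text calls it the unique name for the CRL, so before accepting this part it should be confirmed that nothing identifies a CRL by its description; if that cannot be confirmed, keep `descr` at `editable: false` and open up only the data field.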
@@ -73,7 +73,7 @@
         );
         $this->text = new Base64Field(
             required: true,
-            editable: false,
+            editable: true,
             conditions: ['method' => 'existing'],
             help_text: 'The raw x509 CRL data.',
         );
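Review bot: with `editable: true` on `text`, the visible field definition carries no validator, so any Base64 payload sent via PATCH would replace the CRL that the consuming service then reloads. The `conditions: ['method' => 'existing']` line limits the field to imported CRLs, which matches the use case, but the update path should check that the new value parses as x509 CRL data before it is written, and the change needs a test showing that a CRL using a different method cannot have its data overwritten through this field.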

Thank you for listening :)
