Hi experts,
After deploying the CA certificate in both Firefox and Chrome/IE, the URL call to the Webconfig (as an example) is OK for Firefox and IE but KO for Chrome.
As far as I understand, Chrome is strict on certificate checks and requires a subjectAlternativeName to be provided (because using the CN as the domain definition has been deprecated for a decade).
I've tried to follow some tutorials to:
- Create a root CA
- Create an intermediate CA with a trust chain
- Create server certificates
and it's OK, but openssl.cnf has changed and user certificate creation now fails.
Where could I find documentation on the certificate subject matter?
Which developer is in charge of this part?
How could I contribute to improving this part of ClearOS?
Responses (14)
-
Accepted Answer
Hi Taryck,
I've filed bug 15981. I suspect the person at Clearcenter will be Ben Chambers, but I'm not sure. I'll try to ping him a message.
Accepted Answer
News from letsencrypt.org: Wildcard Certificates Coming January 2018
Let's Encrypt will begin issuing wildcard certificates in January of 2018.
So I have to wait until January...
Accepted Answer
I'm away at the moment, but as far as I recall, if you just set up sites by dropping conf files into /etc/httpd/conf.d then Apache uses the certificate from /etc/httpd/conf.d/ssl.conf. If you use the ClearOS Webconfig for your default website then you need to use the certificates in flex-443.conf. Similarly, for any website in a Flexshare, if you set it up in the Webconfig, you have to use the flex-443.conf file.
Re wildcard certificates: I can understand the requirement. I use Certbot for my Let's Encrypt certificates and it can create a single certificate to cover, say, www.mydomain.com, server.mydomain.com, anysite.mydomain.com etc. I think it is also possible to add subdomains pretty much when you want. To a large extent this gets round the requirement for a wildcard certificate.
Accepted Answer
Hi Taryck,
Remember that if you edit flex-443.conf you may also need to set the immutable bit on the file, otherwise changing any flexshare through the Webconfig could overwrite your changes.
BTW, with all this certificate work you're doing, have you thought of looking at Let's Encrypt certificates? I use them for my web server, but did not bother for the Webconfig. I believe there may also be an app under development for Let's Encrypt. I did try cheating the Certificate Manager app by copying the Let's Encrypt certificates to my desktop and importing them into the app, then deleting the imported certificates and replacing them with symlinks to the Let's Encrypt certificates in the /etc/letsencrypt/live folder, but it all failed. I hope the app will sort this out.
Accepted Answer
Hi Nick,
You're right about the flexshare.conf rebuild. But I edited (I did not give that info in my previous post; I have edited it to add it) the file /etc/httpd/conf.d/ssl.conf,
which defines the whole SSL configuration for the default host, while flexshare defines a virtual host for <flexshare>.<hostname>.
I've heard of Let's Encrypt but I haven't tried it yet.
Most access to my server is from known people who have to install the root CA once, with a 25-year CA and a 10-year server certificate...
Accepted Answer
To fix the "wrong" Webconfig usage I had to edit the file /var/clearos/certificate_manager/state/webconfig.conf to contain:
{"app_description":"Webconfig","certs":{"Web-based administration":"xxxxxx-bensiali-net"}}
instead of:
{"app_description":"Webconfig","certs":{"Web-based administration":"sys-0-cert.pem"}}
Accepted Answer
I also needed to fix httpd for the flexshare, because the certificate selection only applies to the virtual host whose ServerName is <myshare>.host.domain.tld.
Edited file: /etc/httpd/conf.d/ssl.conf
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
#SSLCertificateFile /etc/clearos/certificate_manager.d/xxxx-bensiali-net.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateKeyFile /etc/clearos/certificate_manager.d/xxxxx-bensiali-net.key
By the way, I do not understand why we've got 2 certificates for the same host:
- /etc/pki/tls/certs/localhost.crt
- /etc/pki/CA/sys-0-cert.pem
I suggest making it possible to set more than one ServerName for web server apps.
-
Accepted Answer
Thanks.
Here is my workaround, which I hope is not so bad:
- I use the CA as an external CA
- I use Certificate Manager => External Certificates to generate the request and key pair
- I use my own script to sign the certificate with the ClearOS CA
- I extract the domain information from the request
- I use the ClearOS openssl.cnf file but add what Google Chrome requires
- My script puts the certificate where the "import certificate" button in the External Certificates table expects it
I switched the certificate used by Webconfig by editing /usr/clearos/sandbox/etc/httpd/conf.d/certs.conf:
#SSLCertificateFile /etc/pki/CA/sys-0-cert.pem
#SSLCertificateKeyFile /etc/pki/CA/private/sys-0-key.pem
SSLCertificateFile /etc/clearos/certificate_manager.d/xxxxxx-bensiali-net.crt
SSLCertificateKeyFile /etc/clearos/certificate_manager.d/xxxxxx-bensiali-net.key
then restarted webconfig.
And now it's OK for Google Chrome.
However, the certificate usage list is not updated:
- sys-0-cert.pem is still displayed as the certificate for Webconfig
- my external certificate xxxxxx-bensiali-net has no usage
It's not a big problem, but if anyone could give me a way to fix this...
Here is my script:
#!/bin/bash
# Sign a request generated by Certificate Manager (External Certificates) with the
# ClearOS CA, adding the subjectAltName extension that Chrome requires.
# bash rather than sh: the script uses "read -p" and [[ ]].
base_file=/Taryck/major_files/Certificates/subjectAlternativeName.base.ext
openssl_config=/etc/pki/CA/openssl.cnf
request=$1
if [ -z "$request" ]; then
    echo "Provide a request file name!"
    exit 1
fi
if [ $# -ne 1 ]; then
    echo "Provide only one parameter"
    exit 1
fi
if [ ! -f "$request" ]; then
    echo "Request file not found: $request!"
    exit 2
fi
if [ ! -r "$request" ]; then
    echo "Can't read request file: $request!"
    exit 2
fi
cert_file="${request%.*}.crt"
if [ -f "$cert_file" ]; then
    echo "Target certificate file $cert_file already exists!"
    exit 3
fi
# Extract the CN from the request subject. sep_multiline prints one RDN per line,
# so the match does not depend on which attribute follows the CN.
domain=$(openssl req -noout -subject -nameopt sep_multiline -in "$request" | sed -n 's/^ *CN=//p')
if [ -z "$domain" ]; then
    echo "No CN found in request $request!"
    exit 2
fi
echo "Request's domain: $domain"
read -p "Do you confirm (Y/N)? " -n 1 -r answer
echo # move to a new line
if ! [[ "$answer" =~ ^[Yy]$ ]]; then
    exit 4
fi
echo
# Extension file for this request. mktemp creates it atomically with a random
# suffix, so nobody else with access to /tmp can pre-place a file or symlink
# there and have their own extensions signed.
ext_file=$(mktemp "/tmp/subjectAlternativeName.ext.$domain.$(date +%Y-%m-%d-%H-%M-%S).XXXXXX") || {
    echo "Error creating the domain directive file in /tmp!"
    exit 5
}
# Uncomment the DNS.n lines of the base file and substitute the request's domain.
sed "s/#\(.*\)<domain>/\1$domain/g" "$base_file" > "$ext_file"
if [ ! -s "$ext_file" ]; then
    echo "Error generating domain directive file: $ext_file!"
    exit 5
fi
echo "EXECUTE:"
echo "openssl ca -config $openssl_config -days 1825 -notext -md sha256"
echo "-in $request"
echo "-out $cert_file"
echo "-extfile $ext_file"
echo
read -p "Do you confirm (Y/N)? " -n 1 -r answer
echo # move to a new line
if ! [[ "$answer" =~ ^[Yy]$ ]]; then
    exit 6
fi
openssl ca -config "$openssl_config" -days 1825 -notext -md sha256 \
    -in "$request" -out "$cert_file" -extfile "$ext_file"
if [ ! -r "$cert_file" ]; then
    echo "Failed to create certificate file: $cert_file!"
    exit 5
fi
rm -f "$ext_file"
The script uses an extension config file (/Taryck/major_files/Certificates/subjectAlternativeName.base.ext) that looks like this:
# File: subjectAltName.ext
# Source: http://wiki.cacert.org/FAQ/subjectAltName
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#keyUsage = critical, digitalSignature, keyEncipherment
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Chrome issue: "Cannot verify that this server is xx, because its security certificate comes from the domain [missing_subjectAltName]"
subjectAltName = @alternate_names
[alternate_names]
# The signing script uncomments the two lines below and fills in the request's CN.
#DNS.1 = <domain>
#DNS.2 = *.<domain>
You'll have to adapt the config file location because "/Taryck/major_files/Certificates/subjectAlternativeName.base.ext" is a little bit too egocentric, I guess. But it helps me remember that nothing in "/Taryck" comes from any package...
And the output looks like this:
[root@xxxxx Certificates]# ./sign-request.sh /etc/clearos/certificate_manager.d/xxxxx-bensiali-net.req
Request's domain: xxxxx.bensiali.net
Do you confirm (Y/N)? y
EXECUTE:
openssl ca -config /etc/pki/CA/openssl.cnf -days 1825 -notext -md sha256
-in /etc/clearos/certificate_manager.d/xxxxx-bensiali-net.req
-out /etc/clearos/certificate_manager.d/xxxxx-bensiali-net.pem
-extfile /tmp/subjectAlternativeName.ext.xxxxx.bensiali.net.2017-08-05-16-09-08
Do you confirm (Y/N)? y
Using configuration from /etc/pki/CA/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2097154 (0x200002)
Validity
Not Before: Aug 5 14:11:43 2017 GMT
Not After : Aug 4 14:11:43 2022 GMT
Subject:
countryName = FR
stateOrProvinceName = IdF
localityName = xxxxx
organizationName = ClearOS
organizationName = bensiali.net
organizationalUnitName = xxxxx
commonName = xxxxx.bensiali.net
emailAddress = security@xxxxx.bensiali.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
DF:....:53
X509v3 Authority Key Identifier:
keyid:75:....:A7
DirName:/C=FR/L=xxxxx/O=ClearOS/OU=xxxxx/CN=ca.xxxxx.bensiali.net/emailAddress=security@xxxxx.bensiali.net/O=bensiali.net/ST=IdF
serial:B4:...:A1
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:xxxxx.bensiali.net, DNS:*.xxxxx.bensiali.net
Certificate is to be certified until Aug 4 14:11:43 2022 GMT (1825 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
I apologize, but in both the script and the config file you'll find French text. I use French to differentiate things that come from the internet from things I've done myself.
Feel free to ask questions if it's not clear...
PS: I can't find a way to attach the script and config file, so I added URL references:
-
Accepted Answer
I cannot find anything about Chrome requiring Subject Alternative Names only in certificates? Now indeed I think SANs were introduced as part of the X.509 v3 certificate specification, but is it a requirement for Chrome?
The issue with creating self-signed certificates using the ClearOS Webconfig app for Chrome could be an entirely different problem. I think I also tried to use the app, but at the time it was creating X.509 v1 certificates that I had to manually change to v3; this might not be the case anymore.
This is certainly a complicated subject and I am no expert. Looking at Taryck BENSIALI's configuration, a wildcard DNS entry within the Subject Alternative Names (SANs) is an approach I never thought of. Also note that wildcard certificates can be useful but will only secure a specific subdomain level.
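An added example, written for this thread rather than taken from ClearOS or from Taryck's script, that puts the signing procedure from the script post and the remark above about wildcard scope into one runnable bash script. It assumes only the openssl command line tool (1.0.2 or later); the throwaway root CA, the request for srv.example.net and the host names checked at the end are all constructed for the example. It extracts the CN from the request the way the script does, signs with "openssl x509 -req" (which needs no index.txt/serial database, unlike "openssl ca" on the ClearOS CA) and then checks the result as a client would: the SAN is present, and "*.srv.example.net" covers www.srv.example.net but not a.b.srv.example.net.

```bash
#!/bin/bash
# Added example, not ClearOS code: sign a Certificate Manager style request
# with a private CA, adding the subjectAltName Chrome needs, then check the
# result as a TLS client would. Assumes only the openssl CLI (1.0.2+).
# The CA, the request and the host names below are constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway root CA standing in for /etc/pki/CA on the ClearOS box.
make_ca() {
    cat >"$WORK/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
O = Example
CN = Example Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# A request like the one "External Certificates" generates: the host name is the CN.
make_csr() { # $1 = host name
    cat >"$WORK/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C = FR
O = Example
CN = $1
emailAddress = security@$1
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$WORK/csr.cnf" -keyout "$WORK/server.key" -out "$WORK/server.req" 2>/dev/null
}

# CN of a request. sep_multiline prints one RDN per line, so the match does not
# depend on which attribute follows the CN in the subject.
csr_cn() { # $1 = request file
    openssl req -noout -subject -nameopt sep_multiline -in "$1" | sed -n 's/^ *CN=//p'
}

# v3 extensions for a server certificate: the CN plus a one-level wildcard as SAN.
write_ext() { # $1 = domain, $2 = extension file to write
    cat >"$2" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = DNS:$1, DNS:*.$1
EOF
}

# Sign with "openssl x509 -req": no index.txt/serial database needed, unlike
# "openssl ca" on the ClearOS CA. Fails if the request carries no CN.
sign_csr() { # $1 = request file, $2 = certificate to write
    local cn
    cn=$(csr_cn "$1")
    [ -n "$cn" ] || { echo "no CN in $1" >&2; return 1; }
    write_ext "$cn" "$WORK/$cn.ext"
    openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$WORK/$cn.ext" -out "$2" 2>/dev/null
}

# True when the certificate's SAN lists the given DNS name (what Chrome looks at).
has_san() { # $1 = certificate, $2 = DNS name
    local san
    san=$(openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' || true)
    case "$san" in *"DNS:$2"*) return 0 ;; esac
    return 1
}

# Chain and host-name check as a client does it. "*.d" matches one label only.
verify_host() { # $1 = certificate, $2 = host name the client connected to
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

make_ca
make_csr srv.example.net
sign_csr "$WORK/server.req" "$WORK/server.crt"
has_san "$WORK/server.crt" srv.example.net && echo "SAN present"
verify_host "$WORK/server.crt" www.srv.example.net && echo "www.srv.example.net: OK"
verify_host "$WORK/server.crt" a.b.srv.example.net || echo "a.b.srv.example.net: rejected"
```

To use it against a real CA, replace make_ca with the existing CA files and point the -CA/-CAkey arguments of sign_csr at them; the verify_host check is the quickest way to confirm, before touching any httpd config, that the name a browser will type is actually covered by the SAN.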
Accepted Answer
Looking at the bug, it was downgraded from "minor" to "tweak" and is targeted for 7.4 Beta 1, which hopefully should be in the testing repo fairly soon. A number of my bugs have been bumped from 7.4 Beta 1 to 7.4 updates, but this one has not, so I have my fingers crossed.
Accepted Answer
A basic fix will be available for the upcoming ClearOS 7.4 release. The first "Subject Alternative Name" will be set to the "common name" for now.
[ req_distinguished_name ]
commonName = clearos.example.com
... snip ...
[ alt_names ]
DNS.1 = clearos.example.com
I'll add a feature request to add support for multiple Subject Alternative Names, but this fix will resolve the Chrome support issue.