Hi experts,

After deploying the CA certificate on both FF and Chrome/IE, the URL call to the webconfig (as an example) is OK for FF and IE but KO for Chrome.
As far as I understood, Chrome is strict on certificate checks and requires (because use of the CN as the domain definition has been deprecated for a decade) a subjectAlternativeName to be provided.

I've tried to follow some tutorials to:

  1. Create root CA
  2. Create Intermediate CA with trust chain
  3. Create server certificates

and it's OK, but openssl.cnf has changed and user certificate creation now fails.

Where could I find documentation on the certificate subject matter?
Which developer is in charge of this part?
How could I contribute to improve this part of ClearOS?
Saturday, August 05 2017, 10:49 AM
Responses (14)
  • Saturday, August 05 2017, 12:58 PM
    Hi Taryck,
    I've filed bug 15981. I suspect the person at Clearcenter will be Ben Chambers but I'm not sure. I'll try to ping him a message.
  • Saturday, August 05 2017, 02:42 PM
    Ben is the right resource here. Taryk, any feedback or help you have on this please give it here and we will add it to the ticket. You've posted a lot of great information in the past so let us know if you want better access to the bug tracker moving forward.
  • Monday, August 07 2017, 05:42 AM
    News from letsencrypt.org : Wildcard Certificates Coming January 2018
    Let’s Encrypt will begin issuing wildcard certificates in January of 2018.

    So I have to wait until January...
  • Monday, August 07 2017, 09:04 AM
    I'm away at the moment, but as far as I recall, if you just use sites by dropping conf files into /etc/http/conf.d then Apache uses the certificate from /etc/httpd/conf.d/ssl.conf. If you use the ClearOS webconfig for your default website then you need to use the certificates in flex-443.conf. Similarly, for any website in a Flexshare, if you set it up in the Webconfig, you have to use the flex-443.conf file.

    Re wildcard certificates: I can understand the requirement. I use Certbot for my Letsencrypt certificates and it can create a single certificate to cover, say, www.mydomain.com, server.mydomain.com, anysite.mydomain.com etc. I think it is also possible to add subdomains pretty much when you want. To a large extent this gets round the requirement for a wildcard certificate.
  • Sunday, August 06 2017, 08:41 PM
    Hi Taryck,
    Remember that if you edit flex-443.conf you may also need to set the immutable flag on the file, otherwise changing any flexshare through the webconfig could overwrite your changes.

    BTW, with all this certificate work you're doing, have you thought of looking at Letsencrypt certificates? I use them for my web server, but did not bother for the Webconfig. I believe there may also be an app under development for Letsencrypt. I did try cheating the Certificate Manager app by copying the Letsencrypt certificates to my desktop and importing them into the app, deleting the imported certificates and replacing them with symlinks to the Letsencrypt certificates in the /etc/letsencrypt/live folder, but it all failed. I hope the app will sort this out.
  • Sunday, August 06 2017, 09:44 PM
    Hi Nick,

    You're right about the flexshare.conf rebuild. But I've edited (I did not provide the info in my previous post; I edited it to add it) the file /etc/httpd/conf.d/ssl.conf,
    which defines the whole SSL configuration for the default host, while flexshare defines virtual hosts for <flexshare>.<hostname>.

    I've heard of Letsencrypt but I did not try it yet.

    Most access to my server is from known persons who have to install the root CA once, with a 25-year CA and a 10-year server certificate...
  • Saturday, August 05 2017, 03:15 PM
    I saw you were having problems posting and I've tidied up.
  • Saturday, August 05 2017, 03:24 PM
    To fix the "wrong" webconfig usage I had to edit the file /var/clearos/certificate_manager/state/webconfig.conf:
    {"app_description":"Webconfig","certs":{"Web-based administration":"xxxxxx-bensiali-net"}}

    instead of :
    {"app_description":"Webconfig","certs":{"Web-based administration":"sys-0-cert.pem"}}
  • Saturday, August 05 2017, 09:06 PM
    Hi Taryck,

    I'll be handling the issue in the tracker for the time being - Ben is not available. Please keep in mind, this needs to be triaged with the other 700+ open features & issues!
  • Sunday, August 06 2017, 05:54 PM
    I also need to fix httpd for flexshare, because certificate selection only applies to the virtualhost servername: <myshare>.host.domain.tld
    Edited file: /etc/httpd/conf.d/ssl.conf

    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. A new
    # certificate can be generated using the genkey(1) command.
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    #SSLCertificateFile /etc/clearos/certificate_manager.d/xxxx-bensiali-net.crt

    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you've both a RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    #SSLCertificateKeyFile /etc/clearos/certificate_manager.d/xxxxx-bensiali-net.key


    By the way, I do not understand why we've got 2 certificates for the same host:

    • /etc/pki/tls/certs/localhost.crt
    • /etc/pki/CA/sys-0-cert.pem


    I suggest being able to set more than one Server Name for web server apps.
  • Saturday, August 05 2017, 03:03 PM
    Thanks.
    Here is my workaround, which I hope is not so bad.


    • I use the CA as an external CA
    • I use Certificate Manager => External Certificates to generate the request and key pair
    • I use my own script to sign the certificate with the ClearOS CA
    • I extract the domain information from the request
    • I use the ClearOS openssl.cnf file but I add the Google Chrome requirements
    • My script places the certificate where the "import certificate" button on the External Certificates table expects it


    I've switched the certificate used by webconfig by editing /usr/clearos/sandbox/etc/httpd/conf.d/certs.conf:
    #SSLCertificateFile /etc/pki/CA/sys-0-cert.pem
    #SSLCertificateKeyFile /etc/pki/CA/private/sys-0-key.pem
    SSLCertificateFile /etc/clearos/certificate_manager.d/xxxxxx-bensiali-net.crt
    SSLCertificateKeyFile /etc/clearos/certificate_manager.d/xxxxxx-bensiali-net.key

    Restart webconfig, and now it's OK for Google Chrome.

    However, the certificate usage list is not updated:

    • sys-0-cert.pem is still displayed as the certificate for webconfig
    • my external certificate xxxxxx-bensiali-net has no usage

    It's not a big problem, but if anyone could provide me a way to fix this...

    Here is my script:
    #!/bin/bash
    # Sign a certificate request with the ClearOS CA, adding the
    # subjectAltName extensions Chrome requires. Uses bash features
    # ([[ ]], read -p/-n), so the interpreter is bash rather than sh.
    base_file=/Taryck/major_files/Certificates/subjectAlternativeName.base.ext
    openssl_config=/etc/pki/CA/openssl.cnf

    request=$1
    if [ -z "$request" ]; then
        echo "provide a request file name !"
        exit 1
    fi
    if [ -n "$2" ]; then
        echo "provide only one parameter"
        exit 1
    fi
    if [ ! -f "$request" ]; then
        echo "Request File not found : $request !"
        exit 2
    fi
    if [ ! -r "$request" ]; then
        echo "can't read Request File : $request !"
        exit 2
    fi

    # The certificate is written next to the request with a .crt extension
    cert_file="${request%.*}.crt"
    if [ -f "$cert_file" ]; then
        echo "Target Certificate file : $cert_file already exists !"
        exit 3
    fi

    # Extract the CN from the request's one-line Subject
    # (OpenSSL 1.0 "..., CN=host/emailAddress=..." layout)
    domain=$(openssl req -noout -text -in "$request" | grep ".*Subject:.*CN=.*" | sed 's/.*, CN=\(.*\)\/emailAddress.*/\1/g')
    echo "Request's domain : $domain"
    read -p "Confirmez vous (Y/N) ? " -n 1 -r reponse
    echo # move to a new line
    if ! [[ "$reponse" =~ ^[Yy]$ ]]; then
        exit 4
    fi
    echo

    # Build a per-request extension file: uncomment the <domain> lines of
    # the base file and substitute the request's domain
    ext_file=$(/Taryck/scripts/timestamp.sh)
    ext_file="/tmp/subjectAlternativeName.ext.$domain.$ext_file"
    if [ -f "$ext_file" ]; then
        echo "Temp file : $ext_file already exists !"
        exit 5
    fi
    sed "s/#\(.*\)<domain>/\1$domain/g" "$base_file" > "$ext_file"
    if [ ! -f "$ext_file" ]; then
        echo "Error generating Domain directive File : $ext_file !"
        exit 5
    fi
    if [ ! -r "$ext_file" ]; then
        echo "Can't read Domain directive File : $ext_file !"
        exit 5
    fi

    # Show the exact command before running it, then sign for 5 years with SHA-256
    echo "EXECUTE :"
    echo "openssl ca -config $openssl_config -days 1825 -notext -md sha256 "
    echo "-in $request "
    echo "-out $cert_file "
    echo "-extfile $ext_file"
    echo
    read -p "Confirmez vous (Y/N) ? " -n 1 -r reponse
    echo # move to a new line
    if ! [[ "$reponse" =~ ^[Yy]$ ]]; then
        exit 6
    fi
    openssl ca -config "$openssl_config" -days 1825 -notext -md sha256 -in "$request" -out "$cert_file" -extfile "$ext_file"
    if [ ! -r "$cert_file" ]; then
        echo "Failed to create certificate file : $cert_file !"
        exit 5
    fi


    The script uses an extension config file (/Taryck/major_files/Certificates/subjectAlternativeName.base.ext) that looks like this:
    # File : subjectAltName.ext
    # Source : http://wiki.cacert.org/FAQ/subjectAltName

    basicConstraints = CA:FALSE
    nsCertType = server
    nsComment = "OpenSSL Generated Server Certificate"
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid,issuer:always
    #keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    #keyUsage = critical, digitalSignature, keyEncipherment
    keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth
    # Chrome issue: "Unable to verify that this server is xx, because its security certificate comes from the domain [missing_subjectAltName]"
    subjectAltName = @alternate_names

    [alternate_names]
    # The signing script uncomments these lines and replaces <domain>
    #DNS.1 = <domain>
    #DNS.2 = *.<domain>


    You'll have to adapt the config file location because "/Taryck/major_files/Certificates/subjectAlternativeName.base.ext" is a little bit too egocentric, I guess. But it helps me remember that everything in "/Taryck" doesn't come from any package... :)

    and the output looks like this:
    [root@xxxxx Certificates]# ./sign-request.sh /etc/clearos/certificate_manager.d/xxxxx-bensiali-net.req
    Request's domain : xxxxx.bensiali.net
    Confirmez vous (Y/N) ? y

    EXECUTE :
    openssl ca -config /etc/pki/CA/openssl.cnf -days 1825 -notext -md sha256
    -in /etc/clearos/certificate_manager.d/xxxxx-bensiali-net.req
    -out /etc/clearos/certificate_manager.d/xxxxx-bensiali-net.pem
    -extfile /tmp/subjectAlternativeName.ext.xxxxx.bensiali.net.2017-08-05-16-09-08

    Confirmez vous (Y/N) ? y
    Using configuration from /etc/pki/CA/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 2097154 (0x200002)
    Validity
    Not Before: Aug 5 14:11:43 2017 GMT
    Not After : Aug 4 14:11:43 2022 GMT
    Subject:
    countryName = FR
    stateOrProvinceName = IdF
    localityName = xxxxx
    organizationName = ClearOS
    organizationName = bensiali.net
    organizationalUnitName = xxxxx
    commonName = xxxxx.bensiali.net
    emailAddress = security@xxxxx.bensiali.net
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Cert Type:
    SSL Server
    Netscape Comment:
    OpenSSL Generated Server Certificate
    X509v3 Subject Key Identifier:
    DF:....:53
    X509v3 Authority Key Identifier:
    keyid:75:....:A7
    DirName:/C=FR/L=xxxxx/O=ClearOS/OU=xxxxx/CN=ca.xxxxx.bensiali.net/emailAddress=security@xxxxx.bensiali.net/O=bensiali.net/ST=IdF
    serial:B4:...:A1

    X509v3 Key Usage: critical
    Digital Signature, Non Repudiation, Key Encipherment
    X509v3 Extended Key Usage:
    TLS Web Server Authentication
    X509v3 Subject Alternative Name:
    DNS:xxxxx.bensiali.net, DNS:*.xxxxx.bensiali.net
    Certificate is to be certified until Aug 4 14:11:43 2022 GMT (1825 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated


    I apologize, but in both the script and the config file you'll find French text. I use French to differentiate stuff that comes from the internet from stuff I've done on my own.

    Feel free to ask questions if it's not clear...
    PS: Can't find the way to attach the script and config file, so I added a URL
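    An added check, not from Taryck's post or from ClearOS, for the property this workaround restores: that a certificate's subjectAltName exists and covers its commonName, exactly or through a one-label wildcard like the DNS.2 line in the extension file above. It assumes openssl 1.1.1 or later on PATH; the hostnames and temp files are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or ClearOS): check that a PEM certificate
# carries a subjectAltName covering its commonName, which Chrome 58+ requires.

# Print the commonName of a PEM certificate.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Print the DNS entries of the subjectAltName, one per line (empty if none).
cert_san_dns() {
    openssl x509 -noout -text -in "$1" |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 when a SAN entry matches the CN exactly or through a one-label
# wildcard (*.example.test covers webconfig.example.test), 1 otherwise.
check_cert_san() {
    cn=$(cert_cn "$1")
    names=$(cert_san_dns "$1")
    [ -n "$names" ] || return 1   # no SAN at all: the case Chrome rejects
    for n in $names; do
        if [ "$n" = "$cn" ]; then return 0; fi
        case "$n" in
            \*.*) if [ "$cn" != "${cn#*.}" ] && [ "${cn#*.}" = "${n#\*.}" ]; then
                      return 0
                  fi ;;
        esac
    done
    return 1
}

# Constructed test material: two short-lived self-signed certificates with the
# same CN, one with a SAN (exact name plus wildcard, as in the thread's
# extension file) and one with only a CN. Prints the directory they are in.
make_test_certs() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -subj "/O=Example/CN=webconfig.example.test" \
        -addext "subjectAltName=DNS:webconfig.example.test,DNS:*.example.test" \
        -keyout "$dir/with-san.key" -out "$dir/with-san.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
        -subj "/O=Example/CN=webconfig.example.test" \
        -keyout "$dir/no-san.key" -out "$dir/no-san.crt" >/dev/null 2>&1
    echo "$dir"
}
```

    Source the file and call check_cert_san on the certificate webconfig actually serves; a non-zero return means the SAN is absent or does not cover the CN, which is the condition behind the [missing_subjectAltName] error in the thread.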
  • Wednesday, August 16 2017, 07:52 PM
    I cannot find anything about Chrome requiring Subject Alternate Names only? Now indeed, I think SANs were introduced as part of the X.509 v3 certificate specifications, but is it a requirement for Chrome?

    The issue with creating self-signed certificates using the ClearOS Webconfig app for Chrome could be entirely another problem. I think I also tried to use the app, but at the time it was creating X.509 v1 certificates that I had to manually change to be v3; this might not be the case anymore.

    This is certainly a complicated subject and I am no expert. Looking at 'Taryck BENSIALI' configuration, a wildcard DNS entry within the Subject Alternate Names (SANs) is an approach that I never thought of. Also note that wildcard certificates can be useful but will only secure a specific subdomain level.
  • Wednesday, August 16 2017, 08:15 PM
    Looking at the bug, it was downgraded from "minor" to "tweak" and is targeted for 7.4 Beta 1, which hopefully should be in the testing repo fairly soon. A number of my bugs have been bumped from 7.4 Beta 1 to 7.4 updates but this one has not, so I have my fingers crossed.
  • Wednesday, September 13 2017, 03:43 PM
    A basic fix will be available for the upcoming ClearOS 7.4 release. The first "Subject Alternative Name" will be set to the "common name" for now.


    [ req_distinguished_name ]
    commonName = clearos.example.com

    ... snip ...

    [ alt_names ]
    DNS.1 = clearos.example.com


    I'll add a feature request to add support for multiple Subject Alternative Names, but this fix will resolve the Chrome support issue.