Bug #10362

Error renewing cert if SAN contains IP Address

Added by Viktor Gurov 8 months ago. Updated 7 months ago.

Status: Resolved
Priority: Normal
Category: Certificates
Target version:
Start date: 03/20/2020
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.5.0
Affected Architecture:
Description

Example SAN: DNS:tkWAN2, IP Address:10.123.123.4

If I try to renew it, I get the message 'Error renewing Certificate' and:

PHP Errors:
PHP Warning:  in_array() expects parameter 2 to be array, null given in /etc/inc/certs.inc on line 1658
PHP Warning:  openssl_csr_new(): Error loading extensions_section section server_san of /etc/ssl/openssl.cnf in /etc/inc/certs.inc on line 1682
PHP Warning:  openssl_csr_new(): Error loading extensions_section section server_san of /etc/ssl/openssl.cnf in /etc/inc/certs.inc on line 1682

pfSense 2.5.0.a.20200319.0930

Associated revisions

Revision 3fdd559e (diff)
Added by Viktor Gurov 7 months ago

Renew cert with IP Address SAN. Issue #10362

History

#1 Updated by Viktor Gurov 7 months ago

https://www.openssl.org/docs/manmaster/man5/x509v3_config.html#Subject-Alternative-Name:

The subject alternative name extension allows various literal values to be included in the configuration file.
These include email (an email address) URI a uniform resource indicator, DNS (a DNS domain name),
RID (a registered ID: OBJECT IDENTIFIER), IP (an IP address), dirName (a distinguished name) and otherName

Correct SAN is IP, not IP Address

Fix:
https://github.com/pfsense/pfsense/pull/4244
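
Added example, not part of the issue thread and not the code from the pull request: one way to turn a SAN string in the form OpenSSL displays it (as in the example SAN above) into the keyword form that x509v3_config accepts, failing closed on anything it cannot map. The function name `san_display_to_config()` and the mapping constant are hypothetical; the display labels are the ones OpenSSL prints for these name types.

```php
<?php
// Added example, not pfSense code. Maps the labels OpenSSL prints when it
// displays a subjectAltName extension to the keywords x509v3_config accepts.
const SAN_DISPLAY_TO_CONFIG = [
    'DNS'           => 'DNS',
    'IP Address'    => 'IP',
    'email'         => 'email',
    'URI'           => 'URI',
    'Registered ID' => 'RID',
];

/**
 * Convert a displayed SAN string into a subjectAltName config value.
 * Throws on any entry it cannot map or validate, so a value that OpenSSL
 * would reject (or misread) is never written into the config section.
 */
function san_display_to_config(string $displayed): string
{
    $out = [];
    foreach (explode(',', $displayed) as $entry) {
        $entry = trim($entry);
        if ($entry === '') {
            continue;
        }
        // Split on the first colon only: IPv6 values contain more colons.
        $pos = strpos($entry, ':');
        if ($pos === false) {
            throw new InvalidArgumentException("SAN entry without a type label: {$entry}");
        }
        $label = substr($entry, 0, $pos);
        $value = substr($entry, $pos + 1);
        if (!array_key_exists($label, SAN_DISPLAY_TO_CONFIG)) {
            throw new InvalidArgumentException("Unsupported SAN type: {$label}");
        }
        // Control characters could break out of the config line.
        if ($value === '' || preg_match('/[\x00-\x1f]/', $value)) {
            throw new InvalidArgumentException("Invalid SAN value for {$label}");
        }
        if ($label === 'IP Address' && filter_var($value, FILTER_VALIDATE_IP) === false) {
            throw new InvalidArgumentException("Not an IP address: {$value}");
        }
        $out[] = SAN_DISPLAY_TO_CONFIG[$label] . ':' . $value;
    }
    return implode(', ', $out);
}

// Constructed samples: the SAN from this report, then an IPv6 and an email entry.
echo san_display_to_config('DNS:tkWAN2, IP Address:10.123.123.4'), "\n";
echo san_display_to_config('IP Address:2001:DB8:0:0:0:0:0:1, email:admin@example.com'), "\n";
```

Values that themselves contain a comma (a URI, for instance) are split into fragments and rejected rather than passed through.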

#2 Updated by Jim Pingle 7 months ago

  • Status changed from New to Pull Request Review

#3 Updated by Renato Botelho 7 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#4 Updated by Viktor Gurov 7 months ago

  • Status changed from Feedback to Resolved

renewing is OK on 2.5.0.a.20200321.2101