Bug #11652

closed

Unable to renew a certificate without a SAN

Added by Jim Pingle 7 months ago. Updated 6 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 03/10/2021
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.5.0
Affected Architecture:

Description

If a certificate entry has a CN which contains a space, attempting to renew the certificate will result in an error:

  • Create an internal CA
  • Create an internal certificate with a CN of "space test"
  • Click the renew icon for the "space test" certificate
  • Click Renew/Reissue

The page displays the following error:

The following input errors were detected:

Error renewing Certificate

Actions #1

Updated by Jim Pingle 7 months ago

  • Subject changed from Unable to renew a certificate containing a space in the CN to Unable to renew a certificate containing special characters in the CN

This isn't exclusive to space; it also affects other characters which must be escaped for x509, such as "+".

Actions #2

Updated by Jim Pingle 7 months ago

  • Subject changed from Unable to renew a certificate containing special characters in the CN to Unable to renew a certificate without a SAN

Narrowed it down further. The real problem is that a certificate without a SAN cannot be renewed.

Certificates with a CN that contains special characters and that do not have a manually-entered SAN list result in a certificate without a SAN. This is because those types of CN values cannot be mapped to a valid SAN type. The certificate renewal code was assuming any non-CA certificate entry had at least one SAN.

Fix coming shortly.
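
The failure mode described in the comment above, as an added Python example; it is not pfSense code and not part of the original ticket. The SAN classification rules, function names and entry layout are assumptions made for illustration, and the sample entry is constructed from the ticket's reproduction steps.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _is_hostname(value):
    labels = value.split(".")
    return 0 < len(value) <= 253 and all(_LABEL.fullmatch(l) for l in labels)


def san_type_for(value):
    """Return 'IP', 'email' or 'DNS', or None if value fits no SAN type."""
    try:
        ipaddress.ip_address(value)
        return "IP"
    except ValueError:
        pass
    local, at, domain = value.partition("@")
    if at:
        ok = re.fullmatch(r"[^\s@]+", local) and _is_hostname(domain)
        return "email" if ok else None
    return "DNS" if _is_hostname(value) else None


def build_san_list(cn, manual_sans=()):
    """SAN entries derived from the CN plus any manually entered values."""
    sans = []
    for value in (cn, *manual_sans):
        kind = san_type_for(value)
        if kind and (kind, value) not in sans:
            sans.append((kind, value))
    return sans


def renew_naive(entry):
    """Hypothetical renewal that assumes every non-CA entry has a SAN."""
    kind, value = entry["sans"][0]  # IndexError when the list is empty
    return {"cn": entry["cn"], "subjectAltName": f"{kind}:{value}"}


def renew_tolerant(entry):
    """Renewal that omits the SAN extension when no SAN exists."""
    params = {"cn": entry["cn"]}
    if entry["sans"]:
        params["subjectAltName"] = ", ".join(f"{k}:{v}" for k, v in entry["sans"])
    return params


# Constructed sample entry matching the ticket's reproduction steps.
SAMPLE = {"cn": "space test", "sans": build_san_list("space test")}
```
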

Actions #3

Updated by Jim Pingle 7 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Actions #4

Updated by Jim Pingle 7 months ago

  • Status changed from Feedback to Waiting on Merge
  • Target version changed from CE-Next to 2.5.1

Small fix and very likely to be hit in the wild (See https://forum.netgate.com/post/971557 for one example), so good to have sooner rather than later.

Actions #5

Updated by Renato Botelho 7 months ago

  • Status changed from Waiting on Merge to Feedback

Cherry-picked to RELENG_2_5_1

Actions #6

Updated by Viktor Gurov 6 months ago

  • Status changed from Feedback to Resolved

Works as expected on 2.5.1.r.20210330.1803
