Bug #14068

Importing Chained Cert Data into the System --> Cert Manager --> Certificates Breaks Authentication

Added by Kris Phillips almost 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Certificates
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Release Notes: Default
Affected Plus Version: 23.01
Affected Architecture: All

Description

Previously, including the entire CA chain as well as the client certificate in the certificate under System --> Cert Manager --> Certificates, rather than breaking out every CA in the chain into individual entries, would allow authentication. However, now 23.01 responds with "Unknown CA" if you try this. Taking the entries and breaking them into one or multiple CAs and a separate client certificate resolves this issue.

Actions #1

Updated by Jim Pingle almost 2 years ago

  • Status changed from New to Feedback

Allowing multiple CAs in a single entry was always a hackish workaround for things that didn't support chains. Importing them separately is the proper solution.

However, now 23.01 responds with "Unknown CA" if you try this.

What exactly gives this error message? The CA manager? Cert manager? OpenVPN? Something else?

At this point I'd say whatever doesn't support chains of separate entries should be fixed to support chains and we shouldn't support stuffing the entries together like this anymore. They could maybe be identified and separated on upgrade if need be.

Actions #2

Updated by Kris Phillips almost 2 years ago

Jim Pingle wrote in #note-1:

Allowing multiple CAs in a single entry was always a hackish workaround for things that didn't support chains. Importing them separately is the proper solution.

However, now 23.01 responds with "Unknown CA" if you try this.

What exactly gives this error message? The CA manager? Cert manager? OpenVPN? Something else?

At this point I'd say whatever doesn't support chains of separate entries should be fixed to support chains and we shouldn't support stuffing the entries together like this anymore. They could maybe be identified and separated on upgrade if need be.

The message of "Unknown CA" is what pfSense is sending to the remote host. This was captured in a packet capture on the interface that the LDAPS authentication was exiting.

Actions #3

Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to Closed

Kris Phillips wrote in #note-2:

The message of "Unknown CA" is what pfSense is sending to the remote host. This was captured in a packet capture on the interface that the LDAPS authentication was exiting.

So it's only when pfSense is authenticating against an LDAP server with TLS?

LDAP was not mentioned at all in the original subject or description.

Given the way the LDAP client wants to read certificate data, it has to be chained properly, which the code already handles. Splitting the entry up is the correct solution since that was an old workaround that was only needed before chains were properly supported.

Trying to detect multiple CA entries stuffed together and breaking them out just to stitch them back together would be a ton of work to support something nobody should be doing anymore.
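As an added example (not pfSense code), the kind of pre-check an administrator could run on a concatenated bundle before importing its parts as separate CA and certificate entries: it splits the PEM blocks, refuses anything that is not a CERTIFICATE block (a pasted private key, for instance), and verifies that each one decodes to a single well-formed DER SEQUENCE. The sample bundle is constructed from minimal DER stand-ins rather than real certificates, and the function names are mine.

```python
import base64
import re
from typing import List

# One PEM block: captures the BEGIN label, the base64 body and the END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def der_length(der: bytes) -> int:
    """Return the total encoded length of the outer DER TLV, or -1 if malformed."""
    if len(der) < 2 or der[0] != 0x30:  # an X.509 Certificate is a SEQUENCE
        return -1
    first = der[1]
    if first < 0x80:  # short-form length
        return 2 + first
    n = first & 0x7F  # long-form: n following bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def make_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes in PEM armor with 64-column lines (used to build the sample)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def split_pem_bundle(bundle: str) -> List[str]:
    """Split a concatenated bundle into separate, individually checked CERTIFICATE blocks."""
    certs = []
    for m in PEM_BLOCK.finditer(bundle):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ValueError(f"mismatched PEM labels: BEGIN {begin} / END {end}")
        if begin != "CERTIFICATE":  # never let key material ride along into a cert entry
            raise ValueError(f"refusing non-certificate block: {begin}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError("PEM body is not valid base64") from exc
        if der_length(der) != len(der):  # truncated, padded or not a single SEQUENCE
            raise ValueError("decoded DER is not a single well-formed SEQUENCE")
        certs.append(m.group(0).strip())
    if not certs:
        raise ValueError("no PEM certificate blocks found")
    return certs


# Constructed stand-ins for a leaf cert followed by its CA: minimal DER SEQUENCEs,
# not real X.509 certificates, just enough to exercise the checks above.
SAMPLE_BUNDLE = make_pem(b"\x30\x03\x02\x01\x01") + make_pem(b"\x30\x05\x02\x03\x01\x02\x03")
```

Each returned block can then be imported on its own (CAs under the CA manager, the end-entity certificate under Certificates), which is the layout the LDAP client expects.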
