Certificate manager doesn't allow wildcards in Subject Alternative Names
Having a wildcard certificate in the DNS Subject Alternative Name is valid, but the pfSense web interface doesn't allow this.
Instead, it displays an error message:
The following input errors were detected:
DNS subjectAltName values must be valid hostnames or FQDNs
Would it be possible to change the error checking of the web interface so wildcard DNS names are allowed in the "DNS subjectAltName" field?
#1 Updated by Daniel Schultheis over 4 years ago
You can achieve this behaviour by modifying the file /etc/inc/util.inc
The problem lies within the is_domain() method which checks if the entered domain is indeed a valid domain string. Search for this method inside /etc/inc/util.inc and replace this line
if (preg_match('/^(?:(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9])\.)*(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9\.])$/i', $domain))
with the following
if (preg_match('/^(?:(?:[a-z_0-9\*]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9])\.)*(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9\.])$/i', $domain))
This will allow a wildcard (*) as the first character allowing you to define wildcard domains in the SAN fields.
I hope this will make it inside the public release at some point.
#2 Updated by Jim Pingle over 4 years ago
That change is unlikely to make it in unless it's in a separate function or a separate option to the function to activate the behavior. Allowing wildcards in that function unconditionally would allow them in other places where they are not functional (e.g. aliases, hostname fields for things like VPN peer addresses, etc).
#3 Updated by Daniel Schultheis over 4 years ago
I've created a patch which now wraps this whole behaviour in a separate function call.
In /usr/local/www/system_certmanager.php a new function is_wildcard_hostname() is called. This function is a copy of is_hostname() in /etc/inc/util.inc which in turn will call a new function is_wildcard_domain() which checks the hostname against the modified regular expression.
#4 Updated by Daniel Schultheis over 4 years ago
I've just optimized the patch a bit to revert back to the original functions which now have an additional $allow_wildcard parameter which defaults to false if not set.
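To make the accept/reject behaviour of the patched check concrete, here is an added example (not pfSense's own code): the original and modified PCRE patterns from comment #1 re-implemented with Python's re module behind an is_domain() that takes the opt-in parameter described in comment #4, plus a hypothetical, stricter SAN check that only admits a wildcard as the entire left-most label, which is the only form RFC 6125 section 6.4.3 tells clients to honour.

```python
import re

# Original is_domain() pattern from util.inc.
DOMAIN_RE = re.compile(
    r'^(?:(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9])\.)*'
    r'(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9\.])$', re.IGNORECASE)

# Patched pattern from comment #1: "*" is allowed as a one-character
# label, but only in a label that is followed by a dot.
WILDCARD_DOMAIN_RE = re.compile(
    r'^(?:(?:[a-z_0-9\*]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9])\.)*'
    r'(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9\.])$', re.IGNORECASE)


def is_domain(domain: str, allow_wildcard: bool = False) -> bool:
    """Mirror of is_domain() with the $allow_wildcard opt-in.

    Callers such as alias or VPN peer fields keep the default and so keep
    rejecting wildcards; only the certificate manager's SAN input would
    pass allow_wildcard=True (the concern raised in comment #2).
    """
    pattern = WILDCARD_DOMAIN_RE if allow_wildcard else DOMAIN_RE
    return pattern.match(domain) is not None


def is_leftmost_wildcard_san(domain: str) -> bool:
    """Hypothetical stricter SAN check, not part of the patch.

    The patched regex also accepts "foo.*.example.com" and
    "*.*.example.com"; those are syntactically fine but clients will not
    match them. Accept a wildcard only as the whole left-most label and
    require the remainder to be an ordinary domain.
    """
    if '*' not in domain:
        return is_domain(domain)
    labels = domain.split('.')
    return labels[0] == '*' and is_domain('.'.join(labels[1:]))


if __name__ == '__main__':
    # Constructed sample inputs.
    for name in ('example.com', '*.example.com', '*example.com',
                 'foo.*.example.com', '**.example.com'):
        print(f'{name:20} default={is_domain(name)!s:5} '
              f'wildcard={is_domain(name, True)!s:5} '
              f'san={is_leftmost_wildcard_san(name)}')
```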
#8 Updated by Chris Buechler over 4 years ago
- Status changed from New to Confirmed
- Priority changed from Low to Normal
- Target version set to 2.3
- Affected Version set to All
Thanks Daniel. Merge request won't cleanly merge anymore, added a note there. If you can get an ICLA on file and submit an updated pull request we'll get that in for 2.3.