Bug #7496

Chrome 58 added cert requirements which make it fail to accept the default self-signed certificates

Added by Ivor Kreso almost 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 04/25/2017
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.3.3_1
Affected Architecture:

Associated revisions

Revision a636256c (diff)
Added by Jim Pingle almost 2 years ago

Always add the CN as the first SAN when creating a certificate in the GUI or an automatic GUI self-signed certificate. Per RFC 2818, relying on the CN to determine the hostname is deprecated, SANs are required. Chrome 58 started enforcing this requirement. Fixes #7496

Revision cad0d5bc (diff)
Added by Jim Pingle almost 2 years ago

Always add the CN as the first SAN when creating a certificate in the GUI or an automatic GUI self-signed certificate. Per RFC 2818, relying on the CN to determine the hostname is deprecated, SANs are required. Chrome 58 started enforcing this requirement. Fixes #7496

Revision c1a42e25 (diff)
Added by Jim Pingle almost 2 years ago

Always add the CN as the first SAN when creating a certificate in the GUI or an automatic GUI self-signed certificate. Per RFC 2818, relying on the CN to determine the hostname is deprecated, SANs are required. Chrome 58 started enforcing this requirement. Fixes #7496

History

#1 Updated by Jim Pingle almost 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Jim Pingle almost 2 years ago

This fix will be in 2.4 and 2.3.4 snapshots shortly. To apply the fix early, or to apply the fix to existing 2.3.3-p1 systems, follow these steps:

  • Install the System Patches package ( https://doc.pfsense.org/index.php/System_Patches )
  • Add a new patch under System > Patches
  • Give it a Description such as "certsanfix"
  • Enter the appropriate URL/Commit ID for the firewall version:
    • 2.4 snapshots: a636256cf9a7e27cf5d26c7677d0b7961e0fb143
    • 2.3.4 snapshots: cad0d5bc8da8034c4fa7f41e5476a80b0c38b04f
    • 2.3.3-RELEASE-p1: c1a42e25a35b16821eaf88418c449741d1638c00
  • Set Path Strip Count to 2 (this should be set automatically on save, but do it anyhow just in case)
  • Click Save
  • Click Fetch on the patch entry in the list
  • Click Apply on the patch entry in the list
  • Open a console or shell prompt, enter option 8 for the shell
  • Run the following command:
    pfSsh.php playback generateguicert

The firewall will generate and activate a fresh GUI certificate.

Connect to the GUI with a browser to test.
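
Besides the browser test, the regenerated certificate can be checked directly for the CN-as-SAN property this fix introduces. The following is an added example, not part of the comment above and not pfSense code: it reads an exported PEM certificate with the `openssl` CLI. The function names, the certificate path argument and the sample hostnames are assumptions; `make_sample_cert` only builds constructed test certificates.

```shell
#!/bin/sh
# Added example (not pfSense code): check that a certificate's CN also appears
# as a subjectAltName, which Chrome 58+ needs for hostname matching.

# Print the certificate's commonName (the last one in the subject).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | tail -n 1
}

# Print one value per line for each DNS and IP Address SAN entry.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' |
        sed -n -e 's/^ *DNS://p' -e 's/^ *IP Address://p'
}

# Return 0 if the CN is listed among the SANs, 1 if not, 2 if no CN was read.
cn_in_san() {
    cn=$(cert_cn "$1") || return 2
    [ -n "$cn" ] || return 2
    cert_sans "$1" | grep -qixF -- "$cn"
}

# Constructed sample input: self-signed certificate with CN $1, optional
# SAN list $2 (e.g. "DNS:fw.example.test"), written to file $3.
make_sample_cert() {
    cnf=$(mktemp)
    key=$(mktemp)
    {
        printf '[req]\ndistinguished_name=dn\nprompt=no\n'
        if [ -n "$2" ]; then printf 'x509_extensions=ext\n'; fi
        printf '[dn]\nCN=%s\n' "$1"
        if [ -n "$2" ]; then printf '[ext]\nsubjectAltName=%s\n' "$2"; fi
    } > "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cnf" \
        -keyout "$key" -out "$3" 2>/dev/null
    rm -f "$cnf" "$key"
}

# With a path argument, report on that certificate (path supplied by the user).
if [ "$#" -ge 1 ]; then
    if cn_in_san "$1"; then echo "OK: CN present in SAN"
    else echo "FAIL: CN missing from SAN"; fi
fi
```

The comparison is an exact, case-insensitive match of the CN against each SAN entry, which is the property the fix establishes; it does not evaluate wildcard SANs.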

#3 Updated by Kill Bill almost 2 years ago

It would probably be good to show the SANs in the Cert. Manager (in place of/in addition to the CN) -- somehow that doesn't seem to be the case (at least looking at the certs produced by the ACME package).

Likely better handled with a separate ticket though.

#4 Updated by Jim Pingle almost 2 years ago

That's on my to-do list as well, I was thinking a "view certificate" icon/operation may be more useful, to print all of the properties in the certificate.

#5 Updated by Konstantin K almost 2 years ago

Hello!
Certificates work fine for Chrome 58 if you also add the CN in 'Alternative Names' -> 'FQDN or Hostname'.

#6 Updated by Jim Pingle almost 2 years ago

  • Status changed from Feedback to Resolved

Works OK in snapshots, reports of others showing it works as well. Seems to be solid. Closing.
