Project

General

Profile

Bug #7735

Switching to wildcard cert fails until reboot

Added by Adam Thompson about 1 year ago. Updated 8 months ago.

Status:
Not a Bug
Priority:
Low
Assignee:
Category:
Certificates
Target version:
-
Start date:
07/28/2017
Due date:
% Done:

0%

Estimated time:
Affected Version:
2.3.4
Affected Architecture:
amd64

Description

Steps to reproduce:
1. manually add the Globalsign CA
2. manually add the AlphaSSL intermediate CA
3. manually add a wildcard cert, and name it "*.avant.ca 2017"
4. switch webconfigurator to the new cert

Observe:
A. all browsers now complain about a broken SSL certificate (although they were still able to see the cert chain somehow)
(Sorry, I didn't think to run openssl s_client to gather all the data, but I'm doing this on another firewall in a few minutes so I should be able to gather additional data there.)

Next steps:
5. reboot firewall

Observe:
B. all browsers are now happy with the SSL certificate

Don't know if it has anything to do with using '*' in the name, or if switching certs on the fly is just brokenish. Solved by a reboot anyway, so not a serious problem.

History

#1 Updated by Jim Thompson 12 months ago

  • Assignee set to Jim Pingle
  • Target version set to 2.4.3

#2 Updated by Jim Pingle 9 months ago

  • Target version deleted (2.4.3)

I don't have access to a wildcard certificate to verify this but it's unlikely to be related. Changing a certificate on the fly works fine, I do that regularly with Let's Encrypt switching from self-signed to ACME certs.

The name wouldn't matter because internally the certificates are only referenced by their unique ID.

We'll need to find some better/more reliable way to reproduce this. Let's Encrypt will start supporting wildcards next month so we may have a way to test it then.

#3 Updated by Adam Thompson 8 months ago

I've been unable to reproduce this in the 2.4 stream, so please close either with CAN'T REPRODUCE or FIXED IN 2.4 (or something along those lines).

#4 Updated by Jim Pingle 8 months ago

  • Status changed from New to Not a Bug

Also available in: Atom PDF