Bug #7735
closed
Switching to wildcard cert fails until reboot
Description
Steps to reproduce:
1. manually add the Globalsign CA
2. manually add the AlphaSSL intermediate CA
3. manually add a wildcard cert, and name it "*.avant.ca 2017"
4. switch webconfigurator to the new cert
Observe:
A. all browsers now complain about a broken SSL certificate (although they were still able to see the cert chain somehow)
(Sorry, I didn't think to run openssl s_client to gather all the data, but I'm doing this on another firewall in a few minutes so I should be able to gather additional data there.)
Next steps:
5. reboot firewall
Observe:
B. all browsers are now happy with the SSL certificate
Don't know if it has anything to do with using '*' in the name, or if switching certs on the fly is just brokenish. Solved by a reboot anyway, so not a serious problem.
Updated by Jim Thompson over 6 years ago
- Assignee set to Jim Pingle
- Target version set to 2.4.3
Updated by Jim Pingle over 6 years ago
- Target version deleted (2.4.3)
I don't have access to a wildcard certificate to verify this, but it's unlikely to be related. Changing a certificate on the fly works fine; I do that regularly with Let's Encrypt, switching from self-signed to ACME certs.
The name wouldn't matter because internally the certificates are only referenced by their unique ID.
We'll need to find some better/more reliable way to reproduce this. Let's Encrypt will start supporting wildcards next month so we may have a way to test it then.
Updated by Adam Thompson about 6 years ago
I've been unable to reproduce this in the 2.4 stream, so please close either with CAN'T REPRODUCE or FIXED IN 2.4 (or something along those lines).