Bug #8059

/etc/ssl/openssl.cnf in 2.4.0 and 2.4.1 is broken

Added by void necron almost 3 years ago. Updated almost 3 years ago.

Status: Resolved
Priority: Very Low
Category: Certificates
Assignee: Jim Pingle
Target version: 2.4.2
% Done: 100
Affected Version: 2.4.x


When using dehydrated instead of the acme package for requesting LetsEncrypt certificates (because it works with localdir without having to install HAProxy) it uses /etc/ssl/openssl.cnf.
Every update the commonName is being reset, but that's a 'known issue'.
However, since 2.4.0 the file has been changed so much it generates an error when signing the request:

[2.4.1-RELEASE][]/usr/local/src/ ./dehydrated -x -c -d -d -d
    # !! WARNING !! No main config file found, using default config!
    Processing with alternative names:
    + Checking domain name(s) of existing cert... unchanged.
    + Checking expire date of existing cert...
    + Valid till Dec 21 09:01:00 2017 GMT (Longer than 30 days). Ignoring because renew was forced!
    + Signing domains...
    + Generating private key...
    + Generating signing request...
    problems making Certificate Request
    34380751816:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:/builder/ce-241/tmp/FreeBSD-src/crypto/openssl/crypto/asn1/a_mbstr.c:158:maxsize=2

When I'm using instead of the 2.4.0 or 2.4.1 version it works:

[2.4.1-RELEASE][]/usr/local/src/dehydrated: ./dehydrated -c -d -d -d -d
    # INFO: Using main config file /etc/dehydrated/config
    Processing with alternative names:
    + Signing domains...
    + Generating private key...
    + Generating signing request...
    + Requesting challenge for
    + Requesting challenge for
    + Requesting challenge for
    + Requesting challenge for

It has something to do with "countryName_default", which is commented out in the 2.3.5 version, but not in the newer one.
Just commenting it out doesn't work.

Associated revisions

Revision 3414dea1 (diff)
Added by Jim Pingle almost 3 years ago

Restore some customizations to openssl.cnf, otherwise it cannot generate a certificate. Fixes #8059

We set prompt=no, so most of these values will cause an error when openssl commands are run directly.
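
The failure the commit message describes, reproduced as an added example (shell; this is not pfSense code and not taken from the bug report): two minimal openssl.cnf files, one combining prompt = no with the stock prompt-style [req_distinguished_name] entries, one with the literal values that prompt = no requires. The temp-directory paths and the subject values (US, Somewhere, Example Org, example.invalid) are constructed for the demonstration and do not come from the page.

```shell
#!/bin/sh
# Added example, not code from pfSense or from the bug report: rebuild the
# failure described in #8059 with two minimal openssl.cnf files and show
# why "prompt = no" turns prompt-style DN entries into a hard error.
# Paths and subject values below are constructed for the demonstration.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One RSA key, reused for both requests so the only variable is the config.
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null

# Config 1 (the 2.4.0/2.4.1-style mix): prompt = no together with the
# prompt-style entries from the stock OpenSSL config. In no-prompt mode
# openssl req does not treat "countryName = Country Name (2 letter code)"
# as a prompt string; it takes it literally as the value of countryName,
# and a 28-character countryName exceeds the 2-byte ASN.1 limit
# ("string too long ... maxsize=2").
cat > "$WORK/broken.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Somewhere
organizationName = Organization Name (eg, company)
organizationName_default = Example Org
commonName = Common Name (eg, your server hostname)
commonName_default = example.invalid
EOF

# Config 2 (what the fix restores): with prompt = no every entry must be a
# literal "field = value"; the prompt text and *_default entries go away.
cat > "$WORK/fixed.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Somewhere
organizationName = Example Org
commonName = example.invalid
EOF

# Run "openssl req -new" against one of the configs ($1 = broken | fixed).
# Prints "ok" when a CSR was written, "string too long" for the ASN.1
# length failure, and "other error" for anything else. The if-assignment
# keeps a non-zero exit status from aborting a script run under "set -e".
csr_result() {
    if out=$(openssl req -new -key "$WORK/key.pem" -config "$WORK/$1.cnf" \
                 -out "$WORK/$1.csr" 2>&1); then
        echo "ok"
    elif printf '%s\n' "$out" | grep -q 'string too long'; then
        echo "string too long"
    else
        echo "other error"
    fi
}

# Subject line of a generated CSR, to check what actually went into it.
csr_subject() {
    openssl req -in "$WORK/$1.csr" -noout -subject
}

echo "broken.cnf: $(csr_result broken)"   # string too long
echo "fixed.cnf:  $(csr_result fixed)"    # ok
echo "fixed.cnf subject: $(csr_subject fixed)"
```

This is the same error the report shows (maxsize=2 is the countryName length limit), and it is why commenting out only countryName_default does not help: with prompt = no the offending entry is countryName itself, whose prompt text becomes the field value. The req(1) manual states the rule the second file follows: when prompt is set to no, the distinguished_name section holds the actual field values, not prompts and defaults. Inspecting the subject of the generated CSR, as the last line does, is the quick check for the "bunk info" problem raised in comment #2 before handing a request to any CA.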


#1 Updated by Jim Pingle almost 3 years ago

  • Category set to Certificates
  • Status changed from New to Confirmed
  • Assignee set to Jim Pingle
  • Priority changed from Normal to Very Low
  • Target version set to 2.4.2
  • Affected Version set to 2.4.x

It is not broken, it works fine when you use it in a supported way (read: use the GUI or the ACME package).

Nonetheless, I'll look into it. There are some differences there, but I'll have to check on why those changes were made.

#2 Updated by Jim Pingle almost 3 years ago

I just pushed a fix for this, but a few important points need to be made:

1. The ACME package works fine serving from a local webroot without haproxy. Whatever you read about requiring haproxy was wrong. But exposing your firewall's web server to the Internet is an awful idea. Using 'standalone' mode in ACME will fire up a service only when needed, which is better, but still not ideal. That may also be what dehydrated does but I'm not familiar with that client. Still, it's entirely unnecessary to use it when the ACME package will work properly and hook into the GUI and other places naturally.
2. Generating a certificate in the way that caused the original error will undoubtedly have filled the CSR with bunk info (a generic city/state/company/etc), which may be ignored by ACME when they sign your certificate, but could cause problems for anyone using openssl at the CLI directly using the default configuration file.

#3 Updated by Jim Pingle almost 3 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#4 Updated by void necron almost 3 years ago

Jim Pingle wrote:

Applied in changeset 3414dea15b2f31099ef2ec962c2062ae95080a0e.

Hi Jim,

Thanks for the fix!
1) I'll look into the local webroot part again, but I couldn't get it to work in the first run (invalid response issue). What I do is during the certificate request open the firewall port for the http check and disable the port 80 rule once the request/validation was completed. I'm aware of the risk but thanks for pointing it out.
2) Could be. I'll make sure the creator of dehydrated reads this redmine to make sure his software doesn't fsck things up as well.

Again, thanks for the time to fix this!


#5 Updated by Jim Pingle almost 3 years ago

  • Status changed from Feedback to Resolved
