Project

General

Profile

Actions

Bug #8059

closed

/etc/ssl/openssl.cnf in 2.4.0 and 2.4.1 is broken

Added by Anonymous almost 4 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Very Low
Assignee:
Category:
Certificates
Target version:
Start date:
11/06/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.x
Affected Architecture:

Description

When using dehydrated (https://github.com/lukas2511/dehydrated) instead of the acme package for requesting LetsEncrypt certificates (because it works with localdir without having to install HAProxy..) it uses /etc/ssl/openssl.cnf.
Every update the commonName is being reset, but that's a 'known issue'.
However, since 2.4.0 the file has been change so much it generates an error when signing the request:

[2.4.1-RELEASE][]/usr/local/src/letsencrypt.sh: ./dehydrated -x -c -d fw.domain.com -d webmail.domain.com -d autodiscover.domain.com
  1. !! WARNING !! No main config file found, using default config! #
    Processing domain.com with alternative names: webmail.domain.com autodiscover.domain.com
    + Checking domain name(s) of existing cert... unchanged.
    + Checking expire date of existing cert...
    + Valid till Dec 21 09:01:00 2017 GMT (Longer than 30 days). Ignoring because renew was forced!
    + Signing domains...
    + Generating private key...
    + Generating signing request...
    problems making Certificate Request
    34380751816:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:/builder/ce-241/tmp/FreeBSD-src/crypto/openssl/crypto/asn1/a_mbstr.c:158:maxsize=2

When I'm using https://github.com/pfsense/pfsense/blob/RELENG_2_3_5/src/etc/ssl/openssl.cnf instead of the 2.4.0 or 2.4.1 version it works:

[2.4.1-RELEASE][]/usr/local/src/dehydrated: ./dehydrated -c -d domain.com -d webmail.domain.com -d fw.domain.com -d autodiscover.domain.com
  1. INFO: Using main config file /etc/dehydrated/config
    Processing domain.com with alternative names: webmail.domain.com fw.domain.com autodiscover.domain.com
    + Signing domains...
    + Generating private key...
    + Generating signing request...
    + Requesting challenge for domain.com...
    + Requesting challenge for webmail.domain.com...
    + Requesting challenge for fw.domain.com...
    + Requesting challenge for autodiscover.domain.com...

It has something to do with "countryName_default" which is outcommented in the 2.3.5 version, but not in the newer.
Just commenting it out doesn't work.

Actions

Also available in: Atom PDF