pfSense Support Subscription

Author Topic: OpenVPN\Certificate Creation SSL Errors  (Read 160 times)

0 Members and 1 Guest are viewing this topic.

Offline secretlycool

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
OpenVPN\Certificate Creation SSL Errors
« on: December 28, 2017, 03:04:47 pm »
Hello All,

I am at a loss.

I upgraded to 2.4.2, and this issue started to occur. When I try to create an internal certificate with the CA for openVPN it creates this error.

The following input errors were detected:
Ľopenssl library returns: error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name
Ľopenssl library returns: error:22097069:X509 V3 routines:DO_EXT_NCONF:invalid extension string
Ľopenssl library returns: error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension

Any ideas?

Thanks,
Colton

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21488
  • Karma: +1456/-26
    • View Profile
Re: OpenVPN\Certificate Creation SSL Errors
« Reply #1 on: December 28, 2017, 03:13:50 pm »
What are the exact inputs you used for each field?
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline secretlycool

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: OpenVPN\Certificate Creation SSL Errors
« Reply #2 on: December 28, 2017, 03:55:32 pm »
Method: Internal Certificate
Descriptive Name : Test Certificate
CA: MyOpenVPNCa
Keylength: 2048
Digest Algorithm:Sha256
Lifetime: 3650
CountryCode:US
State:State Abbreviation
City:MyCity
Organization:MyOrgName
OU: Left blank
Email: User Email
Common Name:Test Certificate
Certificate Type: User Certificate
Alternative Name: Email Address: User Email

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14753
  • Karma: +1372/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: OpenVPN\Certificate Creation SSL Errors
« Reply #3 on: December 29, 2017, 08:33:35 am »
"Common Name:Test Certificate"

Yeah that is not going to work.. Get the same error when you do that... Use something like actual username of the user for the vpn connection... Say secretlycool for example..

Username as CN with spaces not going to be valid since a CN "space" is not a valid character..

-common-name <FQDN or Custom Common Name> - FQDN or Custom Common Name

This specifies the desired certificate name as a fully qualified domain name (FQDN) or custom common name or the name of a person. The supported characters, which are a subset of the ASCII character set, are as follows:

         o   Letters a through z, A through Z
         o   Numbers 0 through 9
         o   Asterisk (*), period (.), underscore (_) and hyphen (-)

         The common name must not start or end with a "-" or a ".". The maximum length is 253 characters.
« Last Edit: December 29, 2017, 08:41:28 am by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline secretlycool

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: OpenVPN\Certificate Creation SSL Errors
« Reply #4 on: December 29, 2017, 08:47:02 am »
On the old build you I have CNs with spaces. But this worked without issue!

Thanks,
Colton

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14753
  • Karma: +1372/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: OpenVPN\Certificate Creation SSL Errors
« Reply #5 on: December 29, 2017, 08:49:20 am »
sorry but a CN with spaces would never be valid.. Its not a valid FQDN...

edit:  Hmmmm You sure you were not adding that as fqdn as SAN... I just tested this and created cn of test cert without any problem..


When I first tested this I got the same exact error.. But now I can not seem to duplicate it.. I was doing some more research and while your fqdn like in a san has to meet those requirements, etc.  common name seems to be able to have a space.. Hmm... Normally CN is a fqdn of the webserver.. But your using this as user cert etc.. So yeah I can see like name John Doe might be appropriate on the cert..

But been trying all kinds of possible combos and can not duplicate this now... Strange...  Wish I would of taken screenshot when got the error..
« Last Edit: December 29, 2017, 09:40:53 am by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14753
  • Karma: +1372/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: OpenVPN\Certificate Creation SSL Errors
« Reply #6 on: December 29, 2017, 09:47:57 am »
Ah ok found it - when you try and add a san of email address it creates those errors..

even the email address format is correct name@domain.com

I had jumped on the CN because normally a CN would have to be a DNS valid name, etc.  But this seems to be where the problem is.. I jumped on that because I am never fan of using spaces in such thing, be it file name or directory name.. Habit from when you never used spaces ;)  Been doing this many many years.  But from what I have seen as to a CN in a user cert sure spaces are valid.. And from above you can see can create them without any issue.  But seems might be a bug.. hate to say that in in the parsing of the email address section for the SAN..

"Alternative Name: Email Address: User Email "

But I can duplicate your problem.. So prob need to file a bug report using this thread as reference..  I can fire up previous versions and see if its a regression, etc.  If your saying you use to create certs with email addresses as SAN before without issue.
« Last Edit: December 29, 2017, 09:53:28 am by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline secretlycool

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
    • View Profile
Re: OpenVPN\Certificate Creation SSL Errors
« Reply #7 on: December 29, 2017, 09:52:54 am »
Only when there is a space in the common though? Seems odd to me. Could be a bug? No Space allowed this to work without issue.

Once again thanks for the help!

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14753
  • Karma: +1372/-202
  • Not a pfSense employee, they cannot fire me...
    • View Profile
Re: OpenVPN\Certificate Creation SSL Errors
« Reply #8 on: December 29, 2017, 09:53:59 am »
Oh so your saying it works with email SAN as long as no space in the CN...  Odd...... hmmmmm
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 21488
  • Karma: +1456/-26
    • View Profile
Re: OpenVPN\Certificate Creation SSL Errors
« Reply #9 on: January 02, 2018, 10:52:03 am »
It's actually not the e-mail address that is the trigger but any SAN in addition to a CN with a space. It tries to copy the CN to the SAN list, but a CN with a space can't make a valid SAN entry, so it ended up with a bunk empty entry due to the way I coded that feature originally.

https://redmine.pfsense.org/issues/8252

I just pushed a fix, should show up in a few minutes.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!