Bug #24272

Fix import of certificates converted from CSRs

Added by Kevin Morris almost 4 years ago. Updated over 3 years ago.

Status:
Resolved
Priority:
Expected
Assignee:
Suraj Ravichandran
Category:
Middleware
Target version:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

An externally signed certificate has been created through a Certificate Signing Request in System->Certificates.

This certificate is not available in the UI at System->General to select for use as the HTTPS certificate.

https://forums.freenas.org/index.php?threads/ssl-certificate-not-listed-in-system-general-certificate.54955/

SystemCertificates.PNG (14.4 KB) Kevin Morris, 05/31/2017 02:02 PM
FreeNasCertCapture.JPG (149 KB) Sal Martinez, 05/31/2017 03:21 PM
Screen Shot 2017-08-28 at 3.48.19 PM.png (49.5 KB) Bonnie Follweiler, 08/28/2017 12:49 PM

Related issues

Related to FreeNAS - Bug #21395: Can't select installed certificates after updating to 9.10.2 (Closed: Duplicate, 2017-02-22)
Has duplicate FreeNAS - Bug #22315: Can't choose cert from cert menu in settings (Closed: Duplicate, 2017-03-16)

Associated revisions

Revision 029d0933 (diff)
Added by Suraj Ravichandran over 3 years ago

Fix faulty exclusion logic that was causing CSRs to be rejected even after they were converted to full-blown certificates. Ticket: #24272

Revision bf684d6c (diff)
Added by Suraj Ravichandran over 3 years ago

Fix faulty exclusion logic that was causing CSRs to be rejected even after they were converted to full-blown certificates. Ticket: #24272 (cherry picked from commit 029d0933c2f822a488f68392bbb14147e1a15354)

Revision 19d1c306 (diff)
Added by Suraj Ravichandran over 3 years ago

Fix faulty exclusion logic that was causing CSRs to be rejected even after they were converted to full-blown certificates. Ticket: #24272

History

#1 Updated by Kevin Morris almost 4 years ago

  • Subject changed from SSL Certificate Does not Populate to the System->General Page; Certificat: Drop-down to SSL Certificate Does not Populate to the System->General Page; Certificate: Drop-down

#2 Updated by Suraj Ravichandran almost 4 years ago

  • Status changed from Unscreened to 15
  • Priority changed from No priority to Important

If it's still a CSR then it will not list in the certificate drop-down menu; you have to promote it to proper cert level for that.

Please check that and get back to me.

#3 Updated by Kevin Morris almost 4 years ago


#4 Updated by Kevin Morris almost 4 years ago

The CSR does have the signed certificate associated. The certificate information is populated to the System->Certificates page.

#5 Updated by Suraj Ravichandran almost 4 years ago

Can you elaborate on what "The CSR does have the signed certificate associated." means?

All I want to know is: is it still a cert signing req or a signed cert?

It would help if you wrote down the exact steps you took to get to this point.

Thanks

#6 Updated by Sal Martinez almost 4 years ago

Oddly enough, I am in the same position. Doing a Google search a few hours ago, I stumbled upon this bug.

We also created an external CA signed certificate based on a CSR. On mine we added the certificate along with the subordinate and root certificates.

Do we need to restart web services or something?

#7 Updated by Kevin Morris almost 4 years ago

'gainesville' is a signed certificate.

I created the CSR on the Certificates tab.
I edited the CSR to copy the base 64 request.
I signed the base 64 request externally adding subject alternative names of a short name, fully qualified domain name, and IP address.
I pasted the resulting certificate into the CSR and saved it.
The certificates page then showed the certificate as I pasted in my last edit.
I navigated to system General but the certificate was not available in the certificate dropdown field on that page.

I have restarted nginx and Django but this did not help.

#8 Updated by Suraj Ravichandran almost 4 years ago

  • Status changed from 15 to Screened
  • Priority changed from Important to Expected
  • Target version set to 11.1

@kevin thanks for the steps (just wanted to ensure that you were using the correct flow here).

Seems like a bug to me.

I shall work on it post getting back from my time off.

#9 Updated by Alex S almost 4 years ago

I encountered this as well. Here is what I did:

  • Created a CA
  • Created a certificate signed by internal CA from above
  • Turned on HTTPS
  • Created a 4096-bit CSR under certificates tab
  • Sent CSR to InCommon and got a certificate back
  • Opened certificate and pasted in certificate
  • New certificate does not show in general tab as an option (but internal-ca signed one does)

Then I exported the certificate and private key, saved them, and used 'import certificate' to import them again under a new name. That worked (and is a workaround for anyone encountering this bug).

Running FreeNAS-9.10.2-U2 (e1497f2)

#10 Updated by Kevin Morris almost 4 years ago

Confirmed that the workaround posted by Alex is working. Exported key and certificate. Deleted. Imported. And was able to assign the certificate for https.

#11 Updated by Rex Wheeler almost 4 years ago

I ran into the same issue. I created a CSR from FreeNAS, edited the cert to obtain the CSR, had that CSR signed by my CA, pasted the resultant certificate from my CA into the certificate field in FreeNAS and observed that the certificate was not available to assign to the GUI (even though it is in /etc/certificates). After exporting the newly created certificate and private key and re-importing them (with a new identifier), the new identifier was available in the GUI for use (and the original cert still was not).

I am on 11.0 RC3. My CA is a Windows Server CA using a copy of the default Web Server template that has been modified to allow key export.

Interestingly if I dump out the crt files in /etc/certificates for both the original certificate and the imported certificate I get the same decoded file:

openssl x509 -in original.crt -text > c1.txt
openssl x509 -in reimported.crt -text > c2.txt
diff c1.txt c2.txt

The diff shows they are the same certificate. I assume that there is something "special" that happens upon import.
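
Added example (not part of the ticket or of FreeNAS): the text-dump comparison in comment #11 can be done more strictly with SHA-256 fingerprints, and the paste-back flow from comment #7 can be checked by confirming that the returned certificate carries the same public key as the CSR and the private key. File names, subjects and SAN values below are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the ticket). File names, subjects and SANs are constructed.

# Print the SHA-256 of the DER public key found in a key, CSR or certificate.
pubkey_hash() {  # usage: pubkey_hash key|csr|cert FILE
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1   # unreadable input must never compare equal
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if CERT carries the public key of both the CSR and the private key.
cert_matches_request() {  # usage: cert_matches_request CERT CSR KEY
    c=$(pubkey_hash cert "$1") && r=$(pubkey_hash csr "$2") &&
        k=$(pubkey_hash key "$3") && [ "$c" = "$r" ] && [ "$c" = "$k" ]
}

# SHA-256 fingerprint of the certificate's DER bytes (stricter than diffing -text).
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Build constructed demo material in DIR: CA, key + CSR, signed cert, re-encoded copy.
make_demo_files() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Demo CA" -days 30 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout nas.key -out nas.csr \
        -subj "/CN=nas.example.test" 2>/dev/null
    printf 'subjectAltName=DNS:nas,DNS:nas.example.test,IP:192.0.2.10\n' > san.cnf
    openssl x509 -req -in nas.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -extfile san.cnf -out nas.crt 2>/dev/null
    openssl x509 -in nas.crt -outform DER | openssl x509 -inform DER -out reimported.crt
    openssl genrsa -out other.key 2048 2>/dev/null
)

demo_dir=$(mktemp -d) && make_demo_files "$demo_dir"
cert_matches_request "$demo_dir/nas.crt" "$demo_dir/nas.csr" "$demo_dir/nas.key" &&
    echo "certificate matches CSR and private key"
[ "$(cert_fingerprint "$demo_dir/nas.crt")" = "$(cert_fingerprint "$demo_dir/reimported.crt")" ] &&
    echo "original and re-imported copies are the same certificate"
rm -rf "$demo_dir"
```

If both checks pass for a certificate that still cannot be selected, the certificate material is sound and the problem lies in how the record is listed.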

#12 Updated by Suraj Ravichandran almost 4 years ago

I have resumed my work, and shall work on this ticket this week (i.e. today and tomorrow).

#13 Updated by Suraj Ravichandran almost 4 years ago

  • Target version changed from 11.1 to 11.0-U1

bumping to 11.0-U1

#14 Updated by Suraj Ravichandran almost 4 years ago

  • Has duplicate Bug #22315: Can't choose cert from cert menu in settings added

#15 Updated by Vaibhav Chauhan almost 4 years ago

  • Target version changed from 11.0-U1 to 11.0-U2

#16 Updated by Vaibhav Chauhan almost 4 years ago

  • Target version changed from 11.0-U2 to 11.0-U3

#17 Updated by Suraj Ravichandran over 3 years ago

  • Status changed from Screened to Needs Developer Review
  • Assignee changed from Suraj Ravichandran to William Grzybowski

Please review this when you get the chance.

Thanks!

https://github.com/freenas/freenas/pull/242

#18 Updated by William Grzybowski over 3 years ago

  • Status changed from Needs Developer Review to Reviewed by Developer
  • Assignee changed from William Grzybowski to Suraj Ravichandran

#19 Updated by Suraj Ravichandran over 3 years ago

@Release Engineer: https://github.com/freenas/freenas/pull/244 PR for stable branch.

#20 Updated by Vaibhav Chauhan over 3 years ago

  • Status changed from Reviewed by Developer to 47

#21 Updated by Dru Lavigne over 3 years ago

  • Subject changed from SSL Certificate Does not Populate to the System->General Page; Certificate: Drop-down to Fix import of certificates converted from CSRs

#22 Updated by Bonnie Follweiler over 3 years ago


See Screenshot

#23 Updated by Dru Lavigne over 3 years ago

  • Assignee changed from Vaibhav Chauhan to Suraj Ravichandran

#24 Updated by Dru Lavigne over 3 years ago

  • Status changed from Ready For Release to Resolved

#25 Updated by Dru Lavigne over 3 years ago

  • Related to Bug #21395: Can't select installed certificates after updating to 9.10.2 added
