Bug #24593

Clarify tooltips for Certificates and Certificate Authorities

Added by Suraj Ravichandran over 3 years ago. Updated over 2 years ago.

Status: Done
Priority: Important
Assignee: Timothy Moore II
Category: GUI (new)
Seen in:
Severity:
Reason for Closing:
Reason for Blocked: Waiting for feedback
Needs QA: Yes
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: Yes

Description

As of now, the tooltips on the cert, CA, and interCA create forms all have the following text:

"Common Name (eg, FQDN of FreeNAS server or service)" 

This is because their forms all inherit this help text from the CertificateBase model's cert_common field.

As a result, what can happen is as follows:

1. The user creates an internal CA with a common name as that of the FQDN of his FreeNAS box.
2. (this step is optional) They then continue to either create an interCA using the CA created in step 1, giving this interCA the same common name.
3. They create an endpoint cert using either the CA or the interCA from step 1 or 2 above. For this cert also they give the same common name.
4. They use the cert created in step 3 for making the webui https.
5. When they try to access the FreeNAS box from Chrome, we present Chrome with a chain of certs all the way back to the earliest we have in our FreeNAS system, i.e. endpoint cert + CA or endpoint cert + interCA + CA.
6. This results in the chain of pubkeys containing the same common name and throws off browsers like Chrome, resulting in the user not being able to access the site.

So what we should do is the following:
1. Either change the base help text string located at https://github.com/freenas/freenas/blob/master/gui/system/models.py#L725 to elaborately state that while you can use the FQDN for the common name it cannot be the same for any cert in this above-mentioned chain.
NOTE: keep in mind that the common name of the end point cert (in our example it is the webui cert) should match the dns at which we are trying to reach the box. For example, if our FreeNAS webui is located at myfreenasbox.ixsystems.com then the common name of the webui cert should also be "myfreenasbox.ixsystems.com"

2. Change individual text help strings for CA creation, interCA creation, cert, and lastly even CSR creation forms while still somehow conveying the above message. These are located at the following places in the code:
CA: https://github.com/freenas/freenas/blob/master/gui/system/forms.py#L2699
interCA: https://github.com/freenas/freenas/blob/master/gui/system/forms.py#L2814
CSR: https://github.com/freenas/freenas/blob/master/gui/system/forms.py#L3333
cert: https://github.com/freenas/freenas/blob/master/gui/system/forms.py#L3177

If I was unable to convey my point in the above text, please reach out via telegram.

Also, I will try and think if I can find any way to programmatically prompt a message to the user in case he/she is entering the same common_name as previously used in the cert chain.

This ticket arose from a discussion about certs/CAs over at https://bugs.freenas.org/issues/24584


Related issues

Related to FreeNAS - Bug #24584: Certificate Issue - Bug #6864 regression? (Closed: Behaves correctly, 2017-06-16)

History

#1 Updated by Suraj Ravichandran over 3 years ago

  • Related to Bug #24584: Certificate Issue - Bug #6864 regression? added

#2 Updated by Warren Block over 3 years ago

  • Status changed from Unscreened to Screened

#3 Updated by Bonnie Follweiler almost 3 years ago

  • Needs QA changed from Yes to No
  • QA Status Test Passes FreeNAS added
  • QA Status deleted (Not Tested)

#4 Updated by Warren Block almost 3 years ago

  • Subject changed from Tooltips for Certificate's and Certificate Authority's create forms should have the same help text for the common name field to Tooltips for Certificates and Certificate Authorities create forms should have the same help text for the common name field

#5 Updated by Bonnie Follweiler almost 3 years ago

  • ChangeLog Required changed from No to Yes
  • Needs QA changed from No to Yes
  • QA Status deleted (Test Passes FreeNAS)

#6 Updated by Dru Lavigne almost 3 years ago

  • Target version changed from 11.1 to 11.1-U1

#7 Updated by Dru Lavigne almost 3 years ago

  • Target version changed from 11.1-U1 to 11.2-BETA1

Punting to the new UI tooltips.

#8 Updated by Dru Lavigne over 2 years ago

  • Status changed from Screened to Not Started
  • Assignee changed from Warren Block to Timothy Moore II

Tim: please ensure that the new UI tooltips are correct.

#9 Updated by Timothy Moore II over 2 years ago

  • Status changed from Not Started to Blocked
  • % Done changed from 0 to 50
  • Reason for Blocked set to Waiting for feedback

Created pull request #325 to ensure text of `Common Name` tooltip matches across every form under System/CAs and System/Certificates. This tooltip is based off the latest documentation in the FreeNAS User Guide (11.1-U1).

Does the description of the "Common Name" field in the User Guide, and thus the related tooltips, need to be updated further?

#10 Updated by Timothy Moore II over 2 years ago

  • Status changed from Blocked to Done
  • % Done changed from 50 to 100

Ok, after discussing the issue with Vladimir, I've submitted pull request #50 in freenas/freenas-docs (https://github.com/freenas/freenas-docs/pull/50) and pull request #334 in freenas/webui (https://github.com/freenas/webui/pull/334) to update both the FreeNAS guide and new UI tooltips. The documentation now states that the certificates/elements in a "chain" of certificates need to have unique "Common Names".

Vladimir also mentioned that "In the near future we'll have a feature that will validate certificate chains used for Web UI. We'll check this too, because having multiple certificates with same `common name` in one chain has no sense."
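
The check proposed in the description (warn when a Common Name is reused within a chain) and the chain validation mentioned in update #10 could look like the sketch below. This is an added example, not code from FreeNAS or from the pull requests above; the `Entry` record, the function names and the store layout are hypothetical, and the sample data is constructed around the host name used in the description.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Entry:
    """Hypothetical stand-in for one stored CA or certificate record."""
    name: str                 # identifier used inside the store
    common_name: str          # value typed into the Common Name field
    signed_by: Optional[str]  # name of the signing CA, None for a root CA


def normalize(cn: str) -> str:
    # Host names compare case-insensitively; ignore a trailing dot.
    return cn.strip().rstrip(".").lower()


def chain_for(store: Dict[str, Entry], name: str) -> List[Entry]:
    """Follow signer links from an entry up to its root CA."""
    chain, seen = [], set()
    current: Optional[str] = name
    while current is not None:
        if current in seen or current not in store:
            raise ValueError(f"broken signer link at {current!r}")
        seen.add(current)
        chain.append(store[current])
        current = store[current].signed_by
    return chain


def check_candidate(store, candidate, served_host=None) -> List[str]:
    """Return the problems a create form should show before saving."""
    trial = {**store, candidate.name: candidate}
    wanted = normalize(candidate.common_name)
    problems = [
        f"Common Name already used by {signer.name!r} in this chain"
        for signer in chain_for(trial, candidate.name)[1:]
        if normalize(signer.common_name) == wanted
    ]
    if served_host is not None and wanted != normalize(served_host):
        problems.append(f"Common Name does not match host {served_host!r}")
    return problems


# Constructed sample data; the host name is the example from the ticket.
HOST = "myfreenasbox.ixsystems.com"
BAD_STORE = {"root": Entry("root", HOST, None),
             "inter": Entry("inter", HOST.upper(), "root")}
GOOD_STORE = {"root": Entry("root", "Example Internal Root CA", None),
              "inter": Entry("inter", "Example Intermediate CA", "root")}
WEBUI_CERT = Entry("webui", HOST, "inter")
```

`check_candidate(BAD_STORE, WEBUI_CERT, HOST)` reports one collision per signer that reuses the name, while the same certificate checked against `GOOD_STORE` returns an empty list.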

#11 Updated by Dru Lavigne over 2 years ago

  • Subject changed from Tooltips for Certificates and Certificate Authorities create forms should have the same help text for the common name field to Clarify tooltips for Certificates and Certificate Authorities
  • Status changed from Done to In Progress
  • Target version changed from 11.2-BETA1 to 11.1-U2
  • Needs Doc changed from Yes to No

#12 Updated by Timothy Moore II over 2 years ago

Updated PRs to remove references to FreeNAS.

#13 Updated by Dru Lavigne over 2 years ago

  • Category changed from Documentation to GUI (new)
  • Target version changed from 11.1-U2 to Master - FreeNAS Nightlies
  • Needs Merging changed from Yes to No

#14 Updated by Dru Lavigne over 2 years ago

  • Status changed from In Progress to Done
