Bug #26281

Validate that first certificate in chain matches private key

Added by Dan Willson over 1 year ago. Updated 10 months ago.

Status:
Done
Priority:
No priority
Assignee:
Vladimir Vinogradenko
Category:
GUI (new)
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

I cannot get 11.0-U4 to use an Incommon SSL certificate issued by Comodo that includes intermediate and root CA info. When creating a CSR in the webgui then copying the issued certificate (x.509 BASE64 encoded, including both the intermediate and root certs) into the UI, the certificate appears to be properly recognized. However, enabling HTTPS and the resulting restart of the web service causes nginx to reject HTTPS traffic.

From another workstation, I tested openssl on the server and received the following response:

$ openssl s_client -connect [HOST-REDACTED]:443
connect: Connection refused
connect:errno=61

I have escrowed both a working configuration and the original private key from the original CSR. This has allowed me to reset the installation back to Factory Default without requiring another IT team to revoke/reissue the certificate, then attempt to configure SSL using certificate import in the webgui to paste both the certificate (as specified above) plus the original private key used for the original CSR, and again the webgui service rejects all traffic after enabling HTTP+HTTPS.

I've verified that ntpd is functioning as expected and that the server is in the proper time zone. I've also replicated this behavior several times in 11.0-U4. I have not tried resetting and then using the new UI. I have also verified that the IPv4 webgui is set to only listen on the single configured interface using the IP address issued to the certificate. I've replicated this behavior several times and the inability to enable HTTPS (and disable HTTP) with a working certificate makes deployment impossible in my environment.


Related issues

Related to FreeNAS - Bug #34927: Add page for editing/viewing CAs in new UI (Done)

Associated revisions

Revision cf094d53 (diff)
Added by Vladimir Vinogradenko over 1 year ago

fix(gui): Validate certificate chain

Validate that first certificate in chain matches private key.

Ticket: #26281

History

#1 Updated by Dan Willson over 1 year ago

  • File debug-cafedisco-20171019161622.txz added

#2 Updated by Dan Willson over 1 year ago

My apologies... when I wrote "again the webgui service rejects all traffic after enabling HTTP+HTTPS" above, I meant to say that nginx rejects all HTTPS traffic after enabling HTTP+HTTPS. I can still get to the server via HTTP.

From the nginx error.log file:

root@cafedisco:~ # cat /var/log/nginx/error.log
2017/10/19 15:56:47 [emerg] 7260#101269: SSL_CTX_use_PrivateKey_file("/etc/certificates/cafedisco2017.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
2017/10/19 15:56:47 [error] 5150#101434: *10 upstream prematurely closed connection while reading response header from upstream, client: IP-ADDRESS-REDACTED, server: localhost, request: "GET /system/restart-httpd-all/ HTTP/1.1", upstream: "fastcgi://127.0.0.1:9042", host: "HOSTNAME-REDACTED-INTENTIONALLY.edu", referrer: "http://HOSTNAME-REDACTED-INTENTIONALLY.edu/"
root@cafedisco:~ #

#3 Updated by Dan Willson over 1 year ago

  • Seen in changed from Unspecified to 11.0-U4

#4 Updated by Dru Lavigne over 1 year ago

  • Assignee changed from Release Council to Nikola Gigic

#5 Updated by Nikola Gigic over 1 year ago

  • Status changed from Unscreened to Screened
  • Target version set to 11.1

#6 Updated by Kris Moore over 1 year ago

  • Target version changed from 11.1 to 11.1-U1

#7 Updated by Nikola Gigic over 1 year ago

Dan: Hello,
Is the CA/Certificate private key passphrase protected? According to the nginx error, it seems that the private key and passphrase mismatch.

#8 Updated by Nikola Gigic over 1 year ago

  • Status changed from Screened to Investigation

#9 Updated by Dan Willson over 1 year ago

Hello, Nikola. Thanks for your help. No, the CA/Certificate key is not passphrase protected. Decoding the certificate, the chain in the cert issued to me is as follows:

1. AddTrust External CA Root
2. USERTrust RSA Certification Authority
3. InCommon RSA Server CA
4. Host certificate (for the server's fully-qualified host name)

I was able to get SSL enabled and working by using just the host certificate and the exported private key generated by the CSR, but without the chain included it will fail verification after a Nessus security scan of the network. My apologies if this is a documentation or end-user issue that I've created.

#10 Updated by Dru Lavigne over 1 year ago

  • Assignee changed from Nikola Gigic to Vladimir Vinogradenko

#11 Updated by Vladimir Vinogradenko over 1 year ago

  • Status changed from Investigation to Screened

#12 Updated by Vladimir Vinogradenko over 1 year ago

  • Status changed from Screened to 15

Dan, nginx documentation (http://nginx.org/en/docs/http/configuring_https_servers.html#chains) states the following:

... authority provides a bundle of chained certificates which should be concatenated to the signed server certificate. The server certificate must appear before the chained certificates in the combined file:

If the server certificate and the bundle have been concatenated in the wrong order, nginx will fail to start and will display the error message:
SSL_CTX_use_PrivateKey_file(" ... /www.example.com.key") failed (SSL: error:0B080074:x509 certificate routines: X509_check_private_key:key values mismatch)

Which I think perfectly matches your case:

1. AddTrust External CA Root
2. USERTrust RSA Certification Authority
3. InCommon RSA Server CA
4. Host certificate (for the server's fully-qualified host name)

Please try putting your chain in reverse order (this is also the standard order: your certificate first, root's one last), this might help.

#13 Updated by Vladimir Vinogradenko over 1 year ago

  • Assignee changed from Vladimir Vinogradenko to William Grzybowski

William, I would like to propose adding certificate chain validation. At least, we may verify that the first certificate in the chain matches the private key.

I am not the only one thinking of it :) https://github.com/freenas/freenas/blob/b0dd005/gui/system/forms.py#L2492
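An added example (not FreeNAS code and not the fix in the associated revision) of the check proposed here, covering the ordering problem explained in #12: it splits a PEM bundle and tests whether the first certificate's public key belongs to the private key, which is exactly what fails when a chain is pasted root-first. It uses the Python cryptography package; the keys, certificates and hostname are constructed test data.

```python
# Added example, not FreeNAS code: check that the first PEM certificate in a
# bundle matches the private key (the mismatch nginx reports as
# X509_check_private_key:key values mismatch when the chain is root-first).
# Test keys/certs below are constructed self-signed data, not real ones.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

PEM_END = "-----END CERTIFICATE-----"


def split_bundle(bundle_pem: str) -> list:
    """Split a concatenated PEM bundle into certificate objects, in file order."""
    certs = []
    for chunk in bundle_pem.split(PEM_END):
        if "-----BEGIN CERTIFICATE-----" in chunk:
            pem = (chunk.strip() + "\n" + PEM_END + "\n").encode()
            certs.append(x509.load_pem_x509_certificate(pem))
    return certs


def first_cert_matches_key(bundle_pem: str, key_pem: str) -> bool:
    """True iff the first certificate's public key belongs to the private key."""
    certs = split_bundle(bundle_pem)
    if not certs:
        return False
    key = serialization.load_pem_private_key(key_pem.encode(), password=None)
    return certs[0].public_key().public_numbers() == key.public_key().public_numbers()


def _self_signed(common_name: str):
    """Constructed test data: an RSA key and a one-day self-signed cert for it."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.TraditionalOpenSSL,
                                serialization.NoEncryption()).decode()
    return key_pem, cert.public_bytes(serialization.Encoding.PEM).decode()


SERVER_KEY, SERVER_CERT = _self_signed("nas.example.edu")   # hostname is made up
_, CA_CERT = _self_signed("Constructed Test CA")
GOOD_BUNDLE = SERVER_CERT + CA_CERT   # server cert first: the order nginx requires
BAD_BUNDLE = CA_CERT + SERVER_CERT    # CA first: nginx fails to start
```

Rejecting a bundle whose first certificate fails this check at import time gives the user the error before nginx is restarted with a configuration it cannot load.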

#14 Updated by William Grzybowski over 1 year ago

  • Assignee changed from William Grzybowski to Vladimir Vinogradenko

I have no objections, sounds like a nice thing to have.

#15 Updated by Dru Lavigne over 1 year ago

  • Status changed from 15 to Screened

#16 Updated by Vladimir Vinogradenko over 1 year ago

  • Status changed from Screened to Needs Developer Review
  • Assignee changed from Vladimir Vinogradenko to William Grzybowski

#17 Updated by William Grzybowski over 1 year ago

  • Status changed from Needs Developer Review to Reviewed by Developer
  • Assignee changed from William Grzybowski to Vladimir Vinogradenko

#18 Updated by Vladimir Vinogradenko over 1 year ago

  • Status changed from Reviewed by Developer to Ready For Release

#19 Updated by William Grzybowski over 1 year ago

  • Target version changed from 11.1-U1 to 11.2-BETA1

#20 Updated by Dru Lavigne over 1 year ago

  • File deleted (debug-cafedisco-20171019161622.txz)

#21 Updated by Dru Lavigne over 1 year ago

  • Private changed from Yes to No

#22 Updated by Dru Lavigne about 1 year ago

  • Subject changed from nginx Ignores SSL Certificates via Both CSR and Import to Validate that first certificate in chain matches private key
  • Status changed from Ready For Release to Done
  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

#23 Updated by Dru Lavigne 12 months ago

  • Status changed from Done to Ready for Testing

#24 Updated by Dru Lavigne 10 months ago

  • Status changed from Ready for Testing to Done
  • Severity set to New

#26 Updated by Zackary Welch 10 months ago

  • Related to Bug #34927: Add page for editing/viewing CAs in new UI added

#27 Updated by Zackary Welch 10 months ago

  • Related to Bug #34927: Add page for editing/viewing CAs in new UI added

#28 Updated by Dru Lavigne 10 months ago

  • Needs QA changed from Yes to No
