Generate CSR for an other certificate provider

sssmoves · October 16, 2017, 8:11pm

Hi,

I updated from 23a to 24 last week and don’t experienced any problems.
Also lots of clients did not complain about anything. So far so good

Today I wanted to extend the Certificate at Gandi
I go to the mailinabox web interface -> System -> TLS (SSL) Certificates looking for my CSR
I get the error message something has wrong

In the section… You will need to provide the certificate provider this Certificate Signing Request (CSR):
I only see Loading… instead of my CSR

In the /var/log/syslog I found this:

Oct 16 15:42:33 mail Exception on /ssl/csr/mail.socialisme.be [POST]#012Traceback (most recent call last):#012 File "/usr/lib/python3/dist-packages/flask/app.py", line 1817, in wsgi_app#012 response = self.full_dispatch_request()#012 File "/usr/lib/python3/dist-packages/flask/app.py", line 1477, in full_dispatch_request#012 rv = self.handle_user_exception(e)#012 File "/usr/lib/python3/dist-packages/flask/app.py", line 1381, in handle_user_exception#012 reraise(exc_type, exc_value, tb)#012 File "/usr/lib/python3/dist-packages/flask/_compat.py", line 33, in reraise#012 raise value#012 File "/usr/lib/python3/dist-packages/flask/app.py", line 1475, in full_dispatch_request#012 rv = self.dispatch_request()#012 File "/usr/lib/python3/dist-packages/flask/app.py", line 1461, in dispatch_request#012 return self.view_functions[rule.endpoint](**req.view_args)#012 File "/usr/local/bin/mailinabox-daemon", line 55, in newview#012 return viewfunc(*args, **kwargs)#012 File "/usr/local/bin/mailinabox-daemon", line 363, in ssl_get_csr#012 return create_csr(domain, ssl_private_key, request.form.get('countrycode', ''), env)#012 File "/root/mailinabox/management/ssl_certificates.py", line 559, in create_csr#012 "-subj", "/C=%s/ST=/L=/O=/CN=%s" % (country_code, domain)])#012 File "/root/mailinabox/management/utils.py", line 123, in shell#012 ret = getattr(subprocess, method)(cmd_args, **kwargs)#012 File "/usr/lib/python3.4/subprocess.py", line 620, in check_output#012 raise CalledProcessError(retcode, process.args, output=output)#012subprocess.CalledProcessError: Command '['openssl', 'req', '-new', '-key', '/home/user-data/ssl/ssl_private_key.pem', '-sha256', '-subj', '/C=/ST=/L=/O=/CN=mail.socialisme.be']' returned non-zero exit status 1

I cannot really track what the problem is and ask if there are other locations I can look for ?

jasonl · October 16, 2017, 9:42pm

I’m having the same issue. I tracked it down to an error coming from the openssl command being generated.
If you run the command from the shell you get the following:

root@email:~# openssl req -new -key /home/user-data/ssl/ssl_private_key.pem -sha256 -subj /C=US/ST=/L=/O=/CN=email.redacted.com
problems making Certificate Request
140019824695104:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:…/crypto/asn1/a_mbstr.c:102:minsize=1

JoshData · October 16, 2017, 10:06pm

openssl has gotten stricter about the inputs it accepts. The -subj option at

github.com

mail-in-a-box/mailinabox/blob/master/management/ssl_certificates.py#L559


			return ("The certificate does not correspond to the private key at %s." % ssl_private_key, None)

		# We could also use the openssl command line tool to get the modulus
		# listed in each file. The output of each command below looks like "Modulus=XXXXX".
		# $ openssl rsa -inform PEM -noout -modulus -in ssl_private_key
		# $ openssl x509 -in ssl_certificate -noout -modulus

	# Third, check if the certificate is self-signed. Return a special flag string.
	if cert.issuer == cert.subject:
		return ("SELF-SIGNED", None)

	# When selecting which certificate to use for non-primary domains, we check if the primary
	# certificate or a www-parent-domain certificate is good for the domain. There's no need
	# to run extra checks beyond this point.
	if just_check_domain:
		return ("OK", None)

	# Check that the certificate hasn't expired. The datetimes returned by the
	# certificate are 'naive' and in UTC. We need to get the current time in UTC.
	import datetime
	now = datetime.datetime.utcnow()

probably needs to be revised to be "/C=%s/CN=%s" instead of "/C=%s/ST=/L=/O=/CN=%s". If someone could submit this change in a pull request that’d be appreciated, including an entry in the CHANGELOG and a reference to the commit below.

We hit a related issue here:

system · October 23, 2017, 10:06pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.