OpenSSL Library Error when Creating New Certificate
-
What pfSense version?
-
2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE -
Hmm, I'm unable to replicate that. Are you able to give more accurate steps to replicate?
-
I've now removed the OpenVPN server and deleted all certificates and CAs. Then make a new CA with all of the defaults, adding a descriptive name. Then go over to certificates and add one. Again use all of the defaults, adding a descriptive name and common name, set the lifetime to 365, and change the certificate type to server. That's all there is to it. I've been running with this external CA and cert for a while now so I can't recall all that was done in the past but I can't imagine it was much more than just importing both through the UI. Just checked and this pfSense install dates back to 2019.
-
So just doing that, using mostly the defaults, generates those errors?
-
Yeah that's it. I am on the verge of reinstall. Unless you think there may be something else to look at. I considered trying to recreate what the UI is doing on the command line but don't know if it would tell me any more info.
-
@nanobist can you post exactly what your putting in when you try and create a cert, because not able to reproduce this problem either. Not on 2.6, not on 2.7 snap not on 23.05..
-
file:///home/ldavidson/Pictures/Screenshots/Screenshot%20from%202023-06-15%2015-41-06.png
-
Resulting in this error:
-
You didn't add the Country, State, City, Org data to the CA. The cert tries to use those by default and it's probably failing on that.
-
If I add that information I get more errors:
OpenSSL Library Error: error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name OpenSSL Library Error: error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string OpenSSL Library Error: error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension OpenSSL Library Error: error:0909006C:PEM routines:get_name:no start line OpenSSL Library Error: error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name OpenSSL Library Error: error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string OpenSSL Library Error: error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension -
@nanobist ok just fired up my 2.6 vm, and duplicating your settings works just fine..
Clearly something messed up.. Did you install any 3rd party package, packages from the package manager. Is this an upgrade from old pfsense, new clean install of 2.6?
-
Thanks for checking. You think it is time for a reinstall? Maybe this will be my excuse to finally virtualize my pfsense box.
-
@nanobist said in OpenSSL Library Error when Creating New Certificate:
my excuse to finally virtualize my pfsense box.
While I ran virtual for a very long time, and loved the ability to just easy rollback if anything went wrong - gave me piece of mind when playing with latest and greatest snaps of upcoming versions, etc.
I prob wouldn't go back to running virtual - nice having hardware, allows me do other stuff with my vm host without having to worry about loosing internet..
So it is for sure a + or - sort of thing running virtual as your main router/firewall. Now if I want to play I just run a vm as lab only, and not the actual router/firewall for my network.
-
I almost pulled the trigger on virtualizing it just now but I figure that is making things more complex than what I really need. To wrap this up I finished up the reinstall and restore and all is well now. I was able to create an internal CA and cert without issue. Thanks to both of you for the help.
-
@nanobist said in OpenSSL Library Error when Creating New Certificate:
but I figure that is making things more complex than what I really need.
Yeah it does add a bit of complexity - but again + and - to any sort of setup really. There are things I really like about a virtual router, but me personally prob wouldn't go back to that setup..
In a pinch I could run a virtual router - say my pfsense box went belly up, knock on wood I could always fire up the virtual router until my replacement hardware got here ;)
Maybe you want to fire up a "lab" if you will vm - then if need be a bit of changing some ports around on the switch and bam your in business again ;) That is my DR plan, again knock on wood ;)
-
I ran into this same problem and ended up in this thread. Having since solved the problem, I wanted to return to report my findings. I had to dig into the PHP source code for the PFSense Web Configurator as well as the C source code for OpenSSL to figure this out.
What I found is that these error messages indicate errors when parsing something in the config file, and since it is complaining about an empty or null name, I had some idea what to look for. In my OpenSSL configuration file, I found an empty SAN entry on line 14:
/etc/ssl/openssl.cnf
# pfSense: default SAN value if $ENV::SAN is not defined # SAN =/etc/ssl/openssl.cnf (after change)
# pfSense: default SAN value if $ENV::SAN is not defined # SAN = DNS:mynameThis simple change solves the issue.
-
Hmm, what exactly did you do to trigger that issue?
I've never seen a problem creating certs with the conf file as it is. I would assume either because the ENV value is set or that a SAN value is not required.
-
@stephenw10 yeah makes no sense to set that to something. Because if you have no san setup on the cert your doing, then the san should be blank..
If you put a space in for your san you get this error.
