Netgate Discussion Forum

OpenSSL Library Error when Creating New Certificate

19 Posts 4 Posters 1.5k Views
    nanobist
    last edited by Jun 15, 2023, 7:06 PM

    I had previously used an external CA and certificate for the web configurator. I am now trying to create an internal CA and certificate (I had deleted them long ago when I set up the external) and I have run into an error on certificate creation.

    I am able to create the CA without issue but when I go to create the certificate I get:

    OpenSSL Library Error: error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name
    OpenSSL Library Error: error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string
    OpenSSL Library Error: error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension
    
    Created internal certificate test
    

    Each time I get the above messages but the cert is never created. I have also looked at the config.xml to verify that no certs are in there.

    Certificate Info

    • The descriptive name and common name are populated.
    • The common name contains no spaces.
    • No SANs added
    • Lifetime is 365 days

    What I've tried

    • Delete the CA. Create the CA with the same settings and try adding a new cert
    • Recreate the CA using RSA instead of elliptic curve. Same result
    • Recreate the CA, omitting the option to add to the OS trust store

    Curiously, I tried using the OpenVPN wizard and created a certificate in there using this same CA. That method created the certificate successfully but I see it is blank. Clicking edit on the cert in the UI shows an empty certificate data field. If I export the cert to a file from the UI, I also see that the file is completely empty.

      NollipfSense @nanobist
      last edited by Jun 15, 2023, 7:22 PM

      @nanobist If I remember correctly, I had to set up a SAN.

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        nanobist
        last edited by Jun 15, 2023, 7:56 PM

        Thanks, I gave it a try and received the same error. I initially skipped adding the SAN since the UI says that it automatically adds the CN as a SAN.

          stephenw10 Netgate Administrator
          last edited by Jun 15, 2023, 8:51 PM

          What pfSense version?

            nanobist
            last edited by Jun 15, 2023, 9:01 PM

            2.6.0-RELEASE (amd64)
            built on Mon Jan 31 19:57:53 UTC 2022
            FreeBSD 12.3-STABLE

              stephenw10 Netgate Administrator
              last edited by Jun 15, 2023, 9:35 PM

              Hmm, I'm unable to replicate that. Are you able to give more accurate steps to replicate?

                nanobist
                last edited by Jun 15, 2023, 10:25 PM

                I've now removed the OpenVPN server and deleted all certificates and CAs. Then make a new CA with all of the defaults, adding a descriptive name. Then go over to certificates and add one. Again use all of the defaults, adding a descriptive name and common name, set the lifetime to 365, and change the certificate type to server. That's all there is to it. I've been running with this external CA and cert for a while now so I can't recall all that was done in the past but I can't imagine it was much more than just importing both through the UI. Just checked and this pfSense install dates back to 2019.

                  stephenw10 Netgate Administrator
                  last edited by Jun 15, 2023, 10:29 PM

                  So just doing that, using mostly the defaults, generates those errors?

                    nanobist @stephenw10
                    last edited by Jun 15, 2023, 10:31 PM

                    Yeah that's it. I am on the verge of reinstall. Unless you think there may be something else to look at. I considered trying to recreate what the UI is doing on the command line but don't know if it would tell me any more info.

                      johnpoz LAYER 8 Global Moderator @nanobist
                      last edited by Jun 15, 2023, 10:36 PM

                      @nanobist can you post exactly what you're putting in when you try and create a cert, because I'm not able to reproduce this problem either. Not on 2.6, not on 2.7 snap, not on 23.05..

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        nanobist
                        last edited by Jun 15, 2023, 10:43 PM

                        [three screenshots attached]

                          nanobist
                          last edited by Jun 15, 2023, 10:45 PM

                          Resulting in this error:
                          [screenshot attached]

                            stephenw10 Netgate Administrator
                            last edited by Jun 15, 2023, 11:25 PM

                            You didn't add the Country, State, City, Org data to the CA. The cert tries to use those by default and it's probably failing on that.

                              nanobist
                              last edited by Jun 15, 2023, 11:47 PM

                              If I add that information I get more errors:

                                  OpenSSL Library Error: error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name
                                  OpenSSL Library Error: error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string
                                  OpenSSL Library Error: error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension
                                  OpenSSL Library Error: error:0909006C:PEM routines:get_name:no start line
                                  OpenSSL Library Error: error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name
                                  OpenSSL Library Error: error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string
                                  OpenSSL Library Error: error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension
                              
                                johnpoz LAYER 8 Global Moderator @nanobist
                                last edited by johnpoz Jun 15, 2023, 11:55 PM Jun 15, 2023, 11:54 PM

                                @nanobist ok just fired up my 2.6 vm, and duplicating your settings works just fine..

                                [screenshot: ca.jpg]

                                Clearly something messed up.. Did you install any 3rd party package, packages from the package manager. Is this an upgrade from old pfsense, new clean install of 2.6?

                                  nanobist
                                  last edited by Jun 16, 2023, 12:02 AM

                                  Thanks for checking. You think it is time for a reinstall? Maybe this will be my excuse to finally virtualize my pfsense box.

                                    johnpoz LAYER 8 Global Moderator @nanobist
                                    last edited by Jun 16, 2023, 12:17 AM

                                    @nanobist said in OpenSSL Library Error when Creating New Certificate:

                                    my excuse to finally virtualize my pfsense box.

                                    While I ran virtual for a very long time, and loved the ability to just easily roll back if anything went wrong - gave me peace of mind when playing with latest and greatest snaps of upcoming versions, etc.

                                    I prob wouldn't go back to running virtual - nice having hardware, allows me to do other stuff with my vm host without having to worry about losing internet..

                                    So it is for sure a + or - sort of thing running virtual as your main router/firewall. Now if I want to play I just run a vm as lab only, and not the actual router/firewall for my network.

                                      nanobist @johnpoz
                                      last edited by Jun 16, 2023, 4:15 AM

                                      I almost pulled the trigger on virtualizing it just now but I figure that is making things more complex than what I really need. To wrap this up I finished up the reinstall and restore and all is well now. I was able to create an internal CA and cert without issue. Thanks to both of you for the help.

                                        johnpoz LAYER 8 Global Moderator @nanobist
                                        last edited by johnpoz Jun 16, 2023, 9:07 AM Jun 16, 2023, 9:07 AM

                                        @nanobist said in OpenSSL Library Error when Creating New Certificate:

                                        but I figure that is making things more complex than what I really need.

                                        Yeah it does add a bit of complexity - but again + and - to any sort of setup really. There are things I really like about a virtual router, but me personally prob wouldn't go back to that setup..

                                        In a pinch I could run a virtual router - say my pfsense box went belly up, knock on wood I could always fire up the virtual router until my replacement hardware got here ;)

                                        Maybe you want to fire up a "lab" if you will vm - then if need be a bit of changing some ports around on the switch and bam you're in business again ;) That is my DR plan, again knock on wood ;)

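Reading the error output quoted in this thread, as an added example (not written by any poster and not pfSense code): the sketch below unpacks each `error:XXXXXXXX` code with the pre-3.0 OpenSSL layout (8-bit library, 12-bit function, 12-bit reason) and groups the lines into chains, so the first entry of each chain, the point where the failure was raised, stands out. The sample lines are copied from the later post; the grouping heuristic and the function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: the seven lines quoted in the later post of this thread.
SAMPLE = """\
OpenSSL Library Error: error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name
OpenSSL Library Error: error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string
OpenSSL Library Error: error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension
OpenSSL Library Error: error:0909006C:PEM routines:get_name:no start line
OpenSSL Library Error: error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null name
OpenSSL Library Error: error:22097069:X509 V3 routines:do_ext_nconf:invalid extension string
OpenSSL Library Error: error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension
"""

# Text form written by pre-3.0 OpenSSL: error:<hex code>:<library>:<function>:<reason>
LINE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")

def parse(line):
    """Return the packed-code fields and text fields of one line, or None."""
    m = LINE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    return {"lib": lib, "func": func, "reason": reason,
            "key": (lib, func, reason),
            "where": m.group(3), "text": m.group(4).strip()}

def chains(log):
    """Group entries into chains (assumed heuristic): consecutive entries from
    one library belong together; a repeat of the chain's first entry starts a new one."""
    out = []
    for e in filter(None, map(parse, log.splitlines())):
        if out and out[-1][0]["lib"] == e["lib"] and out[-1][0]["key"] != e["key"]:
            out[-1].append(e)
        else:
            out.append([e])
    return out

def root_causes(log):
    """Count the first entry of each chain, i.e. where each failure was raised."""
    return Counter((c[0]["where"], c[0]["text"]) for c in chains(log))

if __name__ == "__main__":
    for (where, text), n in root_causes(SAMPLE).items():
        print(f"{n}x {where}: {text}")
```

On the seven sample lines this reports the same `X509V3_parse_list` failure twice plus one PEM `no start line`, rather than seven separate problems.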
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.