SSL certificate install error



  • Getting the following error when I try to complete the signing request via the GUI (using the free Comodo certificate):

    * The certificate subject 'CN=secure.mydomain.net, OU=Array' does not match the signing request subject.


  • Rebel Alliance Developer Netgate

    I haven't tried that before, but it looks like maybe it didn't get signed right?

    What it is showing you there is the data pulled from within the certificate pasted in the lower box. The OU shouldn't be an array. I'm not sure the CSR generated even has an OU. It sets the CN, emailAddress, O, L, ST, and C. Look at the certificate list and it should give you the data that is going to be compared against the resulting certificate.



  • @dpf:

    Getting the following error when I try to complete the signing request via gui (using the free Comodo certificate):

    * The certificate subject 'CN=secure.mydomain.net, OU=Array' does not match the signing request subject.

    I'm getting exactly the same error using 2.0-BETA4 (amd64) built on Tue Oct 26 04:30:44 UTC 2010 – also with a Comodo certificate. The subjects in both the CSR and the signed certificate appear to be correct when I examine them with openssl, but the pfSense web GUI seems to be inserting that spurious "OU=Array" that's causing it to fail the test.

    J.


  • Rebel Alliance Developer Netgate

    It must be trying to use a variable as a string when it's really an array in there somewhere. I'll have to look into it. Unfortunately, I'm not sure how easily this can be reproduced since it seems to require a CSR being signed by an external source.



  • @jimp:

    It must be trying to use a variable as a string when it's really an array in there somewhere. I'll have to look into it. Unfortunately, I'm not sure how easily this can be reproduced since it seems to require a CSR being signed by an external source.

    I did a bit of digging, and I think I found the problem in the function cert_get_subject() at line 299 of certs.inc. It looks like components of the subject array can themselves be arrays. In my case, my externally signed cert has two OUs, so the openssl_x509_parse function returns this for the subject:

        [subject] => Array
            (
                [C] => US
                [postalCode] => 95616
                [ST] => CA
                [L] => Davis
                [street] => One Shields Ave
                [O] => University of California, Davis
                [OU] => Array
                    (
                        [0] => L&S-Social Sciences
                        [1] => PlatinumSSL
                    )

                [CN] => redacted.example.com
            )

    So the cert_get_subject() function needs to take that into account.

    J.


  • Rebel Alliance Developer Netgate

    I committed a potential fix for this. Or at least one that should handle components that are arrays.



  • @jimp:

    I committed a potential fix for this. Or at least one that should handle components that are arrays.

    I just tried it out, but I don't think it's working correctly. The cert subject is displayed as:

    , , , , , , , , ,

    after substituting in the new certs.inc and attempting to re-import the commercial cert.

    Jeremy.


  • Rebel Alliance Developer Netgate

    I'll take another stab at it today


  • Rebel Alliance Developer Netgate

    I checked in another fix, this one should work.

    With your array and the code I just checked in, I get:

    string(162) "CN=redacted.example.com, OU=PlatinumSSL, OU=L&S-Social Sciences, O=University of California, Davis, street=One Shields Ave, L=Davis, ST=CA, postalCode=95616, C=US"
    
    
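A worked illustration of the bug J. traced and of the array-aware subject builder that jimp's final output implies. This is an added example, not pfSense's own certs.inc code: the function names are hypothetical, the SAMPLE_SUBJECT array is copied from the print_r dump earlier in the thread, and the demo key/CSR/certificate at the bottom are generated on the fly. It also goes one step beyond the thread: because a CA can add, drop or reorder subject components when it signs (the second OU here was not something the submitter typed), the example adds a public-key comparison as the robust way to pair a signed certificate with its CSR.

```php
<?php
// Added example (not pfSense's certs.inc). Rebuilds the subject string from
// the array openssl_x509_parse() returns: first the way that yields
// "OU=Array", then handling multi-valued components, then a key-based check.

// Constructed input: the shape of openssl_x509_parse($cert)['subject'] for the
// two-OU certificate shown in the thread (hostname redacted there as well).
const SAMPLE_SUBJECT = [
    'C'          => 'US',
    'postalCode' => '95616',
    'ST'         => 'CA',
    'L'          => 'Davis',
    'street'     => 'One Shields Ave',
    'O'          => 'University of California, Davis',
    'OU'         => ['L&S-Social Sciences', 'PlatinumSSL'],
    'CN'         => 'redacted.example.com',
];

// Naive builder (hypothetical name; reproduces the bug). Every value is
// treated as a string, and PHP renders an array as the literal "Array"
// (raising an "Array to string conversion" warning), so two OUs collapse to
// "OU=Array" and the certificate no longer matches the CSR it came from.
// The @ only hides the warning that would have pointed at the problem.
function subject_to_string_naive(array $subject): string
{
    $parts = [];
    foreach (array_reverse($subject, true) as $key => $value) {
        $parts[] = $key . '=' . @strval($value);
    }
    return implode(', ', $parts);
}

// Corrected builder (hypothetical name). A component that carries several
// values arrives as a nested array, so emit one key=value pair per element.
// Walking both levels in reverse gives CN first, last-added OU first, which
// is the order of the string jimp posted.
function subject_to_string(array $subject): string
{
    $parts = [];
    foreach (array_reverse($subject, true) as $key => $value) {
        foreach (array_reverse((array) $value) as $item) {
            $parts[] = $key . '=' . $item;
        }
    }
    return implode(', ', $parts);
}

// Compare parsed components rather than two rendered strings, so attribute
// order and multi-valued fields cannot produce a false mismatch by themselves.
function subjects_match(array $a, array $b): bool
{
    $normalize = static function (array $s): array {
        $out = [];
        foreach ($s as $key => $value) {
            $vals = (array) $value;
            sort($vals, SORT_STRING);
            $out[$key] = $vals;
        }
        ksort($out, SORT_STRING);
        return $out;
    };
    return $normalize($a) === $normalize($b);
}

// Stronger pairing check (added here; not what the thread's code does): the
// CA may rewrite the subject, but it cannot change the public key it signed,
// so compare the certificate's public key with the CSR's public key.
function cert_matches_csr_key(string $certPem, string $csrPem): bool
{
    $certKey = openssl_pkey_get_public($certPem);
    $csrKey  = openssl_csr_get_public_key($csrPem);
    if ($certKey === false || $csrKey === false) {
        return false;
    }
    $a = openssl_pkey_get_details($certKey)['key'] ?? null;
    $b = openssl_pkey_get_details($csrKey)['key'] ?? null;
    return $a !== null && $a === $b;
}

// Demo: show both renderings of the constructed subject, then generate a
// throwaway key and CSR, self-sign it, and run the two checks on real PEM.
echo subject_to_string_naive(SAMPLE_SUBJECT), PHP_EOL;
echo subject_to_string(SAMPLE_SUBJECT), PHP_EOL;

$key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr  = openssl_csr_new(['CN' => 'secure.mydomain.net', 'O' => 'Example Org'], $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
openssl_csr_export($csr, $csrPem);
openssl_x509_export($cert, $certPem);

var_dump(subjects_match(openssl_x509_parse($certPem)['subject'], openssl_csr_get_subject($csrPem)));
var_dump(cert_matches_csr_key($certPem, $csrPem));
```

Run it with a PHP build that has the openssl extension loaded. The corrected builder renders SAMPLE_SUBJECT to the 162-character string in the post above, while the naive one produces the "OU=Array" seen in the original error. Note that even the corrected string comparison would reject a certificate whose CA added an OU (as Comodo did here), which is why the key comparison is the check to rely on when importing an externally signed certificate.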
