Netgate Discussion Forum

    SSL certificate install error

      dpf

      Getting the following error when I try to complete the signing request via gui (using the free Comodo certificate):

      * The certificate subject 'CN=secure.mydomain.net, OU=Array' does not match the signing request subject.

        jimp Rebel Alliance Developer Netgate

        I haven't tried that before, but it looks like maybe it didn't get signed right?

        What it is showing you there is the data pulled from within the certificate pasted in the lower box. The OU shouldn't be an array. I'm not sure the csr generated even has an OU. It sets the CN, emailAddress, O, L, ST, and C. Look at the certificate list and it should give you the data that is going to be compared against the resulting certificate.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          heureso

          @dpf:

          Getting the following error when I try to complete the signing request via gui (using the free Comodo certificate):

          * The certificate subject 'CN=secure.mydomain.net, OU=Array' does not match the signing request subject.

          I'm getting exactly the same error using 2.0-BETA4 (amd64) built on Tue Oct 26 04:30:44 UTC 2010 – also with a Comodo certificate. The subjects in both the CSR and the signed certificate appear to be correct when I examine them with openssl, but the pfSense web GUI seems to be inserting that spurious "OU=Array" that's causing it to fail the test.

          J.

            jimp Rebel Alliance Developer Netgate

            It must be trying to use a variable as a string when it's really an array in there somewhere. I'll have to look into it. Unfortunately, I'm not sure how easily this can be reproduced since it seems to require a CSR being signed by an external source.

              heureso

              @jimp:

              It must be trying to use a variable as a string when it's really an array in there somewhere. I'll have to look into it. Unfortunately, I'm not sure how easily this can be reproduced since it seems to require a CSR being signed by an external source.

              I did a bit of digging, and I think I found the problem in the function cert_get_subject() in line 299 of certs.inc. It looks like components of the subject array can themselves be arrays. In my case, my externally signed cert has two OUs, so the openssl_x509_parse function returns this for the subject:

                  [subject] => Array
                      (
                          [C] => US
                          [postalCode] => 95616
                          [ST] => CA
                          [L] => Davis
                          [street] => One Shields Ave
                          [O] => University of California, Davis
                          [OU] => Array
                              (
                                  [0] => L&S-Social Sciences
                                  [1] => PlatinumSSL
                              )
              
                          [CN] => redacted.example.com
                      )
              
              

              So the cert_get_subject() function needs to take that into account.

              J.

                jimp Rebel Alliance Developer Netgate

                I committed a potential fix for this. Or at least one that should handle components that are arrays.

                  heureso

                  @jimp:

                  I committed a potential fix for this. Or at least one that should handle components that are arrays.

                  I just tried it out, but I don't think it's working correctly. The cert subject is displayed at:

                  , , , , , , , , ,  	
                  

                  after substituting in the new certs.inc and attempting to re-import the commercial cert.

                  Jeremy.

                    jimp Rebel Alliance Developer Netgate

                    I'll take another stab at it today

                      jimp Rebel Alliance Developer Netgate

                      I checked in another fix, this one should work.

                      With your array and the code I just checked in, I get:

                      string(162) "CN=redacted.example.com, OU=PlatinumSSL, OU=L&S-Social Sciences, O=University of California, Davis, street=One Shields Ave, L=Davis, ST=CA, postalCode=95616, C=US"
                      
                      

                      1 Reply Last reply Reply Quote 0
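The failure discussed in this thread, as an added example that is not pfSense's certs.inc or the fix that was committed: a subject flattener that assumes string components prints `OU=Array` for a multi-valued OU, while one that accepts array components emits each value. The function names are hypothetical, the input is the array posted above, and the reversed ordering mirrors the string quoted in the last post.

```php
<?php
// Added illustration; not code from pfSense's certs.inc.
// Function names below are hypothetical.

// Constructed input: the subject array posted above, shaped the way
// openssl_x509_parse() reports a certificate carrying two OU attributes.
$subject = [
    'C'          => 'US',
    'postalCode' => '95616',
    'ST'         => 'CA',
    'L'          => 'Davis',
    'street'     => 'One Shields Ave',
    'O'          => 'University of California, Davis',
    'OU'         => ['L&S-Social Sciences', 'PlatinumSSL'],
    'CN'         => 'redacted.example.com',
];

// Naive flattening that assumes every component is a string.
function subject_naive(array $subject): string
{
    $parts = [];
    foreach (array_reverse($subject, true) as $name => $value) {
        // Casting an array to string yields the literal "Array" (plus an
        // "Array to string conversion" warning, silenced here with @).
        $parts[] = $name . '=' . @strval($value);
    }
    return implode(', ', $parts);
}

// Flattening that accepts both single- and multi-valued components.
function subject_flatten(array $subject): string
{
    $parts = [];
    foreach (array_reverse($subject, true) as $name => $value) {
        // Normalise to a list so one loop handles both shapes.
        $values = is_array($value) ? array_reverse($value) : [$value];
        foreach ($values as $v) {
            $parts[] = $name . '=' . $v;
        }
    }
    return implode(', ', $parts);
}

echo subject_naive($subject), PHP_EOL;
echo subject_flatten($subject), PHP_EOL;
```

The joined string is suitable for display or equality comparison only: a value such as `O=University of California, Davis` contains the separator, so the string cannot be split back into components reliably.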
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.