Netflix / lemur

Repository for the Lemur Certificate Manager
Apache License 2.0

basic constraints extension error with CFSSL #3687

Open steccas opened 3 years ago

steccas commented 3 years ago

Hi, I'm using Lemur with the CFSSL plugin to run a self-managed CA.

I'm able to create the certificates and the root authority works very well.

Unfortunately, Firefox throws a MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY error; this means that it reads the certificate as a Root CA and not as an endpoint cert.

"The server uses a certificate with a basic constraints extension identifying it as a certificate authority. For a properly-issued certificate, this should not be the case."

I'm using the server template via Lemur and in the logs I can see that the constraint ca=False is used; so I don't really know why this happens.

lemur_1     | Adding Critical Extension: key_usage <KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)>
lemur_1     | Adding Critical Extension: key_usage <KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=True, data_encipherment=False, key_agreement=False, key_cert_sign=False, crl_sign=False, encipher_only=False, decipher_only=False)>
lemur_1     | [2021-07-18 15:45:52,611] DEBUG in service: Adding Critical Extension: basic_constraints <BasicConstraints(ca=False, path_length=None)>
lemur_1     | Adding Critical Extension: basic_constraints <BasicConstraints(ca=False, path_length=None)>
lemur_1     | Adding Critical Extension: basic_constraints <BasicConstraints(ca=False, path_length=None)>
lemur_1     | [2021-07-18 15:45:52,612] DEBUG in service: Adding Critical Extension: sub_alt_names {'names': <SubjectAlternativeName(<GeneralNames([<DNSName(value='portainer.stecca.lan')>])>)>}
lemur_1     | Adding Critical Extension: sub_alt_names {'names': <SubjectAlternativeName(<GeneralNames([<DNSName(value='portainer.stecca.lan')>])>)>}
lemur_1     | Adding Critical Extension: sub_alt_names {'names': <SubjectAlternativeName(<GeneralNames([<DNSName(value='portainer.stecca.lan')>])>)>}
lemur_1     | [2021-07-18 15:45:52,613] DEBUG in service: Adding Extension: extended_key_usage <ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name=serverAuth)>])>
lemur_1     | Adding Extension: extended_key_usage <ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name=serverAuth)>])>
lemur_1     | Adding Extension: extended_key_usage <ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name=serverAuth)>])>
lemur_1     | [2021-07-18 15:45:52,615] INFO in plugin: Requesting a new cfssl certificate with csr: -----BEGIN CERTIFICATE REQUEST-----

Can anyone help?

hosseinsh commented 3 years ago

Hey @Steccas, I'm not familiar with the CFSSL plugin, since it has been a community contribution, and I am also not sure how this is related to the plugin. Based on your message, I understand you have a server up, in which case I would check if the server certificate being served is the expected one.

steccas commented 3 years ago

Hi! Sorry for the late answer.

Unfortunately, the certificate is right and is being created with the wrong flag.

Is there any way to reach whoever did the contribution? Having CFSSL working is the best way to create a completely self-managed and self-hosted CA without having to rely on third-party services!

PS: This is the project that uses lemur + CFSSL: https://github.com/Steccas/stecCA

hosseinsh commented 3 years ago

Hey Luca,

Can you paste the parsed certificate here: pbpaste | openssl x509 -text -noout

and also the CSR? pbpaste | openssl req -text -noout

First you want to ensure that the attributes in the CSR match the attributes in the issued certificate, and also that the certificate indeed contains the wrong CA:TRUE flag.

The CFSSL plugin is just using the constructed CSR, so I am not sure if the plugin is causing the issue above. https://github.com/Netflix/lemur/blob/8dff7b982088607ded1fc1753b356607bf851baf/lemur/plugins/lemur_cfssl/plugin.py#L54-L55
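The check suggested above (do the CSR's extensions come back unchanged in the issued certificate, and is the certificate wrongly marked CA:TRUE) done in code with pyca/cryptography, as an added example that is not Lemur's or the CFSSL plugin's code; the keys, the "Constructed Test CA" issuer name and the hostname portainer.example.lan are constructed placeholders, and the toy issuer's mark_as_ca switch only exists to reproduce the misissued case.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, ExtensionOID, NameOID

def audit_issued_cert(csr, cert):
    """Return findings; an empty list means the cert carries exactly the requested extensions and is a leaf."""
    findings, issued = [], {e.oid: e.value for e in cert.extensions}
    for ext in csr.extensions:  # every extension Lemur put in the CSR must come back unchanged
        if ext.oid not in issued:
            findings.append(f"{ext.oid.dotted_string} requested in CSR but missing from certificate")
        elif issued[ext.oid] != ext.value:
            findings.append(f"{ext.oid.dotted_string} differs: CSR={ext.value} cert={issued[ext.oid]}")
    bc = issued.get(ExtensionOID.BASIC_CONSTRAINTS)
    if bc is not None and bc.ca:  # the condition behind MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
        findings.append("basicConstraints is CA:TRUE; browsers reject this as an end-entity certificate")
    return findings

def build_csr(key, hostname):
    """Constructed CSR carrying the same extensions as the issue's log lines (hostname is a placeholder)."""
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.KeyUsage(digital_signature=True, key_encipherment=True, content_commitment=False,
                                         data_encipherment=False, key_agreement=False, key_cert_sign=False,
                                         crl_sign=False, encipher_only=False, decipher_only=False), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .sign(key, hashes.SHA256()))

def issue(csr, ca_key, ca_name, mark_as_ca=False):
    """Toy CA that copies the CSR's extensions; mark_as_ca=True reproduces the misissuance reported above."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_name)
               .public_key(csr.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + timedelta(days=90)))
    for ext in csr.extensions:
        ca_forced = mark_as_ca and ext.oid == ExtensionOID.BASIC_CONSTRAINTS
        builder = builder.add_extension(
            x509.BasicConstraints(ca=True, path_length=None) if ca_forced else ext.value, critical=ext.critical)
    return builder.sign(ca_key, hashes.SHA256())

def demo():
    """Constructed run: one correctly issued leaf and one with the CA flag forced on."""
    key, ca_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    csr = build_csr(key, "portainer.example.lan")
    good, bad = issue(csr, ca_key, ca_name), issue(csr, ca_key, ca_name, mark_as_ca=True)
    return audit_issued_cert(csr, good), audit_issued_cert(csr, bad)
```

On a real deployment, load the CSR from the Lemur log and the certificate served by the host with x509.load_pem_x509_csr and x509.load_pem_x509_certificate and pass them to audit_issued_cert; any finding on basicConstraints points at the issuing side rather than at the CSR Lemur built.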