OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

Help: Problem with missing SANs #1248

Open g0lgs opened 4 days ago

g0lgs commented 4 days ago

Hi,

I have several Certs used for my Internal Network VMs and devices that are due to expire in the next 14 days or so. Each of these appears to have been created using EasyRSA 3.1.7 (as that is what I had on the VM I used to create them before), but if I try to re-sign the original requests with 3.2.1 then the SANs are not added to the Certs (the same applies if I create a new CA and generate the same requests and sign those).

An example from 'openssl req -in requests/test.req -text' (on the original request or on a new one) is:

    Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:test, DNS:test.local, IP Address:192.168.1.50

Any new cert created using 3.2.1 does not contain any SAN and hence Chrome / Opera (at least) refuse to accept the new Certs.

I tried adding '-verbose' option to see if I was missing anything, but that still showed no problems or errors.

If I revert back to using 3.1.7 then I get the SANs.

What am I doing wrong?

TinCanTech commented 4 days ago

@g0lgs Easy-RSA no longer applies a default SAN to every certificate.

The short answer is, use global option --auto-san to enable the old behavior. Using v3.1.7 is also still supported.

Default SAN removed: https://github.com/OpenVPN/easy-rsa/pull/1091

Auto SAN added: https://github.com/OpenVPN/easy-rsa/pull/1180

TinCanTech commented 4 days ago

> An example from 'openssl req -in requests/test.req -text' (on the original request or on a new one) is:
>
>     Attributes:
>         Requested Extensions:
>             X509v3 Subject Alternative Name: 
>                 DNS:test, DNS:test.local, IP Address:192.168.1.50

FTR: Easy-RSA has never provided both a DNS and an IP as a default SAN, for a single certificate.

g0lgs commented 4 days ago

> FTR: Easy-RSA has never provided both a DNS and an IP as a default SAN, for a single certificate.

I'm not sure what you mean by that statement.

My original request was like:

    easyrsa --batch --req-cn="test" --subject-alt-name="DNS:test, DNS:test.local, IP:192.168.1.50" gen-req test nopass

So if I then use 3.1.7 like 'easyrsa sign-req server test'

then 'openssl x509 -in issued/test.crt -text' shows:

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:test, DNS:test.local, IP Address:192.168.1.50

but 3.2.1 shows no SAN.

g0lgs commented 4 days ago

@TinCanTech

> The short answer is, use global option --auto-san to enable the old behavior. Using v3.1.7 is also still supported.

For me that only creates a SAN with the same name as the request filename not the other two (or more) that I had in my request:

            X509v3 Subject Alternative Name:
                DNS:test

TinCanTech commented 4 days ago

@g0lgs It is the responsibility of the signing CA to verify the requested attributes.

If you implicitly trust the external request then use global option --copy-ext.

This can also be set in your `vars` file:

    set_var EASYRSA_CP_EXT 1

Also, EASYRSA_CP_EXT is set by default for command build-*-full.

In future, EASYRSA_CP_EXT will also be added to vars.example.

TinCanTech commented 3 days ago

@g0lgs Using v3.2.1, does command renew work correctly?

g0lgs commented 2 days ago

After downloading 'easyrsa-tools.lib' into the pwd I see that it shows the SAN with all the other details.

Then I get:

Enter pass phrase for <redacted>/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows

<REDACTED>

ERROR: adding extensions in section default
139854181107008:error:22075075:X509 V3 routines:v2i_GENERAL_NAME_ex:unsupported option:../crypto/x509v3/v3_alt.c:551:name=IP Address
139854181107008:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=DNS:test, DNS:test.local, IP Address:192.168.1.50

Easy-RSA error:

easyrsa_openssl - Command has failed:
* openssl ca -utf8 -batch -in <redacted>/pki/reqs/test.req -out <redacted>/pki/17104f3c/temp.3.1 -extfile <redacted>/pki/17104f3c/temp.2.1 -days 1095

EasyRSA Version Information
Version:     3.2.1
Generated:   Fri Sep 13 13:04:18 CDT 2024
SSL Lib:     OpenSSL 1.1.1f  31 Mar 2020
Git Commit:  3f60a68702713161ab44f9dd80ce01f588ca49ac
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: 3.2.1 | nix | Linux | /bin/bash

Notice
------
Renew FAILED but files have been successfully restored.
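
As an added example (not easy-rsa's own code, and not posted by anyone in this thread), the following Python does the check a signing CA would want before trusting a request under `--copy-ext`: it pulls the SAN line out of `openssl req -text` / `openssl x509 -text` output, normalises the printed `IP Address:` label back to the `IP:` form that OpenSSL accepts in an extension config (the mismatch the renew error above reports as `name=IP Address`), and diffs what the request asked for against what was issued. The sample texts are constructed from the output quoted in this thread.

```python
import re
from typing import Dict, List, Tuple

# Labels as printed by `openssl ... -text`, mapped to the labels OpenSSL accepts in
# an extension config. Feeding the printed "IP Address:" form back into a config is
# exactly what OpenSSL rejects with "unsupported option ... name=IP Address".
_PRINT_TO_CONF = {"DNS": "DNS", "IP Address": "IP", "IP": "IP", "email": "email", "URI": "URI"}
SanList = List[Tuple[str, str]]

def parse_san(value: str) -> SanList:
    """Parse a comma-separated SAN value (printed or config form) into (type, name) pairs."""
    entries: SanList = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        label, sep, name = item.partition(":")  # split on the first ':' only (IPv6 values keep theirs)
        if not sep or label.strip() not in _PRINT_TO_CONF:
            raise ValueError(f"unsupported SAN entry: {item!r}")
        entries.append((_PRINT_TO_CONF[label.strip()], name.strip()))
    return entries

def to_config(entries: SanList) -> str:
    """Render pairs in config syntax, the form a CA can pass to openssl via -extfile."""
    return ", ".join(f"{kind}:{name}" for kind, name in entries)

def san_from_text(text: str) -> SanList:
    """Pull the SAN line out of `openssl req/x509 -text` output; empty if the extension is absent."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    return parse_san(m.group(1)) if m else []

def compare_san(req_text: str, cert_text: str) -> Dict[str, SanList]:
    """Diff the SANs a CSR asked for against the SANs the issued certificate carries."""
    requested, issued = set(san_from_text(req_text)), set(san_from_text(cert_text))
    return {"missing": sorted(requested - issued), "unexpected": sorted(issued - requested)}

# Constructed samples modelled on the openssl output quoted in this thread.
REQ_TEXT = """    Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:test, DNS:test.local, IP Address:192.168.1.50
"""
CERT_NO_SAN = "            X509v3 Key Usage: \n                Digital Signature, Key Encipherment\n"
CERT_AUTO_SAN = "            X509v3 Subject Alternative Name:\n                DNS:test\n"

if __name__ == "__main__":
    print(to_config(san_from_text(REQ_TEXT)))   # DNS:test, DNS:test.local, IP:192.168.1.50
    print(compare_san(REQ_TEXT, CERT_NO_SAN))   # every requested SAN reported as missing
```

Run it against real `openssl req -in reqs/<name>.req -text` and `openssl x509 -in issued/<name>.crt -text` output to confirm the CA copied exactly the requested names and nothing more.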

dj0nz commented 13 hours ago

Hi,

Same here: a "renew" fails with an "unsupported option" error. As a workaround, I used "expire" and "sign-req" and got a certificate with SANs in it, but also a warning that reads:

WARNING INCOMPLETE Inline file created:

  • /usr/share/easy-rsa/pki/inline/hostname.inline

However, the certificate is usable and includes all configured SANs.

(easyrsa 3.2.1 on Debian Trixie)

TinCanTech commented 9 hours ago

@dj0nz

> Hi,
>
> Same here: a "renew" fails with an "unsupported option" error.

What is the option that you are trying to use?

> As a workaround, I used "expire" and "sign-req" and got a certificate with SANs in it, but also a warning that reads:
>
> WARNING INCOMPLETE Inline file created:
>
>   • /usr/share/easy-rsa/pki/inline/hostname.inline
>
> However, the certificate is usable and includes all configured SANs.
>
> (easyrsa 3.2.1 on Debian Trixie)

The warning only indicates that the inline file is incomplete. Either the private key and/or the TLS key are missing.

This is not an error, only user information.