canonical / lxd-ui

Easy and accessible container and virtual machine management. A browser interface for LXD
GNU General Public License v3.0

Certificate generation results in invalid certificates when connecting using IPv6 without DNS #809

Closed adlerweb closed 2 months ago

adlerweb commented 3 months ago

When generating a certificate, the server's hostname is being passed as "organizationName": https://github.com/canonical/lxd-ui/blob/c67187fd6597e71a4003fb3b88d7375737849017/src/util/certificate.tsx#L29

When connecting to a host using its IPv6 address instead of IPv4 or DNS, the hostname is the IPv6 address, resulting in an organizationName like LXD UI [::1] (Browser Generated).

This parameter is marked as PRINTABLESTRING, which does not allow characters like [ or ]; as such, the certificate is invalid and cannot be imported to the trust store (Error: x509: invalid RDNSequence: invalid attribute value: invalid PrintableString). The problem does not occur when using IPv4 or a DNS hostname.

To avoid this, the UI should either use utf8String instead of printableString (maybe https://github.com/digitalbazaar/forge/issues/754#issuecomment-716656831) or filter out characters not allowed in PrintableString.

edlerd commented 3 months ago

Thank you for reporting this. It is indeed an interesting case we didn't consider previously.

I agree, we should filter out characters not in the PrintableString range on cert generation, to avoid generating a cert that can't be imported.
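
The filtering approach discussed above, as an added example that is not part of the thread and not lxd-ui's own code: it strips every character outside the ASN.1 PrintableString alphabet before the value is used as organizationName. The function names and sample hostnames are assumptions made for illustration.

```typescript
// Added example; function names are hypothetical, not lxd-ui's code.
// PrintableString alphabet (ITU-T X.680):
//   A-Z a-z 0-9 space ' ( ) + , - . / : = ?
// Note that ':' is allowed, so only the brackets of an IPv6 literal are illegal.
const NOT_PRINTABLE = /[^A-Za-z0-9 '()+,\-.\/:=?]/g;

// True when every character is legal in an ASN.1 PrintableString.
function isPrintableString(value: string): boolean {
  // Separate non-global regex: a /g regex keeps lastIndex state across test() calls.
  return !/[^A-Za-z0-9 '()+,\-.\/:=?]/.test(value);
}

// Drop every character outside the alphabet, then tidy leftover whitespace.
function toPrintableString(value: string): string {
  return value.replace(NOT_PRINTABLE, "").replace(/ {2,}/g, " ").trim();
}

// Build the organizationName in the shape quoted in the report,
// sanitized so it can be encoded as a PrintableString.
function organizationName(hostname: string): string {
  return toPrintableString(`LXD UI ${hostname} (Browser Generated)`);
}

// Constructed sample hostnames, in the form location.hostname reports them.
const samples = [
  "[::1]",
  "[2001:db8::1]",
  "192.0.2.10",
  "lxd.example.com",
  "lxd_host.example", // underscore is not in the PrintableString alphabet either
];

for (const host of samples) {
  const raw = `LXD UI ${host} (Browser Generated)`;
  console.log(
    `${host}: unfiltered valid=${isPrintableString(raw)} -> "${organizationName(host)}"`
  );
}
```

Filtering is lossy: two different hosts can map to the same organizationName, which is acceptable for a descriptive label but not for anything used to identify the server.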

gattytto commented 2 months ago

Hello, I am running into this situation. How do I pin my snap-installed lxd-ui to this commit? Thank you for the fix!

edlerd commented 2 months ago

I think the latest/candidate as well as 5.21/candidate channels of LXD already have the fix available today. If you have a little more patience, both /stable channels will receive the fix as well. Probably best to stay on your current channel, as there is no guarantee of an easy switch back to stable once you are on candidate. Then again, the fixes should come out early next week to stable.