itiligent / Guacamole-Installer

Automated install of Guacamole with options for HTTPS reverse proxy, Active Directory integration, MFA, LetsEncrypt, dark theme, MySQL backup, email alerts & more.
GNU Affero General Public License v3.0

Error creating Nginx TLS certificate #21

Closed rgutierrez2004 closed 11 months ago

rgutierrez2004 commented 11 months ago

New installation throws the following error when trying to set up Nginx with TLS certificates. OS: Ubuntu 18.04

Creating a new Nginx TLS Certificate...
Error Loading extension section v3_req
139864759878080:error:220A4076:X509 V3 routines:a2i_GENERAL_NAME:bad ip address:../crypto/x509v3/v3_alt.c:461:value=
139864759878080:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=@alt_names
Failed. See /home/ubuntu/guac-setup/guacamole_setup.log
Self signed certificate configured for Nginx

itiligent commented 11 months ago

I tested on a fresh Ubuntu 18.04 just now and it installed fine with Nginx & TLS. The script works.

This error relates to invalid options being sent to the certificate generation process. Parameters the 4a script is receiving are out of bounds somehow. Double check with the custom options you are using to make sure you are not sending incompatible config settings such as more than TWO letters for country code.

Do a test run with only the script defaults as downloaded. During the install, when the installer reaches the below section on screen, does it depict clear parameters like below, or still an error?

New self-signed TLS certificate attributes are shown below...
[req]
distinguished_name  = req_distinguished_name
x509_extensions     = v3_req
prompt              = no
string_mask         = utf8only

[req_distinguished_name]
C                   = AU
ST                  = Victoria
L                   = Melbourne
O                   = Itiligent
OU                  = I.T.
CN                  = *.lan

[v3_req]
keyUsage            = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName      = @alt_names

[alt_names]
DNS.1               = test.lan
DNS.2               = *.lan
IP.1                = 192.168.1.50

If you still get an error there is something about your system that might be having issues discovering the local IP address (many NICs?), or some other TLS library conflict. You could try hard coding the certificate settings above by editing the 4a script and then commenting out its download line in script 1-setup to stop overwriting of your changes. At least that's where to start.

Ubuntu 18.x went EOL as of May 23, so it is better to move to something more recent. I won't be supporting 18.x into the future if packages diverge and things break in future.

rgutierrez2004 commented 11 months ago

Yes, I believe the problem only happens with Ubuntu distributions in cloud providers (which usually have public and private IPs) like Oracle Cloud, where once the image is deployed, the OS does not get the private IP but instead gets 127.0.1.1, which I believe results in the script "4a-install-tls-self-signed-nginx.sh" being unable to update the "IP.1" parameter accordingly. What I did is, after getting the error from the initial install, I manually updated the variable "DEFAULT_IP" with the public IP of my Ubuntu instance and ran the script again; this time it completed successfully, generating the certificates.

itiligent commented 11 months ago

Thanks for the feedback. I'm glad you found the $DEFAULT_IP setting (I should have thought of that). I tried to keep all the config options clear and up front for this sort of troubleshooting, so I hope it didn't take too long to find and sort out. I'm not sure how I could solve this specific error scenario in the script; maybe just an updated note on the readme.
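An added example, not taken from the Guacamole-Installer scripts, of the guard this thread points at: validate the address before it is written as `IP.1`, and leave the SAN IP entry out when it is empty or the 127.0.1.1 hostname placeholder, so openssl is never handed the empty `value=` seen in the error above while the DNS SANs still get issued. The `discover_ipv4` helper and its use of `ip route` are an assumption about how an address might be found, not the 4a script's own method.

```shell
# Example code (not part of the Guacamole-Installer project): guard the subjectAltName
# IP entry so openssl never sees "IP.1 = " with an empty or placeholder address.

# Return 0 only for a syntactically valid, non-loopback IPv4 address.
# The body runs in a subshell so the IFS and positional-parameter changes stay local.
valid_ipv4() (
    ip="$1"
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;   # empty, stray characters, or malformed dots
        127.*) exit 1 ;;                     # 127.0.1.1 is the hostname placeholder; useless as a SAN
    esac
    IFS=.
    set -- $ip                               # split into octets
    [ "$#" -eq 4 ] || exit 1
    for octet; do
        [ "$octet" -le 255 ] || exit 1
    done
)

# Best-effort discovery of the primary IPv4 address from the default route.
# Assumption: iproute2 is installed; prints nothing if it is not.
discover_ipv4() {
    ip -4 route get 1.1.1.1 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }'
}

# Emit the [alt_names] section. IP.1 is written only when the address passes validation;
# otherwise it is omitted with a warning on stderr and the DNS entries are still emitted.
build_alt_names() {
    host="$1"; domain="$2"; ip="$3"
    printf '[alt_names]\nDNS.1 = %s\nDNS.2 = %s\n' "$host" "$domain"
    if valid_ipv4 "$ip"; then
        printf 'IP.1 = %s\n' "$ip"
    else
        printf 'warning: "%s" is not a usable IPv4 address, IP.1 omitted from SAN list\n' "$ip" >&2
    fi
}

# Stand-alone usage: sh san_guard.sh test.lan '*.lan' [ip]
# When no ip is given, the discovered address is used (and validated the same way).
if [ "$#" -ge 2 ]; then
    build_alt_names "$1" "$2" "${3:-$(discover_ipv4)}"
fi
```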