mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

Wildcard certificates (in SAN) broken - cryptography module #467

Closed PortableTech closed 9 years ago

PortableTech commented 9 years ago

I ran the upgrade script and something went wrong. The roundcube interface is still working, but the admin console is completely down and returns an error of "Error: Something went wrong, sorry."

There were errors during the setup. I am including the results for reference. I did replace IPs, hostname, and keys to protect the innocent. Also, the HTML in the console output is being interpreted by Github and shown as HTML.

Also, I am not in trouble, I rolled the server back to a snapshot I took right before I did the upgrade. I did tar up the whole /var/log folder before I did though in case any of that would be helpful.

```
ubuntu@mail:~$ curl -s https://mailinabox.email/bootstrap.sh | sudo bash
Updating Mail-in-a-Box to v0.11b . . .
remote: Counting objects: 54, done.
remote: Compressing objects: 100% (49/49), done.
remote: Total 54 (delta 37), reused 13 (delta 5), pack-reused 0
Unpacking objects: 100% (54/54), done.
From https://github.com/mail-in-a-box/mailinabox

Running migration to Mail-in-a-Box #8...

* I added this to represent the menu system * Console Menus Started, all defaults accepted. *

Primary Hostname: mail.somebox.org
Public IP Address: 1.2.3.4
Private IP Address: 1.2.3.4
Mail-in-a-Box Version: v0.11b

Updating system packages...
already installed: python3 (3.4.0-0ubuntu2), python3-dev (3.4.0-0ubuntu2), python3-pip (1.5.4-1ubuntu3), netcat-openbsd (1.105-7ubuntu1), wget (1.15-1ubuntu1.14.04.1), curl (7.35.0-1ubuntu2.5), git (1:1.9.1-1ubuntu0.1), sudo (1.8.9p5-1ubuntu1.1), coreutils (8.21-1ubuntu5.1), bc (1.06.95-8ubuntu1), haveged (1.7c-1), unattended-upgrades (0.82.1ubuntu2.3), cron (3.0pl1-124ubuntu2), ntp (1:4.2.6.p5+dfsg-3ubuntu2.14.04.3), fail2ban (0.8.11-1)
already installed: ufw (0.34~rc-0ubuntu2)
Firewall is active and enabled on system startup
already installed: bind9 (1:9.9.5.dfsg-3ubuntu0.2), resolvconf (1.69ubuntu1.1)
already installed: openssl (1.0.1f-1ubuntu2.15)
already installed: nsd (4.0.1-1ubuntu0.1), ldnsutils (1.6.17-1), openssh-client (1:6.6p1-2ubuntu2)
already installed: postfix (2.11.0-1ubuntu1), postfix-pcre (2.11.0-1ubuntu1), postgrey (1.35-1+miab1), ca-certificates (20141019ubuntu0.14.04.1)
already installed: dovecot-core (1:2.2.9-1ubuntu2.1), dovecot-imapd (1:2.2.9-1ubuntu2.1), dovecot-pop3d (1:2.2.9-1ubuntu2.1), dovecot-lmtpd (1:2.2.9-1ubuntu2.1), dovecot-sqlite (1:2.2.9-1ubuntu2.1), sqlite3 (3.8.2-1ubuntu2), dovecot-sieve (1:2.2.9-1ubuntu2.1), dovecot-managesieved (1:2.2.9-1ubuntu2.1)
installing dovecot-lucene ...
already installed: opendkim (2.9.1-1), opendkim-tools (2.9.1-1), opendmarc (1.2.0+dfsg-1)
already installed: spampd (2.30-22.2), razor (1:2.85-4build2), pyzor (1:0.5.0-2fakesync1), dovecot-antispam (2.0+20130822-2build1)
already installed: nginx (1.4.6-1ubuntu3.2), php5-fpm (5.5.9+dfsg-1ubuntu4.9)
already installed: dbconfig-common (1.8.47+nmu1), php5 (5.5.9+dfsg-1ubuntu4.9), php5-sqlite (5.5.9+dfsg-1ubuntu4.9), php5-mcrypt (5.4.6-0ubuntu5), php5-intl (5.5.9+dfsg-1ubuntu4.9), php5-json (1.3.2-2build1), php5-common (5.5.9+dfsg-1ubuntu4.9), php-auth (1.6.4-1), php-net-smtp (1.6.1-1), php-net-socket (1.0.14-1), php-net-sieve (1.3.2-4), php-mail-mime (1.8.8-1), php-crypt-gpg (1.3.2-1), php5-gd (5.5.9+dfsg-1ubuntu4.9), php5-pspell (5.5.9+dfsg-1ubuntu4.9), tinymce (3.4.8+dfsg0-1), libjs-jquery (1.7.2+dfsg-2ubuntu1), libjs-jquery-mousewheel (8-2), libmagic1 (1:5.14-2ubuntu3.3)
installing Roundcube webmail 1.1.2...
already installed: dbconfig-common (1.8.47+nmu1), php5-cli (5.5.9+dfsg-1ubuntu4.9), php5-sqlite (5.5.9+dfsg-1ubuntu4.9), php5-gd (5.5.9+dfsg-1ubuntu4.9), php5-imap (5.4.6-0ubuntu5), php5-curl (5.5.9+dfsg-1ubuntu4.9), php-pear (5.5.9+dfsg-1ubuntu4.9), php-apc (4.0.2-2build1), curl (7.35.0-1ubuntu2.5), libapr1 (1.5.0-1), libtool (2.4.2-1.7ubuntu1), libcurl4-openssl-dev (7.35.0-1ubuntu2.5), php-xml-parser (1.3.4-6), php5 (5.5.9+dfsg-1ubuntu4.9), php5-dev (5.5.9+dfsg-1ubuntu4.9), php5-gd (5.5.9+dfsg-1ubuntu4.9), php5-fpm (5.5.9+dfsg-1ubuntu4.9), memcached (1.4.14-0ubuntu9), php5-memcache (3.0.8-4build1), unzip (6.0-9ubuntu1.3)
Migrating owncloud/config.php to new location.
installing ownCloud...
upgrading ownCloud to 8.0.4 (backing up existing ownCloud directory to /tmp/owncloud-backup-1923)...
already installed: php-soap (0.13.0-1), php5-imap (5.4.6-0ubuntu5), libawl-php (0.53-1), php5-xsl (5.5.9+dfsg-1ubuntu4.9)
already installed: python3-flask (0.10.1-2build1), links (2.8-1ubuntu1), duplicity (0.6.23-1ubuntu4.1), libyaml-dev (0.1.4-3ubuntu3.1), python3-dnspython (1.11.1-1), python3-dateutil (2.0+dfsg1-1), build-essential (11.6ubuntu6), libssl-dev (1.0.1f-1ubuntu2.15), python3-dev (3.4.0-0ubuntu2)
installing libffi-dev ...
installing munin munin-node ...
updated DNS: phillipslanding.org
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
500 Internal Server Error
Internal Server Error
The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

Your Mail-in-a-Box is running.

Please log in to the control panel for further instructions at:

Traceback (most recent call last):
  File "management/status_checks.py", line 982, in
    cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key, warn_if_expiring_soon=False)
  File "management/status_checks.py", line 641, in check_certificate
    sans = cert.extensions.get_extension_for_oid(OID_SUBJECT_ALTERNATIVE_NAME).value.get_values_for_type(DNSName)
  File "/usr/local/lib/python3.4/dist-packages/cryptography/hazmat/backends/openssl/x509.py", line 287, in extensions
    value = self._build_subject_alt_name(ext)
  File "/usr/local/lib/python3.4/dist-packages/cryptography/hazmat/backends/openssl/x509.py", line 502, in _build_subject_alt_name
    general_names = _build_general_names(self._backend, gns)
  File "/usr/local/lib/python3.4/dist-packages/cryptography/hazmat/backends/openssl/x509.py", line 86, in _build_general_names
    names.append(_build_general_name(backend, gn))
  File "/usr/local/lib/python3.4/dist-packages/cryptography/hazmat/backends/openssl/x509.py", line 94, in _build_general_name
    return x509.DNSName(idna.decode(data))
  File "/usr/local/lib/python3.4/dist-packages/idna/core.py", line 383, in decode
    result.append(ulabel(label))
  File "/usr/local/lib/python3.4/dist-packages/idna/core.py", line 298, in ulabel
    check_label(label)
  File "/usr/local/lib/python3.4/dist-packages/idna/core.py", line 252, in check_label
    raise InvalidCodepoint('Codepoint {0} at position {1} of {2} not allowed'.format(_unot(cp_value), pos+1, repr(label)))
idna.core.InvalidCodepoint: Codepoint U+002A at position 1 of '*' not allowed
https://1.2.3.4/admin

You will be alerted that the website has an invalid certificate. Check that the certificate fingerprint matches:

XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX (yes, I changed this.)

Then you can confirm the security exception and continue.
```

stevetoza commented 9 years ago

I have the same issue

JoshData commented 9 years ago

Okay, I see: wildcard certs with the wildcard in the Subject Alternative Names extension are a problem for the new cryptography library we are using. It's been fixed upstream, so the fastest way to fix this is to install the latest upstream package:

```
sudo pip3 install git+https://github.com/pyca/cryptography
```

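The failure JoshData describes, as an added example that is not Mail-in-a-Box or pyca/cryptography code: a strict IDNA decoder validates each label against the host-name alphabet, so the bare `*` label of a wildcard SAN is rejected with the same message as the traceback, and the wildcard-aware decoder mirrors the upstream fix's approach of stripping the `*.` prefix before decoding and restoring it afterwards. `strict_idna_decode` and `decode_san_dns_name` are hypothetical names, and the LDH regex stands in for the library's codepoint table.

```python
import re

# RFC 1123 host label: letters, digits and hyphens, 1 to 63 characters,
# not starting or ending with a hyphen.
_LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
_LDH_CHAR = re.compile(r"[A-Za-z0-9-]")


class InvalidCodepoint(ValueError):
    """Stand-in for idna.core.InvalidCodepoint from the traceback above."""


def strict_idna_decode(name: bytes) -> str:
    """Decode an A-label DNS name label by label, as a strict IDNA decoder
    does. A bare "*" label fails here exactly as the traceback shows."""
    labels = []
    for label in name.decode("ascii").split("."):
        if not _LDH_LABEL.match(label):
            bad = [ch for ch in label if not _LDH_CHAR.match(ch)]
            if bad:
                raise InvalidCodepoint(
                    "Codepoint U+%04X at position %d of %r not allowed"
                    % (ord(bad[0]), label.index(bad[0]) + 1, label))
            raise ValueError("Malformed label %r" % label)
        # The stdlib codec turns an "xn--" A-label back into its U-label.
        labels.append(label.encode("ascii").decode("idna"))
    return ".".join(labels)


def decode_san_dns_name(data: bytes) -> str:
    """Decode a SAN dNSName value the way the fixed library does: peel off
    the wildcard prefix, decode the rest strictly, then put it back."""
    prefix = ""
    if data.startswith(b"*."):
        prefix, data = "*.", data[2:]
    return prefix + strict_idna_decode(data)


if __name__ == "__main__":
    # Constructed sample SAN values (not taken from any real certificate).
    for san in (b"*.example.com", b"mail.xn--bcher-kva.example"):
        try:
            print(san, "-> strict:", strict_idna_decode(san))
        except InvalidCodepoint as err:
            print(san, "-> strict decoder raised:", err)
        print(san, "-> wildcard-aware:", decode_san_dns_name(san))
```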
PortableTech commented 9 years ago

At this point I rolled back to a pre-upgrade snapshot. Just to make sure I am tracking, can I run the above command and then run the upgrade, or do I need to rerun the upgrade, let it break and then run that command?

JoshData commented 9 years ago

I'm not sure. If you run pip after upgrading (as I did) you'll just need to sudo service mailinabox restart to get it to take effect.

PortableTech commented 9 years ago

Will test this evening.

PortableTech commented 9 years ago

UPDATE: it is not possible to run the git command prior to the upgrade as there are dependency issues. I did do it the way you suggested afterwards, and it does appear to have resolved the issue.

I can also confirm that the 2048 bit DKIM key was made and does appear valid.

I will continue to test.

brocktice commented 9 years ago

I am still having problems after running the pip upgrade. I am having fewer problems, but still:

```
Traceback (most recent call last):
  File "management/status_checks.py", line 993, in
    cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key, warn_if_expiring_soon=False)
  File "management/status_checks.py", line 668, in check_certificate
    priv_key = load_pem(open(ssl_private_key, 'rb').read())
  File "management/status_checks.py", line 767, in load_pem
    raise ValueError("Unsupported PEM object type: " + pem_type.decode("ascii", "replace"))
ValueError: Unsupported PEM object type: PRIVATE KEY
```

EDIT: Disregard, helps if you concatenate the certificates correctly. The pip upgrade seems to have done the trick.
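The `load_pem` error brocktice hit, as an added example that is not Mail-in-a-Box code: a PEM loader that accepts the PKCS#8 `PRIVATE KEY` label alongside the PKCS#1 `RSA PRIVATE KEY` one, plus a check that a concatenated certificate file holds only certificates with the server certificate first (that ordering check goes beyond what the thread states). `iter_pem`, `load_pem` and `check_cert_bundle` are hypothetical names; the sample PEM objects are constructed and contain no real key or certificate.

```python
import base64
import re

# One PEM object: label, base64 body (whitespace allowed), matching END line.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# All of these are legitimate private-key labels written by openssl and
# friends; a loader that knows only the first rejects a PKCS#8 key file.
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def iter_pem(data: bytes):
    """Yield (label, der_bytes) for each PEM object in data, in file order."""
    for m in _PEM_BLOCK.finditer(data):
        label = m.group(1).decode("ascii")
        try:
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:
            raise ValueError("PEM object %s has a corrupt base64 body" % label)
        yield label, der


def load_pem(data: bytes):
    """Classify the first PEM object as 'key' or 'cert'; reject other labels."""
    for label, der in iter_pem(data):
        if label in PRIVATE_KEY_LABELS:
            return "key", der
        if label == "CERTIFICATE":
            return "cert", der
        raise ValueError("Unsupported PEM object type: " + label)
    raise ValueError("no PEM object found")


def check_cert_bundle(data: bytes) -> int:
    """Concatenated certificate file: server cert first, chain after, never a
    private key. Returns the number of certificates found."""
    labels = [label for label, _ in iter_pem(data)]
    if not labels or labels[0] != "CERTIFICATE":
        raise ValueError("first PEM object must be the server certificate")
    if any(label in PRIVATE_KEY_LABELS for label in labels):
        raise ValueError("private key found in certificate file")
    return labels.count("CERTIFICATE")


def _pem(label: str, payload: bytes) -> bytes:
    """Build a constructed PEM object for the samples below (not real DER)."""
    return (b"-----BEGIN %s-----\n%s\n-----END %s-----\n"
            % (label.encode(), base64.b64encode(payload), label.encode()))


# Constructed samples: a PKCS#8-labelled key file and a two-certificate bundle.
SAMPLE_KEY = _pem("PRIVATE KEY", b"constructed, not a real key")
SAMPLE_BUNDLE = _pem("CERTIFICATE", b"server cert") + _pem("CERTIFICATE", b"chain cert")
```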

JoshData commented 9 years ago

Actually I just fixed that in master. You might have accidentally picked up the fix if you pulled?

Xoib commented 9 years ago

Well, it's fixed upstream at pyca/cryptography#2054, but it has not yet been picked up by the package maintainers of the main distros. You should force fetching the upstream version of pyca/cryptography#2071 until then, because as is, the status_check fails.

```
  File "/usr/local/lib/python3.4/dist-packages/idna/core.py", line 252, in check_label
    raise InvalidCodepoint('Codepoint {0} at position {1} of {2} not allowed'.format(_unot(cp_value), pos+1, repr(label)))
idna.core.InvalidCodepoint: Codepoint U+002A at position 1 of '*' not allowed
```

JoshData commented 9 years ago

Different issues.

Xoib commented 9 years ago

@JoshData : I am not talking about the one from @brocktice, but the first one from @PortableTech and @stevetoza.

JoshData commented 9 years ago

The cryptography library released 1.0 a few weeks ago, so anyone that upgraded to the latest Mail-in-a-Box should have it and this issue should be resolved. If not, please re-open the issue.