View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001035 | Main CAcert Website | certificate issuing | public | 2012-05-01 07:59 | 2014-04-15 22:10 |
Reporter | laforge | Assigned To | |||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Platform | Default | OS | any | OS Version | any |
Fixed in Version | 2014 Q1 | ||||
Summary | 0001035: CN gets deleted from subjectAltName on cert renewal | ||||
Description | When renewing certificates that had a given DNS name specified in both the CN and one of the SubjectAltNames, CAcert now suddenly removes the CN from the list of SubjectAltNames. This is, I believe, in violation of RFC 2818, and the Mozilla developers tend to agree with that position, as you can see from https://bugzilla.mozilla.org/show_bug.cgi?id=369112. In effect it means that my renewed certificates cause certificate verification to fail on the primary host name present in the CN, as at least some web browsers (legitimately!) ignore the CN as soon as SubjectAltNames are present. | ||||
Steps To Reproduce | Use an old CSR that is already in the CAcert system, which has e.g. the following configuration: CN: lists.gnumonks.org; subjectAltName: lists.gnumonks.org, lists.osmocom.org, lists.gpl-violations.org. Then renew that certificate, and you will get: CN: lists.gnumonks.org; subjectAltName: lists.osmocom.org, lists.gpl-violations.org. And Mozilla/NSS based browsers will tell you that the certificate is invalid, as they read RFC 2818 as actually requiring them to ignore the CN if subjectAltNames are present. | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
duplicate of | 0000440 | closed | NEOatNHNG | Problem with subjectAltName |
related to | 0000768 | closed | CAcert adds CommonName to SubjectAltName, although it's already there | |
related to | 0000530 | closed | XMPP extension not present after renewal | |
related to | 0000799 | new | Repeated CN in SAN in original CSR and produced in 1st received CRT is removed when CRT is renewed | |
has duplicate | 0001214 | closed | NEOatNHNG | Extended validity certificates don't have the same Subject Alt Name as newly created certificates |
related to | 0001054 | needs review & testing | Ted | Review the code regarding the new point calculation in ./includes/general.php |
related to | 0001101 | needs work | TimoAHummel | general rewrite of get info from csr routine in includes/general.php |
|
Hi, as you can see by the related bugs I attached this has a loooong history. If you look at the code there also seems to be a 'special codepath' for some specific user account. Which scares me. I just create new CSRs each time I need a renewal. For years now. |
|
I think this is a duplicate of 0000440 which has a fix that still needs some testing. You are welcome to help out there. If you think this case is different please explain in more detail why it is, otherwise please close this bug report. |
|
As far as I can tell, bug 440 describes the exact opposite problem: "... but as you can see, www.fbunet.de now appears twice as a DNS record. Looks like the CN is taken and put into subjectAltName additionally (which makes no sense, as it's already there)." So the reporter of bug 440 claims that his DNS record from CN is copied into subjectAltName _additionally_. My bug report is about an existing subjectAltName being _removed_ from the certificate upon renewal. |
|
Um, yes. The description is the opposite but the solution is the same: unify the CN/SubjectAlternativeName handling for initial issuing and renewal. So please test on our test server https://cacert1.it-sls.de whether there your problem is solved and please report your findings. |
|
It seems the test system doesn't have the real CSRs installed (probably for good reasons). As a result, I'm not sure how I can test the specific bug I am encountering, as it occurs when renewing certificates. Is there a way I can "go back in time" with the test system, submit a CSR, have it issue a certificate, then fast-forward time and renew the certificate for that old CSR? I would be happy to do it. |
|
No you can't go back in time, but the certificates expire much faster on the test server (3-30 days depending on your assurance status at the test server). So you can submit a CSR identical or equivalent to the one you used some time ago on the live system and then renew that one. Additional hint: To read mail sent to the test server account and do some other stuff not possible within the test server itself, login to https://ca-mgr1.it-sls.de with the same credentials you created the test server account with. |
|
At least on the live system I can renew all my certs at any given time. |
|
The problem is the same (inconsistent behaviour between first issue and renewal), the proposed solution by the reporters is different: either use the first issue as standard, or use the renewal as standard. I think that the bug submitter is correct that the subjectAltName should contain the domain as present in the CN, since the CN should be ignored if a subjectAltName is present. Edit: I recommend that the bug reporter comment on 0000440 to explain. I know of the guidelines to handle X.509 in email (RFC 5750); if you know of such a reference for X.509 as web certificates, that would be great. @NEOatNHNG: I'm happy to test, but the test server is a chore. I created an account (with the 5 obligatory insecurity questions, sigh), but the test server does not send out emails. I did find the place (https://ca-mgr1.it-sls.de/mail) where I could read the confirmation mail for my mail address. However, to add an account, I also need to confirm an email, and those mails don't show up there. Without an email, no domain, and without a domain, my CSR is rejected. Hence, I can't test. If you can point me to a page on wiki.cacert.org with a clear step-by-step guide how to use the test server and find the emails, I'm willing to test. Given that this web-email interface is very slow, I find this cumbersome at best. |
|
@macfreek: Documentation: https://wiki.cacert.org/Software/Assessment/TestserverManagementSystem and https://wiki.cacert.org/Software/CurrentTest, by no means complete, feel free to add. Email being slow: yes, initially the email interface was just a hack to get us started. Now there are so many mails in the same inbox being processed and filtered that it takes a long time to load. We have to either put some intelligence in to only load the mails received in the last 30 days by default, with the possibility to load all after clicking a button for example, or truncate the inbox file regularly. Email not being displayed: what do you mean here? You want to add a domain or additional email address? At least for email addresses I just tried it: 1) Add the email address in the account 2) Login on ca-mgr with the _primary_ email address credentials (the ones you created the account with unless you changed that) 3) Wait a long time for the mail page to load ;-) 4) Scroll all the way to the bottom and find the confirmation mail (yes, the sorting order is also suboptimal, did I mention it was a hack?) |
|
@NEOatNHNG: thanks, it works. I never added an email address to the account, but straight away tried to add a domain. To verify that domain, an email was supposedly sent by the test system, but to an email address _not associated with my account_. For that reason, the email was never shown in the web interface. I just added that email address to my test account, and now the domain verification email did show up (even the original email from earlier today). Either I did not wait long enough, or it apparently is essential to first add an email address before adding a domain. Yes, it feels nice and hackery, but hey - it works now. I'll make a few test certificates and report back in 0000440. |
|
Forgive me for being blunt, but is there anything keeping this issue from being fixed? It seems like a pretty simple thing to do, as it is a regression to previous behaviour and in violation of specification. A number of my certificates have meanwhile expired, as I am unable to renew them due to this bug. Users are starting to complain about that fact, and I'm seriously annoyed enough to consider moving away from CAcert and back to running my own CA for *.{openmoko,osmocom,gpl-violations}.org and other projects :/ |
|
from certs test under other bugs 1054 and 440

1054.3.6 part V client certs variation renewal of cert

1. Valid certs.test@w.d 115C Not Revoked 2012-10-20 21:04:00
   Now renewing the following certificates:
   Certificate for 'certs.test@w.d' has been renewed.
   Click here to install your certificate.
   (next page) x1)
   Install your certificate
   Install the certificate into your browser
   new cert: Valid certs.test@w.d 1164 Not Revoked 2012-10-21 21:26:44
   (next cert after Serial Number: 4449 (0x1161) -> 1164)
   cert serno 115c no longer in list
   view all certs, 115c listed: Valid certs.test@w.d 115C Not Revoked 2012-10-20 21:04:00
   cert serno 1164 details: not yet visible in FF cert store
   ok, retrying to save new key in FF cert store
   Install the certificate into your browser
   https://cacert1.it-sls.de/account.php?id=6&cert=259099&install
   result: cert stored in cert store ... (or similar msg)
   now cert is visible in FF cert store
   Serno: 11:64
   valid from/to: 21.09.2012 23:26:44 / 21.10.2012 23:26:44
   owner: E = certs.test@w.d, CN = CAcert WoT User -> ok
   cert-alternate-name: Nicht kritisch, E-Mail-Adresse: certs.test@w.d -> ok

2. renew key
   -------------------------------------------------------------
   Valid certs.test@w.d 1161 Not Revoked 2012-10-21 13:02:39
   Name: Certs Sub Test -> ok
   Valid from/to: 21.09.2012 15:02:39 / 21.10.2012 15:02:39 -> ok
   owner: E = bug1054.3.6.3.user2@w.d, E = bug1054.3.6.3.user1@w.d, E = certs.test@w.d, CN = Certs Sub Test
   -------------------------------------------------------------
   Now renewing the following certificates:
   Certificate for 'certs.test@w.d' has been renewed.
   Click here to install your certificate.
   https://cacert1.it-sls.de/account.php?id=6&cert=259100
   x1) link opens new window/tab ... -> problem
   Install your certificate
   Install the certificate into your browser
   https://cacert1.it-sls.de/account.php?id=6&cert=259100&install
   cert saved to cert store
   new cert in list: Valid certs.test@w.d 1165 Not Revoked 2012-10-21 21:41:56
   prev cert not in main list
   view all certs (cert still there): Valid certs.test@w.d 1161 Not Revoked 2012-10-21 13:02:39
   cert 1165 details
   serno: 11:65
   valid from/to: 21.09.2012 23:41:56 / 21.10.2012 23:41:56 -> ok
   owner: E = bug1054.3.6.3.user2@w.d, E = bug1054.3.6.3.user1@w.d, E = certs.test@w.d, CN = Certs Sub Test -> ok
   extended keyusage -> ok
   cert-alternate-name: Nicht kritisch, E-Mail-Adresse: certs.test@w.d, E-Mail-Adresse: bug1054.3.6.3.user1@w.d, E-Mail-Adresse: bug1054.3.6.3.user2@w.d -> ok

=> all ok except problem of https://bugs.cacert.org/view.php?id=1017
routine x1) runs into fix https://bugs.cacert.org/view.php?id=1017
/account.php?id=6 lists 3 options:
a. Install the certificate into your browser
b. Download the certificate in PEM format
c. Download the certificate in DER format
using a. with FF

see also https://bugs.cacert.org/view.php?id=1054#c3212
see also https://bugs.cacert.org/view.php?id=440#c3213 |
|
1054.3.6 part VI server certs variation renewal of cert

1. Valid test1.avintec.com 115F Not Revoked 2012-10-21 12:19:20
   details original cert
   openssl x509 -text -in test1-avintec-com-1024-signed-c1.key -noout
   ....................................................................
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number: 4447 (0x115f)
           Signature Algorithm: sha1WithRSAEncryption
           Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
           Validity
               Not Before: Sep 21 12:19:20 2012 GMT
               Not After : Oct 21 12:19:20 2012 GMT
           Subject: CN=test1.avintec.com
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
               RSA Public Key: (1024 bit)
                   Modulus (1024 bit): [...]
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Basic Constraints: critical
                   CA:FALSE
               X509v3 Key Usage: critical
                   Digital Signature, Key Encipherment, Key Agreement
               X509v3 Extended Key Usage:
                   TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
               Authority Information Access:
                   OCSP - URI:http://ocsp.cacert.org/
               X509v3 CRL Distribution Points:
                   URI:http://crl.cacert.org/revoke.crl
               X509v3 Subject Alternative Name:
                   DNS:test1.avintec.com, othername:<unsupported>
       Signature Algorithm: sha1WithRSAEncryption
   ....................................................................
   => ok
   starting renewal:
   Now renewing the following certificates:
   Processing request 302035: Renewing: test1.avintec.com
   -----BEGIN CERTIFICATE-----
   [...]
   -----END CERTIFICATE-----
   content saved to test1-renewal-115f-signed-c1.key
   new key after renewal: Valid test1.avintec.com 1166 Not Revoked 2012-10-21 22:06:42
   old key 115f not visible in main server certs list
   view all certs (shows in the list): Valid test1.avintec.com 115F Not Revoked 2012-10-21 12:19:20
   details of server cert 0001166
   openssl x509 -text -in test1-renewal-115f-signed-c1.key -noout
   .................................................................
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number: 4454 (0x1166)
           Signature Algorithm: sha1WithRSAEncryption
           Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
           Validity
               Not Before: Sep 21 22:06:42 2012 GMT
               Not After : Oct 21 22:06:42 2012 GMT
           Subject: CN=test1.avintec.com
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
               RSA Public Key: (1024 bit)
                   Modulus (1024 bit): [...]
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Basic Constraints: critical
                   CA:FALSE
               X509v3 Key Usage: critical
                   Digital Signature, Key Encipherment, Key Agreement
               X509v3 Extended Key Usage:
                   TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
               Authority Information Access:
                   OCSP - URI:http://ocsp.cacert.org/
               X509v3 CRL Distribution Points:
                   URI:http://crl.cacert.org/revoke.crl
               X509v3 Subject Alternative Name:
                   DNS:test1.avintec.com, othername:<unsupported>
       Signature Algorithm: sha1WithRSAEncryption
       [...]
   .................................................................
   => ok

2. Valid test1.avintec.com 1163 Not Revoked 2012-10-21 14:41:43
   details original cert
   openssl x509 -text -in test2-avintec-com-2048-signed-c1.key -noout
   .......................................................................
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number: 4451 (0x1163)
           Signature Algorithm: sha1WithRSAEncryption
           Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
           Validity
               Not Before: Sep 21 14:41:43 2012 GMT
               Not After : Oct 21 14:41:43 2012 GMT
           Subject: CN=test1.avintec.com
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
               RSA Public Key: (2048 bit)
                   Modulus (2048 bit): [...]
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Basic Constraints: critical
                   CA:FALSE
               X509v3 Key Usage: critical
                   Digital Signature, Key Encipherment, Key Agreement
               X509v3 Extended Key Usage:
                   TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
               Authority Information Access:
                   OCSP - URI:http://ocsp.cacert.org/
               X509v3 CRL Distribution Points:
                   URI:http://crl.cacert.org/revoke.crl
               X509v3 Subject Alternative Name:
                   DNS:test1.avintec.com, othername:<unsupported>, DNS:mail.avintec.com, othername:<unsupported>, DNS:www.avintec.com, othername:<unsupported>, DNS:www.fra.avintec.com, othername:<unsupported>, DNS:mx.avintec.com, othername:<unsupported>, DNS:support.avintec.com, othername:<unsupported>
       Signature Algorithm: sha1WithRSAEncryption
   .......................................................................
   => ok
   starting renewal:
   Now renewing the following certificates:
   Processing request 302038: Renewing: test1.avintec.com
   -----BEGIN CERTIFICATE-----
   [...]
   -----END CERTIFICATE-----
   content saved to test2-renewal-1163-signed-c1.key
   new key after renewal: Valid test1.avintec.com 1167 Not Revoked 2012-10-21 22:17:20
   old key 1163 not visible in main server certs list
   view all certs (shows in the list): Valid test1.avintec.com 1163 Not Revoked 2012-10-21 14:41:43
   details of server cert 0001166
   openssl x509 -text -in test2-renewal-1163-signed-c1.key -noout
   .................................................................
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number: 4455 (0x1167)
           Signature Algorithm: sha1WithRSAEncryption
           Issuer: C=AU, ST=New South Wales, O=CAcert Testserver, OU=http://cacert1.it-sls.de, CN=CAcert Testserver Root
           Validity
               Not Before: Sep 21 22:17:20 2012 GMT
               Not After : Oct 21 22:17:20 2012 GMT
           Subject: CN=test1.avintec.com
           Subject Public Key Info:
               Public Key Algorithm: rsaEncryption
               RSA Public Key: (2048 bit)
                   Modulus (2048 bit): [...]
                   Exponent: 65537 (0x10001)
           X509v3 extensions:
               X509v3 Basic Constraints: critical
                   CA:FALSE
               X509v3 Key Usage: critical
                   Digital Signature, Key Encipherment, Key Agreement
               X509v3 Extended Key Usage:
                   TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
               Authority Information Access:
                   OCSP - URI:http://ocsp.cacert.org/
               X509v3 CRL Distribution Points:
                   URI:http://crl.cacert.org/revoke.crl
               X509v3 Subject Alternative Name:
                   DNS:test1.avintec.com, othername:<unsupported>, DNS:mail.avintec.com, othername:<unsupported>, DNS:www.avintec.com, othername:<unsupported>, DNS:www.fra.avintec.com, othername:<unsupported>, DNS:mx.avintec.com, othername:<unsupported>, DNS:support.avintec.com, othername:<unsupported>
       Signature Algorithm: sha1WithRSAEncryption
       [...]
   .................................................................
   => ok

=> all ok

see also https://bugs.cacert.org/view.php?id=440#c3216
see also https://bugs.cacert.org/view.php?id=1054#c3215 |
|
fixed with bug 440 |
Date Modified | Username | Field | Change |
---|---|---|---|
2012-05-01 07:59 | laforge | New Issue | |
2012-05-01 14:25 | mutax | Relationship added | related to 0000440 |
2012-05-01 14:26 | mutax | Relationship added | related to 0000768 |
2012-05-01 14:26 | mutax | Relationship added | related to 0000530 |
2012-05-01 14:28 | mutax | Relationship added | related to 0000799 |
2012-05-01 14:32 | mutax | Note Added: 0002976 | |
2012-05-01 14:39 | NEOatNHNG | Note Added: 0002977 | |
2012-05-01 14:39 | NEOatNHNG | Relationship replaced | duplicate of 0000440 |
2012-05-01 14:39 | NEOatNHNG | Status | new => solved? |
2012-05-01 14:39 | NEOatNHNG | Resolution | open => duplicate |
2012-05-01 14:39 | NEOatNHNG | Assigned To | => NEOatNHNG |
2012-05-01 14:44 | laforge | Note Added: 0002978 | |
2012-05-01 14:44 | laforge | Status | solved? => needs feedback |
2012-05-01 14:44 | laforge | Resolution | duplicate => reopened |
2012-05-01 14:48 | NEOatNHNG | Note Added: 0002979 | |
2012-05-01 15:11 | laforge | Note Added: 0002980 | |
2012-05-01 15:11 | laforge | Status | needs feedback => needs work |
2012-05-01 15:17 | NEOatNHNG | Note Added: 0002981 | |
2012-05-01 15:22 | mutax | Note Added: 0002982 | |
2012-05-01 15:23 | macfreek | Note Added: 0002983 | |
2012-05-01 15:27 | macfreek | Note Edited: 0002983 | |
2012-05-01 16:07 | NEOatNHNG | Note Added: 0002984 | |
2012-05-01 16:08 | NEOatNHNG | Note Edited: 0002984 | |
2012-05-01 19:11 | macfreek | Note Added: 0002985 | |
2012-06-09 13:42 | laforge | Note Added: 0003058 | |
2012-09-21 21:57 | Uli60 | Relationship added | related to 0001054 |
2012-09-21 22:00 | Uli60 | Note Added: 0003214 | |
2012-09-21 22:26 | Uli60 | Note Added: 0003217 | |
2013-01-07 21:47 | Werner Dworak | Relationship added | related to 0001101 |
2013-09-29 16:27 | Uli60 | Relationship added | has duplicate 0001214 |
2014-04-15 22:10 | INOPIAE | Note Added: 0004735 | |
2014-04-15 22:10 | INOPIAE | Status | needs work => closed |
2014-04-15 22:10 | INOPIAE | Assigned To | NEOatNHNG => |
2014-04-15 22:10 | INOPIAE | Resolution | reopened => fixed |
2014-04-15 22:10 | INOPIAE | Fixed in Version | => 2014 Q1 |