Certificate upload Error

NethServer Version: 8

I created a CSR for SoGo and signed it with a Windows CA.

Generate Certificate Signing Request on NS8:

openssl req -new -sha256 -nodes -days 3650 -out sogo.it-infra.lan.csr -newkey rsa:2048 -keyout sogo.it-infra.lan.key -config <(
cat <<-EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=AT
ST=xxxx
L=xxxxxxxxxx
O=…-e.U
OU=IT
CN=sogo.it-infra.lan
emailAddress=…@…at
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = sogo.it-infra.lan
IP.1 = 192.168.xxx.xxx
EOF
)

Generate Certificate from Request on Windows CA:

certreq -submit -attrib "CertificateTemplate:WebServer" "C:\Users\Administrator\Desktop\sogo.it-infra.lan.csr" "C:\Users\Administrator\Desktop\sogo.it-infra.lan.der"

When I try to upload the key and cert I get the following error:

What does the - list index out of range - mean?

This worked a few weeks ago with other apps/certs:

Suddenly, without interaction, I can see the cert in the list:


It seems to be an error with getting the domain out of the certificate subject, but the cert is uploaded though.

Usually the subject should be CN=sogo.it-infra.lan.
Could you please check the certificate subject and share it so we can hopefully fix this bug?

I used sogo.it-infra.lan for the Common Name (CN) and as Alternative Name (DNS)


Could it be the Windows/Unix line break thing? You could check the certificate with for example Notepad++.

The subject is split by newline \n but in Windows it’s \r\n.

Did you do it the same way this time? Other editor?

I opened a txt-file with notepad, copied the txt via clipboard into putty to NS8, then I generated a CSR and copied it to my Windows CA etc…


Thanks @fausp for pointing that one out.
I can reproduce the error.

I think it’s due to the Windows line breaks in the certificate/key file created by the Windows CA and I think it’s a bug (and changed the topic category).

I converted (save as) a certificate and a key using Windows line breaks using gedit and got the same error on upload.

The only strange thing is that it worked for the older certificates…

You could try to convert the certificate and the key to Unix line breaks using Notepad++ and check if the upload works.

EDIT:

It seems to be another issue. I tried a cert using Unix line breaks and got the same error so I need to recheck…


If NS is doing anything important on the basis of the Subject: field, that’s very bad practice, as that field’s become all but meaningless in recent years.


Thanks for clarifying.

The following is used to get the subject:

openssl x509 -noout -subject -in yourcertificate.crt -nameopt sep_multiline -nameopt utf8

Then the domain is extracted out of the subject.
I checked a certificate from CyberGhost and the CN was just a bunch of letters instead of a domain. As far as I can see it’s just used for the redis key name so as long as it’s not empty it shouldn’t matter.
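
A tolerant parse of the `openssl x509 -subject -nameopt sep_multiline` output discussed in this thread, as an added example that is not NethServer's code: it accepts both `\n` and `\r\n` line endings and returns a fallback instead of raising when the subject has no CN. The function names, the `fallback` parameter and the sample subjects are assumptions constructed for illustration.

```python
import re

# Constructed samples in the layout printed by
#   openssl x509 -noout -subject -nameopt sep_multiline -nameopt utf8
UNIX_SUBJECT = "subject=\n    C=AT\n    OU=IT\n    CN=sogo.it-infra.lan\n"
CRLF_SUBJECT = UNIX_SUBJECT.replace("\n", "\r\n")  # same text, Windows line breaks
NO_CN_SUBJECT = "subject=\n    C=AT\n    OU=IT\n"   # subject without a CN
EMPTY_SUBJECT = "subject=\n"                        # certificate with an empty subject

# One "KEY=value" attribute per line; tolerate "KEY = value" spacing as well.
_ATTR = re.compile(r"^\s*([A-Za-z0-9.]+)\s*=\s*(.*?)\s*$")


def subject_attrs(text):
    """Return the subject as a list of (attribute, value) pairs."""
    attrs = []
    for line in text.splitlines():  # splitlines() handles both \n and \r\n
        match = _ATTR.match(line)
        if not match:
            continue  # blank or unexpected line: skip it
        key, value = match.groups()
        if key.lower() == "subject" and not value:
            continue  # the "subject=" header line carries no attribute
        attrs.append((key, value))
    return attrs


def common_name(text):
    """Return the CN value, or None when the subject has no CN.

    When several CN attributes are present, the last one listed is returned.
    """
    names = [v for k, v in subject_attrs(text) if k.upper() == "CN" and v]
    return names[-1] if names else None


def key_name(text, fallback):
    """Pick a non-empty storage name without indexing into a missing line.

    `fallback` is a hypothetical caller-supplied value, e.g. a fingerprint.
    """
    return common_name(text) or fallback


if __name__ == "__main__":
    for sample in (UNIX_SUBJECT, CRLF_SUBJECT, NO_CN_SUBJECT, EMPTY_SUBJECT):
        print(repr(key_name(sample, "unnamed-certificate")))
```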