when creating a root CA, get SAN error on key creation #1

Open
kernelsmith opened this issue May 15, 2017 · 7 comments

@kernelsmith

When running create-root-ca -d $ROOT_CA_DIR, on a default Raspbian distro, from current HEAD (97d8496), I get a config file error during RSA key generation. I don't have the full text of the error, but it's essentially a STR_COPY:variable has no value:conf_def:584:line 91, and line 91 of ca.conf is subjectAltName = $ENV::SAN. If I export an env var SAN="DNS.1=blah" etc., the key creation, and thus create-root-ca, succeeds.

I don't know if I missed something from the README, but if I have not, something should be added to it, or a default value etc provided so an initial run doesn't fail, or if it fails, it fails with some guidance to the user.

@bubbapizza

Yep that's definitely a bug. Creating a root CA should at least work with the default values.

@hakt0r

hakt0r commented Sep 21, 2017

The issue is caused by newer versions of OpenSSL which enforce subjectAltName in all certificates.
I worked around it by adding something like this in bin/create-root-ca:

...
source ${HOME}/bin/defaults.conf
export SAN=$CA_DOMAIN # set SAN to make new OpenSSL happy
...

Certainly some thought needs to be spent on a sane default for this.
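
An added example, not part of the thread and not easy-ca's own code: a guard a wrapper script could run before invoking openssl, so that an unset SAN produces guidance instead of the config-parse error reported above. `ensure_san` and `valid_san` are hypothetical helpers, `CA_DOMAIN` is taken from the workaround above, and the `DNS:`-prefixed default, the sample names and the restriction to the inline `TYPE:value` form are assumptions.

```shell
#!/bin/sh
# Added example: make sure SAN is set before openssl reads a config that
# expands $ENV::SAN. Helper names are hypothetical; sample values are constructed.

# Succeed only if $1 is a comma-separated list of inline subjectAltName
# entries of the common types (DNS:, IP:, email:, URI:).
valid_san() {
    _san=$(printf '%s' "$1" | tr -d ' ')      # tolerate "a, b" spacing
    [ -n "$_san" ] || return 1
    case $_san in *,) return 1 ;; esac        # trailing comma = empty entry
    _rest=$_san
    while [ -n "$_rest" ]; do
        _entry=${_rest%%,*}                   # text before the first comma
        case $_entry in
            DNS:?*|IP:?*|email:?*|URI:?*) ;;
            *) return 1 ;;
        esac
        case $_rest in
            *,*) _rest=${_rest#*,} ;;         # drop the entry just checked
            *)   _rest= ;;
        esac
    done
    return 0
}

# Export a usable SAN, defaulting to DNS:$CA_DOMAIN, or fail with guidance.
ensure_san() {
    if [ -z "${SAN:-}" ]; then
        if [ -z "${CA_DOMAIN:-}" ]; then
            echo "SAN is unset and CA_DOMAIN is empty." >&2
            echo "ca.conf expands \$ENV::SAN; export it first, e.g. SAN=DNS:ca.example.test" >&2
            return 1
        fi
        SAN="DNS:$CA_DOMAIN"
    fi
    if ! valid_san "$SAN"; then
        echo "SAN='$SAN' is not a list of DNS:/IP:/email:/URI: entries" >&2
        return 1
    fi
    export SAN
}
```

In a wrapper script, `ensure_san || exit 1` would go after the defaults are sourced and before the first openssl call.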

@kernelsmith
Author

@redredgroovy any chance of getting this or something similar merged?

@kernelsmith
Author

@redredgroovy anything? @hakt0r any chance you could create a pull request to this repo from your fork? It looks like the pull request you created on Sep 21, 2017 is against your own fork.

rdammkoehler added a commit to rdammkoehler/easy-ca that referenced this issue Apr 12, 2018
@rdammkoehler

So I tried @hakt0r's fix, made a presumptive PR (sorry about that) and it still isn't working. I'm looking forward to a solution though, I really need this to work right now ;-) Thanks.

@rdammkoehler

OK, now I have a PR that works, #3. Sorry again @hakt0r but I gotta get it working.

@KrzysztofHajdamowicz

I can confirm that #3 works for me.

ullgren added a commit to ullgren/easy-ca that referenced this issue Feb 7, 2024