Hi,
I tried to install my Comodo Wildcard cert via the "Certificate Manager" into ClearOS 7.2.
I selected my certificate and my private key file.
The result is:
Ooops!
Invalid file detected.
I was not able to find anything in the search which was helpful.
Thank you for your response.
Best regards
Christoph
Responses (12)
Accepted Answer
@Ben
Please note that the following bug is still in there:
/usr/clearos/apps/certificate_manager/libraries/External_Certificates.php
    public function validate_intermediate_file($intermediate_file)
    {
        clearos_profile(__METHOD__, __LINE__);
        if ($key_file == 'intermediate_file')
            return;
        return $this->_check_file(self::TYPE_INTERMEDIATE, $intermediate_file);
    }
It should be $intermediate_file and not $key_file inside the IF.
Also here there are some mistakes:
/usr/clearos/apps/certificate_manager/controllers/external.php
    function add()
    {
        // Load libraries
        //---------------
        $this->lang->load('certificate_manager');
        $this->load->library('External_Certificates');
        // Set validation rules
        //---------------------
        $file = $_FILES['cert_file'];
        if ($file && $file['name'])
            $_POST['cert_file'] = 'cert_file';
        $file = $_FILES['key_file'];
        if ($file && $file['name'])
            $_POST['key_file'] = 'key_file';
        $file = $_FILES['ca_file'];
        if ($file && $file['name'])
            $_POST['ca_file'] = 'ca_file';
        $this->form_validation->set_policy('name', 'certificate_manager/External_Certificates', 'validate_name', TRUE);
        $this->form_validation->set_policy('cert_file', 'certificate_manager/External_Certificates', 'validate_certificate_file', TRUE);
        $this->form_validation->set_policy('key_file', 'certificate_manager/External_Certificates', 'validate_key_file', TRUE);
        $this->form_validation->set_policy('intermediate_file', 'certificate_manager/External_Certificates', 'validate_ca_file', FALSE);
        $this->form_validation->set_policy('ca_file', 'certificate_manager/External_Certificates', 'validate_ca_file', FALSE);
        $form_ok = $this->form_validation->run();
This part should validate the intermediate_file I guess.
    $this->form_validation->set_policy('intermediate_file', 'certificate_manager/External_Certificates', 'validate_ca_file', FALSE);
The section for the intermediate_file is missing.
    $file = $_FILES['ca_file'];
    if ($file && $file['name'])
        $_POST['ca_file'] = 'ca_file';
Best regards
Christoph -
Accepted Answer
Ben Chambers wrote:
This ticket is also interesting. Looking forward to this as well.
https://tracker.clearos.com/view.php?id=11401
That improvement was already done too, but the proper place was in the base, not the certificate manager app.
yum --enablerepo=clearos-updates-testing upgrade app-base
Ought to bring you up to version 2.3.0-1. In Webconfig, navigate to System --> Settings --> General Settings to see the new form.
B
Perfect, got it.
Good work.
Best regards
Christoph -
Accepted Answer
This ticket is also interesting. Looking forward to this as well.
https://tracker.clearos.com/view.php?id=11401
That improvement was already done too, but the proper place was in the base, not the certificate manager app.
yum --enablerepo=clearos-updates-testing upgrade app-base
Ought to bring you up to version 2.3.0-1. In Webconfig, navigate to System --> Settings --> General Settings to see the new form.
B -
Accepted Answer
Nick Howitt wrote:
I don't know if Ben's updates have made it through yet. I think the update will allow you to replace the certificates in your web server. I don't know if this goes as far as replacing the ca-cert so you generate OpenVPN certificates based on them. Ditto e-mail certificates.
Hi Nick,
thank you for the link.
I tried the updated version from the testing and this is at least solving my issues.
This ticket is also interesting. Looking forward to this as well.
https://tracker.clearos.com/view.php?id=11401
Best regards
Christoph -
Accepted Answer
I don't know if Ben's updates have made it through yet. I think the update will allow you to replace the certificates in your web server. I don't know if this goes as far as replacing the ca-cert so you generate OpenVPN certificates based on them. Ditto e-mail certificates. -
Accepted Answer
Hi All,
Please note that I spent some time debugging the problem and I found the following problems in the code. Some are for sure bugs, others are not working as designed.
/usr/clearos/apps/certificate_manager/controllers/external.php
    $file = $_FILES['cert_file'];
    if ($file && $file['name'])
        $_POST['cert_file'] = 'cert_file';
    $file = $_FILES['key_file'];
    if ($file && $file['name'])
        $_POST['key_file'] = 'key_file';
    $file = $_FILES['ca_file'];
    if ($file && $file['name'])
        $_POST['ca_file'] = 'ca_file';
Should look like:
    $file = $_FILES['cert_file'];
    if (!$file['name'])
        $_FILES['cert_file']['tmp_name'] = 'cert_file';
    $file = $_FILES['key_file'];
    if (!$file['name'])
        $_FILES['key_file']['tmp_name'] = 'key_file';
    $file = $_FILES['ca_file'];
    if (!$file['name'])
        $_FILES['ca_file']['tmp_name'] = 'ca_file';
    $file = $_FILES['intermediate_file'];
    if (!$file['name'])
        $_FILES['intermediate_file']['tmp_name'] = 'intermediate_file';
    $this->form_validation->set_policy('intermediate_file', 'certificate_manager/External_Certificates', 'validate_ca_file', FALSE);
should look like:
    $this->form_validation->set_policy('intermediate_file', 'certificate_manager/External_Certificates', 'validate_intermediate_file', FALSE);
/usr/clearos/apps/certificate_manager/libraries/External_Certificates.php
    if (!empty($ca))
        Validation_Exception::is_valid($this->validate_ca_file($ca, $cert));
    if (!empty($cert)) {
        $file = new File($cert);
        $file->copy_to(self::PATH_CERTIFICATES . '/' . $name . '.crt');
    }
    if (!empty($key)) {
        $file = new File($key);
        $file->copy_to(self::PATH_CERTIFICATES . '/' . $name . '.key');
    }
    if (!empty($intermediate)) {
        $file = new File($intermediate);
        $file->copy_to(self::PATH_CERTIFICATES . '/' . $name . '.intermediate');
    }
    if (!empty($ca)) {
        $file = new File($ca);
        $file->copy_to(self::PATH_CERTIFICATES . '/' . $name . '.ca');
    }
should be:
    // "!=" is used because "!$ca == 'ca_file'" would negate $ca before comparing.
    // A field that still holds its placeholder name had no file uploaded.
    if ($ca != 'ca_file')
        Validation_Exception::is_valid($this->validate_ca_file($ca, $cert));
    if ($cert != 'cert_file') {
        $file = new File($cert);
        $file->copy_to(self::PATH_CERTIFICATES . '/' . $name . '.crt');
    }
    if ($key != 'key_file') {
        $file = new File($key);
        $file->copy_to(self::PATH_CERTIFICATES . '/' . $name . '.key');
    }
    if ($intermediate != 'intermediate_file') {
        $file = new File($intermediate);
        $file->copy_to(self::PATH_CERTIFICATES . '/' . $name . '.intermediate');
    }
    if ($ca != 'ca_file') {
        $file = new File($ca);
        $file->copy_to(self::PATH_CERTIFICATES . '/' . $name . '.ca');
    }
    public function validate_intermediate_file($intermediate_file)
    {
        clearos_profile(__METHOD__, __LINE__);
        if ($key_file == 'intermediate_file')
            return;
        return $this->_check_file(self::TYPE_INTERMEDIATE, $intermediate_file);
    }
should be:
    public function validate_intermediate_file($intermediate_file)
    {
        clearos_profile(__METHOD__, __LINE__);
        if ($intermediate_file == 'intermediate_file')
            return;
        return $this->_check_file(self::TYPE_INTERMEDIATE, $intermediate_file);
    }
I hope this helps.
Now I have successfully installed the certificates, but I was expecting that the webservice will use them automatically.
So far I was not able to understand why I should upload the certificates here. They are also not used to sign the OpenVPN certificates.
Is anyone able to tell me what the advantage of the certificate manager is, as it looks like it is only an easy interface to create the self-signed certs?
Best regards
Christoph -
Accepted Answer
Ben Chambers wrote:
There's a check that occurs on import...
    if ($type === self::TYPE_CERTIFICATE)
        $params = 'x509 -noout -modulus -in ' . $filename;
    elseif ($type === self::TYPE_KEY)
        $params = 'rsa -noout -modulus -in ' . $filename;
    elseif ($type === self::TYPE_CA)
        $params = 'verify -ignore_critical -CAfile ' . $filename . ' ' . $aux_filename;
    elseif ($type === self::TYPE_INTERMEDIATE)
        $params = 'x509 -noout -modulus -in ' . $filename;
    $exit_code = $shell->execute(self::COMMAND_OPENSSL, $params, TRUE, $options);
    $lines = $shell->get_output();
    if ($type === self::TYPE_CA) {
        if ($exit_code != 0)
            return lang('certificate_manager_invalid_file_detected');
    } elseif (!preg_match('/^Modulus=[A-F0-9]+$/', $lines[0])) {
        return lang('certificate_manager_invalid_file_detected');
    }
One (or more) of your certificates is failing this sanity check.
B
Hi all,
thank you for your replies.
I checked both files:
# openssl x509 -noout -modulus -in certificate.crt
# openssl rsa -noout -modulus -in keyfile.key
Both outputs are the same.
Best regards
Christoph -
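The manual modulus comparison from the post above, automated as an added example (not part of the thread and not ClearOS code): it compares the full public key instead of the RSA modulus, so it also covers non-RSA keys, and it tells a mismatched pair apart from a file that cannot be parsed. The function names and the throwaway sample pair are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example, not ClearOS code. Return codes of pair_matches:
#   0 = match, 1 = mismatch, 2 = unreadable certificate, 3 = unreadable key

pair_matches() {  # $1 = certificate file, $2 = private key file
    # Public key embedded in the certificate, as PEM text.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$cert_pub" ] || return 2
    # Public key derived from the private key. "-passin pass:" supplies an
    # empty passphrase, so an encrypted key fails instead of prompting.
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: \
        </dev/null 2>/dev/null) || return 3
    [ -n "$key_pub" ] || return 3
    [ "$cert_pub" = "$key_pub" ] || return 1
    return 0
}

describe_pair() {  # prints a one-line verdict for the same two files
    rc=0
    pair_matches "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: certificate and key match" ;;
        1) echo "MISMATCH: key does not belong to this certificate" ;;
        2) echo "BAD CERT: certificate file could not be parsed" ;;
        *) echo "BAD KEY: key file could not be parsed (or is encrypted)" ;;
    esac
}

# Constructed sample input: throwaway self-signed pair "$1.crt" / "$1.key"
# with subject CN "$2" (hypothetical name, nothing from the thread).
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
```

Running `describe_pair certificate.crt keyfile.key` on the files before uploading them shows whether a rejection comes from the files themselves or from the import form.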
Accepted Answer
There's a check that occurs on import...
    if ($type === self::TYPE_CERTIFICATE)
        $params = 'x509 -noout -modulus -in ' . $filename;
    elseif ($type === self::TYPE_KEY)
        $params = 'rsa -noout -modulus -in ' . $filename;
    elseif ($type === self::TYPE_CA)
        $params = 'verify -ignore_critical -CAfile ' . $filename . ' ' . $aux_filename;
    elseif ($type === self::TYPE_INTERMEDIATE)
        $params = 'x509 -noout -modulus -in ' . $filename;
    $exit_code = $shell->execute(self::COMMAND_OPENSSL, $params, TRUE, $options);
    $lines = $shell->get_output();
    if ($type === self::TYPE_CA) {
        if ($exit_code != 0)
            return lang('certificate_manager_invalid_file_detected');
    } elseif (!preg_match('/^Modulus=[A-F0-9]+$/', $lines[0])) {
        return lang('certificate_manager_invalid_file_detected');
    }
One (or more) of your certificates is failing this sanity check.
B -
Accepted Answer