ClearFoundation Tracker - ClearOS
View Issue Details
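ID: 0015981
Project: ClearOS
Category: app-certificate-manager - Certificate Manager
View Status: public
Date Submitted: 2017-08-05 06:52
Last Update: 2017-09-13 12:09
Reporter: NickH
Assigned To: user2
Priority: normal
Severity: tweak
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 7.3.1
Target Version: 7.4.0 Beta 1
Fixed in Version: 7.4.0 Beta 1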
0015981: ClearOS Certificates need to use subjectAlternativeName
Please see https://www.clearos.com/clearfoundation/social/community/self-signed-certificate-generated-by-clearos-is-not-chrome-58-compliant and https://alexanderzeitler.com/articles/Fixing-Chrome-missing_subjectAltName-selfsigned-cert-openssl/

It looks like from Chrome 58+, Chrome will not accept certificates without the subjectAlternativeName. This will mean you cannot use Chrome on the Webconfig, and presumably, for access to ClearOS hosted websites using self-signed certificates.

I am not sure which Category to file the bug against as it will affect both the Webconfig and Web Server.

At the same time it may be an idea to change the certificates from sha1 to sha256.
No tags attached.
Issue History
2017-08-05 06:52 | NickH | New Issue
2017-08-05 12:42 | NickH | Note Added: 0006051
2017-08-05 13:40 | user2 | Category | app-base - Base System => app-certificate-manager - Certificate Manager
2017-08-05 13:41 | user2 | Status | new => confirmed
2017-08-05 14:42 | user2 | Assigned To | => user2
2017-08-05 14:42 | user2 | Status | confirmed => assigned
2017-08-05 14:43 | user2 | Severity | minor => tweak
2017-08-05 15:00 | user2 | Note Added: 0006071
2017-08-05 15:06 | NickH | Note Added: 0006081
2017-08-05 15:08 | user2 | Note Added: 0006091
2017-08-12 06:54 | user2 | Target Version | => 7.4.0 Beta 1
2017-08-18 10:02 | user2 | Target Version | 7.4.0 Beta 1 => 7.4.0 Updates
2017-09-13 09:39 | user2 | Target Version | 7.4.0 Updates => 7.4.0 Beta 1
2017-09-13 09:39 | user2 | Note Added: 0006451
2017-09-13 09:39 | user2 | Status | assigned => resolved
2017-09-13 09:39 | user2 | Fixed in Version | => 7.4.0 Beta 1
2017-09-13 09:39 | user2 | Resolution | open => fixed
2017-09-13 12:09 | user2 | Status | resolved => closed

Notes
(0006051)
NickH   
2017-08-05 12:42   
In fact the /etc/pki/tls/certs/localhost.crt certificate is already sha256 but only 1024 bit. The sys-0-cert is 2048 bit but sha1. How about aiming for at least 2048 bit and sha256 across the board as a minimum?
(0006071)
user2   
2017-08-05 15:00   
The localhost.crt is the default created by upstream, so we usually leave it alone (i.e. follow upstream).

The default config was changed to SHA256 in ClearOS 7, but I believe SHA1 was kept around in one spot for legacy reasons. There was a review done prior to the release of ClearOS 7 - https://tracker.clearos.com/view.php?id=1862. I added a new tracker to do another review for ClearOS 7.4 - 0015991. I doubt it will hit that release target, but at least it's now back on the radar.
(0006081)
NickH   
2017-08-05 15:06   
My bad on localhost.crt and sys-0-cert, as I upgraded by doing a 6.x backup into a 7.x restore, so my certificates do not reflect a vanilla 7.x.
(0006091)
user2   
2017-08-05 15:08   
No worries. It's still worth doing a new review!
(0006451)
user2   
2017-09-13 09:39   
https://github.com/clearos/app-certificate-manager/commit/6bee865ab5812d85ab5e7fbe493042121dbfec9e
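
Added example, not part of the tracker thread and not the code from the ClearOS commit: a shell check for the three properties raised in this issue (a subjectAltName extension, a SHA-256 or stronger signature, and an RSA key of at least 2048 bits), run against two constructed self-signed certificates. The host name, IP address, file names and the helper names `make_cert` and `audit_cert` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: CN, SAN values and file names are constructed placeholders.

# make_cert OUT BITS [SAN]: self-signed RSA certificate signed with SHA-256.
# SAN is an OpenSSL subjectAltName value, e.g. "DNS:host,IP:192.168.1.1".
make_cert() {
    mc_cnf=$(mktemp) || return 1
    printf '[req]\nprompt = no\ndistinguished_name = dn\n' > "$mc_cnf"
    if [ -n "${3:-}" ]; then printf 'x509_extensions = ext\n' >> "$mc_cnf"; fi
    printf '[dn]\nCN = gateway.example.lan\n' >> "$mc_cnf"
    if [ -n "${3:-}" ]; then
        printf '[ext]\nsubjectAltName = %s\n' "$3" >> "$mc_cnf"
    fi
    mc_rc=0
    openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 30 \
        -config "$mc_cnf" -keyout "$1.key" -out "$1" 2>/dev/null || mc_rc=$?
    rm -f "$mc_cnf"
    return "$mc_rc"
}

# audit_cert FILE: prints one line per failed check, returns the failure count
# (99 if the file cannot be parsed). Thresholds assume an RSA certificate.
audit_cert() {
    ac_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 99
    ac_fail=0
    case $ac_text in
        *'X509v3 Subject Alternative Name'*) ;;
        *) echo "FAIL $1: no subjectAltName extension"; ac_fail=$((ac_fail + 1)) ;;
    esac
    ac_sig=$(printf '%s\n' "$ac_text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    case $ac_sig in
        sha256With*|sha384With*|sha512With*) ;;
        *) echo "FAIL $1: signature algorithm is $ac_sig"; ac_fail=$((ac_fail + 1)) ;;
    esac
    ac_bits=$(printf '%s\n' "$ac_text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${ac_bits:-0}" -lt 2048 ]; then
        echo "FAIL $1: RSA key is ${ac_bits:-unknown} bit, want 2048 or more"
        ac_fail=$((ac_fail + 1))
    fi
    return "$ac_fail"
}

# Demo on two constructed certificates: 1024-bit without SAN, 2048-bit with SAN.
demo_dir=$(mktemp -d)
make_cert "$demo_dir/weak.crt" 1024
make_cert "$demo_dir/good.crt" 2048 'DNS:gateway.example.lan,IP:192.168.1.1'
audit_cert "$demo_dir/weak.crt" || echo "weak.crt: $? check(s) failed"
audit_cert "$demo_dir/good.crt" && echo "good.crt: all checks passed"
```

The same `audit_cert` function can be pointed at any PEM certificate file on a system, such as the ones named in the notes above.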