Anonymous | Login | 2024-12-22 05:17 MST |
Main | My View | View Issues | Change Log | Roadmap | Repositories |
View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
0017051 | ClearOS | app-certificate-manager - Certificate Manager | public | 2017-09-13 13:54 | 2020-05-04 05:12 | ||||
Reporter | user2 | ||||||||
Assigned To | |||||||||
Priority | normal | Severity | tweak | Reproducibility | have not tried | ||||
Status | closed | Resolution | suspended | ||||||
Platform | OS | OS Version | |||||||
Product Version | 7.4.0 Beta 1 | ||||||||
Target Version | Fixed in Version | ||||||||
Summary | 0017051: Certificate manager should detected embedded intermediate chains | ||||||||
Description | It's fairly common to see intermediate certificates concatenated into the certificate, e.g.: -----BEGIN CERTIFICATE----- ... server certificate ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... intermediate certificate ... -----END CERTIFICATE----- The consumer of the SSL certificates (e.g. Apache) might need this information in order to configure certificates. | ||||||||
Tags | No tags attached. | ||||||||
Attached Files | |||||||||
Notes | |
(0006581) NickH (developer) 2017-09-24 01:54 |
Perhaps with the obsoleting of SSLCertificateChainFile in Apache 2.4.8 (https://httpd.apache.org/docs/2.4/mod/mod_ssl.html [^]) this bug may need to be changed such that when an intermediate certificate is imported, it should be concatenated with the certificate file and then drop the SSLCertificateChainFile parameter from flex-443.conf. I don't know how the other certificate using programs (postfix, zarafa and so on) work with a single "fullchain" file. I know cyrus-imap works as this is how it generates its own self-signed certificate. |
(0006591) user2 2017-09-24 12:49 |
The consuming-side of the API call (e.g. Postfix) should be able to request whatever it needs: - Key file - Certificate file - Intermediate - Certificate + Intermediate The flip side: if someone imports a "Certificate", and it's really a "Certificate + Intermediate", the Certificate Manager should detect this use case and handle it appropriately. That will keep everything nice and clean. |
(0006661) NickH (developer) 2017-10-16 12:15 |
My comment re cyrus-imap is a bit wrong but the principle is the same. cyrus-imap uses a combined certificate and key file. Please can we add to the bug that the certificate/chain/key are tested for validity between themselves and the CA before being accepted by the webconfig. A user had something invalid here: https://www.clearos.com/clearfoundation/social/community/lost-connection-with-webconfigurator#reply-191731 [^] and it brought the webconfig down when he applied the certificate. I can open another bug if necessary but I don't know the details. |
(0006671) user2 2017-10-16 15:35 |
There's a check for validity in the API: https://github.com/clearos/app-certificate-manager/blob/master/libraries/External_Certificates.php#L665 [^] But that can be extended as noted in tracker 0016961 |
(0014241) NickH (developer) 2020-05-04 05:12 |
Migrated to https://gitlab.com/clearos/clearfoundation/app-certificate-manager/-/issues/30 [^] |
Issue History | |||
Date Modified | Username | Field | Change |
2017-09-13 13:54 | user2 | New Issue | |
2017-09-24 01:54 | NickH | Note Added: 0006581 | |
2017-09-24 12:41 | user2 | Assigned To | => user2 |
2017-09-24 12:41 | user2 | Status | new => acknowledged |
2017-09-24 12:49 | user2 | Note Added: 0006591 | |
2017-10-16 12:15 | NickH | Note Added: 0006661 | |
2017-10-16 15:35 | user2 | Note Added: 0006671 | |
2018-12-14 12:10 | user2 | Status | acknowledged => assigned |
2018-12-14 12:10 | user2 | Assigned To | user2 => tracker |
2020-05-04 05:12 | NickH | Note Added: 0014241 | |
2020-05-04 05:12 | NickH | Status | assigned => closed |
2020-05-04 05:12 | NickH | Assigned To | tracker => |
2020-05-04 05:12 | NickH | Resolution | open => suspended |