SYSTEM WARNING: 'file_get_contents(https://www.clearos.com/?rendertype=json&get=header): failed to open stream: Connection refused' in '/var/www/virtual/newwrapper/cf_topmenu.inc' line 5

ClearOS Bug Tracker


View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0015981ClearOSapp-certificate-manager - Certificate Managerpublic2017-08-05 06:522017-09-13 12:09
ReporterNickH 
Assigned Touser2 
PrioritynormalSeveritytweakReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Version7.3.1 
Target Version7.4.0 Beta 1Fixed in Version7.4.0 Beta 1 
Summary0015981: ClearOS Certificates need to use subjectAlternativeName
DescriptionPlease see https://www.clearos.com/clearfoundation/social/community/self-signed-certificate-generated-by-clearos-is-not-chrome-58-compliant [^] and https://alexanderzeitler.com/articles/Fixing-Chrome-missing_subjectAltName-selfsigned-cert-openssl/ [^]

It looks like from Chrome 58+, Chrome will not accept certificates without the subjectAlternativeName. This will mean you cannot use Chrome on the Webconfig, and presumably, for access to ClearOS hosted websites using self-signed certificates.

I am not sure which Category to file the bug against as it will affect both the Webconfig and Web Server

At the same time it may be an idea to change the certificates from sha1 to sha256
TagsNo tags attached.
Attached Files

- Relationships

-  Notes
(0006051)
NickH (developer)
2017-08-05 12:42

In fact the /etc/pki/tls/certs/localhost.crt certificate is already sha256 but only 1024 bit. The sys-0-cert is 2048 bit but sha1. How about aiming for at least 2048 bit and sha256 across the board as a minimum?
(0006071)
user2
2017-08-05 15:00

The localhost.crt is the default created by upstream, so we usually leave it alone (i.e. follow upstream).

The default config was changed to SHA256 in ClearOS 7, but I believe SHA1 was kept around in one spot for legacy reasons. There was a review done prior to the release of ClearOS 7 - https://tracker.clearos.com/view.php?id=1862 [^] I added a new tracker to do another review for ClearOS 7.4 - 0015991 I doubt will hit that release target, but at least it's now back on the radar.
(0006081)
NickH (developer)
2017-08-05 15:06

My bad on localhost.crt and sys-0-cert as I upgraded by doing a 6.x backup into a 7.x restore so my certificates do not reflect a vanilla 7.x
(0006091)
user2
2017-08-05 15:08

No worries. It's still worth doing a new review!
(0006451)
user2
2017-09-13 09:39

https://github.com/clearos/app-certificate-manager/commit/6bee865ab5812d85ab5e7fbe493042121dbfec9e [^]

- Issue History
Date Modified Username Field Change
2017-08-05 06:52 NickH New Issue
2017-08-05 12:42 NickH Note Added: 0006051
2017-08-05 13:40 user2 Category app-base - Base System => app-certificate-manager - Certificate Manager
2017-08-05 13:41 user2 Status new => confirmed
2017-08-05 14:42 user2 Assigned To => user2
2017-08-05 14:42 user2 Status confirmed => assigned
2017-08-05 14:43 user2 Severity minor => tweak
2017-08-05 15:00 user2 Note Added: 0006071
2017-08-05 15:06 NickH Note Added: 0006081
2017-08-05 15:08 user2 Note Added: 0006091
2017-08-12 06:54 user2 Target Version => 7.4.0 Beta 1
2017-08-18 10:02 user2 Target Version 7.4.0 Beta 1 => 7.4.0 Updates
2017-09-13 09:39 user2 Target Version 7.4.0 Updates => 7.4.0 Beta 1
2017-09-13 09:39 user2 Note Added: 0006451
2017-09-13 09:39 user2 Status assigned => resolved
2017-09-13 09:39 user2 Fixed in Version => 7.4.0 Beta 1
2017-09-13 09:39 user2 Resolution open => fixed
2017-09-13 12:09 user2 Status resolved => closed

SYSTEM WARNING: 'file_get_contents(https://www.clearos.com/?rendertype=json&get=footer): failed to open stream: Connection refused' in '/var/www/virtual/newwrapper/cf_footer.inc' line 7