Invalid openssl exit code #150
What version of openssl do you use? And where does your serial come from? It has a wrong format.
Sent from my iPhone
… On 30.09.2017 at 11:50, Gajus Kuizinas ***@***.***> wrote:
After updating from 1.9.7 to 1.12.0 I have started to get the following error:
```
% openssl x509 -req -sha256 -days 365 -in /var/folders/kd/lbsy0lpn287f96gsxzfy551w0000gn/T/e07648a693c0620ef6215d03b36c0d8bda5f71f0 -CA /var/folders/kd/lbsy0lpn287f96gsxzfy551w0000gn/T/32f421a7870b5e800cf2f5e6c5a69a59bcb5f472 -CAkey /var/folders/kd/lbsy0lpn287f96gsxzfy551w0000gn/T/924e5334137fb6fe1fa367e36fc28a8b38901835 -set_serial 0x0000dbf9d4d6-c348-4c90-8606-063b9933ffef
usage: x509 args
 -inform arg     - input format - default PEM (one of DER, NET or PEM)
 -outform arg    - output format - default PEM (one of DER, NET or PEM)
 -keyform arg    - private key format - default PEM
 -CAform arg     - CA format - default PEM
 -CAkeyform arg  - CA key format - default PEM
 -in arg         - input file - default stdin
 -out arg        - output file - default stdout
 -passin arg     - private key password source
 -serial         - print serial number value
 -subject_hash   - print subject hash value
 -issuer_hash    - print issuer hash value
 -hash           - synonym for -subject_hash
 -subject        - print subject DN
 -issuer         - print issuer DN
 -email          - print email address(es)
 -startdate      - notBefore field
 -enddate        - notAfter field
 -purpose        - print out certificate purposes
 -dates          - both Before and After dates
 -modulus        - print the RSA key modulus
 -pubkey         - output the public key
 -fingerprint    - print the certificate fingerprint
 -alias          - output certificate alias
 -noout          - no certificate output
 -ocspid         - print OCSP hash values for the subject name and public key
 -ocsp_uri       - print OCSP Responder URL(s)
 -trustout       - output a "trusted" certificate
 -clrtrust       - clear all trusted purposes
 -clrreject      - clear all rejected purposes
 -addtrust arg   - trust certificate for a given purpose
 -addreject arg  - reject certificate for a given purpose
 -setalias arg   - set certificate alias
 -days arg       - How long till expiry of a signed certificate - def 30 days
 -checkend arg   - check whether the cert expires in the next arg seconds
                   exit 1 if so, 0 if not
 -signkey arg    - self sign cert with arg
 -x509toreq      - output a certification request object
 -req            - input is a certificate request, sign and output.
 -CA arg         - set the CA certificate, must be PEM format.
 -CAkey arg      - set the CA key, must be PEM format
                   missing, it is assumed to be in the CA file.
 -CAcreateserial - create serial number file if it does not exist
 -CAserial arg   - serial file
 -set_serial     - serial number to use
 -text           - print the certificate in text form
 -C              - print out C code forms
 -md2/-md5/-sha1/-mdc2 - digest to use
 -extfile        - configuration file with X509V3 extensions to add
 -extensions     - section from config file with X509V3 extensions to add
 -clrext         - delete extensions before signing and input certificate
 -nameopt arg    - various certificate name options
 -engine e       - use engine e, possibly a hardware device.
 -certopt arg    - various certificate text options

    at done (/Users/gajus/Documents/dev/applaudience/forward-proxy/node_modules/pem/lib/openssl.js:143:27)
    at ChildProcess.<anonymous> (/Users/gajus/Documents/dev/applaudience/forward-proxy/node_modules/pem/lib/openssl.js:160:7)
    at emitTwo (events.js:125:13)
    at ChildProcess.emit (events.js:213:7)
    at maybeClose (internal/child_process.js:927:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:211:5)
```
Usage:
```javascript
// @flow
import https from 'https';
import path from 'path';
import fs from 'fs';
import pem from 'pem';
import {
  promisify
} from 'bluefeather';
import createSniCallback from './sni/createSniCallback';

const defaultCaCert = fs.readFileSync(path.resolve(__dirname, '../../ca/ca.crt'), 'utf8');
const defaultCaKey = fs.readFileSync(path.resolve(__dirname, '../../ca/ca.key'), 'utf8');

const createCertificate = promisify(pem.createCertificate);
const readCertificateInfo = promisify(pem.readCertificateInfo);

type HttpServerOptionsType = {
  +caCert?: string,
  +caKey?: string
};

/**
 * Creates internal https server.
 */
export default async (router: Object, options: HttpServerOptionsType = {}) => {
  // Short-lived self-signed certificate for the listener itself; per-domain
  // certificates are minted on demand by the SNI callback below.
  const {
    serviceKey,
    certificate,
    csr
  } = await createCertificate({
    days: 1,
    selfSigned: true
  });

  const caInfo = await readCertificateInfo(defaultCaCert);

  // simply let *all* domains appear to be owned by the ca itself.
  const sniOptions = {
    country: caInfo.country,
    emailAddress: caInfo.emailAddress,
    locality: caInfo.locality,
    organization: caInfo.organization,
    organizationUnit: caInfo.organizationUnit,
    serviceCertificate: options.caCert || defaultCaCert,
    serviceKey: options.caKey || defaultCaKey,
    state: caInfo.state
  };

  const httpsOptions = {
    ca: csr,
    cert: certificate,
    key: serviceKey,
    SNICallback: createSniCallback(sniOptions)
  };

  const internalSsl = https.createServer(httpsOptions, router);

  return new Promise((resolve, reject) => {
    // eslint-disable-next-line no-undefined
    internalSsl.listen(0, undefined, undefined, (error) => {
      if (error) {
        reject(error);
      } else {
        resolve(internalSsl);
      }
    });
  });
};
```
OpenSSL 0.9.8zh 14 Jan 2016
I am not entirely sure as to what's the purpose of the serial. I have set it to UUID.

```javascript
// @flow
import {
  createSecureContext
} from 'tls';
import uuid from 'uuid';
import pem from 'pem';
import {
  promisify
} from 'bluefeather';
import type {
  CreateSniCallbackOptionsType
} from '../../../types';

const createCertificate = promisify(pem.createCertificate);

export default (options: CreateSniCallbackOptionsType) => {
  // Cache of per-domain TLS contexts so each domain is signed only once.
  const store = options.store || new Map();

  return async (domain: string) => {
    let context;

    if (store.has(domain)) {
      context = store.get(domain);
    } else {
      const pemOptions = {
        commonName: domain,
        days: 365,
        keyBitsize: 2048,
        // This UUID string is what ends up in `openssl x509 -set_serial`.
        serial: uuid.v4(),
        ...options
      };

      const info = await createCertificate(pemOptions);

      const certificate = {
        cert: info.certificate,
        key: info.clientKey
      };

      context = createSecureContext(certificate).context;

      store.set(domain, context);
    }

    return context;
  };
};
```

What's the relation between the
@Papakai I think we should check if serial is a number or a string and convert them to hex.
Is that the thing here? – I need to convert the serial to hex notation?
@Dexus yes, might be worth thinking about, but also documenting the purpose of the serial in the readme :)
@gajus this is a guide on how to find the serial of an existing sslcert: https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/706/17/ In case of a self-signed sslcert, you are the CA and thus for my understanding you can generate your own serial (just in hex) - but it is important that this serial is unique per CA. https://tools.ietf.org/html/rfc3280#section-4.1.2.2 @Dexus feel free to correct me if I am wrong.
That's right. But we currently only support numbers and not hex or strings as serial, that's why we convert numbers to hex.
So we need to fix the set_serial parameter so that the strings we pass are used as hex values internally.
Sent from my iPhone
… On 02.10.2017 at 09:58, Kai Schwarz ***@***.***> wrote:
@gajus this is an example on how to find the serial of an existing sslcert: https://knowledge.geotrust.com/support/knowledge-base/index?page=content&actp=CROSSLINK&id=SO25517
In case of a self-signed sslcert, you are the CA and thus for my understanding you can generate your own serial (just in hex) - but it is important that this serial is unique per CA.
https://tools.ietf.org/html/rfc3280#section-4.1.2.2
@Dexus feel free to correct me if I am wrong.
Supports now: 20 octets
Strings like: "stringserial"
Hex like: "0x1234567890abcdef", "1234567890abdef"
Numbers like: 1234567890