
Invalid openssl exit code #150

Closed
gajus opened this issue Sep 30, 2017 · 8 comments
gajus commented Sep 30, 2017

After updating from 1.9.7 to 1.12.0 I have started to get the following error:

```
% openssl x509 -req -sha256 -days 365 -in /var/folders/kd/lbsy0lpn287f96gsxzfy551w0000gn/T/e07648a693c0620ef6215d03b36c0d8bda5f71f0 -CA /var/folders/kd/lbsy0lpn287f96gsxzfy551w0000gn/T/32f421a7870b5e800cf2f5e6c5a69a59bcb5f472 -CAkey /var/folders/kd/lbsy0lpn287f96gsxzfy551w0000gn/T/924e5334137fb6fe1fa367e36fc28a8b38901835 -set_serial 0x0000dbf9d4d6-c348-4c90-8606-063b9933ffef
usage: x509 args
 -inform arg     - input format - default PEM (one of DER, NET or PEM)
 -outform arg    - output format - default PEM (one of DER, NET or PEM)
 -keyform arg    - private key format - default PEM
 -CAform arg     - CA format - default PEM
 -CAkeyform arg  - CA key format - default PEM
 -in arg         - input file - default stdin
 -out arg        - output file - default stdout
 -passin arg     - private key password source
 -serial         - print serial number value
 -subject_hash   - print subject hash value
 -issuer_hash    - print issuer hash value
 -hash           - synonym for -subject_hash
 -subject        - print subject DN
 -issuer         - print issuer DN
 -email          - print email address(es)
 -startdate      - notBefore field
 -enddate        - notAfter field
 -purpose        - print out certificate purposes
 -dates          - both Before and After dates
 -modulus        - print the RSA key modulus
 -pubkey         - output the public key
 -fingerprint    - print the certificate fingerprint
 -alias          - output certificate alias
 -noout          - no certificate output
 -ocspid         - print OCSP hash values for the subject name and public key
 -ocsp_uri       - print OCSP Responder URL(s)
 -trustout       - output a "trusted" certificate
 -clrtrust       - clear all trusted purposes
 -clrreject      - clear all rejected purposes
 -addtrust arg   - trust certificate for a given purpose
 -addreject arg  - reject certificate for a given purpose
 -setalias arg   - set certificate alias
 -days arg       - How long till expiry of a signed certificate - def 30 days
 -checkend arg   - check whether the cert expires in the next arg seconds
                   exit 1 if so, 0 if not
 -signkey arg    - self sign cert with arg
 -x509toreq      - output a certification request object
 -req            - input is a certificate request, sign and output.
 -CA arg         - set the CA certificate, must be PEM format.
 -CAkey arg      - set the CA key, must be PEM format
                   missing, it is assumed to be in the CA file.
 -CAcreateserial - create serial number file if it does not exist
 -CAserial arg   - serial file
 -set_serial     - serial number to use
 -text           - print the certificate in text form
 -C              - print out C code forms
 -md2/-md5/-sha1/-mdc2 - digest to use
 -extfile        - configuration file with X509V3 extensions to add
 -extensions     - section from config file with X509V3 extensions to add
 -clrext         - delete extensions before signing and input certificate
 -nameopt arg    - various certificate name options
 -engine e       - use engine e, possibly a hardware device.
 -certopt arg    - various certificate text options

    at done (/Users/gajus/Documents/dev/applaudience/forward-proxy/node_modules/pem/lib/openssl.js:143:27)
    at ChildProcess.<anonymous> (/Users/gajus/Documents/dev/applaudience/forward-proxy/node_modules/pem/lib/openssl.js:160:7)
    at emitTwo (events.js:125:13)
    at ChildProcess.emit (events.js:213:7)
    at maybeClose (internal/child_process.js:927:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:211:5)
```

Usage:

```js
// @flow

import https from 'https';
import path from 'path';
import fs from 'fs';
import pem from 'pem';
import {
  promisify
} from 'bluefeather';
import createSniCallback from './sni/createSniCallback';

const defaultCaCert = fs.readFileSync(path.resolve(__dirname, '../../ca/ca.crt'), 'utf8');
const defaultCaKey = fs.readFileSync(path.resolve(__dirname, '../../ca/ca.key'), 'utf8');

const createCertificate = promisify(pem.createCertificate);
const readCertificateInfo = promisify(pem.readCertificateInfo);

type HttpServerOptionsType = {
  +caCert?: string,
  +caKey?: string
};

/**
 * Creates internal https server.
 */
export default async (router: Object, options: HttpServerOptionsType = {}) => {
  const {
    serviceKey,
    certificate,
    csr
  } = await createCertificate({
    days: 1,
    selfSigned: true
  });

  const caInfo = await readCertificateInfo(defaultCaCert);

  // simply let *all* domains appear to be owned by the ca itself.
  const sniOptions = {
    country: caInfo.country,
    emailAddress: caInfo.emailAddress,
    locality: caInfo.locality,
    organization: caInfo.organization,
    organizationUnit: caInfo.organizationUnit,
    serviceCertificate: options.caCert || defaultCaCert,
    serviceKey: options.caKey || defaultCaKey,
    state: caInfo.state
  };

  const httpsOptions = {
    ca: csr,
    cert: certificate,
    key: serviceKey,
    SNICallback: createSniCallback(sniOptions)
  };

  const internalSsl = https.createServer(httpsOptions, router);

  return new Promise((resolve, reject) => {
    // eslint-disable-next-line no-undefined
    internalSsl.listen(0, undefined, undefined, (error) => {
      if (error) {
        reject(error);
      } else {
        resolve(internalSsl);
      }
    });
  });
};
```
Dexus (Owner) commented Sep 30, 2017 via email

gajus (Author) commented Sep 30, 2017

> What version of openssl do you use?

OpenSSL 0.9.8zh 14 Jan 2016

> And where does your serial come from? It has a wrong format.

I am not entirely sure as to what's the purpose of the serial. I have set it to a UUID.

```js
// @flow

import {
  createSecureContext
} from 'tls';
import uuid from 'uuid';
import pem from 'pem';
import {
  promisify
} from 'bluefeather';
import type {
  CreateSniCallbackOptionsType
} from '../../../types';

const createCertificate = promisify(pem.createCertificate);

export default (options: CreateSniCallbackOptionsType) => {
  const store = options.store || new Map();

  return async (domain: string) => {
    let context;

    if (store.has(domain)) {
      context = store.get(domain);
    } else {
      const pemOptions = {
        commonName: domain,
        days: 365,
        keyBitsize: 2048,
        serial: uuid.v4(),
        ...options
      };

      const info = await createCertificate(pemOptions);

      const certificate = {
        cert: info.certificate,
        key: info.clientKey
      };

      context = createSecureContext(certificate).context;

      store.set(domain, context);
    }

    return context;
  };
};
```

What's the relation between the `serviceCertificate` and the serial?

Dexus (Owner) commented Sep 30, 2017

@Papakai I think we should check if serial is a number or a string and then convert it to hex.

gajus (Author) commented Sep 30, 2017

Is that the thing here? – I need to convert the serial to hex notation?

gajus (Author) commented Sep 30, 2017

`serial: Buffer.from(uuid.v4(), 'UTF8').toString('hex')` seems to work, albeit I still don't understand the use case.

KaiSchwarz-cnic (Contributor) commented

@Dexus yes, might be worth thinking about, but also documenting the purpose of the serial in the readme :)

KaiSchwarz-cnic (Contributor) commented Oct 2, 2017

@gajus this is a guide on how to find the serial of an existing SSL cert: https://support.comodo.com/index.php?/comodo/Knowledgebase/Article/View/706/17/

In case of a self-signed SSL cert, you are the CA and thus, to my understanding, you can generate your own serial (just in hex); but it is important that this serial is unique per CA.

https://tools.ietf.org/html/rfc3280#section-4.1.2.2

@Dexus feel free to correct me if I am wrong.

Dexus (Owner) commented Oct 2, 2017 via email

Dexus added a commit that referenced this issue Oct 7, 2017
Supports now: 20 octets
Strings like: "stringserial"
Hex like: "0x1234567890abcdef", "1234567890abdef"
Numbers like: 1234567890
Dexus added a commit that referenced this issue Oct 8, 2017
Supports now: 20 octets
Strings like: "stringserial"
Hex like: "0x1234567890abcdef", "1234567890abdef"
Numbers like: 1234567890

[ci skip]
Dexus closed this as completed in 960f077 Oct 8, 2017