
Wildcard certificates (in SAN) broken - cryptography module #467

Closed
PortableTech opened this issue Jun 30, 2015 · 12 comments

Comments

@PortableTech
Contributor

I ran the upgrade script and something went wrong. The roundcube interface is still working, but the admin console is completely down and returns an error of "Error: Something went wrong, sorry."

There were errors during the setup. I am including the results for reference. I did replace IPs, hostname, and keys to protect the innocent. Also, the HTML in the console output is being interpreted by Github and shown as HTML.

Also, I am not in trouble; I rolled the server back to a snapshot I took right before I did the upgrade. I did tar up the whole /var/log folder before I did, though, in case any of that would be helpful.

ubuntu@mail:~$ curl -s https://mailinabox.email/bootstrap.sh | sudo bash
Updating Mail-in-a-Box to v0.11b . . .
remote: Counting objects: 54, done.
remote: Compressing objects: 100% (49/49), done.
remote: Total 54 (delta 37), reused 13 (delta 5), pack-reused 0
Unpacking objects: 100% (54/54), done.
From https://github.com/mail-in-a-box/mailinabox

  • [new tag] v0.11b -> v0.11b

Running migration to Mail-in-a-Box #8...


*** I added this to represent the menu system ***
*** Console Menus Started, all defaults accepted. ***


Primary Hostname: mail.somebox.org
Public IP Address: 1.2.3.4
Private IP Address: 1.2.3.4
Mail-in-a-Box Version: v0.11b

Updating system packages...
already installed: python3 (3.4.0-0ubuntu2), python3-dev (3.4.0-0ubuntu2), python3-pip (1.5.4-1ubuntu3), netcat-openbsd (1.105-7ubuntu1), wget (1.15-1ubuntu1.14.04.1), curl (7.35.0-1ubuntu2.5), git (1:1.9.1-1ubuntu0.1), sudo (1.8.9p5-1ubuntu1.1), coreutils (8.21-1ubuntu5.1), bc (1.06.95-8ubuntu1), haveged (1.7c-1), unattended-upgrades (0.82.1ubuntu2.3), cron (3.0pl1-124ubuntu2), ntp (1:4.2.6.p5+dfsg-3ubuntu2.14.04.3), fail2ban (0.8.11-1)
already installed: ufw (0.34~rc-0ubuntu2)
Firewall is active and enabled on system startup
already installed: bind9 (1:9.9.5.dfsg-3ubuntu0.2), resolvconf (1.69ubuntu1.1)
already installed: openssl (1.0.1f-1ubuntu2.15)
already installed: nsd (4.0.1-1ubuntu0.1), ldnsutils (1.6.17-1), openssh-client (1:6.6p1-2ubuntu2)
already installed: postfix (2.11.0-1ubuntu1), postfix-pcre (2.11.0-1ubuntu1), postgrey (1.35-1+miab1), ca-certificates (20141019ubuntu0.14.04.1)
already installed: dovecot-core (1:2.2.9-1ubuntu2.1), dovecot-imapd (1:2.2.9-1ubuntu2.1), dovecot-pop3d (1:2.2.9-1ubuntu2.1), dovecot-lmtpd (1:2.2.9-1ubuntu2.1), dovecot-sqlite (1:2.2.9-1ubuntu2.1), sqlite3 (3.8.2-1ubuntu2), dovecot-sieve (1:2.2.9-1ubuntu2.1), dovecot-managesieved (1:2.2.9-1ubuntu2.1)
installing dovecot-lucene ...
already installed: opendkim (2.9.1-1), opendkim-tools (2.9.1-1), opendmarc (1.2.0+dfsg-1)
already installed: spampd (2.30-22.2), razor (1:2.85-4build2), pyzor (1:0.5.0-2fakesync1), dovecot-antispam (2.0+20130822-2build1)
already installed: nginx (1.4.6-1ubuntu3.2), php5-fpm (5.5.9+dfsg-1ubuntu4.9)
already installed: dbconfig-common (1.8.47+nmu1), php5 (5.5.9+dfsg-1ubuntu4.9), php5-sqlite (5.5.9+dfsg-1ubuntu4.9), php5-mcrypt (5.4.6-0ubuntu5), php5-intl (5.5.9+dfsg-1ubuntu4.9), php5-json (1.3.2-2build1), php5-common (5.5.9+dfsg-1ubuntu4.9), php-auth (1.6.4-1), php-net-smtp (1.6.1-1), php-net-socket (1.0.14-1), php-net-sieve (1.3.2-4), php-mail-mime (1.8.8-1), php-crypt-gpg (1.3.2-1), php5-gd (5.5.9+dfsg-1ubuntu4.9), php5-pspell (5.5.9+dfsg-1ubuntu4.9), tinymce (3.4.8+dfsg0-1), libjs-jquery (1.7.2+dfsg-2ubuntu1), libjs-jquery-mousewheel (8-2), libmagic1 (1:5.14-2ubuntu3.3)
installing Roundcube webmail 1.1.2...
already installed: dbconfig-common (1.8.47+nmu1), php5-cli (5.5.9+dfsg-1ubuntu4.9), php5-sqlite (5.5.9+dfsg-1ubuntu4.9), php5-gd (5.5.9+dfsg-1ubuntu4.9), php5-imap (5.4.6-0ubuntu5), php5-curl (5.5.9+dfsg-1ubuntu4.9), php-pear (5.5.9+dfsg-1ubuntu4.9), php-apc (4.0.2-2build1), curl (7.35.0-1ubuntu2.5), libapr1 (1.5.0-1), libtool (2.4.2-1.7ubuntu1), libcurl4-openssl-dev (7.35.0-1ubuntu2.5), php-xml-parser (1.3.4-6), php5 (5.5.9+dfsg-1ubuntu4.9), php5-dev (5.5.9+dfsg-1ubuntu4.9), php5-gd (5.5.9+dfsg-1ubuntu4.9), php5-fpm (5.5.9+dfsg-1ubuntu4.9), memcached (1.4.14-0ubuntu9), php5-memcache (3.0.8-4build1), unzip (6.0-9ubuntu1.3)
Migrating owncloud/config.php to new location.
installing ownCloud...
upgrading ownCloud to 8.0.4 (backing up existing ownCloud directory to /tmp/owncloud-backup-1923)...
already installed: php-soap (0.13.0-1), php5-imap (5.4.6-0ubuntu5), libawl-php (0.53-1), php5-xsl (5.5.9+dfsg-1ubuntu4.9)
already installed: python3-flask (0.10.1-2build1), links (2.8-1ubuntu1), duplicity (0.6.23-1ubuntu4.1), libyaml-dev (0.1.4-3ubuntu3.1), python3-dnspython (1.11.1-1), python3-dateutil (2.0+dfsg1-1), build-essential (11.6ubuntu6), libssl-dev (1.0.1f-1ubuntu2.15), python3-dev (3.4.0-0ubuntu2)
installing libffi-dev ...
installing munin munin-node ...
updated DNS: phillipslanding.org

<title>500 Internal Server Error</title>

Internal Server Error

The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.


Your Mail-in-a-Box is running.

Please log in to the control panel for further instructions at:

Traceback (most recent call last):
  File "management/status_checks.py", line 982, in
    cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key, warn_if_expiring_soon=False)
  File "management/status_checks.py", line 641, in check_certificate
    sans = cert.extensions.get_extension_for_oid(OID_SUBJECT_ALTERNATIVE_NAME).value.get_values_for_type(DNSName)
  File "/usr/local/lib/python3.4/dist-packages/cryptography/hazmat/backends/openssl/x509.py", line 287, in extensions
    value = self._build_subject_alt_name(ext)
  File "/usr/local/lib/python3.4/dist-packages/cryptography/hazmat/backends/openssl/x509.py", line 502, in _build_subject_alt_name
    general_names = _build_general_names(self._backend, gns)
  File "/usr/local/lib/python3.4/dist-packages/cryptography/hazmat/backends/openssl/x509.py", line 86, in _build_general_names
    names.append(_build_general_name(backend, gn))
  File "/usr/local/lib/python3.4/dist-packages/cryptography/hazmat/backends/openssl/x509.py", line 94, in _build_general_name
    return x509.DNSName(idna.decode(data))
  File "/usr/local/lib/python3.4/dist-packages/idna/core.py", line 383, in decode
    result.append(ulabel(label))
  File "/usr/local/lib/python3.4/dist-packages/idna/core.py", line 298, in ulabel
    check_label(label)
  File "/usr/local/lib/python3.4/dist-packages/idna/core.py", line 252, in check_label
    raise InvalidCodepoint('Codepoint {0} at position {1} of {2} not allowed'.format(_unot(cp_value), pos+1, repr(label)))
idna.core.InvalidCodepoint: Codepoint U+002A at position 1 of '*' not allowed
https://1.2.3.4/admin

You will be alerted that the website has an invalid certificate. Check that
the certificate fingerprint matches:

XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX (yes, I changed this.)

Then you can confirm the security exception and continue.

@stevetoza

I have the same issue

@JoshData
Member

Okay, I see: wildcard certs with the wildcard in the Subject Alternative Names extension are a problem for the new cryptography library we are using. It's been fixed upstream, so the fastest way to fix this is to install the latest upstream package:

sudo pip3 install git+https://github.com/pyca/cryptography

@JoshData JoshData changed the title Failed Upgrade 0.11b Wildcard certificates (in SAN) broken - cryptography module Jun 30, 2015
@PortableTech
Contributor Author

At this point I rolled back to a pre-upgrade snapshot. Just to make sure I am tracking, can I run the above command and then run the upgrade, or do I need to rerun the upgrade, let it break and then run that command?

@JoshData
Member

I'm not sure. If you run pip after upgrading (as I did) you'll just need to sudo service mailinabox restart to get it to take effect.

@PortableTech
Contributor Author

Will test this evening.

@PortableTech
Contributor Author

UPDATE: it is not possible to run the git command prior to the upgrade as there are dependency issues. I did do it the way you suggested after, and it does appear that resolved the issue.

I can also confirm that the 2048 bit DKIM key was made and does appear valid.

I will continue to test.

@brocktice
Contributor

I am still having problems after running the pip upgrade. I am having fewer problems, but still:

Traceback (most recent call last):
  File "management/status_checks.py", line 993, in
    cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key, warn_if_expiring_soon=False)
  File "management/status_checks.py", line 668, in check_certificate
    priv_key = load_pem(open(ssl_private_key, 'rb').read())
  File "management/status_checks.py", line 767, in load_pem
    raise ValueError("Unsupported PEM object type: " + pem_type.decode("ascii", "replace"))
ValueError: Unsupported PEM object type: PRIVATE KEY

EDIT: Disregard, helps if you concatenate the certificates correctly. The pip upgrade seems to have done the trick.

@JoshData
Member

JoshData commented Jul 3, 2015

Actually I just fixed that in master. You might have accidentally picked up the fix if you pulled?

@Xoib
Contributor

Xoib commented Jul 25, 2015

Well, it's fixed upstream at pyca/cryptography#2054 but it has not yet been picked up by package maintainers of main distros. You should force fetching the upstream version of pyca/cryptography#2071 until then because, as is, the status_check fails.

File "/usr/local/lib/python3.4/dist-packages/idna/core.py", line 252, in check_label
    raise InvalidCodepoint('Codepoint {0} at position {1} of {2} not allowed'.format(_unot(cp_value), pos+1, repr(label)))
idna.core.InvalidCodepoint: Codepoint U+002A at position 1 of '*' not allowed
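Added example, not code from Mail-in-a-Box or pyca/cryptography, illustrating the root cause JoshData and Xoib describe above: the leading `*.` label of a wildcard dNSName is split off before IDNA decoding (the approach the upstream fix takes), and each SAN entry is decoded in isolation so one bad value cannot raise out of the whole certificate check the way the traceback shows. The stdlib IDNA codec and an LDH label regex stand in for the idna library; the function names, regex and SAMPLE_SAN values are constructed for this example.

```python
import re

# RFC 1123 LDH label: letters, digits, hyphen; 1-63 chars; no leading or trailing hyphen.
_LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def decode_san_dnsname(raw: bytes) -> str:
    """Decode one SAN dNSName (IA5String, so ASCII bytes) to its U-label form.
    The leading "*." is split off before any IDNA work, since a strict hostname
    check rejects U+002A (the idna.check_label failure seen in this issue); a
    wildcard anywhere else is refused (RFC 6125, section 6.4.3)."""
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("dNSName is not IA5String: %r" % raw) from exc
    prefix = ""
    if name.startswith("*."):
        prefix, name = "*.", name[2:]
    if not name or "*" in name:
        raise ValueError("wildcard must be the whole leftmost label: %r" % raw)
    labels = []
    for label in name.split("."):
        if not _LDH_LABEL.match(label):
            raise ValueError("label %r of %r is not LDH" % (label, raw))
        if label.lower().startswith("xn--"):
            # A-label -> U-label via the stdlib IDNA codec (stand-in for the idna library).
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return prefix + ".".join(labels)

def parse_san_dnsnames(raw_names):
    """Decode every dNSName, isolating failures per entry so one bad value cannot raise
    out of the whole certificate check. Returns (decoded_names, [(raw, reason), ...])."""
    good, bad = [], []
    for raw in raw_names:
        try:
            good.append(decode_san_dnsname(raw))
        except ValueError as exc:
            bad.append((raw, str(exc)))
    return good, bad

# Constructed sample SAN values: a wildcard cert's entries, an IDN wildcard, and two to refuse.
SAMPLE_SAN = [
    b"mail.somebox.org",
    b"*.somebox.org",
    b"*.xn--bcher-kva.example",  # decodes to *.b\u00fccher.example
    b"mail.*.somebox.org",
    b"-bad-.somebox.org",
]
```

Running `parse_san_dnsnames(SAMPLE_SAN)` keeps the first three names and reports the last two with a reason, instead of aborting on the first rejected entry.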

@JoshData
Member

Different issues.

@Xoib
Contributor

Xoib commented Jul 25, 2015

@JoshData : I am not talking about the one from @brocktice, but the first one from @PortableTech and @stevetoza.

@JoshData
Member

JoshData commented Sep 5, 2015

The cryptography library released 1.0 a few weeks ago, so anyone that upgraded to the latest Mail-in-a-Box should have it and this issue should be resolved. If not, please re-open the issue.

@JoshData JoshData closed this as completed Sep 5, 2015