NPM is not parsing CN from custom certificate correctly

[MarcoWel]

getCertificateInfoFromFile() function does not parse cert subject correctly.

nginx-proxy-manager/backend/internal/certificate.js

Line 734 in 63d06da

const regex = /(?:subject=)?[^=]+=\s+(\S+)/gim;

It expects the CN as first item (by reading match[1]), which is not always the case.

Example:
openssl x509 -in cert.crt -subject -noout
Output: subject=C = DE, ST = State, L = City, O = MyOrg, OU = -, CN = *.example.com

When loading such a certificate in NPM it seems to work, but accessing the Proxy leads to a ERR_SSL_UNRECOGNIZED_NAME_ALERT error in the browser.

Fix: Make subject parsing regex more robust.
This one should be working:

const regex = /(?:subject=)?CN\s*=\s*(\S+)/gim;

[MarcoWel]

Alternative Solution:
Add -nameopt RFC2253 parameter to this line:

nginx-proxy-manager/backend/internal/certificate.js

Line 731 in 63d06da

return utils.exec('openssl x509 -in ' + certificate_file + ' -subject -noout')

Result:

return utils.exec('openssl x509 -in ' + certificate_file + ' -subject -noout -nameopt RFC2253')

This ensures the standardized order of the subject fields where CN is always the first in order.

[SirWobbyTheFirst]

Hi @MarcoWel,

Could this expain why my Exchange Server has just started popping up an ERR_SSL_UNRECOGNIZED _NAME_ALERT error message recently? It's proxied through NPM and has only recently started doing it today.

[SteveBattista]

You cant use the RFC2253 option as the regex's work with spaces not commas. I have tried a bunch of REGEX This should work but it does not work:
/(?:subject=)?CN\s*=\s*([*[a-z.0-9A-Z]+)

This is what my subject line looks like:
subject=O = schmoocon, OU = schmooball, CN = *.meathead.fun.tld

Any ideas?

[github-actions]

Issue is now considered stale. If you want to keep it open, please comment 👍