help understanding ikectl error messages

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

help understanding ikectl error messages

Andreas Thulin-2
Hi!

Following the example on https://man.openbsd.org/ikectl, I

# ikectl ca test create
...and then
# ikectl ca test certificate sub.domain.com create
...filled out "the form", but after that...
Using configuration from /etc/ssl/test/sub.domain.com-ssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'SE'
organizationName      :ASN.1 12:'cppm'
commonName            :ASN.1 12:'sub.domain.com'
emailAddress          :IA5STRING:'[hidden email]'
ERROR: adding extensions in section x509v3_FQDN
2198743120:error:22FFF06D:X509 V3 routines:func(4095):invalid null
value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
2198743120:error:22FFF069:X509 V3 routines:func(4095):invalid extension
string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=DNS:
2198743120:error:22FFF080:X509 V3 routines:func(4095):error in
extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,
value=DNS:

I'm probably doing something stupid, so if anyone can point me in the right
direction, that would be highly appreciated.

BR
Andreas
Reply | Threaded
Open this post in threaded view
|

Re: help understanding ikectl error messages

Stuart Henderson
On 2018-01-09, Andreas Thulin <[hidden email]> wrote:

> Hi!
>
> Following the example on https://man.openbsd.org/ikectl, I
>
> # ikectl ca test create
> ...and then
> # ikectl ca test certificate sub.domain.com create
> ...filled out "the form", but after that...
> Using configuration from /etc/ssl/test/sub.domain.com-ssl.cnf
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> countryName           :PRINTABLE:'SE'
> organizationName      :ASN.1 12:'cppm'
> commonName            :ASN.1 12:'sub.domain.com'
> emailAddress          :IA5STRING:'[hidden email]'
> ERROR: adding extensions in section x509v3_FQDN
> 2198743120:error:22FFF06D:X509 V3 routines:func(4095):invalid null
> value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
> 2198743120:error:22FFF069:X509 V3 routines:func(4095):invalid extension
> string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=DNS:
> 2198743120:error:22FFF080:X509 V3 routines:func(4095):error in
> extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,
> value=DNS:
>
> I'm probably doing something stupid, so if anyone can point me in the right
> direction, that would be highly appreciated.
>
> BR
> Andreas
>

Which version are you running? (See "Include important information"
on http://www.openbsd.org/mail.html).


Reply | Threaded
Open this post in threaded view
|

Re: help understanding ikectl error messages

Andreas Thulin-2
Sorry, my bad!

6.2-stable. And after sending my e-mail, I found a post about this issue,
that ended up in ikeca.c (?) having been patched on 8 November last year to
resolve the same issue, I believe. I have installed 6.2-current on another
machine to figure out if that solves the problem.

BR, Andreas
sön 14 jan. 2018 kl. 23:03 skrev Stuart Henderson <[hidden email]>:

> On 2018-01-09, Andreas Thulin <[hidden email]> wrote:
> > Hi!
> >
> > Following the example on https://man.openbsd.org/ikectl, I
> >
> > # ikectl ca test create
> > ...and then
> > # ikectl ca test certificate sub.domain.com create
> > ...filled out "the form", but after that...
> > Using configuration from /etc/ssl/test/sub.domain.com-ssl.cnf
> > Check that the request matches the signature
> > Signature ok
> > The Subject's Distinguished Name is as follows
> > countryName           :PRINTABLE:'SE'
> > organizationName      :ASN.1 12:'cppm'
> > commonName            :ASN.1 12:'sub.domain.com'
> > emailAddress          :IA5STRING:'[hidden email]'
> > ERROR: adding extensions in section x509v3_FQDN
> > 2198743120:error:22FFF06D:X509 V3 routines:func(4095):invalid null
> > value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
> > 2198743120:error:22FFF069:X509 V3 routines:func(4095):invalid extension
> >
> string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=DNS:
> > 2198743120:error:22FFF080:X509 V3 routines:func(4095):error in
> > extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,
> > value=DNS:
> >
> > I'm probably doing something stupid, so if anyone can point me in the
> right
> > direction, that would be highly appreciated.
> >
> > BR
> > Andreas
> >
>
> Which version are you running? (See "Include important information"
> on http://www.openbsd.org/mail.html).
>
>
>
Reply | Threaded
Open this post in threaded view
|

Re: help understanding ikectl error messages

Stuart Henderson
On 2018/01/15 06:35, Andreas Thulin wrote:
> Sorry, my bad!
>
> 6.2-stable. And after sending my e-mail, I found a post about this issue, that ended up in
> ikeca.c (?) having been patched on 8 November last year to resolve the same issue, I believe. I
> have installed 6.2-current on another machine to figure out if that solves the problem.
>
> BR, Andreas

Thanks - -current should fix this. (I did think that it had been fixed
before 6.2 which is why I asked about the version, but yes it looks like
this one wasn't fixed until 8 Nov).

Reply | Threaded
Open this post in threaded view
|

Re: help understanding ikectl error messages

Andreas Thulin-2
Thanks Stuart for replies! I can confirm that I could proceed without
issues on 6.2-current. :-)

BR, Andreas
mån 15 jan. 2018 kl. 10:31 skrev Stuart Henderson <[hidden email]>:

> On 2018/01/15 06:35, Andreas Thulin wrote:
> > Sorry, my bad!
> >
> > 6.2-stable. And after sending my e-mail, I found a post about this
> issue, that ended up in
> > ikeca.c (?) having been patched on 8 November last year to resolve the
> same issue, I believe. I
> > have installed 6.2-current on another machine to figure out if that
> solves the problem.
> >
> > BR, Andreas
>
> Thanks - -current should fix this. (I did think that it had been fixed
> before 6.2 which is why I asked about the version, but yes it looks like
> this one wasn't fixed until 8 Nov).
>
>