# [solved] certificate request signing problem / TinyCA+openss

## drrrl

Hi,

For the last two years I was using an SSL certificate for my web server, generated by TinyCA. As it expired yesterday, I tried to renew it, but this is the error message I get:

```
/usr/bin/openssl ca -batch -passin env:SSLPASS -notext -config /home/grzes/.TinyCA/ca.my.com/openssl.cnf -name server_ca -in "/home/grzes/.TinyCA/ca.my.com/req/xxxxxx.pem" -days 365 -preserveDN -md md5
Using configuration from /home/grzes/.TinyCA/ca.my.com/openssl.cnf
Error Loading extension section server_cert
11829:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:329:group=server_ca name=email_in_dn
11829:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:432:
11829:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=dummy
```

A year ago the renewal procedure worked without problems, and I did not change the configuration of either openssl or TinyCA (at least as far as I am aware), so the only thing I suspect is that something has changed in the behaviour of openssl (or, less probably, in TinyCA) during the updates that were done in the last year.

Any idea?

Version and history:

```
# genlop openssl
 * dev-libs/openssl

     Thu Feb  9 08:50:35 2006 >>> dev-libs/openssl-0.9.7i
     Thu Jun 29 14:36:54 2006 >>> dev-libs/openssl-0.9.7j
     Thu Aug 31 14:52:09 2006 >>> dev-libs/openssl-0.9.7j
     Thu Aug 31 19:14:52 2006 >>> dev-libs/openssl-0.9.7j
     Wed Sep  6 11:29:55 2006 >>> dev-libs/openssl-0.9.8c
     Fri Sep  8 03:56:52 2006 >>> dev-libs/openssl-0.9.8c
     Sun Sep 10 11:22:19 2006 >>> dev-libs/openssl-0.9.8c
     Fri Sep 15 09:05:47 2006 >>> dev-libs/openssl-0.9.8c
     Sun Sep 17 11:12:15 2006 >>> dev-libs/openssl-0.9.8c-r1
     Tue Sep 19 21:47:42 2006 >>> dev-libs/openssl-0.9.8c-r2
     Tue Sep 19 22:09:29 2006 >>> dev-libs/openssl-0.9.8c-r2
     Fri Sep 29 22:48:30 2006 >>> dev-libs/openssl-0.9.8d

# genlop tinyca
 * app-crypt/tinyca

     Thu Aug 31 23:49:43 2006 >>> app-crypt/tinyca-0.5.4-r1
     Tue Nov 21 14:36:35 2006 >>> app-crypt/tinyca-2.0.7.3
     Sat Jan 13 16:03:50 2007 >>> app-crypt/tinyca-2.0.7.5
```

openssl.cnf:

```
[ ca ]
default_ca      = server_ca

[ policy_client ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_server ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ policy_ca ]

[ req ]
default_bits            = 2048
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca
string_mask = nombstr
req_extensions = v3_req

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State
localityName                    = Locality Name (eg, city)
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, YOUR name)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 40

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = critical,CA:true
nsCertType = sslCA, emailCA
issuerAltName = issuer:copy
nsComment = "TinyCA Generated Certificate"
subjectAltName = email:copy
keyUsage = critical, keyCertSign

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always

[ server_ca ]
dir = /home/grzes/.TinyCA/ca.my.com
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/cacert.key
RANDFILE = $dir/.rand
x509_extensions = server_cert
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_server
unique_subject = yes

[ client_ca ]
dir = /home/grzes/.TinyCA/ca.my.com
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/cacert.key
RANDFILE = $dir/.rand
x509_extensions = client_cert
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_client
unique_subject = yes

[ ca_ca ]
dir = /home/grzes/.TinyCA/ca.my.com
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/cacert.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/cacert.key
RANDFILE = $dir/.rand
x509_extensions = server_cert
default_days = 365
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_server
unique_subject = yes

[ client_cert ]
basicConstraints = CA:FALSE
nsCertType = client, email, objsign
nsComment = "TinyCA Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
subjectAltName = email:copy
keyUsage = critical, digitalSignature, keyEncipherment

[ server_cert ]
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "TinyCA Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
issuerAltName = issuer:copy
subjectAltName = $ENV::SUBJECTALTNAMEIP
```

TIA, Grzes

Last edited by drrrl on Sun Feb 11, 2007 9:23 pm; edited 1 time in total

----------

## depontius

OK, I'm probably not the most knowledgeable here, but since this has sat almost 24 hours, I'll give a stab.

Yes, in the past few months there have been several OpenSSL updates. I seem to remember seeing that at least one of those updates required a revdep-rebuild in order to fix calling programs. It looks to me as if this might be your problem. There are options to do a more "focused" revdep-rebuild that will tell it to just look for things depending on specific OpenSSL libs, but to tell the truth, I'm not that versed in it. I would suggest doing a "revdep-rebuild -p" (pretend) and seeing what it spits out. I would expect to see some noise about OpenSSL in there. Then, based on what else you see, you might run "revdep-rebuild" without the "-p" to fix everything it found, or go for the specific "emerge -1 (package-names)" that are needed for your problems.

----------

## drrrl

Hi,

thanks for the answer and suggestions. As far as I remember I ran revdep-rebuild after the upgrade, as I try to do every time libs are changed. But to be sure I tried it now and unfortunately no - no package has to be rebuilt due to a libssl.so dependency.

Besides, my latest version of TinyCA was compiled on Jan 13, 2007, after the last upgrade of openssl (Sep 29, 2006). I don't think any other package is related to this problem.

But anyway, thanks!

----------

## depontius

I was under the impression that tinyCA was perl, in which case the compilation date of the perl libs would matter. But then again, you've taken care of that.

Just FYI, there's an outfit called "cacert.org" that issues "real" certificates, as opposed to self-signed, or the certificates I've issued as my own CA. I've signed on, but haven't actually used the service yet.

----------

## drrrl

Hi,

it seems that I finally found a solution. Although my first idea was that something went terribly wrong during upgrades (as depontius suggested too), the persistence of the problem after a few recompilations showed that this was not the reason. Finally I defined a new CA via the TinyCA interface and started to look for differences.

My guess was the openssl.cnf file, as it was openssl which produced the error messages. The most suspicious place was a single line in the "[ server_cert ]" section:

Original:

```
[ server_cert ]
subjectAltName = $ENV::SUBJECTALTNAMEIP
```

New:

```
[ server_cert ]
subjectAltName = email:copy
```

I have changed it and voilà! I can issue or renew certificates again :)

But there were also some other things in other sections and I wonder how these changes influence the whole CA - especially in the "[ ca_ca ]" section (only the lines that differ are shown):

Original lines:

```
[ policy_ca ]
<empty>

[ ca_ca ]
x509_extensions = server_cert
policy = policy_server

[ v3_ca ]
keyUsage = critical, keyCertSign
```

Lines in newly generated openssl.cnf:

```
[ policy_ca ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[ ca_ca ]
x509_extensions = v3_ca
policy = policy_ca

[ v3_ca ]
keyUsage = critical, keyCertSign, cRLSign
```

Is there any openssl guru that could explain? ;)
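
The two things this thread turned on, the `subjectAltName` line whose value comes from the `SUBJECTALTNAMEIP` environment variable and the `[ ca_ca ]` / `[ v3_ca ]` differences between the old and the regenerated `openssl.cnf`, can both be caught before `openssl ca` is ever run. The script below is an added example, not code from the thread, from TinyCA or from OpenSSL: it parses the `[ section ]` / `key = value` format, follows a CA section to the extension profile named by its `x509_extensions`, and reports any `$ENV::NAME` reference that the environment does not define, plus, for a profile that is meant to issue CA certificates, extensions that would make the issued certificates unable to sign. The sample config is a trimmed copy of the sections posted above (with the poster's own path), the function names are the example's own, and treating `ca_ca` as the profile used for CA requests is an assumption based on its name.

```python
"""Preflight linter for an openssl.cnf before running `openssl ca`. Added
example, not code from the thread, TinyCA or OpenSSL: it follows a CA section
to its x509_extensions profile and flags unset `$ENV::` references and
CA-signing profiles whose extensions cannot sign certificates or CRLs."""
import os
import re
from typing import Mapping

Config = dict[str, dict[str, str]]
_SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")
_ENV_RE = re.compile(r"\$ENV::(\w+)")
_VAR_RE = re.compile(r"\$(?!ENV::)(\w+)|\$\{(\w+)\}")   # $dir or ${dir}


def parse_openssl_cnf(text: str) -> Config:
    """`$name` is expanded from a key set earlier in the same section (as `$dir`
    is); `$ENV::NAME` is kept verbatim so it can be checked against the environment."""
    cfg: Config = {"default": {}}
    section = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := _SECTION_RE.match(line):
            section = m.group(1)
            cfg.setdefault(section, {})
            continue
        if "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        value = _VAR_RE.sub(
            lambda v: cfg[section].get(v.group(1) or v.group(2), v.group(0)), value)
        cfg[section][key] = value
    return cfg


def unresolved_env_refs(cfg: Config, section: str, env: Mapping[str, str]) -> list[str]:
    """'key -> VAR' for every $ENV::VAR in `section` that `env` does not define."""
    return [f"{key} -> {var}" for key, value in cfg.get(section, {}).items()
            for var in _ENV_RE.findall(value) if var not in env]


def _flags(value: str) -> set[str]:
    return {p.strip().lower() for p in value.split(",") if p.strip()}


def lint_ca_section(cfg: Config, name: str, env: Mapping[str, str],
                    signs_ca: bool = False) -> list[str]:
    """Findings for `openssl ca -name <name>`; `signs_ca`: the profile issues CA certs."""
    ca = cfg[name]
    ext_name = ca.get("x509_extensions", "")
    ext = cfg.get(ext_name, {})
    out = [f"{ext_name}: {ref} is not set in the environment"
           for ref in unresolved_env_refs(cfg, ext_name, env)]
    if signs_ca:
        ku = _flags(ext.get("keyUsage", ""))          # absent keyUsage = unrestricted
        if "ca:true" not in _flags(ext.get("basicConstraints", "")):
            out.append(f"{ext_name}: basicConstraints is not CA:true, issued certs cannot sign")
        if ku and "keycertsign" not in ku:
            out.append(f"{ext_name}: keyUsage lacks keyCertSign")
        if ku and "crlsign" not in ku:
            out.append(f"{ext_name}: keyUsage lacks cRLSign, CRLs from issued CAs fail strict checks")
    policy = ca.get("policy", "")
    if policy in cfg and not cfg[policy]:
        out.append(f"{policy}: empty policy section, no subject field is required or checked")
    return out


# Constructed sample: the relevant lines of the poster's original openssl.cnf.
ORIGINAL_CNF = """
[ policy_server ]
commonName = supplied
[ policy_ca ]
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical, keyCertSign
[ server_ca ]
dir = /home/grzes/.TinyCA/ca.my.com
certs = $dir/certs
x509_extensions = server_cert
policy = policy_server
[ ca_ca ]
x509_extensions = server_cert
policy = policy_server
[ server_cert ]
basicConstraints = CA:FALSE
subjectAltName = $ENV::SUBJECTALTNAMEIP
"""
# The same lines with the differences the poster found in the regenerated file.
REGENERATED_CNF = (ORIGINAL_CNF
    .replace("subjectAltName = $ENV::SUBJECTALTNAMEIP", "subjectAltName = email:copy")
    .replace("[ policy_ca ]\n", "[ policy_ca ]\ncommonName = supplied\n")
    .replace("[ ca_ca ]\nx509_extensions = server_cert\npolicy = policy_server",
             "[ ca_ca ]\nx509_extensions = v3_ca\npolicy = policy_ca")
    .replace("keyUsage = critical, keyCertSign\n", "keyUsage = critical, keyCertSign, cRLSign\n"))

if __name__ == "__main__":
    # ca_ca is assumed to be the profile TinyCA uses for CA requests (from its name).
    for label, text in (("original", ORIGINAL_CNF), ("regenerated", REGENERATED_CNF)):
        cfg = parse_openssl_cnf(text)
        for ca_name, signs in (("server_ca", False), ("ca_ca", True)):
            for line in lint_ca_section(cfg, ca_name, os.environ, signs) or [f"{ca_name}: ok"]:
                print(f"{label:11} {line}")
```

Run against the original lines with `SUBJECTALTNAMEIP` unset, the `server_ca` profile reports the unresolved reference behind the posted `subjectAltName` error; set the variable (or use `email:copy`, as the regenerated file does) and that finding disappears. For `ca_ca` the old file pointed at `server_cert`, whose `basicConstraints = CA:FALSE` means a certificate signed through that profile could never act as an issuer, while the regenerated file points at `v3_ca` (`CA:true`, `keyCertSign`) and adds `cRLSign`, without which RFC 5280 verifiers reject CRLs signed by such a CA whenever its certificate carries a `keyUsage` extension. The empty `[ policy_ca ]` is flagged too: with no fields listed, `openssl ca` requires and checks nothing in the request's subject for that profile.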
