luci icon indicating copy to clipboard operation
luci copied to clipboard

Published 20 hours ago verified publisher icon openwrt

luci-app-uhttpd: generated certificate from gui does not contain alt_name resulting in error in browser Edge and Chrome

Open swtrse opened this issue 1 year ago • 35 comments

Steps to reproduce:

  1. go to: Services → uHTTPd→ uHTTPd Self-signed Certificate Parameters
  2. set parameters to your liking
  3. Save & Apply
  4. click "remove old certificate and key" button

Actual behavior:

  1. The generated certificate will not be accepted by modern browsers

Expected behavior:

A certificate that will be accepted by modern browsers

Additional Information:

The effect you can see on windows and edge for example is. That if you have not trusted the certificate edge will show an NET::ERR_CERT_AUTHORITY_INVALID error. This error can be ignored and the website can be accessed. However, to get rid of the certificate error the normal way is to download the certificate and install it in the "Trusted Root Certificate" store for the local machine. The problem is, if you use the current generated certificate you get an NET:ERR_CERT_INVALID error which you not be ignored and you can not access the website until you removed the certificate from the certificate store again.

As a workaround you can create the certificate manually The commands are

openssl ecparam -name prime256v1 > ec.param
openssl req -x509 -nodes -days 3650 -newkey ec:ec.param -keyout mycert.key -out mycert.crt -config myconfig.conf

The used config looks like this

[req]
distinguished_name  = req_distinguished_name
x509_extensions     = v3_req
prompt              = no
string_mask         = utf8only
utf8            = yes

[req_distinguished_name]
C                   = <Country>
ST                  = <State>
L                   = <local>
O                   = <organisation>
OU                  = <organisation unit>
CN                  = <fqdn of openwrt device (openwrt.lan)>

[v3_req]
keyUsage            = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage    = serverAuth
subjectAltName      = @alt_names

[alt_names]
DNS.1               = <fqdn of openwrt device (openwrt.lan)>
IP.1                = <ipv4 of openwrt device (10.0.0.1)>
IP.2                = <ipv6 of openwrt dervice (fd18:211d:d95::1)>
<add more IPs if needed>

The certificate generated this way gets accepted and the certificate error vanishes as soon as the certificate is installed in the certificate store.

The workaround makes it clear that the certificates generated over the ui lacks the alternative names which seems to be a requirement for modern browsers.

swtrse avatar Nov 16 '23 02:11 swtrse