Error Loading Extension Section Ssl Server
Error Loading extension section usr_cert

I am running openvpn on an Ubuntu 14.04 box. The setup was fine until an OpenSSL upgrade, then when I try to create new client cert with easy-rsa, I got this message:

    root@:easy-rsa# ./pkitool onokun
    Using Common Name: onokun
    Generating a 2048 bit RSA private key
    .+++
    ........+++
    writing new private key to 'onokun.key'
    -----
    Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
    Error Loading extension section usr_cert
    3074119356:error:0E06D06C:configuration file routines:NCONF_get_string:no value:conf_lib.c:335:group=CA_default name=email_in_dn
    3074119356:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:537:
    3074119356:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=onokun

This problem is different from a reported bug that the whichopensslcnf script can not find a matching version of openssl.cnf to use (above message shows openssl-1.0.0.cnf). I performed a Google search but did not find an answer. Here is some environment information:

    ## openvpn
    OpenVPN 2.3.2 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 4 2014
    Originally developed by James Yonan

    ## openssl
    OpenSSL 1.0.1f 6 Jan 2014

    ## dpkg --get-selections | grep ssl
    libgnutls-openssl27:i386 install
    libio-socket-ssl-perl install
    libnet-smtp-ssl-perl install
    libnet-ssleay-perl install
    libssl-dev:i386 install
    libssl-doc install
    libssl0.9.8:i386 install
    libssl1.0.0:i386 install
    openssl install
    ssl-cert install

What should I look at to solve this? Thanks,

Tags: ssl, openssl, openvpn
asked Jun 17 '14 at 3:18 by Jindan Zhou; edited Feb 27 '15 at 23:56 by jww
Source of the question above: http://stackoverflow.com/questions/24255205/error-loading-extension-section-usr-cert

From http://blog.loftninjas.org/2008/11/11/configuring-ssl-requests-with-subjectaltname-with-openssl/:

certificate should match. SubjectAltName can contain email addresses, IP addresses, regular DNS host names, etc. There's a clean enough list of browser compatibility here.

Changing /etc/ssl/openssl.cnf isn't too hard, although most of the documentation is hard to grasp, especially if you're only trying to make requests. From this, I developed these changes to a standard config provided by Debian/Ubuntu.

Edit openssl.cnf and uncomment "x509_extensions = v3_ca" in the [ req ] section.

Annoyingly, nobody appears to have figured out how to get openssl to ask you for this value. I thought I was clever putting 'subjectAltName=email:move' in the v3_req section, which would put the email address you type in the subjectAltName field. I'd put in "foo@example.org, DNS:www1.example.org, DNS:www2.example.org" in the email field when 'openssl req' asked for it. Visually it worked, but the browsers didn't like it. This appears to be functionality to deal with part 4.1.2.6 of the RFC, moving email address into subjectAltName.

I thought about writing a script that would copy openssl.cnf, ask me for the value of SubjectAltName, run sed against it, then start openssl. It would appear seamless, but of course be a hack.

A better answer lies here: you can configure openssl to use environment variables. At the top of openssl.cnf, under where it sets HOME="…", I added

    SAN="email:noc@example.com"

And in [ v3_req ] I added:

    subjectAltName=${ENV::SAN}

So if you run openssl like this:

    SAN="DNS:www.1example.org, DNS:www2.example.org" \
    openssl req -new -key www.example.org.key -out www.example.org.csr

It will fill in subjectAltName with the contents of the SAN variable, otherwise will fill it with the contents specified at the top of the file.

There's no way to use conditionals (I assume). If you just leave it blank, or leave it out altogether, you get these errors:

    Unable to load config info from /usr/lib/ssl/openssl.cnf

and respectively,

    Error Loading request extension section v3_req
    27687:error:2206D06C:X509 V3 routines:X509V3_PARSE_LIS
openssl: generate certificate request with non-DNS subject alternative names

Source: http://serverfault.com/questions/596909/openssl-generate-certificate-request-with-non-dns-subject-alternative-names

To create a certificate request containing subject alternative names (SANs) for a host, with openssl, I can use a config file like this (snipped):

    [req]
    req_extensions = v3_req

    [ v3_req ]
    subjectAltName = @alt_names

    [alt_names]
    DNS = xyz.example.com

If I need to provide a distinguished name or a user principal name, how should I configure the alt_names section for a user certificate request? For example, I tried

    [alt_names]
    UPN = xyz@example.com

But I got this error:

    Error Loading request extension section v3_req
    5356:error:22075075:X509 V3 routines:v2i_GENERAL_NAME_ex:unsupported option:.\crypto\x509v3\v3_alt.c:557:name=userPrincipalName
    5356:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:.\crypto\x509v3\v3_conf.c:93:name=subjectAltName, value=@alt_names

Tags: openssl, certificate
asked May 19 '14 at 8:35 by Paolo Tedesco; edited May 19 '14 at 9:05

Accepted answer:

You can specify pretty much anything that your CA allows. The relevant RFC is RFC5280. It says in section 4.2.1.6. "Subject Alternative Name"

    The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address,

Related mailing list thread (https://lists.debian.org/debian-apache/2013/08/msg00117.html):
ssl cert gerneration instructions don't work From: "Jean-Michel Vourgère"
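
A pre-flight check for subjectAltName values, added here as an example (it is not code from any of the quoted posts or from OpenSSL). It reproduces the two rejections quoted on this page: a value with no type prefix ("missing value") and a type name the config parser does not know ("unsupported option"). The function names are hypothetical, and the accepted prefix list is an assumption based on OpenSSL's x509v3 configuration format rather than something this page lists.

```python
import ipaddress

# Name prefixes OpenSSL accepts in a subjectAltName value (case-sensitive).
# Assumption: taken from the x509v3 config format, not from this page.
SUPPORTED = ("email", "URI", "DNS", "RID", "IP", "dirName", "otherName")


def check_entry(name, value):
    """Return None if a name/value pair looks acceptable, else a reason."""
    name, value = name.strip(), value.strip()
    if not value:
        # e.g. subjectAltName=onokun: a bare word parses as a name, no value
        return f"missing value: name={name}"
    base = name.split(".", 1)[0]  # DNS.1, DNS.2, ... all count as DNS
    if base not in SUPPORTED:
        return f"unsupported option: name={name}"
    if base == "IP":
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return f"bad ip address: value={value}"
    return None


def check_inline(san):
    """Check a comma-separated value, such as the SAN environment variable."""
    pairs = (item.partition(":") for item in san.split(","))
    reasons = (check_entry(name, value) for name, _, value in pairs)
    return [r for r in reasons if r]


def check_section(lines):
    """Check the body of an [alt_names] section, one 'name = value' per line."""
    problems = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        name, _, value = line.partition("=")
        reason = check_entry(name, value)
        if reason:
            problems.append(reason)
    return problems


if __name__ == "__main__":
    # Inputs taken from the errors and commands quoted on this page.
    print(check_inline("onokun"))
    print(check_section(["[alt_names]", "UPN = xyz@example.com"]))
    print(check_inline("DNS:www.1example.org, DNS:www2.example.org"))
```

Running the check on the SAN string before exporting it catches a bare common name or an unknown type before `openssl req` or `pkitool` fails partway through key generation.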