[Eisfair] Certificate creation not possible after server move.

Frank Meyer frank at meyer.vc
Sun Mar 22 13:47:07 CET 2020


Hello everyone,

I am simply stuck here and need help...

After a server move I reinstalled the CERTS package, copied the contents of /var/certs/ssl from the old server, and updated the hashes.

All certificates (mail, domain, subdomains) were recognised and the system worked.

After I added another subdomain, a new certificate of its own was to be created.

When signing the certificate, an error occurs repeatedly.

Here is the log:

Certificate generation

Parameters
  1 - change/set certificate type: client/server
  2 - change/set certificate name: <please enter certificate name>

Certificate Authority (CA)
  6 - show CA key and certificate file location

Server/service/client certificate (sha384) (2048bits)
 == - [_] create a new key or select an existing one
 == - [_] create certificate request
 == - [_] sign certificate request with CA key
 == - [_] create Diffie-Hellman parameters (takes appr. 5min)
 == - [_] create .pem certificate and copy it to /usr/local/ssl/certs
 == - [_] create PKCS#12 document
 == - [_] check package dependent symbolic links
 == - show certificate file details

Please select (1-2,6), change (b)its/(h)ash, (q)uit? 2
Change/set certificate name

Do you want to create a (n)ew certificate or
select and (e)xisting certificate, (q)uit [q]? n

Please enter a certificate name,
e.g. 'my-server.local.lan', (q)uit [q]? sub.name.tld
Certificate generation

Parameters
  1 - change/set certificate type: client/server
  2 - change/set certificate name: sub.name.tld

Certificate Authority (CA)
  6 - show CA key and certificate file location

Server/service/client certificate (sha384) (2048bits)
 10 - [✓] create new key/select existing one [sub.name.tld] (2048bits)
 11 - [✓] create certificate request
 12 - [>] sign certificate request with CA key
 13 - [_] create Diffie-Hellman parameters (takes appr. 5min)
 14 - [_] create .pem certificate and copy it to /usr/local/ssl/certs
 15 - [_] create PKCS#12 document
 16 - [_] check package dependent symbolic links
 17 - show certificate file details

Please select (1-2,6,10-17), change (b)its/(h)ash, (q)uit? 11
Create certificate request

A certificate request /usr/local/ssl/csr/sub.name.tld.csr already exists.
Remove previously generated files (.csr, .crt, .pem, .p12),
proceed anyway (y/n) [n]? y

  /usr/local/ssl/csr/sub.name.tld.csr

Do you really want to remove these files (y/n) [n]? y
... archived.


Country code (2 letter code) [DE]?
State or province name [Nordrhein Westfalen]?
Locality name [Herten]?
Organization or company name [Heimweichware]?
Organizational unit or section name [web]?
Common name, e.g. (sub.name.tld) [ ]? sub.name.tld
Email address [frank at name.tld]? frank at name.tld

Do you want to continue (y/n) [n]? y
... done.

Press ENTER to continue
Certificate generation

Parameters
  1 - change/set certificate type: client/server
  2 - change/set certificate name: sub.name.tld

Certificate Authority (CA)
  6 - show CA key and certificate file location

Server/service/client certificate (sha384) (2048bits)
 10 - [✓] create new key/select existing one [sub.name.tld] (2048bits)
 11 - [✓] create certificate request
 12 - [>] sign certificate request with CA key
 13 - [_] create Diffie-Hellman parameters (takes appr. 5min)
 14 - [_] create .pem certificate and copy it to /usr/local/ssl/certs
 15 - [_] create PKCS#12 document
 16 - [_] check package dependent symbolic links
 17 - show certificate file details

Please select (1-2,6,10-17), change (b)its/(h)ash, (q)uit? 12
Sign certificate request with CA key


The certificate database hasn't been updated
since 20.03.2020, update it now (y/n) [y]?

0. Passphrase of your CA key.

Press ENTER to continue
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for /var/certs/ssl/private/ca.key:
Sign certificate request with CA key

CSR details:

 Public Key Algorithm: rsaEncryption
 RSA Public-Key: (2048 bit)

 Subject: C = DE, ST = Nordrhein Westfalen, L = Herten, O = Heimweichware, OU = web, CN = sub.name.tld, emailAddress = frank at name.tld
 X509v3 Subject Alternative Name: DNS:sub.name.tld

 Signature Algorithm: sha384WithRSAEncryption

Do you want to continue (y/n) [n]? y

You will be asked to enter the following data, after pressing ENTER:

 1 - Select key usage.
 2 - Select start date/validity.
 3 - Passphrase of your CA key.

Press ENTER to continue

 1 - Server usage (server)
 2 - Client usage (email)

Please choose usage type (1-2) [1]?

 1 - use default start date/validity: 2020-03-22 12:59:05 / 365 days
 2 - set individual start date/validity

Please choose desired option (1-2) [1]?
Using configuration from /usr/local/ssl/openssl-tmp.cnf
Enter pass phrase for /var/certs/ssl/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Nordrhein Westfalen'
localityName          :PRINTABLE:'Herten'
organizationName      :PRINTABLE:'Heimweichware'
organizationalUnitName:PRINTABLE:'web'
commonName            :PRINTABLE:'sub.name.tld'
emailAddress          :IA5STRING:'frank at name.tld'
ERROR:There is already a certificate for /C=DE/ST=Nordrhein Westfalen/L=Herten/O=Heimweichware/OU=web/CN=sub.name.tld/emailAddress=frank at name.tld
The matching entry has the following details
Type          :Valid
Expires on    :210320014424Z
Serial Number :27
File name     :unknown
Subject Name  :/C=DE/ST=Nordrhein Westfalen/L=Herten/O=Heimweichware/OU=web/CN=sub.name.tld/emailAddress=frank at name.tld
2888787712:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:273:group=Server_CA name=email_in_dn
2888787712:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:273:group=Server_CA name=rand_serial
... certificate generation unsuccessful!
    A valid certificate file wasn't found.

Press ENTER to continue


Many thanks in advance for your help
Frank
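The `ERROR:There is already a certificate for ...` line comes from OpenSSL's `ca` command, which with the default `unique_subject = yes` refuses to sign a request whose subject DN matches a row still marked valid in the CA database (`index.txt`, the file whose fields appear above as Type, Expires on, Serial Number, File name and Subject Name). As an added example, not code from the post or from the Eisfair CERTS package, the script below parses a constructed `index.txt` that mirrors that row and reproduces the check, and also lists rows whose expiry has passed but which still read `V` because the database has not been refreshed with `openssl ca -updatedb`. The DN uses `frank@name.tld` as a constructed stand-in for the address the list archive obfuscated.

```python
"""Reproduce OpenSSL ca's unique_subject check against an index.txt CA database."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# index.txt rows: status (V/R/E) \t expiry (YYMMDDHHMMSSZ) \t revocation date
# (empty unless revoked) \t serial (hex) \t file name ("unknown") \t subject DN.
# Constructed sample (not from a real CA): the first row mirrors the blocking
# entry shown in the post (serial 27), the second is a revoked older cert.
SAMPLE_INDEX = (
    "V\t210320014424Z\t\t27\tunknown\t/C=DE/ST=Nordrhein Westfalen/L=Herten"
    "/O=Heimweichware/OU=web/CN=sub.name.tld/emailAddress=frank@name.tld\n"
    "R\t200101000000Z\t200115120000Z\t1A\tunknown"
    "\t/C=DE/O=Heimweichware/CN=old.name.tld\n"
)

@dataclass
class IndexEntry:
    status: str    # V = valid, R = revoked, E = expired (set by -updatedb)
    expires: str   # UTCTime, e.g. 210320014424Z
    revoked: str   # revocation timestamp, empty if not revoked
    serial: str    # hex serial number
    filename: str  # "unknown" unless the CA records file names
    subject: str   # subject DN in OpenSSL one-line format

def parse_index(text: str) -> List[IndexEntry]:
    """Parse index.txt content; reject malformed rows instead of guessing."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = raw.split("\t")
        if len(fields) != 6:
            raise ValueError(f"index.txt line {lineno}: expected 6 fields, got {len(fields)}")
        entries.append(IndexEntry(*fields))
    return entries

def find_blocking_entry(entries: List[IndexEntry], subject: str) -> Optional[IndexEntry]:
    """With unique_subject = yes, openssl ca indexes only 'V' rows by subject,
    so only a still-valid row with an identical DN string blocks signing."""
    return next((e for e in entries if e.status == "V" and e.subject == subject), None)

def expires_at(entry: IndexEntry) -> datetime:
    """Convert the YYMMDDHHMMSSZ expiry field to an aware UTC datetime."""
    return datetime.strptime(entry.expires, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def stale_valid_entries(entries: List[IndexEntry], now_iso: str) -> List[str]:
    """Serials still marked 'V' whose expiry is past: the DB needs -updatedb."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return [e.serial for e in entries if e.status == "V" and expires_at(e) < now]
```

Run against a real CA by replacing `SAMPLE_INDEX` with the contents of the CA's `index.txt` and passing the CSR's subject in OpenSSL one-line format.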

