mod_md: Generate a self-signed placeholder certificate for use when a real certificate is not available

Steps to reproduce:

Run Apache with a failing MD config (e.g. see #31), and try to connect via SSL (e.g. curl -k https://172.17.0.2:443).

Expected result: Bogus certificate

Actual result:

curl: (35) gnutls_handshake() failed: Error in the pull function.

In the Apache error logs, I see:

[Sat Aug 19 15:49:00.906790 2017] [ssl:error] [pid 9] [client 172.17.0.1:58708] AH01962: Unable to create a new SSL connection from the SSL context
[Sat Aug 19 15:49:00.907038 2017] [ssl:error] [pid 9] SSL Library Error: error:02001002:system library:fopen:No such file or directory (fopen('/apache/md/domains/powerdns.crud.net/pkey.pem','r'))
[Sat Aug 19 15:49:00.907101 2017] [ssl:error] [pid 9] SSL Library Error: error:2006D080:BIO routines:BIO_new_file:no such file
[Sat Aug 19 15:49:00.907110 2017] [ssl:error] [pid 9] SSL Library Error: error:02001002:system library:fopen:No such file or directory (fopen('/apache/md/domains/powerdns.crud.net/pkey.pem','r'))
[Sat Aug 19 15:49:00.907134 2017] [ssl:error] [pid 9] SSL Library Error: error:2006D080:BIO routines:BIO_new_file:no such file
[Sat Aug 19 15:49:00.907143 2017] [ssl:error] [pid 9] SSL Library Error: error:02001002:system library:fopen:No such file or directory (fopen('/apache/md/domains/powerdns.crud.net/pkey.pem','r'))
[Sat Aug 19 15:49:00.907151 2017] [ssl:error] [pid 9] SSL Library Error: error:2006D080:BIO routines:BIO_new_file:no such file
[Sat Aug 19 15:49:00.907204 2017] [ssl:error] [pid 9] SSL Library Error: error:140BA0C3:SSL routines:SSL_new:null ssl ctx

Ideally mod_md should generate a placeholder self-signed certificate for use when there is no real cert available, so handshakes can be completed. This will also avoid spamming the error logs in such a situation.

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 23 (19 by maintainers)

Most upvoted comments

Thanks, this should be fixed in v0.9.7 now.

Aha, gnutls-cli provides more info. Specifically, “extensions present in certificate with version 1.” I think you need to set the certificate version to 3 (as in x509v3). Also, I’d recommend setting CA:FALSE instead of TRUE, just to avoid any potential confusion or trouble.

$ gnutls-cli  -p 443 powerdns.crud.net -d 2
Processed 173 CA certificate(s).
Resolving 'powerdns.crud.net'...
Connecting to '45.55.14.235:443'...
|<2>| error: extensions present in certificate with version 1
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

$ gnutls-cli --version
gnutls-cli 3.4.10
Copyright (C) 2000-2016 Free Software Foundation, and others, all rights reserved.
This is free software. It is licensed for use, modification and
redistribution under the terms of the GNU General Public License,
version 3 or later <http://gnu.org/licenses/gpl.html>


Please send bug reports to:  <bugs@gnutls.org>
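As an added illustration of the diagnosis in this comment (and of the placeholder-certificate request in the issue body), not code from mod_md or from the commenter: a stdlib-only Python DER walker that reports the X.509 version, whether any extensions are present, and the basicConstraints cA flag, which are exactly the properties GnuTLS tripped over. The sample certificates it builds are constructed inline and unsigned (dummy key and signature bits), because only the TBSCertificate structure matters for these checks; all function names and the helper layout are my own.

```python
# Added example, not mod_md code: a minimal DER walker (stdlib only) that reports
# the two certificate properties discussed in this thread, the X.509 version
# versus the presence of extensions, and the basicConstraints cA flag.

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19 (id-ce-basicConstraints)


def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER tag-length-value; used only to build the constructed samples."""
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, body_start, body_end) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next (length & 0x7f) bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, body_start, body_end) for each TLV directly inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, bstart, bend = _read_tlv(buf, pos)
        yield tag, bstart, bend
        pos = bend


def _basic_constraints_ca(value):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLen INTEGER OPTIONAL }."""
    _, s, e = _read_tlv(value, 0)
    for tag, bs, _ in _children(value, s, e):
        if tag == 0x01:
            return value[bs] != 0
    return False                            # DER omits the default value, i.e. cA is FALSE


def inspect_certificate(der):
    """Return the version (1..3), whether extensions exist, and the cA flag (None if absent)."""
    _, cert_s, _ = _read_tlv(der, 0)                 # Certificate SEQUENCE
    _, tbs_s, tbs_e = _read_tlv(der, cert_s)         # tbsCertificate is its first element
    fields = list(_children(der, tbs_s, tbs_e))
    version = 1                                      # [0] version is absent for v1
    if fields and fields[0][0] == 0xA0:
        _, vs, ve = _read_tlv(der, fields[0][1])
        version = int.from_bytes(der[vs:ve], "big") + 1
    ext_start = next((bs for tag, bs, _ in fields if tag == 0xA3), None)   # [3] extensions
    ca = None
    if ext_start is not None:
        _, xs, xe = _read_tlv(der, ext_start)        # Extensions SEQUENCE
        for _, es, ee in _children(der, xs, xe):     # each Extension SEQUENCE
            parts = list(_children(der, es, ee))     # OID, [critical], OCTET STRING
            if der[parts[0][1]:parts[0][2]] == BASIC_CONSTRAINTS_OID:
                ca = _basic_constraints_ca(der[parts[-1][1]:parts[-1][2]])
    return {"version": version, "has_extensions": ext_start is not None, "ca": ca}


def acceptable_placeholder(der):
    """Apply the two rules from the comment: extensions require v3, and cA must not be TRUE."""
    info = inspect_certificate(der)
    if info["has_extensions"] and info["version"] != 3:
        return False                                 # the case GnuTLS rejected above
    return info["ca"] is not True


def build_sample_cert(version3, ca_true):
    """Constructed, unsigned sample (dummy key and signature); only its structure matters."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    bc = tlv(0x30, tlv(0x01, b"\xff") if ca_true else b"")
    ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID) + tlv(0x01, b"\xff") + tlv(0x04, bc))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) if version3 else b""            # [0] version v3
    tbs += tlv(0x02, b"\x01")                                            # serialNumber
    tbs += alg                                                           # signature
    tbs += tlv(0x30, b"")                                                # issuer (empty Name)
    tbs += tlv(0x30, tlv(0x17, b"170819000000Z") * 2)                    # validity
    tbs += tlv(0x30, b"")                                                # subject
    tbs += tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101"))
                         + tlv(0x05, b"")) + tlv(0x03, b"\x00\x00"))     # dummy SPKI
    tbs += tlv(0xA3, tlv(0x30, ext))                                     # [3] extensions
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00\x00"))


if __name__ == "__main__":
    for label, cert in (("v1 + extensions, CA:TRUE", build_sample_cert(False, True)),
                        ("v3 + extensions, CA:FALSE", build_sample_cert(True, False))):
        print(label, inspect_certificate(cert),
              "acceptable" if acceptable_placeholder(cert) else "rejected")
```

To run it against a real placeholder, feed `inspect_certificate` the DER bytes of the certificate file (for PEM input, base64-decode the body between the BEGIN/END lines first); a result of version 1 with `has_extensions` true is the combination that produced the "extensions present in certificate with version 1" error shown above.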

JFTR, I finally got to creating a libapache2-mod-md package, available from ppa:ondrej/apache2.

I like this proposal. However, I need to touch the mod_md/mod_ssl interface for this one. So, I prefer to delay any change here until I touch that part again.