Who is responsible for the UK grid certificates?
I have had no response to several emails sent to the support email address ([log in to unmask]) over the last 3 days.
dan
________________________________________
From: Daniel Traynor <[log in to unmask]>
Sent: 19 April 2024 11:14
To: [log in to unmask]
Cc: [log in to unmask]
Subject: Fw: cert renewal with Subject Alternative Names for webdav.esc.qmul.ac.uk
Trying to do some debugging, I note that the temp config script that is produced has
...
[SAN]
subjectAltName=DNS:webdav.esc.qmul.ac.uk,DNS:se03.esc.qmul.ac.uk,DNS:se04.esc.qmul.ac.uk,DNS:se05.esc.qmul.ac.uk
where webdav.esc.qmul.ac.uk is the CN and the SEs are the actual servers
This matches the entries in the original certificate
X509v3 Subject Alternative Name:
DNS:webdav.esc.qmul.ac.uk, DNS:se03.esc.qmul.ac.uk, DNS:se04.esc.qmul.ac.uk, DNS:se05.esc.qmul.ac.uk
So why does the renew request produce the error?
bin/cli -d renew -c PeCR.cfg --keyout newwebdavhostkey.pem --server --authkey webdavhostkey.pem --authcert webdavhostcert.pem
....
running: /usr/bin/openssl req -new -key newwebdavhostkey.pem -subj "/C=UK/O=eScience/OU=QueenMaryLondon/L=Physics/CN=webdav.esc.qmul.ac.uk" -config /tmp/7bKh7Io3YO -reqexts SAN
....
Error in your request. Server returned
<?xml version="1.0" standalone="no"?><error><request><method>POST</method><location>/CSR</location><time>2024-04-19 10:52:41</time></request><status><major><code>9</code><text>Deprecated - check minor element</text></major><minor><code>9</code><text>SANS_DO_NOT_MATCH_EXISTING_CERT: The Subject Alternate Names for this host certificate request do not match those of the existing certificate. We do not support renewal with adding or removing SANs, please re-apply. SANS_DO_NOT_MATCH_EXISTING_CERT: The Subject Alternate Names for this host certificate request do not match those of the existing certificate. We do not support renewal with adding or removing SANs, please re-apply. SANS_DO_NOT_MATCH_EXISTING_CERT: The Subject Alternate Names for this host certificate request do not match those of the existing certificate. We do not support renewal with adding or removing SANs, please re-apply. </text></minor></status></error>
The error appears to come from the server side!
dan
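The command above shows the shape of the request PeCR builds: a temp config with a [SAN] section selected via -reqexts SAN, plus -subj for the DN. The following is an added example, not code from the thread or from the PeCR tool, that does the same thing by hand and adds the pre-flight check a practitioner wants before submitting: copy the subject and the SAN list verbatim from the existing certificate into a new CSR, then compare the SANs of the CSR against those of the certificate locally, so a mismatch is caught before the CA returns SANS_DO_NOT_MATCH_EXISTING_CERT. It assumes openssl on PATH; the host names (webdav.example.org, se03.example.org, se04.example.org) and the self-signed fixture standing in for the existing host certificate are constructed for the example. It cannot explain why the CA rejects a CSR whose SANs do match; that decision is made server-side.

```shell
#!/bin/sh
# Added example (not PeCR code): build a renewal CSR whose SAN list is copied
# verbatim from the existing certificate, then prove the CSR carries the same
# SANs before submitting it. Host names are constructed for the example.
set -eu

# SAN list of a certificate as one comma-separated string, e.g. "DNS:a,DNS:b",
# in the order the certificate lists them (matches the [SAN] config syntax).
san_of_cert() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); gsub(/, /, ","); print; exit }'
}

# Same, for a PKCS#10 request (the SANs sit under "Requested Extensions").
san_of_csr() {
  openssl req -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); gsub(/, /, ","); print; exit }'
}

# Subject of a certificate in the "/C=UK/O=.../CN=..." form that
# "openssl req -subj" expects.
subject_of_cert() {
  openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# make_csr DIR SUBJECT SANS OUT: fresh key + CSR carrying exactly SANS, using
# the same [SAN] section / -reqexts SAN layout as the PeCR temp config.
make_csr() {
  cdir=$1 csubj=$2 csans=$3 cout=$4
  cat > "$cdir/csr.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[SAN]
subjectAltName=$csans
EOF
  openssl genrsa -out "$cdir/newkey.pem" 2048 2>/dev/null
  openssl req -new -key "$cdir/newkey.pem" -subj "$csubj" \
    -config "$cdir/csr.cnf" -reqexts SAN -out "$cout" 2>/dev/null
}

# make_renewal_csr DIR CERT OUT: subject and SANs copied from CERT, nothing
# added or removed, which is what the renewal error message demands.
make_renewal_csr() {
  make_csr "$1" "$(subject_of_cert "$2")" "$(san_of_cert "$2")" "$3"
}

# Pre-flight check: returns 0 if CSR and cert carry identical SAN lists.
sans_match() {
  [ "$(san_of_cert "$1")" = "$(san_of_csr "$2")" ]
}

# Constructed fixture standing in for the existing host cert: self-signed,
# CN plus SANs, same layout as the webdav/se03..se05 certificate in the thread.
make_existing_cert() {
  fdir=$1
  cat > "$fdir/old.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
C = UK
O = eScience
CN = webdav.example.org
[SAN]
subjectAltName=DNS:webdav.example.org,DNS:se03.example.org,DNS:se04.example.org
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$fdir/old.cnf" \
    -extensions SAN -keyout "$fdir/oldkey.pem" -out "$fdir/oldcert.pem" 2>/dev/null
}

demo() {
  work=$(mktemp -d)
  make_existing_cert "$work"
  make_renewal_csr "$work" "$work/oldcert.pem" "$work/renew.csr"
  echo "cert SANs: $(san_of_cert "$work/oldcert.pem")"
  echo "csr  SANs: $(san_of_csr "$work/renew.csr")"
  if sans_match "$work/oldcert.pem" "$work/renew.csr"; then
    echo "OK: CSR SANs match the existing certificate, safe to submit"
  else
    echo "MISMATCH: expect SANS_DO_NOT_MATCH_EXISTING_CERT from the CA"
  fi
  rm -rf "$work"
}
demo
```

Run it against the real files by replacing the fixture with the current hostcert, e.g. `make_renewal_csr . webdavhostcert.pem renew.csr && sans_match webdavhostcert.pem renew.csr`. The comparison is order-preserving on purpose: a CSR that passes it would also pass any looser set comparison the CA might apply.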
________________________________________
From: Daniel Traynor <[log in to unmask]>
Sent: 18 April 2024 15:16
To: [log in to unmask]
Subject: Fw: cert renewal with Subject Alternative Names for webdav.esc.qmul.ac.uk
I still can't renew this request for webdav.esc.qmul.ac.uk
I've started with a fresh install of the CLI tool on el9 and still no luck
I need to renew this certificate by tomorrow (Friday) or our storage will stop working.
bin/cli renew -c PeCR.cfg --keyout newwebdavhostkey.pem --pin 6579765798 --server --authkey webdavhostkey.pem --authcert webdavhostcert.pem
bin/cli renew -c PeCR.cfg --cn webdav.esc.qmul.ac.uk --keyout newwebdavhostkey.pem --pin 6579765798 --server --authkey webdavhostkey.pem --authcert webdavhostcert.pem
bin/cli renew -c PeCR.cfg --cn webdav.esc.qmul.ac.uk --keyout newwebdavhostkey.pem --pin 6579765798 --server --authkey webdavhostkey.pem --authcert webdavhostcert.pem --san se03.esc.qmul.ac.uk --san se04.esc.qmul.ac.uk --san se05.esc.qmul.ac.uk
all give the same error
Error in your request. Server returned
<?xml version="1.0" standalone="no"?><error><request><method>POST</method><location>/CSR</location><time>2024-04-18 15:13:55</time></request><status><major><code>9</code><text>Deprecated - check minor element</text></major><minor><code>9</code><text>SANS_DO_NOT_MATCH_EXISTING_CERT: The Subject Alternate Names for this host certificate request do not match those of the existing certificate. We do not support renewal with adding or removing SANs, please re-apply. SANS_DO_NOT_MATCH_EXISTING_CERT: The Subject Alternate Names for this host certificate request do not match those of the existing certificate. We do not support renewal with adding or removing SANs, please re-apply. SANS_DO_NOT_MATCH_EXISTING_CERT: The Subject Alternate Names for this host certificate request do not match those of the existing certificate. We do not support renewal with adding or removing SANs, please re-apply. </text></minor></status></error>
dan
________________________________________
From: Daniel Traynor <[log in to unmask]>
Sent: 17 April 2024 16:16
To: [log in to unmask]
Subject: cert renewal with Subject Alternative Names
I've managed to get the CLI tool to submit a request for a new certificate but am unable to get a renewal request for a certificate with a SAN, e.g.
I have a cert (webdav.esc.qmul.ac.uk) with Subject Alternative Names
X509v3 Subject Alternative Name:
DNS:webdav.esc.qmul.ac.uk, DNS:se03.esc.qmul.ac.uk, DNS:se04.esc.qmul.ac.uk, DNS:se05.esc.qmul.ac.uk
I've tried a number of combinations to renew but get the same error, that the SANs of the request do not match the existing certificate:
bin/cli renew -c PeCR.cfg --keyout webdav.esc.qmul.ac.uk.key.pem --pin xxxxxxxxx --server --authkey hostkey.pem.se03 --authcert hostcert.pem.se03
or
bin/cli renew -c PeCR.cfg --cn webdav.esc.qmul.ac.uk --san se03.esc.qmul.ac.uk --san se04.esc.qmul.ac.uk --san se05.esc.qmul.ac.uk --keyout webdav.esc.qmul.ac.uk.key.pem --pin XXXXXXXXXXX --server --authkey hostkey.pem.se03 --authcert hostcert.pem.se03
+ others
result is
Please enter the passphrase to protect your new private key with
PEM pass phrase:
Please retype passphrase for verification
PEM pass phrase:
Generating RSA private key, 2048 bit long modulus
....................................+++
.......................................................................................+++
e is 65537 (0x10001)
No email address found in certificate hostcert.pem.se03, using email address from configuration at /home/hep/traynor/PeCR/lib/PeCR.pm line 91.
requesting dn: /C=UK/O=eScience/OU=QueenMaryLondon/L=Physics/CN=webdav.esc.qmul.ac.uk
PEM pass phrase:
errors: 1
Error in your request. Server returned
<?xml version="1.0" standalone="no"?><error><request><method>POST</method><location>/CSR</location><time>2024-04-17 16:04:55</time></request><status><major><code>9</code><text>Deprecated - check minor element</text></major><minor><code>9</code><text>SANS_DO_NOT_MATCH_EXISTING_CERT: The Subject Alternate Names for this host certificate request do not match those of the existing certificate. We do not support renewal with adding or removing SANs, please re-apply. SANS_DO_NOT_MATCH_EXISTING_CERT: The Subject Alternate Names for this host certificate request do not match those of the existing certificate. We do not support renewal with adding or removing SANs, please re-apply. SANS_DO_NOT_MATCH_EXISTING_CERT: The Subject Alternate Names for this host certificate request do not match those of the existing certificate. We do not support renewal with adding or removing SANs, please re-apply. </text></minor></status></error>
########################################################################
To unsubscribe from the TB-SUPPORT list, click the following link:
https://www.jiscmail.ac.uk/cgi-bin/WA-JISC.exe?SUBED1=TB-SUPPORT&A=1
This message was issued to members of www.jiscmail.ac.uk/TB-SUPPORT, a mailing list hosted by www.jiscmail.ac.uk, terms & conditions are available at https://www.jiscmail.ac.uk/policyandsecurity/