Solved ssl-admin bss_file.c

I have ssl-admin-1.2.1_1 installed and it looks like I can't generate certificates anymore.
This worked before; it's been a few months since I last generated a certificate, and since then a few pkg and system updates have been done. When I try to generate a new certificate I get the following error:
Code:
 % sudo ssl-admin
This program will walk you through requesting, signing,
organizing and revoking SSL certificates.

ssl-admin installed Fri Jul 26 22:28:51 UTC 2019
OPTIONAL: I can't find your OpenVPN client config.  Please copy your config to
/usr/local/etc/ssl-admin/packages/client.ovpn

=====================================================
#               SSL-ADMIN v~~~VERSION~~~                    #
=====================================================
Please enter the menu option from the following list:
1) Update run-time options:
     Key Duration (days): 3650
     Current Serial #: 17
     Key Size (bits): 4096
     Intermediate CA Signing: NO
2) Create new Certificate Request
3) Sign a Certificate Request
4) Perform a one-step request/sign
5) Revoke a Certificate
6) Renew/Re-sign a past Certificate Request
7) View current Certificate Revokation List
8) View index information for certificate.
i) Generate a user config with in-line certifcates and keys.
z) Zip files for end user.
dh) Generate Diffie Hellman parameters.
CA) Create new Self-Signed CA certificate.
S) Create new Signed Server certificate.
q) Quit ssl-admin

Menu Item: 4
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner []: hostname.com


File names will use hostname.com.
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner [hostname.com]:
Would you like to password protect the private key (y/n): n
Invalid command 'req_v3'; type "help" for a list.
===> Serial Number = 17
=========> Signing request for hostname.com
Using configuration from /usr/local/etc/ssl-admin/openssl.conf
34371153920:error:02001002:system library:fopen:No such file or directory:/usr/src/crypto/openssl/crypto/bio/bss_file.c:69:fopen('hostname.com.csr','r')
34371153920:error:2006D080:BIO routines:BIO_new_file:no such file:/usr/src/crypto/openssl/crypto/bio/bss_file.c:76:
There was an error during openssl execution.  Please look for error messages above. at /usr/local/bin/ssl-admin line 161, <> line 4.

bss_file.c is indeed missing
Code:
% file /usr/src/crypto/openssl/crypto/bio/bss_file.c
/usr/src/crypto/openssl/crypto/bio/bss_file.c: cannot open `/usr/src/crypto/openssl/crypto/bio/bss_file.c' (No such file or directory)
% ll /usr/src
total 9
drwxr-xr-x   2 root  wheel     2B Dec  7  2018 .
drwxr-xr-x  16 root  wheel    16B Jul 22  2019 ..

Re-installing ssl-admin didn't help. 
Any ideas?
 
It's part of the system source tree.
I have it on both 12.3 and 13.0.
Install src or use git/gitup to fetch it.
 
I think those are debug messages to say where in the source files the error is thrown.

it can’t open a file called “hostname.com.csr”

You entered “hostname.com” and it is looking for a .csr file.
 
Thank you covacat, I did install the src but I'm getting almost the same error; the only difference is the numbers in front of the "error".
The files do exist
Code:
% ll /usr/src/crypto/openssl/crypto/bio/bss_file.c
-rw-r--r--  1 root  wheel    11K Dec  1 19:21 /usr/src/crypto/openssl/crypto/bio/bss_file.c
Code:
File names will use hostname.com.
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner [hostname.com]: hostname.com
Would you like to password protect the private key (y/n): n
Invalid command 'req_v3'; type "help" for a list.
===> Serial Number = 17
=========> Signing request for hostname.com
Using configuration from /usr/local/etc/ssl-admin/openssl.conf
34371141632:error:02001002:system library:fopen:No such file or directory:/usr/src/crypto/openssl/crypto/bio/bss_file.c:69:fopen('hostname.com.csr','r')
34371141632:error:2006D080:BIO routines:BIO_new_file:no such file:/usr/src/crypto/openssl/crypto/bio/bss_file.c:76:
There was an error during openssl execution.  Please look for error messages above. at /usr/local/bin/ssl-admin line 161, <> line 4.

richardtoohey2, ssl-admin should be generating the CSRs; at least it used to a few months ago. Though I did try creating one myself and placing it under /usr/local/etc/ssl-admin/csr/, it didn't help.
 
I didn't read the first log carefully enough.
The error comes from /usr/src/crypto/openssl/crypto/bio/bss_file.c, but the file is not actually needed;
it's just where openssl bombs because it can't open the csr file.
richardtoohey2 is probably right.
 
covacat, I also tried a fresh install of ssl-admin on a fresh VM; it has the same error.
In October there was an update to ssl-admin but not seeing CSR related updates.
 
I tried doing a 2) Create new Certificate Request
Code:
Menu Item: 2
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner []: hostname.com


File names will use hostname.com.
Please enter certificate owner's name or ID.
Usual format is first initial-last name (jdoe) or
hostname of server which will use this certificate.
All lower case, numbers OK.
Owner [hostname.com]: hostname.com
Would you like to password protect the private key (y/n): n
Invalid command 'req_v3'; type "help" for a list.

I think req_v3 can be found here
Code:
grep req /usr/local/etc/ssl-admin/openssl.conf
[ req ]
distinguished_name        = req_distinguished_name
req_extensions            = v3_req
[ req_distinguished_name ]
[ v3_req ]
 
Try this patch, or edit it manually at /usr/local/bin/ssl-admin

Code:
--- ssl-admin   2022-01-17 10:30:56.000000000 +0200
+++ ssl-admin_v2        2022-01-30 23:40:55.362215000 +0200
@@ -141,9 +141,9 @@
                chomp($yn = <>);
        } until $yn =~ m/^[yn]$/;
        if ($yn eq "y") {
-               system("cd $working_dir && openssl req_v3 -new -keyout $cn.key -out $cn.csr -config $key_config -batch");
+               system("cd $working_dir && openssl req -new -keyout $cn.key -out $cn.csr -config $key_config -batch -extensions v3_req");
        } elsif ($yn eq "n") {
-               system("cd $working_dir && openssl req_v3 -nodes -new -keyout $cn.key -out $cn.csr -config $key_config -batch");
+               system("cd $working_dir && openssl req -nodes -new -keyout $cn.key -out $cn.csr -config $key_config -batch -extensions v3_req");
        }
 }
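Review bot: both rewritten system() lines still interpolate $cn and $working_dir unquoted into a shell string (`-keyout $cn.key -out $cn.csr`), so an owner name containing a space or a shell metacharacter breaks the command or is executed by /bin/sh; the prompt only documents the "All lower case, numbers OK" rule, it does not enforce it, so validate $cn before it reaches system(), e.g. `die "bad owner name" unless $cn =~ /^[a-z0-9.-]+$/;`. Separately, `-extensions v3_req` duplicates the `req_extensions = v3_req` already set in the [ req ] section of the config shown earlier in the thread, so it is harmless but redundant.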

Note:
ssl-admin is not updated, and some defaults in openssl.cnf have changed, like the default message digest, which is set to SHA1. You may want to change it to SHA256, but you will need a new CA cert.
 
I patched security/ssl-admin with this - it solved the problem in question. However, I think removing the patch solves another problem: "unsupported certificate purpose" see https://github.com/ecrist/ssl-admin/issues/5
 
Check version 3 key usages of x509
Don't make me comprehend man pages. They hurt. ;)

From that man page, serverAuth and clientAuth stand out. I suppose I need to learn more about them and do some tests. However, if you understand more, please spell it out for me.

That seems to fit in with TLS Web Client Authentication which I found in the text of issue #5

extendedKeyUsage appears within /usr/local/etc/ssl-admin/openssl.conf in two places:

Code:
[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints=CA:FALSE
nsCertType          = server
nsComment           = "ssl-admin (OpenSSL) Generated Server Certificate"
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid,issuer:always
extendedKeyUsage        = serverAuth
keyUsage            = digitalSignature, keyEncipherment

and

Code:
[ v3_req ]
basicConstraints        = CA:FALSE
keyUsage            = keyAgreement, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage        = clientAuth
crlDistributionPoints       = $ENV::KEY_CRL_LOC
 
[ v3_req ]

# Extensions to add to a certificate request

[ usr_cert ]

# These extensions are added when 'ca' signs a request.

I can take a more detailed look during the weekend to see what exactly the ssl-admin script performs when you ask for a one-step request/sign. More likely you are trying to add the v3_req section into a client certificate, which fails to add the key usages for the client certificate.

Here's a good example of different cert types and their key usages:

Edit:
I don't use ssl-admin, so it will take some time till I check the code; meanwhile you can look at easy-rsa from the OpenVPN project, which is essentially the same CA management script as ssl-admin.
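As an added illustration (not from the thread, and not ssl-admin's own code), the following Python script reads the [ server ] and [ v3_req ] sections quoted earlier and applies the simplified extendedKeyUsage / nsCertType / keyUsage rules behind the "SSL client" and "SSL server" rows of `openssl x509 -purpose`; it shows why a certificate signed with `-extensions v3_req` (extendedKeyUsage = clientAuth) comes out as SSL server: No, which is the "unsupported certificate purpose" symptom. The config excerpt is constructed from the thread's snippets, and the CA-chain checks OpenSSL also applies are left out.

```python
import re
# Constructed excerpt mirroring the [ server ] and [ v3_req ] sections quoted
# from /usr/local/etc/ssl-admin/openssl.conf earlier in the thread.
OPENSSL_CONF = """
[ server ]
nsCertType          = server
extendedKeyUsage    = serverAuth
keyUsage            = digitalSignature, keyEncipherment

[ v3_req ]
keyUsage            = keyAgreement, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage    = clientAuth
"""

def parse_conf(text):
    """Minimal openssl.conf reader: {section: {key: [values]}}; comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[\s*(\S+)\s*\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = [v.strip() for v in value.split(",")]
    return sections
# Simplified rules behind the "SSL client" / "SSL server" rows of
# `openssl x509 -purpose`: (required EKU, required nsCertType, usable keyUsage
# bits). Assumption: the CA-chain checks OpenSSL also applies are left out.
PURPOSES = {
    "SSL client": ("clientAuth", "client", {"digitalSignature"}),
    "SSL server": ("serverAuth", "server",
                   {"digitalSignature", "keyEncipherment", "keyAgreement"}),
}

def purposes(section):
    """Predict {purpose: bool} for a cert signed with this extension section.
    An extension only restricts when present; an empty section allows all."""
    result = {}
    for name, (eku, nstype, ku_bits) in PURPOSES.items():
        ok = eku in section.get("extendedKeyUsage", [eku])
        ok = ok and nstype in section.get("nsCertType", [nstype])
        ok = ok and bool(ku_bits & set(section.get("keyUsage", ku_bits)))
        result[name] = ok
    return result
if __name__ == "__main__":   # the thread's symptom: v3_req gives SSL server: False
    print(purposes(parse_conf(OPENSSL_CONF)["v3_req"]))
```

A CA certificate with no extendedKeyUsage at all, like the one whose `-purpose` output appears later in the thread, passes every row, which is why the CA itself does not explain the error.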
 
It may be time to make a change.

I see I used that tool back in 2008 and I don't see why or when I started using ssl-admin.

I think ssl-admin is now unmaintained whereas security/easy-rsa seems active.

It might be easier to change tools, hoping I can continue using the old certs - I'd be using the same CA.
 
On the clean install with default config ssl-admin is working. Can you share your ssl-admin.conf (you can remove personal info from it) and /usr/local/etc/ssl-admin/openssl.conf?
 
I just did a diff, I have minor changes from the sample file.

Full file attached. Diff supplied here:

Code:
[17:03 mydev dan ~] % sudo diff -ruN /usr/local/etc/ssl-admin/openssl.conf.sample /usr/local/etc/ssl-admin/openssl.conf 
--- /usr/local/etc/ssl-admin/openssl.conf.sample    2023-08-01 08:26:04.000000000 +0000
+++ /usr/local/etc/ssl-admin/openssl.conf    2022-11-23 01:08:04.030585000 +0000
@@ -12,8 +12,8 @@
 certificate            = $dir/active/ca.crt
 private_key            = $dir/active/ca.key
 default_days            = $ENV::KEY_DAYS
-default_crl_days        = 30
-default_md            = sha1
+default_crl_days        = 3650
+default_md            = sha256
 preserve            = no
 email_in_dn            = yes
 nameopt                = default_ca
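Review bot: `default_crl_days = 3650` makes every CRL this CA issues carry a nextUpdate ten years out, so a relying party that only refreshes the CRL when it expires can keep trusting a certificate revoked in the meantime (menu option 5, Revoke a Certificate, exists for exactly that case); the sample's 30 days, or any value matching how often the CRL is actually regenerated, is the safer setting. The `default_md` change from sha1 to sha256 in this CA section is the right direction and only affects certificates signed after the change.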
@@ -40,7 +40,7 @@
 [ req ]
 default_bits            = $ENV::KEY_SIZE
 default_keyfile         = privkey.pem
-default_md            = md5
+default_md            = sha256
 string_mask            = nombstr
 distinguished_name        = req_distinguished_name
 req_extensions            = v3_req
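Review bot: `default_md = sha256` in [ req ] only governs the digest used to sign the CSR itself (and any `-x509` self-signed certificate); the signature on an issued certificate comes from the `default_md` of the CA section changed in the previous hunk, so both edits are needed for a SHA-256 chain, and, as noted earlier in the thread, an existing CA certificate signed with SHA-1 stays SHA-1 until it is re-issued.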
 

I can't reproduce the error on 13.2-RELEASE with OpenSSL 1.1.1-t-freebsd 7 Feb 2023
Which version of OpenSSL do you use?
 
Code:
[20:02 mydev dan ~] % uname -a
FreeBSD mydev.int.unixathome.org 13.2-RELEASE-p2 FreeBSD 13.2-RELEASE-p2 GENERIC amd64

[20:02 mydev dan ~] % openssl version
OpenSSL 1.1.1t-freebsd  7 Feb 2023
 
There are two things which come to mind:

* ssl-admin has a local patch to fix the original problem mentioned in this ticket
* that patch introduced the 'unsupported certificate purpose' problem I recently mentioned

To reproduce the original problem, build ssl-admin without the file/patch-* file - I don't know the file right now
 
I'm building it from latest ports
TIMESTAMP = 1631537220
SHA256 (ecrist-ssl-admin-v1.2.1_GH0.tar.gz) = 7afeb320398a3ef6474b1db446ba0115297401d205da8dc44165c1e1d0e05557

The patch is included in it.

I've just created a new VM to test it and I can't reproduce the error on a fresh install.

Edit:
I hit another error. If I use an intermediate CA, the script includes "-batch" and fails to sign the certificate

Here's the relevant part:
Code:
 elsif ($intermediate eq "YES"){
                print "=========> Signing new Intermediate CA request for $cn\n";
                `cd $working_dir && openssl ca -config $key_config -policy policy_new_ca -out $cn.crt -extensions v3_ca -infiles $cn.csr -batch`;

18668416876544:error:02001002:system library:fopen:No such file or directory:/usr/src/crypto/openssl/crypto/bio/bss_file.c:69:fopen('-batch','r')
18668416876544:error:2006D080:BIO routines:BIO_new_file:no such file:/usr/src/crypto/openssl/crypto/bio/bss_file.c:76:
There was an error during openssl execution. Please look for error messages above. at /usr/local/bin/ssl-admin line 161, <> line 22.

It should look like this:

Code:
--- ssl-admin   2023-08-18 18:01:05.073455000 +0300
+++ ssl-admin_patched   2023-08-18 23:38:29.088574000 +0300
@@ -156,7 +156,7 @@
                `cd $working_dir && openssl ca -config $key_config -days $key_days -out $cn.crt -in $cn.csr -batch -extensions v3_req`;
        } elsif ($intermediate eq "YES"){
                print "=========> Signing new Intermediate CA request for $cn\n";
-               `cd $working_dir && openssl ca -config $key_config -policy policy_new_ca -out $cn.crt -extensions v3_ca -infiles $cn.csr -batch`;
+               `cd $working_dir && openssl ca -config $key_config -policy policy_new_ca -out $cn.crt -extensions v3_ca -infiles $cn.csr`;
        }
        if ($? != 0){ die "There was an error during openssl execution.  Please look for error messages above."; }
        print "=========> Moving certificates and keys to $working_dir/active for production.\n";
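Review bot: dropping `-batch` instead of moving it leaves `openssl ca` interactive ("Sign the certificate? [y/n]") inside a backtick command that provides no stdin answer, so the intermediate-CA path now prompts instead of failing. The root cause visible in the error above is that `-infiles` must be the last option, everything after it is read as an input file name, hence `fopen('-batch','r')`; the context line for the normal case works because `-in $cn.csr` takes exactly one argument. Keep the flag and reorder: `openssl ca -config $key_config -policy policy_new_ca -out $cn.crt -extensions v3_ca -batch -infiles $cn.csr`.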

Regarding your issue, it may be related to the extendedKeyUsage of your CA certificate. Can you post the output of

Code:
openssl x509 -noout -purpose -in /usr/local/etc/ssl-admin/active/ca.crt

Certificate purposes:
SSL client : Yes
SSL client CA : Yes
SSL server : Yes
SSL server CA : Yes
Netscape SSL server : Yes
Netscape SSL server CA : Yes
S/MIME signing : Yes
S/MIME signing CA : Yes
S/MIME encryption : Yes
S/MIME encryption CA : Yes
CRL signing : Yes
CRL signing CA : Yes
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : Yes
Time Stamp signing : No
Time Stamp signing CA : Yes
 