Shell SSL certificate generation: begin date wrong.

Hello.
I've made a script that generates an SSL certificate for the squid proxy.
The certificate is generated normally, but when downloading it and trying to install it on Windows, it shows the wrong begin date.
The script is called from a CGI module executed by lighttpd.
Bash:
#!/bin/sh
#------------------------------------------------------------------
# Program to generate SSL certificate for squid.
#------------------------------------------------------------------
# BSD commands
#------------------------------------------------------------------
C_mkdir="/bin/mkdir"
C_cp="/bin/cp"
C_mv="/bin/mv"
C_rm="/bin/rm"
C_service="/usr/sbin/service"
C_chown="/usr/sbin/chown"
C_openssl="/usr/bin/openssl"
C_wget="/usr/local/bin/wget"
C_security_file_certgen="/usr/local/libexec/squid/security_file_certgen"
C_stat="/usr/bin/stat"
C_squid="/usr/local/sbin/squid"
#------------------------------------------------------------------
# Directories & files
#------------------------------------------------------------------
C_squid_fldr_root="/var/ucos/sslkeys/squid/"
C_squid_fldr_certs="${C_squid_fldr_root}certs/"
C_squid_fldr_certs_db="/var/squid/cache/db"
C_squid_pem_cert="${C_squid_fldr_certs}squidCA.pem"
C_squid_mep_cert="${C_squid_fldr_certs}squidCA.mep"
C_squid_der_cert="/ucos/www/webfilter/squidCA.der"
C_squid_pem_cacert="/var/ucos/sslkeys/squid/cacert.pem"
C_squid_pem_cacert_def="/etc/ucdefs/cacert.pem"

C_subj="/C=DZ/ST=BEJAIA/L=BEJAIA/O=UCOS/CN=ucos.net"
#------------------------------------------------------------------
# Stop squid service
#------------------------------------------------------------------
"${C_service}" squid stop >/dev/null 2>&1

while ps axg | grep -vw grep | grep -w squid > /dev/null; do sleep 1; done
#------------------------------------------------------------------
# Create the destination directory if it does not exist
#------------------------------------------------------------------
if [ ! -d "$C_squid_fldr_certs" ]; then
  "${C_mkdir}" -p "$C_squid_fldr_certs" >/dev/null 2>&1
fi
#------------------------------------------------------------------
# If a .pem file exists, rename it (keep the previous CA as .mep)
#------------------------------------------------------------------
if [ -f "$C_squid_pem_cert" ]; then
  "${C_mv}" -f "$C_squid_pem_cert" "$C_squid_mep_cert" >/dev/null 2>&1
fi
#------------------------------------------------------------------
# If a .der file exists, delete it
#------------------------------------------------------------------
if [ -f "$C_squid_der_cert" ]; then
  "${C_rm}" -f "$C_squid_der_cert" >/dev/null 2>&1
fi
#------------------------------------------------------------------
# Call openssl to generate the self-signed CA certificate
# (private key and certificate are written to the same .pem file)
#------------------------------------------------------------------
"${C_openssl}" req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj "$C_subj" -keyout "$C_squid_pem_cert" -out "$C_squid_pem_cert" >/dev/null 2>&1

while ps axg | grep -vw grep | grep -w openssl > /dev/null; do sleep 1; done
#------------------------------------------------------------------
# Generate the .der certificate (for download/import on clients)
#------------------------------------------------------------------
"${C_openssl}" x509 -in "$C_squid_pem_cert" -outform DER -out "$C_squid_der_cert" >/dev/null 2>&1

while ps axg | grep -vw grep | grep -w openssl > /dev/null; do sleep 1; done
#------------------------------------------------------------------
# Generate the certgen db (remove the old one first)
#------------------------------------------------------------------
if [ -d "$C_squid_fldr_certs_db" ]; then
  "${C_rm}" -R "$C_squid_fldr_certs_db"
fi
"${C_security_file_certgen}" -c -s "$C_squid_fldr_certs_db" -M 4MB >/dev/null 2>&1

while ps axg | grep -vw grep | grep -w security_file_certgen > /dev/null; do sleep 1; done
#------------------------------------------------------------------
# Get cacert.pem from the curl site
# (--no-check-certificate disables TLS verification of this download;
# the size check below only catches a missing or truncated file)
#------------------------------------------------------------------
"${C_wget}" --no-check-certificate -t 2 -T 10 -q -O "$C_squid_pem_cacert" https://curl.se/ca/cacert.pem >/dev/null 2>&1
# Size of the downloaded bundle (0 if it does not exist); if it is too
# small to be a real cacert.pem, fall back to the default bundle
fcacert_sz=$("${C_stat}" -f%z "${C_squid_pem_cacert}" 2>/dev/null)
if [ "${fcacert_sz:-0}" -lt 10000 ]; then
   "${C_cp}" "$C_squid_pem_cacert_def" "$C_squid_pem_cacert" >/dev/null 2>&1
fi
#------------------------------------------------------------------
# Chown to squid
#------------------------------------------------------------------
"${C_chown}" -R squid:squid "${C_squid_fldr_root}"
#------------------------------------------------------------------
# Start squid
#------------------------------------------------------------------
"${C_service}" squid start >/dev/null 2>&1
#"${C_squid}" -k reconfigure

exit 0

So what's wrong?? The generation is made today, but the certificate indicates that the validity begins on 21/05/2023.
The system datetime is OK:
Bash:
root@uc-rpi:/ucos/bin # date
Thu Oct 12 20:57:59 CEST 2023

PS: When this code is executed (called) manually in the shell, it generates the SSL certificate normally, with a begin validity date of today.



See picture.

Attachments
  • cert.jpg
So What's wrong??
I have no idea. And running and debugging your script would take me way too much time. So let me really quickly give you a hint:

You run all the heavy-weight commands (openssl, certgen, wget) without any error checking, and with their output (both stdout and stderr) being discarded. Is it possible that one of those commands is printing an error message or a warning message? Or perhaps even fails outright? Some of these commands create files, which are then used in further stages of your script. If one of these commands fails, is it possible that one of the old files simply continues to exist, and is used in further stages?

Suggestion: Instead of "foo > /dev/null 2>&1", try something like this:
Code:
foo > /tmp/$$.foo.stdout 2> /tmp/$$.foo.stderr ; err_foo=$?
if [ $err_foo -ne 0 ] ; then
  echo Command foo returned status $err_foo
  exit
fi
And then after a run, manually review all the files created in /tmp/ to see whether there are any hints of problems.

By the way, kudos for your shell coding style, which is extremely defensive. You define all the commands (so the path is not used), you quote all variable expansions, and so on. Some would say that your coding style is excessive, since (a) many commands like stat, mkdir and mv are guaranteed to exist on the path, and (b) many variables can't have spaces or special characters in them, for example because you set them a moment ago to a constant. Being over-protective may make your code hard to read for some. But tastes differ, and more importantly the target audience of the code differs, so you do you.
 
Another thing, with regard to starting commands and redirecting their output: the commands won't return until they're done. So you don't have to check whether they're still running afterwards. They're finished; that's why the next command in the script gets executed. You're not executing those commands in the background, or in some subshell.

Code:
"${C_service}" squid stop >/dev/null 2>&1 
while ps axg | grep -vw grep | grep -w squid > /dev/null; do sleep 1; done
If you stop the service, that's going to wait until the service is stopped or time out. If the service is stopped it will have a return code of 0. You don't need to check if the service is still running. The service(8) command successfully stopped it. If it wasn't able to stop it, the return code would not be 0.
Code:
"${C_openssl}" req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj "$C_subj" -keyout "$C_squid_pem_cert" -out "$C_squid_pem_cert" >/dev/null 2>&1 
while ps axg | grep -vw grep | grep -w openssl > /dev/null; do sleep 1; done
The ${C_openssl} command won't return until it has finished executing. So you don't need to loop and wait until it's finished afterwards. The command isn't executed in the background. It's finished; that's why the next command in the script is executed.
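An added example (not the thread's script or either poster's code) that puts the two suggestions above into a runnable form: each openssl step runs in the foreground with its exit status checked and its stderr kept, with no ps/grep wait loop, and the result is then verified by comparing the PEM and DER copies and the notBefore date, the same checks the later openssl dumps in this thread do by hand. WORK, KEY, PEM, DER and SUBJ are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not the thread's script: the same two openssl steps, with each
# command checked (exit status, captured stderr) and the result verified: the
# PEM and DER copies must be one certificate and notBefore must be today (UTC).
# WORK, KEY, PEM, DER and SUBJ are placeholders constructed for this example.
WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/squidCA.key"
PEM="$WORK/squidCA.pem"
DER="$WORK/squidCA.der"
SUBJ="/C=XX/ST=Example/L=Example/O=Example/CN=example.invalid"

# run NAME CMD...: run CMD in the foreground (it has already exited when this
# returns, so no ps/grep wait loop is needed), keep its output, fail loudly.
run() {
    name=$1; shift
    "$@" >"$WORK/$name.stdout" 2>"$WORK/$name.stderr"
    st=$?
    [ "$st" -eq 0 ] && return 0
    echo "$name failed with status $st:" >&2
    cat "$WORK/$name.stderr" >&2
    return "$st"
}

# gen_ca: self-signed CA (key and certificate in separate files) plus its DER export.
gen_ca() {
    run req openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        -subj "$SUBJ" -keyout "$KEY" -out "$PEM" || return 1
    chmod 600 "$KEY"
    run der openssl x509 -in "$PEM" -outform DER -out "$DER" || return 1
}

# same_cert PEM DER: succeed only if both files carry the same certificate
# (a different serial or fingerprint means a different certificate, as between
# the FreeBSD and Windows dumps in the thread).
same_cert() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    b=$(openssl x509 -in "$2" -inform DER -noout -fingerprint -sha256) || return 1
    [ "$a" = "$b" ]
}

# issued_today FILE: compare the certificate's notBefore day with today (UTC).
issued_today() {
    want=$(LC_ALL=C date -u '+%b %e %Y' | awk '{print $1, $2, $3}')
    got=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//' \
          | awk '{print $1, $2, $4}')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

gen_ca && same_cert "$PEM" "$DER" && issued_today "$PEM" \
    && echo "OK: $PEM and $DER are the same certificate, issued today"
```

The captured stderr files under $WORK are what the first reply asks you to review after a run; a non-zero status stops the script before a stale file can be exported.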
 
I think the problem is on Windows: when trying to install the certificate, it gives me wrong begin and end dates,
but when reading the certificate info using the openssl command, it's good.
What to do??

root@uc1:~ # openssl x509 -in /var/uccenos/keys/squidCA.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:1c:3b:ad:98:22:39:94:08:a1:20:d0:d3:b1:0b:77:6b:a3:73:c0
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DZ, ST = BEJAIA, L = BEJAIA, O = UCCEN, CN = uccenos.net
Validity
Not Before: Jul 5 11:28:13 2024 GMT
Not After : Jul 3 11:28:13 2034 GMT
Subject: C = DZ, ST = BEJAIA, L = BEJAIA, O = UCCEN, CN = uccenos.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
2F:11:27:DC:B8:0B:02:43:2B:CE:2A:14:79:A4:9C:4F:D9:9A:30:2F
X509v3 Authority Key Identifier:
2F:11:27:DC:B8:0B:02:43:2B:CE:2A:14:79:A4:9C:4F:D9:9A:30:2F
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
root@uc1:~ # openssl x509 -in /uccenos/htdocs/uwf/squidCA.der -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:1c:3b:ad:98:22:39:94:08:a1:20:d0:d3:b1:0b:77:6b:a3:73:c0
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DZ, ST = BEJAIA, L = BEJAIA, O = UCCEN, CN = uccenos.net
Validity
Not Before: Jul 5 11:28:13 2024 GMT
Not After : Jul 3 11:28:13 2034 GMT
Subject: C = DZ, ST = BEJAIA, L = BEJAIA, O = UCCEN, CN = uccenos.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
2F:11:27:DC:B8:0B:02:43:2B:CE:2A:14:79:A4:9C:4F:D9:9A:30:2F
X509v3 Authority Key Identifier:
2F:11:27:DC:B8:0B:02:43:2B:CE:2A:14:79:A4:9C:4F:D9:9A:30:2F
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:



Wow, even the OpenSSL version for Windows prints wrong validity dates.

D:\tmp\OpenSSL-Win32>openssl x509 -in squidCA.der -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
68:32:88:f0:49:b4:2e:ac:8f:7f:68:d3:c7:8d:21:4f:ea:e9:28:1c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = DZ, ST = BEJAIA, L = BEJAIA, O = UCCEN, CN = uccenos.net
Validity
Not Before: Jan 1 00:00:28 2010 GMT
Not After : Dec 30 00:00:28 2019 GMT
Subject: C = DZ, ST = BEJAIA, L = BEJAIA, O = UCCEN, CN = uccenos.net
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
62:19:BD:65:FA:14:2B:94:5A:94:5F:E8:B6:07:3D:69:01:24:A4:C4
X509v3 Authority Key Identifier:
62:19:BD:65:FA:14:2B:94:5A:94:5F:E8:B6:07:3D:69:01:24:A4:C4
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:

D:\tmp\OpenSSL-Win32>openssl version
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)

FreeBSD openssl version:
root@uc1:~ # openssl version
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
 

Attachments
  • Untitled 1.jpg
All is correct on my machine (as you see in the SSL key dump).
Finally I found that Microsoft Edge is the problem (it is stupid, but I do not know how).
When I download the key (on my FreeBSD I installed the lighttpd web server) using Firefox or Chrome, all is OK, but when I use Edge it does not work (very strange).
 