
Regenerate Server’s Certificate

2020.12.07

I’ve got a new Macbook for Xmas! :-)

In my network, it has a new/different IP address. The server’s certificate generated previously no longer works. If it had been signed with a wildcard for the domain name, it should have been alright.

I retraced the steps to generate .crt, see: https://primecoder.github.io/Documentation/CreatingCertsForSecureAPI.html

It turned out this is very simple. However, I don’t want to keep doing this again, i.e. when deploying to a new VM instance on GCP, etc. So let’s see if I can sign a .crt file with a wildcard IP address.

[ req ]
prompt             = no
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                = AU
localityName               = YOUR_LOCAL_NAME
organizationName           = YOUR_ORG_NAME
commonName                 = Pyingerra   <-- I changed this from IP addr to a name 'Pyingerra'
[ req_ext ]
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
IP.1 = 192.168.0.*      <-- Try wildcard?
IP.2 = 127.0.0.1
IP.3 = YOUR_OTHER_IP

This didn’t work. The signing process complained right away.

$ openssl req -new -key development.key -config config.cnf -out development.csr
Error Loading request extension section req_ext
4375400108:error:22FFF076:X509 V3 routines:func(4095):bad ip address:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.40.4/libressl-2.8/crypto/x509v3/v3_alt.c:529:value=192.168.0.*
4375400108:error:22FFF080:X509 V3 routines:func(4095):error in extension:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-56.40.4/libressl-2.8/crypto/x509v3/v3_conf.c:100:name=subjectAltName, value=@alt_names

I also tried

[alt_names]
DNS.1 = localhost
IP.1 = 192.168.0.0    <-- Try 0.0?
IP.2 = 127.0.0.1

This didn’t work either. The signing process was OK; however, when I ran curl, it complained.

$ curl \
    -H "Accept: application/json" \
    -H "Authorization: Bearer $AUTH_TOKEN" \
    --cacert $CA_CERT \
    $ENDPOINT_GETALL

curl: (60) SSL: no alternative certificate subject name matches target host name '192.168.0.147'
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Darn!
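As an added illustration (not code from the original post), the following Python script reproduces the two checks that bit me above: OpenSSL rejecting a non-literal value in an IP SAN entry, and a client such as curl comparing the target IP byte-for-byte against the certificate’s iPAddress SAN entries. The SAN list and config text are constructed to mirror the two attempts in the post; the function names are my own.

```python
import ipaddress

# Constructed SAN list mirroring the post's second attempt (IP.1 = 192.168.0.0).
SAN_ATTEMPT_2 = [("DNS", "localhost"), ("IP", "192.168.0.0"), ("IP", "127.0.0.1")]


def parse_alt_names(cfg_text):
    """Parse an [alt_names] section (DNS.n / IP.n lines) into (kind, value) pairs.
    IP entries must be literal addresses, so a wildcard such as 192.168.0.*
    raises ValueError, just as OpenSSL reports 'bad ip address' for it."""
    entries = []
    for line in cfg_text.splitlines():
        line = line.split("<--")[0].strip()  # drop post-style inline notes
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        kind = key.strip().split(".")[0].upper()
        value = value.strip()
        if kind == "IP":
            ipaddress.ip_address(value)  # raises ValueError on '192.168.0.*'
        elif kind != "DNS":
            raise ValueError("unsupported SAN type: %s" % key.strip())
        entries.append((kind, value))
    return entries


def _dns_match(pattern, host):
    """RFC 6125 style: one '*' is allowed only as the entire leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if plabels[0] != "*" or "*" in pattern[2:] or len(plabels) < 3:
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]


def san_matches(sans, target):
    """Return True if the target (IP literal or DNS name) matches any SAN entry,
    the way curl checks it: IP literals match iPAddress entries exactly (no
    wildcard or subnet semantics), DNS names match dNSName entries, and the
    subject CN is not consulted once a SAN extension is present."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False
```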

So, for now, I had to use a specific IP address. But things weren’t so bad: only step 6 and step 7 needed to be repeated (see: https://primecoder.github.io/Documentation/CreatingCertsForSecureAPI.html). I did create a makefile to facilitate this.

#!make
#
# Make a new server certificate file.
#
# Only an output certificate file (from 'gen_server_crt' target) needs to be
# distributed to a server.
#
# References:
# 1. https://primecoder.github.io/Documentation/CreatingCertsForSecureAPI.html
#

.PHONY: hello gen_server_csr gen_server_crt gen_all

hello:
	@echo "Make util to generate new self-sign certificate for server."
	@echo "Usage:\n"
	@echo '\t$$ make gen_server_csr \t\t# Generate a request'
	@echo "\t$$ make gen_server_crt \t\t# Generate a certificate"
	@echo "\t$$ make gen_all \t\t\t# Generate a request and certificate"

gen_server_csr:
	# Do step 6 from [1]
	@echo "Generate Certificate Request for Server"
	openssl req -new -key ../i-1/development.key -config config.cnf -out development.csr

gen_server_crt:
	# Do step 7 from [1]
	@echo "Generate server certificate"
	openssl x509 -req \
	-in development.csr \
	-CA ../i-1/development-ca.crt \
	-CAkey ../i-1/development-ca.key \
	-CAcreateserial \
	-out development.crt \
	-days 365 -sha256 \
	-extfile config.cnf \
	-extensions req_ext

gen_all: gen_server_csr gen_server_crt
	# Do step 6 and 7 from [1]

Notice that I only needed to update the config.cnf file and regenerate the server’s .csr and .crt files. The good thing is, only the new .crt file needs to be redistributed to the server (python/flask). All clients (web, curl, iPhone, iPad, etc.) remained untouched!

–Peace–