[SOLVED] Error: HTTPS certs for webadmin
#1
Hello,

I am trying to use HTTPS for the webadmin, but it doesn't seem to work. At first I used my own certificate from my own CA, but it failed, so I tried the script GenerateSelfSignedHTTPSCertUsingOpenssl.sh and I got the same error:

[21:37:28] WebServer: Cannot read HTTPS certificate: -0x2180

I looked into the code; it seems the error comes from src/HTTP/HTTPServer.cpp:

    int res = Cert->Parse(CertFile.data(), CertFile.size());
    if (res == 0)
    {
        auto CertPrivKey = std::make_shared<cCryptoKey>();
        res = CertPrivKey->ParsePrivate(KeyFile.data(), KeyFile.size(), "");
        if (res == 0)
        {
            // Modifiable locally but otherwise must be const
            auto Config = cSslConfig::MakeDefaultConfig(false);
            Config->SetOwnCert(Cert, CertPrivKey);
            m_SslConfig = std::move(Config);
        }
        else
        {
            // Reading the private key failed, reset the cert:
            LOGWARNING("WebServer: Cannot read HTTPS certificate private key: -0x%x", -res);
        }
    }
    else
    {
        LOGWARNING("WebServer: Cannot read HTTPS certificate: -0x%x", -res);
    }

Thank you for your time.
#2
The -0x2180 error is POLARSSL_ERR_X509_INVALID_FORMAT. That means that the file is in a format not supported by the TLS library. Which is weird, considering that the Generate script always has worked so far.

Could you post the generated cert and key? (You won't be using it anyway, so it shouldn't be a security concern :)
#3
(09-11-2017, 05:37 PM)xoft Wrote: The -0x2180 error is POLARSSL_ERR_X509_INVALID_FORMAT. That means that the file is in a format not supported by the TLS library. Which is weird, considering that the Generate script always has worked so far.

Could you post the generated cert and key? (You won't be using it anyway, so it shouldn't be a security concern :)

First, sorry for the response time. I couldn't get on the internet before today.

EDIT: I removed them because I left my email address in them.

Thanks in advance for your time.
#4
I meant for you to post the whole files.

When I copy-paste the certificate and privkey data from your listings into a fresh new pair of files, my Cuberite accepts them without any problem. But I tried on an older executable built with PolarSSL, I'll retry the new one with mbedTLS sometime in the afternoon.
#5
(09-18-2017, 11:25 PM)xoft Wrote: I meant for you to post the whole files.

When I copy-paste the certificate and privkey data from your listings into a fresh new pair of files, my Cuberite accepts them without any problem. But I tried on an older executable built with PolarSSL, I'll retry the new one with mbedTLS sometime in the afternoon.

I uploaded both files for you.


Attached Files
.txt   httpscert.crt.txt (Size: 1.45 KB / Downloads: 291)
.txt   httpskey.pem.txt (Size: 1.66 KB / Downloads: 293)
#6
Right, so the files work in the old PolarSSL version, but not in the mbedTLS version. I'll investigate this. Thanks for the report and the data.
#7
I've found the cause and made a pull request with a fix: https://github.com/cuberite/cuberite/pull/4036

In the meantime, you can use your certificates if you convert them from PEM to DER (but keep their filenames).
( openssl x509 -inform pem -in certificate.pem -outform der -out certificate.crt )
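A pre-flight check for the workaround in post #7, added here as an example; it is not part of the original posts or of Cuberite's code. It classifies the contents of a certificate or key file as PEM or DER and decodes the first PEM block to DER, which for a certificate is the conversion the openssl command performs. The function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re

# One PEM block: armor lines with matching labels around a base64 body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_is_single_sequence(data: bytes) -> bool:
    """True if data is exactly one SEQUENCE (tag 0x30) whose length fills the buffer."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: the length is this byte
        header, length = 2, first
    else:                                 # long form: the next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def detect_encoding(data: bytes) -> str:
    """Classify file contents as 'pem', 'der' or 'unknown'."""
    if PEM_BLOCK.search(data):
        return "pem"
    return "der" if der_is_single_sequence(data) else "unknown"

def pem_to_der(data: bytes):
    """Return (label, der_bytes) for the first PEM block in data."""
    match = PEM_BLOCK.search(data)
    if match is None:
        raise ValueError("no PEM block found")
    label, body = match.group(1).decode("ascii"), match.group(2)
    if b":" in body:                      # header lines, e.g. a legacy encrypted key
        raise ValueError("PEM block has headers (encrypted key?); decrypt it first")
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64 in PEM body: {exc}") from None
    if not der_is_single_sequence(der):
        raise ValueError("decoded body is not a single DER SEQUENCE")
    return label, der

# Constructed sample, not a real certificate: SEQUENCE { INTEGER 5 }.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")
```

Read the real files in binary mode and write the returned bytes back under the original filename; the check is structural only and does not validate the certificate itself.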
#8
(09-19-2017, 07:37 PM)xoft Wrote: I've found the cause and made a pull request with a fix: https://github.com/cuberite/cuberite/pull/4036

In the meantime, you can use your certificates if you convert them from PEM to DER (but keep their filenames).
( openssl x509 -inform pem -in certificate.pem -outform der -out certificate.crt )

I saw your pull request has been merged. Thank you, I will try it and tell you the result.

EDIT: It works well, thank you again.