Opened 6 years ago

Closed 3 years ago

#4573 closed defect (fixed)

Consider using SSL_CTX_use_certificate_chain_file in module-webif-lib.c

Reported by: delilah23 Owned by: WIDI RISTIANTO
Priority: trivial Component: Webinterface
Severity: low Keywords: ssl
Cc: Sensitive: no




Issue Description

Oscam webif won't send out a complete cert chain to the browser when using SSL webif

When the issue occurs

It occours when a cert is used that needs to send out an intermediate cert to give the browser the possibility to check the complete cert chain.

How the issue is reproducable

use a typical intermediate signed cert, f.i. given out from Let's Encrypt.

I attached a (trivial) patch which would solve this issue. The given pem file is searched for a complete cert chain, which is sent out to the client then.

Attachments (1)

ssl_chain.patch (434 bytes ) - added by delilah23 6 years ago.

Download all attachments as: .zip

Change History (8)

by delilah23, 6 years ago

Attachment: ssl_chain.patch added

comment:1 by WIDI RISTIANTO, 6 years ago

Owner: set to WIDI RISTIANTO
Status: newassigned

comment:2 by xeonpj, 6 years ago

Hi friend, I try to apply the patch but it still does not work chain.pem from let's encrypt.

comment:3 by delilah23, 6 years ago

@xeonpj You have to use fullchain.pem (including 2 certificates in one file) - chain.pem does only include the intermediate cert not the issued client cert itself.

comment:4 by xeonpj, 6 years ago

patch aplicated to oscam r11390:

error of console, SSL not working:

1993090144:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
1993090144:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:635:

rute: /etc/letsencrypt/live/URL_DNS/fullchain.pem

comment:5 by delilah23, 5 years ago

Well, you have to

cat /etc/letsencrypt/live/<domainname>/privkey.pem > /etc/oscam/oscam.pem
cat /etc/letsencrypt/live/<domainname>/fullchain.pem >> /etc/oscam/oscam.pem

(depending on where your Oscam Config lives, /etc/oscam in my case)

This copies private key and cert chain to oscam.pem.

You have to repeat this, every time certbot regenerates the certificate with a new one.
For security reasons, oscam.pem should only be readable by oscam process.

In oscam.conf shoud be a

httpcert                      = /etc/oscam/oscam.pem

Oscam expects cert and private key in just one file.

comment:6 by xeonpj, 5 years ago

work !!! Thank you!!!
the patch indicated above is not necessary.

just follow your steps and everything is right!

Last edited 5 years ago by xeonpj (previous) (diff)

comment:7 by felixka, 3 years ago

Resolution: fixed
Status: assignedclosed

fixed -> r11570

Note: See TracTickets for help on using tickets.