Opened 7 years ago
Closed 4 years ago
#4573 closed defect (fixed)
Consider using SSL_CTX_use_certificate_chain_file in module-webif-lib.c
| Reported by: | delilah23 | Owned by: | WIDI RISTIANTO |
|---|---|---|---|
| Priority: | trivial | Component: | Webinterface |
| Severity: | low | Keywords: | ssl |
| Cc: | | Sensitive: | no |
Description
Revision: 11350
Issue Description
Oscam webif won't send out a complete cert chain to the browser when using SSL webif
When the issue occurs
It occurs when a cert is used that needs an intermediate cert to be sent out so that the browser has the possibility to check the complete cert chain.
How the issue is reproducible
Use a typical intermediate-signed cert, e.g. one issued by Let's Encrypt.
I attached a (trivial) patch which would solve this issue. The given pem file is searched for a complete cert chain, which is then sent out to the client.
Attachments (1)
Change History (8)
by , 7 years ago
Attachment: ssl_chain.patch added
comment:1 by , 7 years ago
Owner: set to
Status: new → assigned
comment:2 by , 7 years ago
comment:3 by , 7 years ago
@xeonpj You have to use fullchain.pem (including 2 certificates in one file) - chain.pem does only include the intermediate cert not the issued client cert itself.
comment:4 by , 7 years ago
patch applied to oscam r11390:
console error, SSL not working:
1993090144:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: ANY PRIVATE KEY
1993090144:error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib:ssl_rsa.c:635:
path: /etc/letsencrypt/live/URL_DNS/fullchain.pem
comment:5 by , 6 years ago
Well, you have to
cat /etc/letsencrypt/live/<domainname>/privkey.pem > /etc/oscam/oscam.pem
cat /etc/letsencrypt/live/<domainname>/fullchain.pem >> /etc/oscam/oscam.pem
(depending on where your Oscam Config lives, /etc/oscam in my case)
This copies private key and cert chain to oscam.pem.
You have to repeat this, every time certbot regenerates the certificate with a new one.
For security reasons, oscam.pem should only be readable by oscam process.
In oscam.conf there should be a
httpcert = /etc/oscam/oscam.pem
Oscam expects cert and private key in just one file.
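An added check, not part of the ticket or of OSCam, that scans a candidate httpcert file for the PEM blocks OSCam needs (one private key plus the leaf and intermediate certificates) and reports the layouts that failed in this thread: fullchain.pem alone (no key) and key plus leaf only (no intermediate). The PEM bodies in the samples are constructed placeholders; only the BEGIN/END framing is inspected.

```python
import re

# One PEM block; group 1 is the label ("CERTIFICATE", "PRIVATE KEY", "RSA PRIVATE KEY", ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def pem_labels(pem_text):
    """Return the ordered list of block labels found in a PEM file."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def check_oscam_pem(pem_text):
    """Classify a candidate oscam.pem. Returns (ok, reason).

    OpenSSL's PEM readers pick the first matching block, so key/cert order does not
    matter; the certificate order does (leaf first, then intermediates), which is
    how certbot's fullchain.pem is already laid out.
    """
    labels = pem_labels(pem_text)
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    certs = [l for l in labels if l == "CERTIFICATE"]
    if not labels:
        return False, "no PEM blocks found"
    if not keys:
        # comment:4 pointed httpcert at fullchain.pem: "Expecting: ANY PRIVATE KEY"
        return False, "no private key: SSL_CTX_use_PrivateKey_file would fail"
    if len(keys) > 1:
        return False, "more than one private key"
    if not certs:
        return False, "no certificate"
    if len(certs) == 1:
        # the original defect: leaf only, browsers cannot build the chain
        return False, "only one certificate: no intermediate, chain building may fail"
    return True, f"private key + {len(certs)} certificates (leaf and chain)"


# Constructed samples: the base64 bodies are placeholders, not real key or cert material.
_FAKE_BODY = "MIIBxDCCAW6gAwIBAgIBATANBgkqhkiG9w0BAQsFADA=\n"


def _block(label):
    return f"-----BEGIN {label}-----\n{_FAKE_BODY}-----END {label}-----\n"


LEAF, INTERMEDIATE, KEY = _block("CERTIFICATE"), _block("CERTIFICATE"), _block("PRIVATE KEY")
FULLCHAIN_ONLY = LEAF + INTERMEDIATE     # certbot fullchain.pem on its own (comment:4)
KEY_AND_LEAF = KEY + LEAF                # pre-patch layout that triggered the ticket
OSCAM_PEM = KEY + LEAF + INTERMEDIATE    # what comment:5 builds

if __name__ == "__main__":
    for name, data in [("fullchain only", FULLCHAIN_ONLY), ("key+leaf", KEY_AND_LEAF), ("oscam.pem", OSCAM_PEM)]:
        print(name, check_oscam_pem(data))
```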
comment:6 by , 6 years ago
thanks friend, I have tried what you say, it still does not work. I have tested the certificate on the apache web server that I have on the same machine and it works perfectly.
I have verified that the oscam.pem file is generated correctly.
Must the indicated patch be applied? Yes or no?
I do not know what else to do....:(
oscam version:
Unix starttime: 1508173676
Starttime: 16.10.2017 19:07:56
Version: oscam-1.20-unstable_svn-r11384
Compiler: x86_64-linux-gnu-ssl
Box type: generic (generic)
PID: 1386
TempDir: /tmp/.oscam
ConfigDir: /usr/local/etc/
WebifPort: 1010
GBox tmp_dir: not defined using: /tmp/.oscam
value read during start up, not refreshed if changed later in webif!
Web interface support: yes
LiveLog support: yes
jQuery support intern: yes
Touch interface support: no
SSL support: yes
DVB API support: no
Irdeto guessing: no
Anti-cascading support: yes
Debug mode: no
Monitor: no
Loadbalancing support: yes
Cache exchange support: yes
CW Cycle Check support: yes
LCD support: no
LED support: no
Clockfix with realtime clock: yes
IPv6 support: no
VPS server ubuntu x64 16
thanks!!!!
Hi friend, I tried to apply the patch but it still does not work with chain.pem from Let's Encrypt.