host certificate is not RFC3280 compliant

Questions to IPFire Addons.
phil9x
Posts: 4
Joined: April 20th, 2016, 9:44 pm

host certificate is not RFC3280 compliant

Post by phil9x » January 29th, 2019, 9:11 pm

Hello
I am getting this message after deleting X509 cert and client packages & generating new ones.
:o ??? :-\ :'(
Your host certificate is not RFC3280 compliant.
Please update to the latest IPFire version and generate as soon as possible a new root and host certificate.

Seems like I am stuck with ns-cert-type in my *****-TO-IPFire.ovpn file.

How can I get the tls server type and remove the message?
Thank you in advance for any help I may receive



All OpenVPN clients needs then to be renewed!
#OpenVPN Client conf
tls-client
client
nobind
dev tun
proto udp
tun-mtu 1400
remote **-****-***-**-static.hfc.comcastbusiness.net 1194
pkcs12 *********.p12
cipher AES-256-CBC
auth SHA256
tls-auth ta.key
comp-lzo
verb 3
ns-cert-type server
verify-x509-name **-****-***-**-static.hfc.comcastbusiness.net name
Last edited by phil9x on January 30th, 2019, 3:28 am, edited 1 time in total.

phil9x
Posts: 4
Joined: April 20th, 2016, 9:44 pm

Re: host certificate is not RFC3280 compliant

Post by phil9x » January 29th, 2019, 10:41 pm

Apparently, my post :-[ & then error message is meaningless, as I followed the instructions, deleted x509 and regenerated cert and client packages. Went to remote location and voilà, it worked. IPFire is still displaying the same warning though.
Hopefully the devs will work this out for next update.
I love IPFire

LouR
Posts: 17
Joined: June 3rd, 2019, 7:49 pm

Re: host certificate is not RFC3280 compliant

Post by LouR » June 27th, 2019, 5:02 pm

Same error message (not RFC3280 compliant) here. The VPN works just fine, I just get the error. I have completed all of the steps you mentioned. Build 133.

H&M
Posts: 471
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: host certificate is not RFC3280 compliant

Post by H&M » June 27th, 2019, 7:22 pm

Download the certificate and open it in Windows.
See if all fields are there: CN, SAN, IAN, CRL publishers... etc.

RFC3280 is useful - the table of contents lists all fields certificates should contain.

CN and SAN are mandatory as far as I remember...

ummeegge
Community Developer
Posts: 5001
Joined: October 9th, 2010, 10:00 am

Re: host certificate is not RFC3280 compliant

Post by ummeegge » July 1st, 2019, 10:28 am

Hi all,
phil9x wrote:
January 29th, 2019, 9:11 pm
Seems like I am stuck with ns-cert-type in my *****-TO-IPFire.ovpn file.
The ovpnmain.cgi checks whether the servercert.pem includes 'TLS Web Server Authentication' --> https://git.ipfire.org/?p=ipfire-2.x.gi ... 6716e96f85
If that isn't the case and you did recreate the PKI, there is probably an old openssl.cnf on the system (this can happen because of backups). The following entries need to be in openssl.cnf --> https://git.ipfire.org/?p=ipfire-2.x.gi ... 6716e96f85
If they are in, the key extension ('TLS Web Server Authentication') should be in servercert.pem.

Greetings,

UE
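
The check described in the post above can be repeated by hand with the openssl CLI. The script below is an added example, not part of the thread and not IPFire's own code; the function names and the certificate path passed on the command line are assumptions, and the two demo certificates are constructed throwaway test data.

```shell
#!/bin/sh
# Added example (not IPFire's code): report whether a certificate carries the
# 'TLS Web Server Authentication' extended key usage named in the post above.

# has_server_eku FILE
#   returns 0 if the EKU is present, 1 if absent, 2 if FILE cannot be parsed
has_server_eku() {
    cert_text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$cert_text" | grep -q 'TLS Web Server Authentication'
}

# make_test_cert OUT [EKU]
#   Constructed throwaway self-signed certificate, for the demonstration only.
#   With EKU (e.g. serverAuth) the extension is added; without it, none is set.
make_test_cert() {
    if [ -n "$2" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/CN=demo.invalid' -keyout "$1.key" -out "$1" \
            -addext "extendedKeyUsage=$2" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj '/CN=demo.invalid' -keyout "$1.key" -out "$1" 2>/dev/null
    fi
}

# report FILE: print a one-line verdict for FILE
report() {
    has_server_eku "$1"
    case $? in
        0) echo "$1: TLS Web Server Authentication present" ;;
        1) echo "$1: extended key usage missing, check openssl.cnf and regenerate" ;;
        *) echo "$1: not a readable certificate" ;;
    esac
}

# Usage: sh check_eku.sh /path/to/servercert.pem   (the path is a placeholder)
# With no argument, run against two constructed certificates.
if [ $# -gt 0 ]; then
    report "$1"
else
    demo_dir=$(mktemp -d) || exit 1
    make_test_cert "$demo_dir/with-eku.pem" serverAuth
    make_test_cert "$demo_dir/without-eku.pem"
    report "$demo_dir/with-eku.pem"
    report "$demo_dir/without-eku.pem"
    rm -rf "$demo_dir"
fi
```

On the client side, OpenVPN's `remote-cert-tls server` option requires the same extended key usage in the server certificate, so a server certificate that passes this check is what that option expects.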