Error creating Nginx TLS certificate
Closed this issue · 3 comments
New installation throws the following error when trying to set up Nginx with TLS certificates:
OS: Ubuntu 18.04
Creating a new Nginx TLS Certificate...
Error Loading extension section v3_req
139864759878080:error:220A4076:X509 V3 routines:a2i_GENERAL_NAME:bad ip address:../crypto/x509v3/v3_alt.c:461:value=
139864759878080:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=@alt_names
Failed. See /home/ubuntu/guac-setup/guacamole_setup.log
Self signed certificate configured for Nginx
I tested on a fresh Ubuntu 18.04 just now and it installed fine with Nginx & TLS. The script works.
This error relates to invalid options being sent to the certificate generation process. Parameters the 4a script is receiving are out of bounds somehow. Double check with the custom options you are using to make sure you are not sending incompatible config settings such as more than TWO letters for country code.
Do a test run with only the script defaults as downloaded. During the install, when the installer reaches the below section on screen, does it depict clear parameters like below, or still an error?
New self-signed TLS certificate attributes are shown below...
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
string_mask = utf8only
[req_distinguished_name]
C = AU
ST = Victoria
L = Melbourne
O = Itiligent
OU = I.T.
CN = *.lan
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection
subjectAltName = @alt_names
[alt_names]
DNS.1 = test.lan
DNS.2 = *.lan
IP.1 = 192.168.1.50
If you still get an error, there is something about your system that might be having issues discovering the local IP address (many NICs?), or some other TLS library conflict. You could try hard coding the certificate settings above by editing the 4a script and then commenting out its download line in script 1-setup to stop overwrite of your changes. At least that's where to start.
Ubuntu 18.x went EOL as of May 23 so better to move to something more recent. I won't be supporting 18.x into the future if packages diverge and things break in future.
Yes, I believe the problem only happens with Ubuntu distributions in cloud providers (which usually have public and private IPs) like Oracle cloud, where once the image is deployed, the OS does not get the private IP and instead gets 127.0.1.1, which I believe results in the script "4a-install-tls-self-signed-nginx.sh" being unable to update the "IP.1" parameter accordingly. What I did, after getting the error from the initial install, was manually update the variable "DEFAULT_IP" with the public IP of my Ubuntu instance and run the script again; this time it completed successfully, generating the certificates.
Thanks for the feedback. I'm glad you found the $DEFAULT_IP setting (I should have thought of that). I tried to keep all the config options clear and up front for this sort of troubleshooting, so I hope it didn't take too long to find and sort out. I'm not sure how I could solve this specific error scenario in the script, maybe just an updated note on the readme.
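One way to catch the failure discussed in this thread before openssl reports "bad ip address", as an added example that is not part of the installer scripts or of any comment above. The function names are hypothetical; only DEFAULT_IP and the alt_names layout come from the thread, and how the installer discovers the address is not shown on this page.

```shell
#!/bin/sh
# Added example, not part of the installer: validate the address destined for
# IP.1 before openssl sees it. Function names are hypothetical; DEFAULT_IP is
# the variable named in the thread.

# Succeed only for a dotted-quad IPv4 address usable in a certificate SAN:
# non-empty, exactly four octets of 0-255, and not in 127.0.0.0/8.
is_usable_san_ip() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr                                # split on dots (digits only, no globbing)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -ne 127 ] || return 1                # loopback, e.g. 127.0.1.1
    return 0
}

# Print the [alt_names] section. The IP.1 line is emitted only when the
# address validates, so the config never contains "IP.1 = " with no value.
render_alt_names() {
    san_host=$1 san_wildcard=$2 san_ip=$3
    printf '[alt_names]\nDNS.1 = %s\nDNS.2 = %s\n' "$san_host" "$san_wildcard"
    if is_usable_san_ip "$san_ip"; then
        printf 'IP.1 = %s\n' "$san_ip"
    else
        printf 'WARNING: "%s" is not a usable certificate IP; set DEFAULT_IP by hand.\n' \
            "$san_ip" >&2
    fi
}

# Constructed sample values: the address from the thread's config, the
# 127.0.1.1 value the reporter mentions, and an empty detection result.
for DEFAULT_IP in "192.168.1.50" "127.0.1.1" ""; do
    echo "DEFAULT_IP='$DEFAULT_IP':"
    render_alt_names "test.lan" "*.lan" "$DEFAULT_IP"
done
```

A certificate generated without the IP.1 entry will not validate for clients that connect by IP address, so the warning should be treated as a prompt to set DEFAULT_IP and regenerate.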