Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/11/20 07:02:09 UTC
[GitHub] [pulsar] qq516249940 opened a new issue #12903: standalone Authentication using TLS general admin.csr.pem erorr
qq516249940 opened a new issue #12903:
URL: https://github.com/apache/pulsar/issues/12903
**Describe the bug**
Standalone TLS setup: generating admin.csr.pem fails with an error.
pulsar 2.8.1
[root@dev-pulsar-standalone my-ca]# openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
**To Reproduce**
Steps to reproduce the behavior:
```bash
[root@dev-pulsar-standalone my-ca]# openssl genrsa -out admin.key.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..............+++++
...................................+++++
e is 65537 (0x010001)
[root@dev-pulsar-standalone my-ca]# openssl pkcs8 -topk8 -inform PEM -outform PEM \
> -in admin.key.pem -out admin.key-pk8.pem -nocrypt
[root@dev-pulsar-standalone my-ca]# openssl req -config openssl.cnf \
> -key admin.key.pem -new -sha256 -out admin.csr.pem
req: Error on line 30 of config file "openssl.cnf"
139684859553600:error:0E065068:configuration file routines:str_copy:variable has no value:crypto/conf/conf_def.c:638:line 30
[root@dev-pulsar-standalone my-ca]# ls
admin.key.pem admin.key-pk8.pem broker.cert.pem broker.csr.pem broker.key.pem broker.key-pk8.pem certs crl index.txt index.txt.attr index.txt.old newcerts openssl.cnf private serial serial.old
[root@dev-pulsar-standalone my-ca]# openssl req -config openssl.cnf \
> -key admin.key.pem -new -sha256 -out admin.csr.pem
req: Error on line 30 of config file "openssl.cnf"
140223356573504:error:0E065068:configuration file routines:str_copy:variable has no value:crypto/conf/conf_def.c:638:line 30
[root@dev-pulsar-standalone my-ca]#
[root@dev-pulsar-standalone my-ca]#
[root@dev-pulsar-standalone my-ca]# openssl req -config openssl.cnf \
> -key admin.key.pem -new -sha256 -out admin.csr.pem
req: Error on line 30 of config file "openssl.cnf"
140330148505408:error:0E065068:configuration file routines:str_copy:variable has no value:crypto/conf/conf_def.c:638:line 30
```
**Desktop (please complete the following information):**
[root@dev-pulsar-standalone my-ca]# cat /etc/redhat-release
CentOS Linux release 8.5.2111
**Additional context**
```conf
[root@dev-pulsar-standalone my-ca]# cat openssl.cnf
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#
#
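# Configuration file for a testing certificate authority.
# The environment variable CA_HOME must be set (and exported) to the directory
# containing this file before running any openssl command that reads this file.
# If CA_HOME is unset, the `dir = $ENV::CA_HOME` line below cannot be expanded
# and openssl aborts with "variable has no value".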
#
[ ca ]
# `man ca`
default_ca = CA_default
[ CA_default ]
# Directory and file locations.
dir = $ENV::CA_HOME
certs = $dir/certs
crl_dir = $dir/crl
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
RANDFILE = $dir/private/.rand
# The root key and root certificate.
private_key = $dir/private/ca.key.pem
certificate = $dir/certs/ca.cert.pem
# For certificate revocation lists.
crlnumber = $dir/crlnumber
crl = $dir/crl/ca.crl.pem
crl_extensions = crl_ext
default_crl_days = 30
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
name_opt = ca_default
cert_opt = ca_default
default_days = 375
preserve = no
policy = policy_strict
[ policy_strict ]
# The root CA should only sign intermediate certificates that match.
# See the POLICY FORMAT section of `man ca`.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_loose ]
# Allow the intermediate CA to sign a more diverse range of certificates.
# See the POLICY FORMAT section of the `ca` man page.
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Options for the `req` tool (`man req`).
default_bits = 2048
distinguished_name = req_distinguished_name
string_mask = utf8only
# SHA-1 is deprecated, so use SHA-2 instead.
default_md = sha256
# Extension to add when the -x509 option is used.
x509_extensions = v3_ca
[ req_distinguished_name ]
# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name
localityName = Locality Name
0.organizationName = Organization Name
organizationalUnitName = Organizational Unit Name
commonName = Common Name
emailAddress = Email Address
# Optionally, specify some defaults.
countryName_default = US
stateOrProvinceName_default = California
localityName_default = Palo Alto
0.organizationName_default = My company
organizationalUnitName_default = IT
emailAddress_default =
[ v3_ca ]
# Extensions for a typical CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ v3_intermediate_ca ]
# Extensions for a typical intermediate CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "OpenSSL Generated Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ crl_ext ]
# Extension for CRLs (`man x509v3_config`).
authorityKeyIdentifier=keyid:always
[ ocsp ]
# Extension for OCSP signing certificates (`man ocsp`).
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, OCSPSigning
```
[GitHub] [pulsar] github-actions[bot] commented on issue #12903: standalone Authentication using TLS general admin.csr.pem erorr
Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on issue #12903:
URL: https://github.com/apache/pulsar/issues/12903#issuecomment-1052936683
The issue had no activity for 30 days, mark with Stale label.