Wednesday, November 01, 2017

Re: ikectl errors

On Wed, Nov 01, 2017 at 09:08:08AM +0000, Andreas Thulin wrote:
> Hi!
>
> I'm trying to set up iked on machine A, to create a tunnel between machines
> A and B. ikectl produces errors when creating a certificate with my "test"
> ca, and I have failed to understand why:
>
> # ikectl ca test certificate 192.168.1.1 create
> Generating RSA private key, 2048 bit long modulus
> ......................................+++
> ..........+++
> e is 65537 (0x10001)
> You are about to be asked to enter information that will be incorporated
> into your certificate request.
> What you are about to enter is what is called a Distinguished Name or a DN.
> There are quite a few fields but you can leave some blank
> For some fields there will be a default value,
> If you enter '.', the field will be left blank.
> -----
> Country Name (2 letter code) [DE]:
> State or Province Name (full name) [Lower Saxony]:
> Locality Name (eg, city) [Hanover]:
> Organization Name (eg, company) [OpenBSD]:
> Organizational Unit Name (eg, section) [iked]:
> Common Name (eg, fully qualified host name) [192.168.1.1]:
> Email Address [reyk@openbsd.org]:
> Using configuration from /etc/ssl/test/192.168.1.1-ssl.cnf
> Check that the request matches the signature
> Signature ok
> The Subject's Distinguished Name is as follows
> countryName :PRINTABLE:'DE'
> stateOrProvinceName :ASN.1 12:'Lower Saxony'
> localityName :ASN.1 12:'Hanover'
> organizationName :ASN.1 12:'OpenBSD'
> organizationalUnitName:ASN.1 12:'iked'
> commonName :ASN.1 12:'192.168.1.1'
> emailAddress :IA5STRING:'reyk@openbsd.org'
> ERROR: adding extensions in section x509v3_IPAddr
> 2226969360:error:22FFF06D:X509 V3 routines:func(4095):invalid null
> value:/usr/src/lib/libcrypto/x509v3/v3_utl.c:355:
> 2226969360:error:22FFF069:X509 V3 routines:func(4095):invalid extension
> string:/usr/src/lib/libcrypto/x509v3/v3_conf.c:143:name=subjectAltName,section=IP:
> 2226969360:error:22FFF080:X509 V3 routines:func(4095):error in
> extension:/usr/src/lib/libcrypto/x509v3/v3_conf.c:96:name=subjectAltName,
> value=IP:
> #
>
> The machine is i386 running 6.2-stable.
>
> I assume I'm doing something wrong, or have missed something in previous
> steps (I followed the example steps from the ikectl man page). Any tips on
> where to start digging/understanding/learning/fixing would be highly
> appreciated.
>
> BR, Andreas

Search the archives, there's a diff to fix this from Oct 25 or so, but it
has not been committed yet.

-ml
