Solved Cannot upload self-signed cert for web UI

[unsynaps]

I have been trying to upload a self-signed cert to the web UI and it seems to refuse to be accepted. Best I can tell it worked fine in the past.
Logs are throwing the following:

Mar 19 23:46:35 httpd: Can't get subject/authority key identifier. ([F6:2C:1C:3]/[NULL])
Mar 19 23:46:35 httpd: Delete uploaded certificate

No other errors are given.
Certs generated in XCA.

 

[ColinTaylor]

Importing own certificate broken on 3004.388.6 ?

Hi, I upgraded from 3004.388.5 to 3004.388.6 on my AX88U Pro and saw in the changelog there was something about certificates that changed. So as expected after the upgrade my certificate seemed broken so I decided to just reupload my own certificate files but this does not work. After choosing...

www.snbforums.com

 

[unsynaps]

Importing own certificate broken on 3004.388.6 ?

Hi, I upgraded from 3004.388.5 to 3004.388.6 on my AX88U Pro and saw in the changelog there was something about certificates that changed. So as expected after the upgrade my certificate seemed broken so I decided to just reupload my own certificate files but this does not work. After choosing...

www.snbforums.com

Uh... OK?
Really tired of this mentality of people thinking they are helping just posting a link with zero explanation. Especially when the link offers no sensible solution to the problem.

 

[ColinTaylor]

Uh... OK?
Really tired of this mentality of people thinking they are helping just posting a link with zero explanation. Especially when the link offers no sensible solution to the problem.

OK Given that exactly the same error was reported in that thread I thought Merlin's response might have been of some help. Next time I won't bother trying to help.

 

[unsynaps]

After some sleep and coffee, I found the answer.

 

[bennor]

After some sleep and coffee, I found the answer.

Please post "the answer" for others who may have the same issue and read your thread.

 

[JuanGF]

After some sleep and coffee, I found the answer.

This is the kind of answer you expect from someone complaining abour others not being helpful.

 

[zquestz]

I am experiencing a new error uploading my own certs. They worked fine for years, and the latest update the router switched to "Auto" and generated a new cert.

I see nothing in the system logs. What would be the best way to diagnose this?

I am using mkcert (https://github.com/FiloSottile/mkcert) which has worked great in the past.

 

[zquestz]

Actually I found the issue.

b_constr = x509v3ext2str_by_nid(x509_cert, NID_basic_constraints);
if (!b_constr) {
_dprintf("%s: Can't get basic constrain from %s\n", __func__, cert_fn);
logmessage("httpd", "Can't get basic constrain from %s", cert_fn);
ret = -7;
goto err_set_uploaded_cert_as_cacert;
}


When I logged all, it finally showed up. Is this absolutely required? The mkcert generated certs worked fine, and now they no longer function. =(

I also started a discussion on the mkcert github. https://github.com/FiloSottile/mkcert/discussions/583

 

[zquestz]

I was able to hack mkcert to get it working. Here's the patch for anyone interested -> https://github.com/zquestz/mkcert/commit/8e6f1214971366d17ddb80804456894bc779904f

 

[unostar]

Also using mkcert to issue self-signed certificates. Thanks for the solution, will give it a try.
Hope mkcert could implement the fix.

 

[awast2021]

其实我找到了问题。

b_constr = x509v3ext2str_by_nid(x509_cert, NID_basic_constraints);
if (!b_constr) {
_dprintf("%s: Can't get basic constrain from %s\n", __func__, cert_fn);
logmessage("httpd", "Can't get basic constrain from %s", cert_fn);
ret = -7;
goto err_set_uploaded_cert_as_cacert;
}


当我记录完所有内容时,它终于出现了。这是绝对必需的吗？mkcert 生成的证书运行良好,现在它们不再运行。=(

我还开始讨论 mkcert github。 https://github。com/FiloSottile/mkcert/discussions/583

The author of MKCert has not been updated. Can you recompile it?