tls: error related to IP SANs


Archos

Apr 6, 2013, 6:59:42 AM4/6/13
to golan...@googlegroups.com
Using a TLS connection, I get the following error:

== Server
2013/04/06 11:48:55 rpc: rpc: server cannot decode request: remote error: bad certificate

== Client
x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs

At first my OpenSSL configuration template did not configure the SAN [1] (Subject_Alternative_Name), but then I added IP SANs, although I still get the same error.

[1]: http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_


The configuration file used to generate the self-signed certificate is:
* * *
RANDFILE = /dev/urandom

[ req ]
default_bits       = 2048
default_md         = rmd160
default_keyfile    = privkey.pem
distinguished_name = req_distinguished_name
prompt             = no
policy             = policy_anything
req_extensions     = v3_req
x509_extensions    = v3_req

[ req_distinguished_name ]
commonName = fenix

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
#
IP.1 = 192.168.1.100
IP.2 = 127.0.0.1

[ v3_req ]
basicConstraints = CA:FALSE
* * *

Why does this error occur and how do I fix it? Thanks in advance!

agl

Apr 6, 2013, 9:26:56 AM4/6/13
to golan...@googlegroups.com
On Saturday, April 6, 2013 6:59:42 AM UTC-4, Archos wrote:
== Client
x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
Why does this error occur and how do I fix it? Thanks in advance!

Please include the certificate or, if it is sensitive, please email me directly.


Cheers

AGL 

Archos

Apr 6, 2013, 10:23:39 AM4/6/13
to golan...@googlegroups.com
I uploaded them to one of my repositories, since I could not send them through this ML:

https://github.com/kless/gotool/tree/master/go.mkcert/test-tls/

I also added the OpenSSL config file and the Go file with the certificate as a []byte.

agl

Apr 6, 2013, 2:36:07 PM4/6/13
to golan...@googlegroups.com
On Saturday, April 6, 2013 10:23:39 AM UTC-4, Archos wrote:
I uploaded them to one of my repositories, since I could not send them through this ML:

https://github.com/kless/gotool/tree/master/go.mkcert/test-tls/

I also added the OpenSSL config file and the Go file with the certificate as a []byte.

If you run the certificate through openssl x509 -text you'll see that it really doesn't have any IP SANs (see below). Also, the RIPEMD hash function will cause issues I suspect.

I'd recommend taking the subjectAltNames config from the OpenSSL docs: https://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_


Cheers

AGL


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9346580130822416404 (0x81b5b91bd264e814)
    Signature Algorithm: ripemd160WithRSA
        Issuer: CN=fenix
        Validity
            Not Before: Apr  6 13:50:18 2013 GMT
            Not After : Apr  4 13:50:18 2020 GMT
        Subject: CN=fenix
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:e9:da:a7:93:1f:d5:fa:17:23:f8:be:85:42:3b:
                    db:f7:5c:ab:e9:e8:b4:dd:65:a7:8d:f0:b0:9d:65:
                    55:8c:4b:82:f0:d7:f1:2f:0c:64:bc:00:8f:3a:3d:
                    46:16:24:f1:08:6d:1a:83:2c:73:d9:fb:80:b2:91:
                    78:b4:52:8a:ff:a3:62:f3:d1:72:68:d8:00:c0:24:
                    80:f6:ad:c0:5f:98:6c:d7:58:4c:82:eb:51:d7:80:
                    29:79:24:c9:eb:77:39:2f:7b:1e:f4:0d:66:cc:55:
                    3a:0b:f8:60:7a:6b:74:72:f8:cf:0b:d0:bf:b4:de:
                    e6:5c:2e:90:66:b8:00:db:aa:bd:92:50:3f:eb:f4:
                    ef:75:ab:98:de:40:1e:0e:8e:c4:77:40:43:ae:d7:
                    81:36:56:f0:6f:c8:07:a0:0f:95:7b:f2:b3:b3:f7:
                    b3:e7:cf:31:b7:16:38:45:a6:be:36:84:61:27:e3:
                    5f:40:e1:29:d4:3b:97:6a:5d:1f:11:c7:85:ec:8b:
                    39:cb:50:d7:69:fa:c3:ef:fa:24:ff:e3:f8:a3:2d:
                    f2:87:e2:ce:66:d3:ae:12:5c:61:9f:e4:d3:f4:56:
                    e7:9f:9b:45:19:14:a7:54:56:92:11:df:55:5b:63:
                    82:4d:33:52:78:92:16:ed:44:d8:96:5d:cd:c9:34:
                    29:e1:e3:13:70:2f:72:ea:37:30:cb:c9:5a:d4:68:
                    33:4a:be:56:76:f9:45:9c:3b:17:3b:ab:99:53:9f:
                    32:6c:82:c5:d1:a8:1d:ba:6b:92:f9:7e:e4:54:10:
                    cf:93:6d:b9:d2:38:b0:de:eb:28:90:05:d4:39:6f:
                    0a:00:d8:0a:a6:f8:48:6f:31:8e:05:ec:ac:e1:af:
                    f7:63:59:9a:ff:98:15:3e:fe:08:b5:0b:35:b3:20:
                    c3:a9:b4:3c:83:ed:b5:86:77:8a:4c:27:db:df:0a:
                    f7:86:40:0a:08:47:1f:1f:e2:4e:d2:0b:e8:67:fd:
                    c5:89:58:1a:c6:d1:75:4f:1e:ba:06:4d:ef:c6:7d:
                    d5:48:97:92:4e:73:90:23:85:04:29:00:15:c4:02:
                    d3:75:00:fc:cd:c4:33:70:58:eb:0c:43:c2:dd:25:
                    87:bf:af:5c:fe:93:19:d8:72:ee:a7:2b:84:8b:b7:
                    b7:71:e7:21:04:f3:cc:2e:58:28:33:65:69:57:b2:
                    1b:30:7e:6d:4a:61:31:1b:a9:4e:e1:42:18:8e:90:
                    85:24:b7:37:46:06:f6:32:39:b5:b6:f0:aa:8f:b7:
                    c3:34:bb:20:03:b8:0b:a8:6c:0a:5f:48:35:65:5a:
                    bb:fa:a6:b0:f4:36:69:81:6c:44:59:ca:57:f6:aa:
                    9e:42:cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
    Signature Algorithm: ripemd160WithRSA
         ba:30:05:04:da:7a:f1:ba:91:cc:11:40:dc:21:5b:be:fd:ad:
         e4:3a:70:0e:6e:04:c7:d5:59:3c:03:a0:5b:95:8f:0d:1f:c7:
         02:52:0b:0e:32:51:cb:92:11:9a:95:d6:ca:94:1d:9c:ef:2b:
         21:bb:c8:9b:8f:50:06:b6:7b:8c:a4:3a:8f:b6:c4:d3:71:17:
         39:a1:95:fd:48:36:ee:32:3c:7e:d0:1b:92:78:b0:c2:5b:9a:
         df:e9:e4:74:93:50:e4:63:14:0f:68:0f:4b:9f:fa:13:96:ab:
         53:74:47:7f:14:e1:15:00:05:ed:5b:6e:a8:de:46:82:2f:14:
         75:45:2c:22:76:19:91:63:89:f9:62:88:26:66:50:b8:c5:ff:
         41:6e:fb:d8:dc:f1:dd:47:c3:97:19:47:b2:31:aa:16:b6:7a:
         f5:d0:6a:bb:bc:8c:e6:a8:8d:41:4a:0f:59:bf:9d:97:54:50:
         d5:c6:93:13:58:45:ef:26:8e:de:d2:1b:77:0c:20:1e:9c:85:
         b7:fd:f4:96:e0:ba:f8:62:e2:0a:53:51:eb:b1:83:d4:6c:66:
         68:75:61:cc:a3:7d:82:9c:dc:a7:1e:86:20:c5:7b:ed:fe:91:
         1e:37:4e:3b:c7:92:07:f8:7e:7a:5b:11:76:4e:c0:7e:5f:2e:
         8d:43:cd:5b:66:84:17:1a:12:8c:1f:aa:24:1d:b5:82:db:2f:
         aa:ad:4b:7a:82:3f:e0:fd:d7:73:8c:74:37:f7:96:3e:b0:65:
         76:ce:78:f5:12:46:35:ec:91:a9:30:4f:fc:f5:22:44:3c:83:
         f5:81:28:05:9e:e2:3a:67:d4:d1:4d:db:28:f1:3e:40:90:00:
         1e:ac:c5:15:48:5a:df:5e:d3:dc:4c:9d:2a:ad:7b:07:1e:dd:
         cd:f5:ca:c4:c7:13:b6:10:47:c7:dc:38:f9:ea:a4:5d:f1:5c:
         5b:10:bb:9e:09:14:54:c0:c4:23:36:9d:9a:4b:d1:40:3c:3e:
         e7:77:be:a9:bf:10:4e:1a:47:a3:91:9d:ae:37:08:93:c8:c0:
         5a:64:a9:a7:ed:c9:8a:61:de:01:47:c3:1c:aa:b3:7b:fc:15:
         9d:aa:88:5f:32:01:41:ae:d4:a3:01:5b:86:24:80:b7:18:36:
         bd:de:b5:f6:af:c6:a2:d6:1a:05:13:5e:8f:47:a6:da:b0:c0:
         fe:87:10:b5:23:d6:30:29:c9:29:75:5c:31:79:f7:f9:a3:05:
         ae:d3:d0:68:53:79:cd:b4:db:4d:cd:6c:fc:b2:04:4e:4a:9e:
         08:e4:07:de:37:3f:1f:a2:23:1e:80:7b:e3:83:5f:6b:2e:0c:
         73:23:88:ce:09:31:1d:a8

Archos

Apr 6, 2013, 5:58:56 PM4/6/13
to golan...@googlegroups.com
The RIPEMD hash function is not the source of the issue.
The OpenSSL help is not very good, but in the end I could fix it by adding "subjectAltName" to the "v3_req" section:

***

[ v3_req ]
basicConstraints = CA:FALSE
subjectAltName = @alt_names

[ alt_names ]

IP.1 = 192.168.1.100
IP.2 = 127.0.0.1
***

Although now the error is: "x509: certificate signed by unknown authority". And I am not going to pay a third party...
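Both errors in this thread come from the Go client's certificate validation, and both have a defender-side fix that does not involve disabling verification. The first one appeared because the original OpenSSL config put subjectAltName under [ req_ext ], a section nothing referenced: req_extensions and x509_extensions both point at v3_req, so the [ alt_names ] list never made it into the certificate, exactly as the openssl x509 -text dump above shows (a Basic Constraints extension, no Subject Alternative Name). The second one, "certificate signed by unknown authority", is the client saying the self-signed certificate is not in its trust store; the fix is to hand that certificate to the client as its root (tls.Config{RootCAs: ...}), not to buy a CA-issued one and not to set InsecureSkipVerify. The program below is an added example written for this thread, not code from the original posts or from the linked repository. It uses Go's crypto/x509 in place of OpenSSL to generate the certificates in memory; makeSelfSigned, hostnameErr and verifyChain are hypothetical helper names, and the CN "fenix" and the two IP addresses are the values from the thread's config.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeSelfSigned builds a self-signed server certificate for commonName and
// puts ips into the certificate's IP SANs (none when ips is empty). Hypothetical
// helper written for this example; it stands in for the openssl req command.
func makeSelfSigned(commonName string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // emits "CA:FALSE", as the thread's v3_req does
		IPAddresses:           ips,  // the IP SAN list the client error is about
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameErr returns the name-matching error a Go TLS client would report for
// addr, or "" when the certificate covers that address.
func hostnameErr(cert *x509.Certificate, addr string) string {
	if err := cert.VerifyHostname(addr); err != nil {
		return err.Error()
	}
	return ""
}

// verifyChain does what crypto/tls does after the handshake: build a chain to a
// trusted root and then check the name. roots is the client's trust store.
func verifyChain(cert *x509.Certificate, addr string, roots *x509.CertPool) string {
	if _, err := cert.Verify(x509.VerifyOptions{DNSName: addr, Roots: roots}); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	// 1. Certificate carrying only CN=fenix: reproduces the first error in the thread.
	noSAN, err := makeSelfSigned("fenix", nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("no IP SANs  :", hostnameErr(noSAN, "127.0.0.1"))

	// 2. Same certificate with the two IP SANs from the thread's alt_names section.
	ips := []net.IP{net.ParseIP("192.168.1.100"), net.ParseIP("127.0.0.1")}
	withSAN, err := makeSelfSigned("fenix", ips)
	if err != nil {
		panic(err)
	}
	fmt.Printf("with IP SANs: %q\n", hostnameErr(withSAN, "127.0.0.1"))

	// 3. The second error: the self-signed certificate is not in the client's trust store.
	fmt.Println("empty roots :", verifyChain(withSAN, "127.0.0.1", x509.NewCertPool()))

	// 4. Fix: make the self-signed certificate the client's only root
	//    (tls.Config{RootCAs: roots}) instead of setting InsecureSkipVerify.
	roots := x509.NewCertPool()
	roots.AddCert(withSAN)
	fmt.Printf("pinned root : %q\n", verifyChain(withSAN, "127.0.0.1", roots))
}
```

Step 1 prints the thread's exact client message, because Go refuses to match an IP address against the Common Name at all: an IP must appear in the SAN extension. Step 3 prints "x509: certificate signed by unknown authority" for the very same certificate that passes the name check, which is why fixing the SAN only moved the problem. Pinning the self-signed certificate as the client's root (step 4) is the right answer for a private service; it also means the client rejects any other certificate for 127.0.0.1, which a globally trusted CA would not give you.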