This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Error Re-generating CA after 9.201 update

I noticed that Sophos has edited their KB article on heardbleed and is now asking for us to re-gen the CA before the certs? Great.... since I already had all users in the organization uninstall and re-install the VPN client. Would have been great to know two days ago when reading the old version of the KB.

I am getting an error while re-generating the CA. Any ideas? I see a reference to country code. All I can say with regards to this is the country is populated with Unites States in System Settings->Organization.

 127.0.0.1 MAIN > RAW
Switched to RAW mode.
                                                                                'UTMhostname', email=>'mailaddress@maildomain.com'})
Calling Confd function ca_generate_signing_ca({name=>'webadmin ca', key_size=>2048, country=>'CountryAcronym', state=>'StateName', city=>'CityName', organization=>'OrganizationName', common_name=>'UTMhostname', email=>'mailaddress@maildomain.com'})
result: 0
fatal: [
          {
            'Aattrs' => [
                          'class',
                          'type',
                          'attr'
                        ],
            'attr' => 'country',
            'attrs' => [
                         'maxlen'
                       ],
            'class' => 'ca',
            'fatal' => 1,
            'format' => 'Cannot create certificate: the %_A attribute must not be longer than %s bytes.',
            'maxlen' => 2,
            'msgtype' => 'CA_RDN_LENGTH',
            'name' => 'Cannot create certificate: the country attribute must not be longer than 2 bytes.',
            'never_hide' => 0,
            'type' => 'signing_ca'
          }
        ]
                                                                                'UTMhostname', email=>'mailaddress@maildomain.com'})
Calling Confd function ca_generate_signing_ca({name=>'webadmin ca', key_size=>2048, country=>'CountryAcronym', state=>'StateName', city=>'CityName', organization=>'OrganizationName', common_name=>'UTMhostname', email=>'mailaddress@maildomain.com'})
result: 0
fatal: [
          {
            'Aattrs' => [
                          'class',
                          'type',
                          'attr'
                        ],
            'attr' => 'country',
            'attrs' => [
                         'maxlen'
                       ],
            'class' => 'ca',
            'fatal' => 1,
            'format' => 'Cannot create certificate: the %_A attribute must not be longer than %s bytes.',
            'maxlen' => 2,
            'msgtype' => 'CA_RDN_LENGTH',
            'name' => 'Cannot create certificate: the country attribute must not be longer than 2 bytes.',
            'never_hide' => 0,
            'type' => 'signing_ca'
          }
        ]
                                                                                127.0.0.1 RAW >

This thread was automatically locked due to age.

Parents

0 brassardv over 11 years ago

Same error here with Canada in System Settings->Organization.
Do you think this change have impact on VPN ? not juste webadmin and portal ?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 brassardv over 11 years ago

Same error here with Canada in System Settings->Organization.
Do you think this change have impact on VPN ? not juste webadmin and portal ?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Jimstigator over 11 years ago in reply to brassardv

I mean... this is a pain in the ass to be honest. Sounds like it has an impact on EVERYTHING SSL related.

So I put the entire company up in arms 2 days ago, re-generated the certs based on the KB, then it changed and now recommends this step. I can definitely appreciate Sophos advising the proper steps, but its a bummer that we will likely have to re-generate all certs again, meaning all SSL VPN users will need to re-do the config yet again.

-Jim
Cancel
Vote Up 0 Vote Down

Cancel
0 Jimstigator over 11 years ago in reply to Jimstigator

For those with the same issue...

"The error you get is because you used a too long name in the country part of the command:

Quote:
country=>'CountryAcronym'
Valid country codes are US, DE and so on. I hope that helps."

Seems that you need to put in "US" as the country code. Also, another user stated that this step (command line) is only required for the Webadmin piece. So, if you already did the SSL VPN certs, and deployed, you should be ok. I am still waiting for confirmation on this.

-Jim
Cancel
Vote Up 0 Vote Down

Cancel
0 Jimstigator over 11 years ago in reply to Jimstigator

Another member, Mino, confirmed this step is only necessary for Webadmin.. thank god.

-Jim
Cancel
Vote Up 0 Vote Down

Cancel