openssl ca works, but with error messages

Robert Moskowitz rgm at htt-consult.com
Mon May 15 19:35:01 UTC 2023


David,

thank you for answering.

So ignore and eventually Fedora will get updated.  :)

On 5/15/23 14:12, David von Oheimb wrote:
> Hi Bob,
>
> the below weird behavior is due to minor bugs in certain situations 
> where the CA app looks for config file entries like "email_in_dn" that 
> are not present.
> Usually these (needless) error messages get discarded, but for 
> instance when both "default_startdate" and "default_enddate" are 
> given, this is not done so far.
> Fix is in https://github.com/openssl/openssl/pull/20971
>
> David
>
> On Sun, 2023-05-14 at 19:23 -0400, Robert Moskowitz wrote:
>> I am using:
>>
>> openssl ca -config $dir/openssl-root.cnf    -extensions v3_ca
>>
>> With customizations in the cnf.
>>
>> The command generates the cert to sign, but on doing that (or if I say
>> N) throws the errors:
>>
>> Certificate is to be certified until Jun  1 00:00:00 2024 GMT (385 days)
>> Sign the certificate? [y/n]:y
>> 402C4AD0637F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=CA_default name=email_in_dn
>> 402C4AD0637F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=CA_default name=rand_serial
>> 402C4AD0637F0000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=CA_default name=default_days
>>
>>
>> 1 out of 1 certificate requests certified, commit? [y/n]y
>> Write out database with 1 new entries
>> Data Base Updated
>>
>> I am using specific dates:
>>
>> default_startdate = $ENV::startdate
>> default_enddate   = $ENV::enddate
>>
>>          Validity
>>              Not Before: May  1 00:00:00 2023 GMT
>>              Not After : Jun  1 00:00:00 2024 GMT
>>
>> and it is getting the serial number
>>
>> serial            = $dir/serial
>>
>>          Serial Number:
>>              98:3f:27:9d:c7:3c:69:13
>>
>> And why complaining about email_in_dn?
>>
>> I do get the cert out, but why these errors and what should I be doing
>> about them?
>>
>> thanks
>>
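
An added example, not part of either message and not OpenSSL project code: a small Python parser for the error-queue lines quoted above. It rejoins wrapped entries and separates the `NCONF_get_string` "no value" lookups David describes from any other entry, which is the check to script when `openssl ca` output is monitored. The function names are hypothetical; the sample is the three entries from the quoted output.

```python
import re

# The three entries from the quoted message; line wrapping kept to exercise unwrap().
SAMPLE = """\
402C4AD0637F0000:error:0700006C:configuration file
routines:NCONF_get_string:no
value:crypto/conf/conf_lib.c:315:group=CA_default name=email_in_dn
402C4AD0637F0000:error:0700006C:configuration file
routines:NCONF_get_string:no
value:crypto/conf/conf_lib.c:315:group=CA_default name=rand_serial
402C4AD0637F0000:error:0700006C:configuration file
routines:NCONF_get_string:no
value:crypto/conf/conf_lib.c:315:group=CA_default name=default_days
"""

START = re.compile(r"^[0-9A-Fa-f]+:error:")
# thread id : "error" : code : library : function : reason : file : line : data
ENTRY = re.compile(
    r"^[0-9A-Fa-f]+:error:[0-9A-Fa-f]{8}:(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$")
DATA = re.compile(r"group=(?P<group>\S+) name=(?P<name>\S+)")

def unwrap(text):
    """Rejoin entries split across lines; a blank or unrelated line ends an entry."""
    entries, open_entry = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if START.match(line):
            entries.append(line)
            open_entry = True
        elif line and open_entry:
            entries[-1] += " " + line
        else:
            open_entry = False
    return entries

def missing_config_keys(text):
    """Return ([(group, name)] lookups that found no value, [all other entries])."""
    missing, other = [], []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        d = DATA.search(m.group("data")) if m else None
        if m and d and m["func"] == "NCONF_get_string" and m["reason"] == "no value":
            missing.append((d["group"], d["name"]))
        else:
            other.append(entry)
    return missing, other

if __name__ == "__main__":
    missing, other = missing_config_keys(SAMPLE)
    for group, name in missing:
        print(f"[{group}] {name}: not set in the config file")
    print(f"{len(other)} other error-queue entries need a closer look")
```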