Error generating certificate with OpenSSL to sign documents #3773

Calebestofel opened this issue Oct 4, 2024 · 6 comments
Labels
bug Something isn't working

Calebestofel commented Oct 4, 2024

Describe the bug
Can't get documents signed through the web application

To Reproduce
Steps to reproduce the behavior:

  • As admin
  • Upload document
  • Go to 'Files'
  • Click on a file
  • Click on Sign>Sign the document>Confirm
  • See error

Expected behavior
Document should be signed by the end of the steps

Screenshots
If applicable, add screenshots to help explain your problem.

Environment information (please complete the following information):

  • OS: Rocky Linux 9.4 (Blue Onyx)
  • Browser: Edge
  • LibreSign Version: 9.3.1
  • Nextcloud Server Version: 29.0.6.1
  • OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
  • PHP 8.3.11 (cli) (built: Aug 27 2024 19:16:34) (NTS gcc x86_64)
  • Log on /var/www/html/nextcloud/data/nextcloud.log:

{"reqId":"ZwAm2MlNNCnUvFjphbqV4gAAAAA","level":3,"time":"2024-10-04T17:33:12+00:00","remoteAddr":"127.0.0.1","user":"--","app":"PHP","method":"POST","url":"/ocs/v2.php/apps/libresign/api/v1/sign/uuid/1a2c53e0-e5f3-4edc-ba63-4e566806dc84","message":"openssl_csr_sign(): Failed to sign it at /var/www/html/nextcloud/apps/libresign/lib/Handler/CertificateEngine/OpenSslHandler.php#102","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0","version":"29.0.6.1","data":{"app":"PHP"}}


@Calebestofel Calebestofel added the bug Something isn't working label Oct 4, 2024
@github-project-automation github-project-automation bot moved this to 0. Needs triage in Roadmap Oct 4, 2024
@vitormattos vitormattos changed the title Error upon signing of documents on Libresign 9.3.1 Error generating certificate with OpenSSL to sign documents Oct 7, 2024
@vitormattos
Member

Could you try to bump your OpenSSL version and check again?

@JBBERLIN77

The same error here with us.

RHEL 9.4
Nextcloud 29.0.8
OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)
PHP 8.2.26 (cli) (built: Nov 19 2024 17:11:09) (NTS gcc x86_64)

@vitormattos
Member

vitormattos commented Nov 26, 2024

@JBBERLIN77 are you getting the same error in your log? I can't reproduce this; I don't have the same environment and don't have any customer with this problem to help us.

@JBBERLIN77

Yep, here are my two error messages:

The 1st:

{"reqId":"Z0Y1SQTUn8JfFzAuz1WKRgAAxg4","level":3,"time":"2024-11-26T21:53:29+01:00","remoteAddr":"-MY_IP_ADDRESS-","user":"-MY_NEXTCLOUD_ADMIN_USER-","app":"PHP","method":"POST","url":"/ocs/v2.php/apps/libresign/api/v1/account/signature","message":"openssl_csr_sign(): Failed to sign it at -MY_NEXTCLOUD_FOLDER-/apps/libresign/lib/Handler/CertificateEngine/OpenSslHandler.php#101","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","version":"29.0.8.1","data":{"app":"PHP"}}

and the 2nd:

{"reqId":"Z0Y1SQTUn8JfFzAuz1WKRgAAxg4","level":3,"time":"2024-11-26T21:53:29+01:00","remoteAddr":"-MY_IP_ADDRESS-","user":"-MY_NEXTCLOUD_ADMIN_USER-","app":"no app in context","method":"POST","url":"/ocs/v2.php/apps/libresign/api/v1/account/signature","message":"OCA\\Libresign\\Handler\\CertificateEngine\\AEngineHandler::exportToPkcs12(): Argument #1 ($certificate) must be of type OpenSSLCertificate|string, bool given, called in -MY_NEXTCLOUD_FOLDER-/apps/libresign/lib/Handler/CertificateEngine/OpenSslHandler.php on line 107 in file '-MY_NEXTCLOUD_FOLDER-/apps/libresign/lib/Handler/CertificateEngine/AEngineHandler.php' line 89","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","version":"29.0.8.1","exception":{"Exception":"Exception","Message":"OCA\\Libresign\\Handler\\CertificateEngine\\AEngineHandler::exportToPkcs12(): Argument #1 ($certificate) must be of type OpenSSLCertificate|string, bool given, called in -MY_NEXTCLOUD_FOLDER-/apps/libresign/lib/Handler/CertificateEngine/OpenSslHandler.php on line 107 in file '-MY_NEXTCLOUD_FOLDER-/apps/libresign/lib/Handler/CertificateEngine/AEngineHandler.php' line 89","Code":0,"Trace":[{"file":"-MY_NEXTCLOUD_FOLDER-/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"-MY_NEXTCLOUD_FOLDER-/lib/private/Route/Router.php","line":331,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"-MY_NEXTCLOUD_FOLDER-/ocs/v1.php","line":66,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"-MY_NEXTCLOUD_FOLDER-/ocs/v2.php","line":23,"args":["-MY_NEXTCLOUD_FOLDER-/ocs/v1.php"],"function":"require_once"}],"File":"-MY_NEXTCLOUD_FOLDER-/lib/private/AppFramework/Http/Dispatcher.php","Line":170,"Previous":{"Exception":"TypeError","Message":"OCA\\Libresign\\Handler\\CertificateEngine\\AEngineHandler::exportToPkcs12(): Argument #1 ($certificate) 
must be of type OpenSSLCertificate|string, bool given, called in -MY_NEXTCLOUD_FOLDER-/apps/libresign/lib/Handler/CertificateEngine/OpenSslHandler.php on line 107","Code":0,"Trace":[{"file":"-MY_NEXTCLOUD_FOLDER-/apps/libresign/lib/Handler/CertificateEngine/OpenSslHandler.php","line":107,"function":"exportToPkcs12","class":"OCA\\Libresign\\Handler\\CertificateEngine\\AEngineHandler","type":"->"},{"file":"-MY_NEXTCLOUD_FOLDER-/apps/libresign/lib/Handler/Pkcs12Handler.php","line":172,"function":"generateCertificate","class":"OCA\\Libresign\\Handler\\CertificateEngine\\OpenSslHandler","type":"->"},{"file":"-MY_NEXTCLOUD_FOLDER-/apps/libresign/lib/Controller/AccountController.php","line":186,"function":"generateCertificate","class":"OCA\\Libresign\\Handler\\Pkcs12Handler","type":"->"},{"file":"-MY_NEXTCLOUD_FOLDER-/lib/private/AppFramework/Http/Dispatcher.php","line":232,"function":"signatureGenerate","class":"OCA\\Libresign\\Controller\\AccountController","type":"->"},{"file":"-MY_NEXTCLOUD_FOLDER-/lib/private/AppFramework/Http/Dispatcher.php","line":138,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"-MY_NEXTCLOUD_FOLDER-/lib/private/AppFramework/App.php","line":184,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"-MY_NEXTCLOUD_FOLDER-/lib/private/Route/Router.php","line":331,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"-MY_NEXTCLOUD_FOLDER-/ocs/v1.php","line":66,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"-MY_NEXTCLOUD_FOLDER-/ocs/v2.php","line":23,"args":["-MY_NEXTCLOUD_FOLDER-/ocs/v1.php"],"function":"require_once"}],"File":"-MY_NEXTCLOUD_FOLDER-/apps/libresign/lib/Handler/CertificateEngine/AEngineHandler.php","Line":89},"message":"OCA\\Libresign\\Handler\\CertificateEngine\\AEngineHandler::exportToPkcs12(): Argument #1 ($certificate) must be of type OpenSSLCertificate|string, bool given, called in 
-MY_NEXTCLOUD_FOLDER-/apps/libresign/lib/Handler/CertificateEngine/OpenSslHandler.php on line 107 in file '-MY_NEXTCLOUD_FOLDER-/apps/libresign/lib/Handler/CertificateEngine/AEngineHandler.php' line 89","exception":{},"CustomMessage":"OCA\\Libresign\\Handler\\CertificateEngine\\AEngineHandler::exportToPkcs12(): Argument #1 ($certificate) must be of type OpenSSLCertificate|string, bool given, called in -MY_NEXTCLOUD_FOLDER-/apps/libresign/lib/Handler/CertificateEngine/OpenSslHandler.php on line 107 in file '-MY_NEXTCLOUD_FOLDER-/apps/libresign/lib/Handler/CertificateEngine/AEngineHandler.php' line 89"}}

@JBBERLIN77

I have investigated this issue further and I think the problem is with RHEL 9 / Rocky Linux 9 and how OpenSSL handles the certificates on the OS.

OpenSSL tries to write the user certificates in /etc/pki/CA/certs, where the apache user (www user) has no write access (which is correct).

@vitormattos
Member

I didn't check the C code of the OpenSSL PHP extension, but the function openssl_csr_new creates the certificate in memory, and the function openssl_csr_sign does the same.

The point of the LibreSign code is this:

    $csr = openssl_csr_new($this->getCsrNames(), $privateKey);
    $x509 = openssl_csr_sign($csr, $rootCertificate, $rootPrivateKey, 365, [
        'config' => $temporaryFile,
        // This will set "basicConstraints" to CA:FALSE, the default is CA:TRUE
        // The signer certificate is not a Certificate Authority
        'x509_extensions' => 'v3_req',
    ]);
    return parent::exportToPkcs12($x509, $privateKey);

A possible way to check what's happening is by debugging the code execution step by step, but it is necessary to do this in an environment similar to the one you are using.
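
The second log entry in this thread shows `exportToPkcs12()` receiving `bool`, which is the `false` returned by `openssl_csr_sign()` being passed straight on. As an added example (not LibreSign code and not written by any participant in this thread), the PHP below checks the return value and reports OpenSSL's queued error reasons; `signCsrOrFail`, `drainOpenSslErrors`, the config contents and the certificate names are hypothetical and constructed for the demo.

```php
<?php
/** Empty OpenSSL's error queue and return what was in it. */
function drainOpenSslErrors(): array
{
    $errors = [];
    while (($msg = openssl_error_string()) !== false) {
        $errors[] = $msg;
    }
    return $errors;
}

/** Hypothetical wrapper (not LibreSign code): never hand `false` to the PKCS#12 export. */
function signCsrOrFail($csr, $caCert, $caKey, int $days, array $options): OpenSSLCertificate
{
    drainOpenSslErrors(); // stale entries would otherwise be misread as the cause
    $x509 = @openssl_csr_sign($csr, $caCert, $caKey, $days, $options);
    if ($x509 === false) {
        $why = implode(' | ', drainOpenSslErrors()) ?: 'nothing queued';
        throw new RuntimeException("openssl_csr_sign() failed: $why");
    }
    return $x509;
}
// Constructed demo data: throwaway keys and a minimal config file.
$cnf = tempnam(sys_get_temp_dir(), 'cnf');
file_put_contents($cnf, <<<CNF
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
[ v3_req ]
basicConstraints = CA:FALSE
CNF);
$base = ['config' => $cnf, 'private_key_bits' => 2048, 'digest_alg' => 'sha256'];
$rootKey  = openssl_pkey_new($base);
$rootCsr  = openssl_csr_new(['commonName' => 'Constructed Root'], $rootKey, $base);
$rootCert = signCsrOrFail($rootCsr, null, $rootKey, 365, $base + ['x509_extensions' => 'v3_ca']);
$key  = openssl_pkey_new($base);
$csr  = openssl_csr_new(['commonName' => 'Constructed Signer'], $key, $base);
$x509 = signCsrOrFail($csr, $rootCert, $rootKey, 365, $base + ['x509_extensions' => 'v3_req']);
echo 'signed: ', openssl_x509_parse($x509)['subject']['CN'], PHP_EOL;
try { // an extension section missing from the config makes the call return false
    signCsrOrFail($csr, $rootCert, $rootKey, 365, $base + ['x509_extensions' => 'no_such_section']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
unlink($cnf);
```

Running it as the web server user on the affected host exercises the same OpenSSL library and file permissions as the failing request.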
