openssl error due to openssl.cnf.tmpl file provided by OpenStack

Bug #724317 reported by Philippe Berthault
This bug affects 7 people
Affects: OpenStack Compute (nova) | Status: Fix Released | Importance: Medium | Assigned to: Dan Prince

Bug Description

The command line "nova-manage project zipfile ..." generates an exception and returns the following message:
Unexpected error while running command.
Command: openssl ca -batch -out /tmp/tmpIYutU2/outbound.csr -config ./openssl.cnf -infiles /tmp/tmpIYutU2/inbound.csr
Exit code: 1
Stdout: ''
Stderr: "Using configuration from ./openssl.cnf\nCheck that the request matches the signature\nSignature ok\nThe Subject's Distinguished Name is as follows\ncountryName :PRINTABLE:'US'\nstateOrProvinceName :ASN.1 12:'California'\nlocalityName :ASN.1 12:'MountainView'\norganizationName :ASN.1 12:'AnsoLabs'\norganizationalUnitName:ASN.1 12:'NovaDev'\ncommonName :ASN.1 12:'admin-admin-2011-02-24T13:46:26Z'\nThe stateOrProvinceName field needed to be the same in the\nCA certificate (California) and the request (California)\n"
The above error may show that the certificate db has not been created.
Please create a database by running a nova-api server on this host.

By running the openssl command from the CA directory of OpenStack, I get the same error:
[root]# openssl ca -config openssl.cnf -infiles ../inboud.csr
Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :ASN.1 12:'California'
localityName :ASN.1 12:'MountainView'
organizationName :ASN.1 12:'AnsoLabs'
organizationalUnitName:ASN.1 12:'NovaDev'
commonName :ASN.1 12:'admin-admin-2011-02-24T13:05:13Z'
The stateOrProvinceName field needed to be the same in the
CA certificate (California) and the request (California)

The problem comes from the openssl.cnf template file provided by OpenStack which contains:
    countryName = match
    stateOrProvinceName = match

This policy is too restrictive and generates the previous error.

By replacing this policy by:
    countryName = supplied
    stateOrProvinceName = optional
in the openssl.cnf file, the "nova-manage project zipfile ..." command line is OK.
So I suggest specifying these values in the openssl.cnf.tmpl file.


Vish Ishaya (vishvananda) wrote : Re: [Bug 724317] [NEW] openssl error due to openssl.cnf.tmpl file provided by OpenStack

This is only an issue in the new version of openssl, it would be nice to figure out why California doesn't match California (perhaps one is unicode), although it makes sense to put in this workaround in the meantime.

Vish

On Feb 24, 2011, at 5:45 AM, Philippe Berthault wrote:

> Public bug reported:
...


Thierry Carrez (ttx) wrote :

Seems to be an interoperability issue:
http://rt.openssl.org/Ticket/Display.html?id=2378&user=guest&pass=guest

Just to make sure, Philippe could you confirm what version of OpenSSL you're using and post the output of:
openssl x509 -noout -subject -nameopt show_type,sep_multiline -in FILE | grep ST
for FILE=/var/lib/nova/CA/cacert.pem and FILE=your.csr ?

Changed in nova:
status: New → Incomplete
Thierry Carrez (ttx) wrote :

@Philippe: any chance you could provide the requested information? We can't really make progress on this without your input.

Andrey Brindeyev (abrindeyev) wrote :

Just my $0.02: I have that problem with openssl-1.0.0-4.el6.x86_64 in RHEL6.

Here is my workaround for Nova: https://github.com/abrindeyev/openstack-nova-rhel6/blob/master/SOURCES/openstack-nova-openssl-relaxed-policy.patch

Dan Prince (dan-prince)
Changed in nova:
assignee: nobody → Dan Prince (dan-prince)
status: Incomplete → In Progress
Dan Prince (dan-prince) wrote :

I was able to reproduce this on my Fedora 14 workstation using 'run_tests.sh -N test_auth'.

[dan.prince@dovetail CA]$ openssl ca -batch -out /tmp/tmpYM2x64/outbound.csr -config ./openssl.cnf -infiles /tmp/tmpYM2x64/inbound.csr
Using configuration from ./openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :ASN.1 12:'California'
localityName :ASN.1 12:'MountainView'
organizationName :ASN.1 12:'AnsoLabs'
organizationalUnitName:ASN.1 12:'NovaDev'
commonName :ASN.1 12:'testproj-test1-2011-04-08T16:28:00Z'
The stateOrProvinceName field needed to be the same in the
CA certificate (California) and the request (California)
---

Here is the output for the certificate and the request:

[dan.prince@dovetail CA]$ openssl x509 -noout -subject -nameopt show_type,sep_multiline -in cacert.pem
subject=
    O=PRINTABLESTRING:NOVA ROOT
    L=PRINTABLESTRING:Mountain View
    ST=PRINTABLESTRING:California
    C=PRINTABLESTRING:US

[dan.prince@dovetail CA]$ openssl req -noout -subject -nameopt show_type,sep_multiline -in /tmp/tmpYM2x64/inbound.csr
subject=
    C=PRINTABLESTRING:US
    ST=UTF8STRING:California
    L=UTF8STRING:MountainView
    O=UTF8STRING:AnsoLabs
    OU=UTF8STRING:NovaDev
    CN=UTF8STRING:testproj-test1-2011-04-08T16:28:00Z

The auth tests which generate x509 certificates both failed.

Setting the stateOrProvinceName = 'supplied' resolved the issue and allows both tests to pass. I'm not sure we have a better way of working around this issue in nova for now. The proposed fix seems safe enough for now. I'll push a branch with the fix with a note about this issue in the openssl template file as well.
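Dan's output above shows the two subjects carry the same text but different ASN.1 string types (PRINTABLESTRING in the CA certificate, UTF8STRING in the request). The following diagnostic script is an added example, not part of nova or of this thread: it parses the `-nameopt show_type,sep_multiline` subject output (embedded here as constructed samples copied from the comment) and evaluates the `policy` section both as shipped in the template and as relaxed by the fix. It assumes that `match` compares the string type as well as the text, which is what the error reported on this page indicates.

```python
import re

# Constructed samples: subject output of
#   openssl x509 -noout -subject -nameopt show_type,sep_multiline -in cacert.pem
#   openssl req  -noout -subject -nameopt show_type,sep_multiline -in inbound.csr
CA_SUBJECT = """subject=
    O=PRINTABLESTRING:NOVA ROOT
    L=PRINTABLESTRING:Mountain View
    ST=PRINTABLESTRING:California
    C=PRINTABLESTRING:US
"""
CSR_SUBJECT = """subject=
    C=PRINTABLESTRING:US
    ST=UTF8STRING:California
    L=UTF8STRING:MountainView
    O=UTF8STRING:AnsoLabs
    OU=UTF8STRING:NovaDev
    CN=UTF8STRING:testproj-test1-2011-04-08T16:28:00Z
"""

# The policy section of openssl.cnf.tmpl before and after the fix.
STRICT_POLICY = {"C": "match", "ST": "match"}
RELAXED_POLICY = {"C": "supplied", "ST": "optional"}

LINE_RE = re.compile(r"^\s*(\w+)=(\w+):(.*)$")


def parse_subject(text):
    """Return {short_name: (asn1_type, value)} from show_type,sep_multiline output."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, asn1_type, value = m.groups()
            fields[name] = (asn1_type, value)
    return fields


def check_policy(policy, ca, csr, strict_type=True):
    """Apply an 'openssl ca' policy: 'match' needs the same value as the CA
    cert (and, assumed here, the same ASN.1 type), 'supplied' needs the field
    in the request, 'optional' accepts anything. Returns a list of problems;
    an empty list means the request would be signed."""
    problems = []
    for name, rule in policy.items():
        if rule == "optional":
            continue
        if rule == "supplied":
            if name not in csr:
                problems.append(f"{name}: required but missing from request")
            continue
        if rule != "match":
            raise ValueError(f"unknown policy rule {rule!r} for {name}")
        if name not in csr or name not in ca:
            problems.append(f"{name}: must be present in both CA cert and request")
            continue
        (ca_type, ca_val), (csr_type, csr_val) = ca[name], csr[name]
        if ca_val != csr_val:
            problems.append(f"{name}: {ca_val!r} != {csr_val!r}")
        elif strict_type and ca_type != csr_type:
            problems.append(f"{name}: same text {ca_val!r} but {ca_type} vs {csr_type}")
    return problems
```

Running `check_policy(STRICT_POLICY, ...)` on the samples reports only `ST`, with identical text but differing string types; the relaxed policy reports nothing.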

Thierry Carrez (ttx)
Changed in nova:
importance: Undecided → Medium
milestone: none → cactus-rc
Dan Prince (dan-prince)
Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: cactus-rc → 2011.2
status: Fix Committed → Fix Released