thanks! (and sorry for the delay) On March 31, 2023 6:12 pm, Mira Limbeck wrote: > According to rfc2986 the only valid version is 0. No newer rfc changed > that. > See section 4.1: > https://www.rfc-editor.org/rfc/rfc2986#section-4.1 > > Manually verifying the CSR with openssl results in the following error: > ``` > $ openssl req -in bad.csr -text -noout > Certificate Request: > Data: > Version: Unknown (2) > ``` > > Signed-off-by: Mira Limbeck <m.limb...@proxmox.com> > --- > I wasn't able to create a test setup where I could test this yet, will > try again on monday. > > Stoiko tested it on his setup with Let's Encrypt Staging and it worked > fine. Although he didn't extract the CSR to verify it. > > A customer reported the issue in the enterprise support portal and > provided the fix as well. > > src/PVE/Certificate.pm | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm > index 4ce7364..f67f6cd 100644 > --- a/src/PVE/Certificate.pm > +++ b/src/PVE/Certificate.pm > @@ -430,7 +430,7 @@ sub generate_csr { > > $cleanup->("Failed to set public key\n") if > !Net::SSLeay::X509_REQ_set_pubkey($req, $pk); > > - $cleanup->("Failed to set CSR version\n") if > !Net::SSLeay::X509_REQ_set_version($req, 2); > + $cleanup->("Failed to set CSR version\n") if > !Net::SSLeay::X509_REQ_set_version($req, 0); > > $cleanup->("Failed to sign CSR\n") if !Net::SSLeay::X509_REQ_sign($req, > $pk, $md); > > -- > 2.30.2 > > > _______________________________________________ > pve-devel mailing list > pve-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > > >
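Review bot: The `0` passed to `Net::SSLeay::X509_REQ_set_version` on the added line is a bare literal with no comment, and the old `2` shows how easily the encoded value gets mistaken for a human-readable version number. A one-line comment above the call, for example `# RFC 2986 section 4.1: version is always 0 (v1)`, would keep the reason next to the code. The notes under the `---` also say the generated CSR was not extracted and checked, so it is worth running the `openssl req -in <csr> -text -noout` command from the commit message against a CSR produced by the patched `generate_csr` and confirming that `Version: Unknown (2)` no longer appears.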