[pve-devel] [PATCH common] cert: fix invalid CSR version

Mira Limbeck m.limbeck at proxmox.com
Fri Mar 31 18:12:24 CEST 2023

According to rfc2986 the only valid version is 0. No newer rfc changed
See section 4.1:

Manually verifying the CSR with openssl results in the following error:
$ openssl req -in bad.csr -text -noout
Certificate Request:
        Version: Unknown (2)

Signed-off-by: Mira Limbeck <m.limbeck at proxmox.com>
I wasn't able to create a test setup where I could test this yet, will
try again on monday.

Stoiko tested it on his setup with Let's Encrypt Staging and it worked
fine. Although he didn't extract the CSR to verify it.

A customer reported the issue in the enterprise support portal and
provided the fix as well.

 src/PVE/Certificate.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PVE/Certificate.pm b/src/PVE/Certificate.pm
index 4ce7364..f67f6cd 100644
--- a/src/PVE/Certificate.pm
+++ b/src/PVE/Certificate.pm
@@ -430,7 +430,7 @@ sub generate_csr {
     $cleanup->("Failed to set public key\n") if !Net::SSLeay::X509_REQ_set_pubkey($req, $pk);
-    $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 2);
+    $cleanup->("Failed to set CSR version\n") if !Net::SSLeay::X509_REQ_set_version($req, 0);
     $cleanup->("Failed to sign CSR\n") if !Net::SSLeay::X509_REQ_sign($req, $pk, $md);

More information about the pve-devel mailing list