State field in the CSR form in Store

Discussion in 'Troubleshooting' started by galaxy, Aug 5, 2016.

  1. galaxy

    galaxy Mega Poster

    Messages:
    239
    I'm writing my own plug-in, which is almost complete.
    It appears I'm at a stumbling block now where the CSR form supplied with OBAS has a bug.

    In the template:

    /var/opt/hspc-root/template/HSPC/SSL/base_ssl_csr.tmpl

    The state is spelled out correctly on the form, but when you submit it and the CSR is generated, it replaces the full state name with the 2-letter abbreviation, which is incorrect.
    In the CSR, the state must be spelled out, not the abbreviation.

    So the options are given by the function: geo_get_states()
    which is passed to the template item_edit_combo.tmpl, which uses JavaScript to set the value to the 2-letter abbreviation.

    How can we force it to use the full state name?
    This is required by Symantec, otherwise they return an error and won't accept the CSR.

    Then when uploading your own certificate, it keeps coming back with:

    The fields that are filled incorrectly, are highlighted:

    but there are no fields highlighted, and all required fields are filled in.

    I did notice that after you enter the CSR and leave the field, it fills in/updates the CSR details view below it and that the "State/Locality" field is missing.
     
    Last edited: Aug 5, 2016
  2. Vadim Ivanov

    Vadim Ivanov Kilo Poster

    Messages:
    36
    Dear galaxy,

    OBAS always uses a two-letter code for the states of the USA and Canada to generate the CSR. The full name of the state is used only for display in the form. For other countries the state field is used as is.
    To convert the coded state name to the full name of the USA/Canada state, you can import the geo_get_state_name() function from the HSPC::pluginToolkit::General module. Maybe you have to use the Symantec API to generate the CSR.
     
  3. galaxy

    galaxy Mega Poster

    Messages:
    239
    OK, so you confirm that it is a bug in OBAS. The CSR must NOT abbreviate the state, and in fact Symantec rejects it now.

    Here are the requirements from GeoTrust: https://www.geotrust.com/resources/csr/apache_raven.htm
    Here's for RapidSSL: https://knowledge.rapidssl.com/supp.../index?page=content&actp=CROSSLINK&id=SO16317
    And Symantec: https://knowledge.symantec.com/support/mpki-support/index?page=content&id=SO7289

    Notice they all say to not abbreviate. I spoke to the vendor and they said that's why Symantec rejected the CSR.
     
  4. galaxy

    galaxy Mega Poster

    Messages:
    239
    Bypassing OBAS creating the CSR, I used Plesk to generate the CSR and enter it.
    Plesk generates a valid CSR; I had it checked on Symantec, Certlogik and the ssl store. They all say it's good.
    However as I stated above, when I upload the CSR directly, the store gives the error "The fields that are filled incorrect, are highlighted" and no fields are highlighted.
    I noticed in the CSR details there was no state, and adding debug information into the store code I see that the call to 'validate_cert_form' back to OBAS returns a result stating:

    ["ssl_csr_state"]=>\n string(19) "State (in CSR file)"

    So it appears the OBAS validation of the CSR is not correct (perhaps it's looking for a two-letter state?)

    Just for kicks, I tried putting an invalid certificate replacing the state "New Jersey" with "NJ", and now OBAS accepts it (but Symantec rejects it).
    It (OBAS) rejects it when the state is spelled out as required.

    So it looks like there's a bug in the store code as well as the OBAS validation code.
     
  5. galaxy

    galaxy Mega Poster

    Messages:
    239
    I've been able to bypass the store check of the CSR, as I know the CSR is valid, however I get rejected down the line:

    [hspc_functions.php::handle_soap_error, line 1439] FaultString => 'ssl_hash' did not pass validation! The following fields are invalid: State (in CSR file)

    So I guess I'm stuck until we have a patch for OBAS. Has anyone been able to get valid SSL certificates through OBAS?
    Having a 2-letter abbreviation in the state field is not considered a valid CSR or certificate, even though some vendors have issued them.
    It appears they're cracking down on the practice and starting to validate the CSR more rigorously.
     
  6. galaxy

    galaxy Mega Poster

    Messages:
    239
    Just curious, is this something I can work around? To bypass these validations and put a certificate through?
    Or will I have to wait on a patch or new release?

    I know how to bypass it from the store side, but if OBAS itself rejects it then it won't create the order.
     
  7. Vadim Ivanov

    Vadim Ivanov Kilo Poster

    Messages:
    36
    I think it is possible to prepare a patch.
    Please contact support team.
     
  8. galaxy

    galaxy Mega Poster

    Messages:
    239
    I can't submit a bug report. It forces me to buy a support incident. Is there an email I can send it to?
    I'm *not* going to purchase an incident (regardless of any credit back), to fix a bug. I'd switch to WHM/cPanel first.
     
  9. dkolvakh

    dkolvakh Odin Team

    Messages:
    309
    Hello.
    As some kind of exception, we have prepared a hotfix for this issue. Please find the RPMs attached below, and choose the appropriate platform before installing.

    Also, please provide feedback.
     

    Attached Files:

  10. galaxy

    galaxy Mega Poster

    Messages:
    239
    I was doing a diff on the store templates and didn't see any changes.
    Has the problem with CSR generation using 2-letter state abbreviations been fixed?

    EDIT: yes, looks good. I see the store side didn't change, i.e. it still sends a 2-letter abbreviation, but the backend swaps it before performing the CSR generation, so the CSR has the full state name in it.

    Thank you so much.
     
    Last edited: Aug 15, 2016
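
The check discussed in this thread (is the State field inside a CSR a full name or a 2-letter code?) can be run locally before a request goes to the CA. The following is an added example, not code from the thread or from OBAS: a standard-library DER walk over a PKCS#10 request, where `csr_state`, `state_problem` and `sample_csr` are hypothetical names and the sample request is constructed with a dummy key and signature.

```python
import base64
import re

def _tlv(buf, pos=0):  # read one DER element: (tag, content, next offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _children(content):  # yield (tag, content) for each element nested in content
    pos = 0
    while pos < len(content):
        tag, body, pos = _tlv(content, pos)
        yield tag, body

def csr_state(pem):
    """Return stateOrProvinceName from a PEM PKCS#10 request, or None if absent."""
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)-----END", pem, re.S)
    if not m:
        raise ValueError("no CSR PEM block found")
    info = _tlv(_tlv(base64.b64decode(m.group(1)))[1])[1]  # Request -> RequestInfo
    subject = list(_children(info))[1][1]  # element 0 is version, 1 is the subject Name
    for _, rdn in _children(subject):      # Name is a sequence of RDN sets
        for _, atv in _children(rdn):      # each holds AttributeTypeAndValue pairs
            (_, oid), (vtag, value) = list(_children(atv))[:2]
            if oid == b"\x55\x04\x08":     # OID 2.5.4.8, stateOrProvinceName
                return value.decode("utf-16-be" if vtag == 0x1E else "utf-8")
    return None

def state_problem(pem):
    """Say why the state field would be rejected, or return None if it looks fine."""
    state = (csr_state(pem) or "").strip()
    if re.fullmatch(r"[A-Za-z]{2}", state):
        return "two-letter abbreviation: " + state
    return None if state else "state missing"

def _der(tag, *parts):  # encoder, used only to build the constructed sample
    body = b"".join(parts)
    return bytes([tag, len(body)] if len(body) < 128 else [tag, 0x81, len(body)]) + body

def sample_csr(state):  # CONSTRUCTED sample: dummy key and signature, for parsing only
    rdn = lambda oid, s: _der(0x31, _der(0x30, _der(0x06, bytes.fromhex(oid)), _der(0x0C, s.encode())))
    name = _der(0x30, rdn("550406", "US"), rdn("550408", state), rdn("550403", "www.example.com"))
    info = _der(0x30, _der(0x02, b"\0"), name, _der(0x30), _der(0xA0))
    der = _der(0x30, info, _der(0x30), _der(0x03, bytes(130)))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE REQUEST-----\n"
```

`state_problem()` takes the PEM text of any request; it only inspects the subject and does not verify the request's signature.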
  11. dkolvakh

    dkolvakh Odin Team

    Messages:
    309
    Hello.
    Yes, exactly, the middle tier was changed in the plugin. Can you confirm that the issue has been fixed and certificate issuance works fine?
     
  12. galaxy

    galaxy Mega Poster

    Messages:
    239
    I've tried several vendors and it appears good. Thanks so much.
    There's one nuance on the "contacts" during enrollment. When I remove the 'billing' contact, then it doesn't load the contact forms for admin & technical contacts until I refresh the page.
    But I wonder if that's a Chrome issue. I've found lots of issues when testing with Chrome that aren't there with Firefox or Safari.
     
  13. dkolvakh

    dkolvakh Odin Team

    Messages:
    309
    Hello. Thank you for providing feedback.

    What do you mean by "remove contact"?
     
  14. galaxy

    galaxy Mega Poster

    Messages:
    239
    In the SSL plugin get_contact_types() function, I only return admin and technical, no billing. I removed billing.
    Not sure if it has anything to do with it, but when I did make that change I noticed the contact forms not filling in anymore.
    Also, the phone numbers don't get pre-filled in either.
     
  15. dkolvakh

    dkolvakh Odin Team

    Messages:
    309
    Hello.

    Sorry, I cannot help with a custom plugin. The only thing I can advise is to check the JS code for errors; maybe this can help.
     
  16. galaxy

    galaxy Mega Poster

    Messages:
    239
    Just in testing, I see that the eNom plugin does it too. So it's not just my plugin.
    So it's probably a bug in the store code. Not going to worry about it as it's beyond my control.
     
