Bad Bug: Installing SSL certificate private key from a file DELETES the key file

Steps to reproduce the bug:

  • Turn on SSL Website for a virtual server
  • Go to "Server Configuration / Manage SSL Certificate", tab "Signing Request"
  • Fill out the details. Click "Generate".
  • Two files, "ssl.newkey" and "ssl.csr", are generated in the vserver's home directory
  • Have the CSR signed by a CA
  • Go to tab "New Certificate"
  • Paste the signed cert in the upper box, select "Pasted Text"
  • Enter the ssl.newkey path in the lower box, select "File on server"
  • Click "Install now"

Result:

The ssl.newkey path is entered in the Apache configuration, but the ssl.newkey file is DELETED. Maybe it was supposed to be renamed to "ssl.key", but it is not. The file is gone.

This is a serious bug, since I cannot generate a certificate for the same domain at the CA without a revocation of the existing one (which costs $25 handling), and the existing cert is useless without the private key.

Status: Closed (fixed)

Comments

I see the problem here .. you should have just selected "Pasted text" in the "Matching private key" field, as that is already populated with the contents of the ssl.newkey file. This will write the key data to ssl.key and then delete ssl.newkey.

Unfortunately by entering the path to ssl.newkey, Virtualmin decided to use that file as the SSL key .. and then delete it!!

The real issue here is that a single page is used for uploading a signed cert in response to a CSR, uploading a re-signed cert from a previous CSR, and for uploading a totally new cert and key. I am working on fixing that page for the next Virtualmin release.

Well yeah, I didn't really check what the "matching private key" box was populated with... I silently assumed that it was the contents of the previous key file, and that entering a new key file name would work, as in take the contents of that file, copy it to "ssl.key" and activate it. :(

It's not a serious issue for me; I don't necessarily need that certificate. I mostly generated it to gather experience with official certificates; I didn't think, though, that my first experience would be falling for such an evil bug in my favorite control panel. ;P

A better UI has been implemented for inclusion in the next release.

Very good! Knowing about this issue, generating some further StartSSL certs was more successful. :)
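
An added example, not Virtualmin's code or its fix: a Python routine showing the ordering and same-file check that avoid the outcome described in this thread, where the file named as the private key was also the file removed during cleanup. The function name, its parameters and the placeholder PEM text are assumptions made for illustration.

```python
import os
import tempfile

def install_private_key(source, dest, pending_key):
    """Copy the key at `source` to `dest`, then retire `pending_key`.

    `pending_key` is the CSR-time file (ssl.newkey in the report above). It is
    removed only after `dest` is verified and only if it is not the same file
    as `dest`. Returns the path the web server configuration should reference.
    """
    with open(source, "rb") as fh:
        data = fh.read()
    if b"PRIVATE KEY-----" not in data:
        raise ValueError(f"{source} does not look like a PEM private key")

    # Write a temp file beside dest and rename it into place, so a crash
    # never leaves a truncated key and the source is never the only copy.
    dest_dir = os.path.dirname(os.path.abspath(dest))
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".key-")  # created mode 0600
    try:
        with os.fdopen(fd, "wb") as out:
            out.write(data)
            out.flush()
            os.fsync(out.fileno())
        os.replace(tmp, dest)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

    with open(dest, "rb") as fh:
        if fh.read() != data:
            raise OSError(f"verification of {dest} failed; {pending_key} kept")

    # The guard the reported behaviour lacked: never delete the file in use.
    if os.path.exists(pending_key) and not os.path.samefile(pending_key, dest):
        os.unlink(pending_key)
    return dest

if __name__ == "__main__":
    # Constructed placeholder, not a real key.
    pem = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as home:
        newkey = os.path.join(home, "ssl.newkey")
        with open(newkey, "wb") as fh:
            fh.write(pem)
        # The case from this thread: the pending key is named as the key to use.
        print(install_private_key(newkey, newkey, newkey), os.path.exists(newkey))
```

Because the comparison uses `os.path.samefile`, a symlink or hard link to the live key is also recognised and left in place.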