dehydrated fails when pre-made csr has multiple domains #234

Closed
opened 2025-12-29 01:19:29 +01:00 by adam · 7 comments
Originally created by @vi on GitHub (Jul 4, 2017).

`dehydrated --full-chain -s /etc/ssl/vso/key.csr > /etc/ssl/vso/letsencrypt2.crt`

```
# INFO: Using main config file /etc/dehydrated/config
# !! WARNING !! Extra configuration directory /etc/dehydrated/conf.d exists, but no configuration found in it.
 + Requesting challenge for www.vi-server.org...
 + Responding to challenge for www.vi-server.org...
 + Challenge is valid!
 + Requesting certificate...
  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-cert (Status 403)

Details:
{
  "type": "urn:acme:error:unauthorized",
  "detail": "Error creating new cert :: authorizations for these names not found or expired: vi-server.org",
  "status": 403
}
```

The same script worked some time before...

adam closed this issue 2025-12-29 01:19:29 +01:00
@lukas2511 commented on GitHub (Jul 4, 2017):

For me it seems that you didn't list your CSR's Common Name in the Subject Alternative Name section, which you should do since browsers nowadays don't really care about a certificate's Common Name.

Can you please check that and report back?

@vi commented on GitHub (Jul 4, 2017):

> don't really care about a certificates Common Name

What if it is a simple certificate that only has a Common Name and no tricky extensions?

@vi commented on GitHub (Jul 4, 2017):

Here is the partial text dump of the csr:

```
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=vi-server.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus: ...
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:www.vi-server.org
    Signature Algorithm: sha256WithRSAEncryption
...
```
@vi commented on GitHub (Jul 4, 2017):

I think it should also request a challenge for `vi-server.org` based on CN=. If browsers accept it and Let's Encrypt looks at it, why shouldn't dehydrated?

@lukas2511 commented on GitHub (Jul 4, 2017):

Please add vi-server.org as Subject Alternative Name for this to work; this is how it is supposed to work (in dehydrated as well as in the intended usage for this x509v3 extension).

If you want to know more about Common Name being ignored I'd suggest looking for the security changes of Chrome 58 or Firefox 48.

CN will only be parsed by dehydrated when there is no SNI extension in the csr, and is actually only meant to be a fallback, this feature may be removed in the future.

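The rule stated above (when a CSR carries a SAN extension, only the SAN DNS entries are validated and a Common Name that is missing from them is simply not covered) is also the "poor CSR" check that is asked for later in this thread. The following is an added example, not dehydrated's own code: it reads a CSR in the text form that `openssl req -noout -text` prints (the same format pasted in the thread) and reports a CN that does not appear in the SAN list. The two sample dumps are constructed and trimmed to the fields the check reads; the first mirrors the thread's failing CSR, the second the corrected one.

```shell
#!/bin/sh
# Added example, not part of dehydrated: check whether a CSR lists its Common Name
# in the Subject Alternative Name extension. Input is the text dump produced by
#   openssl req -noout -text -in key.csr
# Names are taken only from SAN DNS entries, which is what dehydrated and the
# ACME CA act on when a SAN extension is present.

# Common Name from the "Subject:" line. Works for "CN=x" and "CN = x"; a CN with
# spaces or commas is not expected here because the CN should be a DNS name.
csr_cn() {
  printf '%s\n' "$1" | sed -n 's/^ *Subject:.*CN *= *\([^,/ ]*\).*/\1/p' | head -n 1
}

# DNS entries of the SAN extension, one per line. openssl prints them on the line
# following the "X509v3 Subject Alternative Name:" header, comma separated.
csr_san_dns() {
  printf '%s\n' "$1" | awk '
    /X509v3 Subject Alternative Name/ { insan = 1; next }
    insan { gsub(/,/, "\n"); print; insan = 0 }
  ' | sed -n 's/^ *DNS:\([^ ]*\) *$/\1/p'
}

# Print the CN when it is absent from the SAN list; print nothing when the CSR is fine.
csr_missing_cn() {
  cn=$(csr_cn "$1")
  if [ -z "$cn" ]; then
    return 0
  fi
  if csr_san_dns "$1" | grep -Fqx "$cn"; then
    return 0
  fi
  printf '%s\n' "$cn"
}

# Constructed sample dumps (trimmed to the fields the check reads).
# BAD_CSR mirrors the thread: CN=vi-server.org but only www.vi-server.org in the SAN.
BAD_CSR='Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=vi-server.org
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:www.vi-server.org'

# GOOD_CSR is the corrected form: the CN also appears as a SAN entry.
GOOD_CSR='Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=vi-server.org
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:www.vi-server.org, DNS:vi-server.org'

# A CSR in the GOOD_CSR shape can be generated with OpenSSL 1.1.1 or later
# (key.pem and key.csr are placeholder paths):
#   openssl req -new -key key.pem -subj '/CN=vi-server.org' \
#     -addext 'subjectAltName=DNS:vi-server.org,DNS:www.vi-server.org' -out key.csr

for name in BAD_CSR GOOD_CSR; do
  eval "dump=\$$name"
  missing=$(csr_missing_cn "$dump")
  if [ -n "$missing" ]; then
    echo "$name: CN '$missing' is not in the SAN list; the CA will not issue for it"
  else
    echo "$name: CN is covered by the SAN list"
  fi
done
```

Run against a real CSR with `csr_missing_cn "$(openssl req -noout -text -in key.csr)"`; an empty result means every name the CSR asks for is actually in the SAN list that dehydrated will request authorizations for.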
@vi commented on GitHub (Jul 4, 2017):

After adding more names to the "Subject Alternative Name" it works.
Maybe dehydrated should warn about poor CSRs?

@txr13 commented on GitHub (Jul 4, 2017):

Why should dehydrated warn about poor CSRs? The --sign-csr functionality is clearly marked "(advanced usage)"...

Reference: starred/dehydrated#234