Non-standard CSRs ignored #288

Closed
opened 2025-12-29 01:21:15 +01:00 by adam · 0 comments
Owner

Originally created by @txr13 on GitHub (Mar 2, 2018).

While processing a pre-generated CSR, dehydrated generated a private key instead of using the CSR. Upon investigation, I found that my CSR started with

-----BEGIN NEW CERTIFICATE REQUEST-----

instead of

-----BEGIN CERTIFICATE REQUEST-----

which caused dehydrated to believe that the hook hadn't generated a CSR.

Upon investigation, I note that [RFC 7468](https://tools.ietf.org/html/rfc7468) notes this syntax as "non-conforming" (see Appendix A). Support is indeed not *required*, but it might be helpful to allow either form of CSR, or at least return a warning about the non-standard syntax. Otherwise, people may wind up confused as to why their CSR isn't being used.

adam closed this issue 2025-12-29 01:21:15 +01:00
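One way to implement the behaviour the issue asks for (accept either header, warn on the non-standard one), as an added example that is not part of the original issue and not dehydrated's own code. The function names `csr_label_class` and `normalize_csr` are hypothetical, and the sample file is constructed with a placeholder body.

```shell
# Added example, not dehydrated's code; function names are hypothetical.
# Classify the first PEM header in file $1:
#   standard = "CERTIFICATE REQUEST" (RFC 7468 label)
#   legacy   = "NEW CERTIFICATE REQUEST" (listed as non-conforming)
#   none     = no CSR header at all
csr_label_class() {
  header=$(tr -d '\r' < "$1" | sed -n '/^-----BEGIN .*-----$/{p;q;}')
  case "$header" in
    "-----BEGIN CERTIFICATE REQUEST-----")     echo standard ;;
    "-----BEGIN NEW CERTIFICATE REQUEST-----") echo legacy ;;
    *)                                         echo none ;;
  esac
}

# Write the CSR in file $1 to stdout with conforming labels.
# Warns on stderr for the legacy label; fails loudly when no CSR is present
# instead of silently falling back to something else.
normalize_csr() {
  case "$(csr_label_class "$1")" in
    standard)
      tr -d '\r' < "$1"
      ;;
    legacy)
      printf 'WARNING: %s uses the non-conforming label "NEW CERTIFICATE REQUEST"; accepting it as a CSR\n' "$1" >&2
      tr -d '\r' < "$1" | sed \
        -e 's/^-----BEGIN NEW CERTIFICATE REQUEST-----$/-----BEGIN CERTIFICATE REQUEST-----/' \
        -e 's/^-----END NEW CERTIFICATE REQUEST-----$/-----END CERTIFICATE REQUEST-----/'
      ;;
    *)
      printf 'ERROR: no certificate request header found in %s\n' "$1" >&2
      return 1
      ;;
  esac
}

# Constructed sample: legacy-labelled file with a placeholder body (not a real CSR).
sample=$(mktemp)
printf '%s\n' \
  '-----BEGIN NEW CERTIFICATE REQUEST-----' \
  'Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=' \
  '-----END NEW CERTIFICATE REQUEST-----' > "$sample"
normalize_csr "$sample"
rm -f "$sample"
```

With a real CSR, the normalized output can be checked with `openssl req -noout -verify -in <file>` before it is submitted.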

Reference: starred/dehydrated#288