CSR Subject from OPENSSL_CNF ignored #298

Closed
opened 2025-12-29 01:21:27 +01:00 by adam · 4 comments
Originally created by @nova-2nd on GitHub (Mar 13, 2018).

Hi Lukas,

First of all, great piece of code. I really, really like it.

In my certificates I like to have a complete Distinguished Name (Subject) containing, company name, state, locality and so on. Nothing really outstanding.
I was pleased to see that there is an OPENSSL_CNF variable in the config to link to a corresponding OpenSSL template.

Unfortunately, in your function creating your CSR (sign_domain(), line: 803), as you call openssl you use the option -subj, which replaces whatever DN is configured with what you give there. In dehydrated's case, the common name only.

An easy fix for this could be, instead of giving the CN to openssl via an argument, to simply stick it into the temporary openssl config you already have (tmp_openssl_cnf).

Let me know if you are interested in code contributions or prefer to fix "simples" like this yourself.

Greets,
Stefan

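The behaviour Stefan describes, reproduced as an added shell example (this is not dehydrated's own code; the OPENSSL_CNF template, its DN values and the file names are constructed). It generates one CSR the way the issue says sign_domain() does, with -subj, and one with the CN written into a temporary copy of the config, then prints each CSR's subject.

```shell
#!/bin/sh
# Added example, not dehydrated's code: `openssl req -subj` discards the distinguished_name
# section of the config, while substituting the CN into a temporary copy of the config keeps
# the rest of the DN. All paths and DN values below are constructed for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
TEMPLATE="$WORK/openssl.cnf"   # stands in for the user's OPENSSL_CNF
KEY="$WORK/privkey.pem"

# Constructed OPENSSL_CNF template with a full DN; prompt = no makes req read it non-interactively.
cat > "$TEMPLATE" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
C = DE
ST = Bavaria
O = Example GmbH
CN = placeholder.invalid
EOF
openssl ecparam -name prime256v1 -genkey -noout -out "$KEY" 2>/dev/null

# Print a CSR's subject in RFC 2253 form, which is stable across OpenSSL versions.
csr_subject() { openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }

# Behaviour reported in the issue: -subj replaces the whole configured DN with just the CN.
subject_with_subj_flag() {
    openssl req -new -key "$KEY" -config "$TEMPLATE" -subj "/CN=$1" -out "$WORK/a.csr" 2>/dev/null
    csr_subject "$WORK/a.csr"
}

# Proposed fix: copy the template to a temporary config, set the CN there, and let openssl
# take the complete DN from the config instead of from the command line.
subject_via_tmp_config() {
    tmp="$WORK/tmp_openssl.cnf"
    sed "s/^CN = .*/CN = $1/" "$TEMPLATE" > "$tmp"
    openssl req -new -key "$KEY" -config "$tmp" -out "$WORK/b.csr" 2>/dev/null
    csr_subject "$WORK/b.csr"
}

echo "with -subj:      $(subject_with_subj_flag example.org)"  # CN=example.org
echo "via tmp config:  $(subject_via_tmp_config example.org)"  # CN=example.org,O=Example GmbH,ST=Bavaria,C=DE
```

As the replies below point out, the extra fields only survive into the issued certificate with a CA that keeps them; Let's Encrypt issues the CN alone.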
adam closed this issue 2025-12-29 01:21:27 +01:00

@jobe1986 commented on GitHub (Mar 13, 2018):

Are you using dehydrated with Let's Encrypt? If so, as I stated in issue #439, it is worth noting that Let's Encrypt strips out any fields from the subject identifier other than a commonName (CN) containing the primary host name of the certificate. So even if your CSR contained them, the certificate issued by Let's Encrypt would not.

Basically, the only time allowing additional fields in the subject would be acceptable is if you're using dehydrated with an ACME certificate authority service that allows fields other than commonName (CN) in the subject.


@lukas2511 commented on GitHub (Mar 13, 2018):

As @jobe1986 said, Let's Encrypt strips those parameters; only CN will be set.

Reason is that only the domain is validated; the CAs don't want to sign any other (unvalidated) information like an organization's name.


@nova-2nd commented on GitHub (Mar 13, 2018):

Hi jobe1986,
Hi lukas2511,

Sorry for wasting your time, wasn't aware that Let's Encrypt is stripping the DN. WHY???
Whatever, thank you guys.

Greets,
Stefan


@lukas2511 commented on GitHub (Mar 13, 2018):

@nova-2nd like I said: "Reason is that only the domain is validated; the CAs don't want to sign any other (unvalidated) information like an organization's name."

Reference: starred/dehydrated#298