Requesting Challenge fails for CSR with multiple "subjectAltName"s #57

Closed
opened 2025-12-29 00:23:39 +01:00 by adam · 4 comments

Originally created by @stonie08 on GitHub (Feb 9, 2016).

Originally assigned to: @lukas2511 on GitHub.

Using the letsencrypt.sh script with an existing CSR gives me the following error:

```
 + Requesting challenge for example.com...
 + Requesting challenge for www.example.com,...
  + ERROR: An error occurred while sending post-request to https://acme-staging.api.letsencrypt.org/acme/new-authz (Status 400)

Details:
{"type":"urn:acme:error:malformed","detail":"Error creating new authz :: Invalid character in DNS name","status":400}
```

It seems there is a problem with splitting the subject alternative names (if there are more than two) from the given CSR, because the second name contains a comma ','.

The script is called with (config.sh only sets the wellknown path, the challenge and the e-mail):

`./letsencrypt.sh --signcsr MYCSR.csr -x --config config.sh`

The openssl config file to reproduce this behavior:

```
[ req ]
default_bits            = 4096
default_md              = sha256
prompt                  = no
req_extensions          = v3_req
email_in_dn             = no
distinguished_name      = default_name

[ default_name ]
0.organizationName      = unknown
organizationalUnitName  = unknown
emailAddress            = nope
localityName            = unknown
stateOrProvinceName     = WHAT
countryName             = WH
commonName              = example.com

[ v3_req ]
subjectAltName          = @alt_names

[alt_names]
DNS.0 = example.com
DNS.1 = www.example.com
DNS.2 = bla.example.com
DNS.3 = foo.example.com
```
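The splitting problem described in this report, as an added example that is not part of the original issue or of the letsencrypt.sh/dehydrated code: a small POSIX shell script that pulls the DNS names out of the text dump of a CSR and validates each one locally before anything is sent to an ACME server. openssl prints every SAN on the single line after the "Subject Alternative Name" header, separated by ", ", so the line is split on commas first and each piece is trimmed and stripped of its "DNS:" prefix; a name can never keep a trailing comma this way, and the validation step turns the server's opaque "Invalid character in DNS name" 400 into a clear local error. The openssl output is a constructed sample modelled on the alt_names section above (not captured output), and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of what `openssl req -noout -text -in MYCSR.csr` prints for a
# CSR carrying four DNS SANs (modelled on the alt_names above; not captured output).
SAMPLE_CSR_TEXT='Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = unknown, CN = example.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com, DNS:bla.example.com, DNS:foo.example.com
    Signature Algorithm: sha256WithRSAEncryption'

# Print the DNS SANs of a CSR text dump, one per line (hypothetical helper).
# Take the line after the SAN header, split it on commas, trim whitespace, and
# keep only the entries with a DNS: prefix (IP Address:, email: etc. are dropped).
extract_dns_sans() {
  printf '%s\n' "$1" \
    | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | sed -n 's/^DNS://p'
}

# Return 0 if the argument is a plausible DNS name for a certificate request:
# labels of letters, digits and hyphens (max 63 chars, no leading/trailing
# hyphen) joined by dots. Anything else, such as "www.example.com,", is
# rejected here instead of by the ACME server.
is_valid_dns_name() {
  printf '%s\n' "$1" \
    | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Count the extracted names that pass validation; a mismatch with the number of
# extracted names means at least one SAN would be refused by the server.
count_valid_sans() {
  n=0
  for name in $(extract_dns_sans "$1"); do
    is_valid_dns_name "$name" && n=$((n + 1))
  done
  echo "$n"
}

# Stand-alone use: list the names and flag any that would not be accepted.
for name in $(extract_dns_sans "$SAMPLE_CSR_TEXT"); do
  if is_valid_dns_name "$name"; then
    echo "ok      $name"
  else
    echo "INVALID $name" >&2
  fi
done
```

Run against the real CSR with `extract_dns_sans "$(openssl req -noout -text -in MYCSR.csr)"`; the validation is deliberately stricter than the server so that a malformed name is reported with the offending string before any authorization is requested.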
adam added the bug label 2025-12-29 00:23:39 +01:00
adam closed this issue 2025-12-29 00:23:39 +01:00

@lukas2511 commented on GitHub (Feb 10, 2016):

I'll have a look at that problem, thanks for reporting.

Just wondering: Are you using the script under BSD/OSX?


@stonie08 commented on GitHub (Feb 10, 2016):

Thank you. I guess the extraction of the alt names is somehow only truncating the first ',' it finds.

No actually not. I'm using it on Ubuntu and Debian. May I ask why you were wondering?


@lukas2511 commented on GitHub (Feb 10, 2016):

@stonie08 i didn't write that part of the code, and roughly reading over it i found parts that looked like they might be incompatible with bsd sed, that's why i asked. will probably have to test with both bsd and gnu/linux.


@stonie08 commented on GitHub (Feb 11, 2016):

Thanks for the fast fix, works like a charm now.

Reference: starred/dehydrated#57