--signcsr works on RHEL 8 but not on RHEL 9 #634

Closed
opened 2025-12-29 01:28:04 +01:00 by adam · 3 comments
Owner

Originally created by @dopheideb on GitHub (Feb 26, 2025).

When I use the --signcsr option on RHEL 9, my output is:

```
 + Requesting new certificate order from CA...
  + ERROR: An error occurred while sending post-request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order (Status 400)

Details:
HTTP/2 400 
server: nginx
date: Wed, 26 Feb 2025 10:48:37 GMT
content-type: application/problem+json
content-length: 1565
boulder-requester: 186829524
cache-control: public, max-age=0, no-cache
link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: At9OuwhJGybBbMvuGDkz3qlKSJco5UnKSjYYdV4xaYY4BcDRTo8

{
  "type": "urn:ietf:params:acme:error:rejectedIdentifier",
  "detail": "Invalid identifiers requested :: Cannot issue for \"certificate\": Domain name needs at least one dot (and 4 more problems. Refer to sub-problems for more information.)",
  "status": 400,
  "subproblems": [
    {
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Invalid identifiers requested :: Domain name needs at least one dot",
      "status": 400,
      "identifier": {
        "type": "dns",
        "value": "certificate"
      }
    },
```

I traced it back to function "extract_altnames" where validation is done:

```
  if ! <<<"${csr}" "${OPENSSL}" req -verify -noout 2>/dev/null; then
    _exiterr "Certificate signing request isn't valid"
  fi
```

Manually running a verify on RHEL 8 (OpenSSL 1.1.1k FIPS 25 Mar 2021) is fine. No output whatsoever:

```
[dopheideb@client ~]$ openssl req -verify -noout <~/dehydrated/csr/some.csr 2>/dev/null
[dopheideb@client ~]$ 
```

Manually running a verify on RHEL 9 (OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)) does output something:

```
[dopheideb@client bin]$ openssl req -verify -noout <~/dehydrated/csr/some.csr 2>/dev/null
Certificate request self-signature verify OK
[dopheideb@client bin]$ 
```

dehydrated does not anticipate output on stdout, which leads to the weird error message: the words "Certificate", "request", "self-signature", "verify", "OK" are treated as SAN parts, and that is obviously wrong.

The quick fix for me was to simply redirect all output to /dev/null:

```
  if ! <<<"${csr}" "${OPENSSL}" req -verify -noout &>/dev/null; then
    _exiterr "Certificate signing request isn't valid"
  fi
```

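A runnable reproduction of the leak described in this report, added here as an example and not dehydrated's own code. `openssl_stub` is a constructed stand-in for the OpenSSL 3 binary (so the script runs offline), and `san_names`, `extract_altnames_buggy`, `extract_altnames_fixed` and `check_identifiers` are names invented for the demonstration. The buggy variant redirects only stderr, as in 0.7.1, so the "verify OK" line ends up in the captured SAN list; the fixed variant discards both streams, and a local dot check catches bad identifiers before a new-order request is ever sent:

```shell
#!/usr/bin/env bash
# Added example, not dehydrated's own code. All function names below are
# constructed for this demonstration.

# Constructed stand-in for the real `openssl` binary so the script runs
# offline. It mimics the two behaviours the report depends on:
#   - `req -verify -noout` succeeds but, like OpenSSL 3, prints
#     "Certificate request self-signature verify OK" on STDOUT
#   - `req -noout -text` prints a minimal CSR dump with a SAN extension
openssl_stub() {
  if [ "$1" = "req" ] && [ "$2" = "-verify" ]; then
    cat >/dev/null   # consume the CSR on stdin, as the real tool would
    echo "Certificate request self-signature verify OK"
    return 0
  fi
  if [ "$1" = "req" ] && [ "$2" = "-noout" ] && [ "$3" = "-text" ]; then
    cat >/dev/null
    cat <<'EOF'
Certificate Request:
    Data:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com
EOF
    return 0
  fi
  return 1
}
OPENSSL=openssl_stub

# Constructed placeholder CSR; the stub never parses it.
CSR="-----BEGIN CERTIFICATE REQUEST-----
placeholder
-----END CERTIFICATE REQUEST-----"

# Print the DNS SAN entries of a CSR as one space-separated line.
san_names() {
  printf '%s\n' "$1" | "${OPENSSL}" req -noout -text | awk '
    /Subject Alternative Name/ {
      getline                     # the entry list is on the following line
      gsub(/DNS:/, ""); gsub(/,/, ""); sub(/^[ \t]+/, "")
      print; exit
    }'
}

# Mirrors the 0.7.1 pattern from the report: only stderr is discarded, so
# whatever the verify step writes to stdout leaks into the function output.
extract_altnames_buggy() {
  csr="$1"
  if ! printf '%s\n' "${csr}" | "${OPENSSL}" req -verify -noout 2>/dev/null; then
    echo "Certificate signing request isn't valid" >&2
    return 1
  fi
  san_names "${csr}"
}

# Fixed: discard both streams. `>/dev/null 2>&1` is the portable spelling of
# the bash-only `&>/dev/null` used in the report.
extract_altnames_fixed() {
  csr="$1"
  if ! printf '%s\n' "${csr}" | "${OPENSSL}" req -verify -noout >/dev/null 2>&1; then
    echo "Certificate signing request isn't valid" >&2
    return 1
  fi
  san_names "${csr}"
}

# Cheap local sanity check before anything is sent to the CA: every
# identifier must contain a dot, which is the rule the ACME server enforced
# in the error above. Returns 1 on the first bad name.
check_identifiers() {
  for name in $1; do
    case "${name}" in
      *.*) ;;
      *) echo "refusing to request identifier '${name}'" >&2; return 1 ;;
    esac
  done
  return 0
}

# Demonstration when run directly:
echo "buggy : $(extract_altnames_buggy "${CSR}" | tr '\n' '|')"
echo "fixed : $(extract_altnames_fixed "${CSR}")"
check_identifiers "$(extract_altnames_fixed "${CSR}")" && echo "fixed names pass the dot check"
check_identifiers "$(extract_altnames_buggy "${CSR}")" || echo "buggy names rejected locally"
```

The example uses `printf ... |` instead of the `<<<` here-string from the report so it also runs under a POSIX sh; dehydrated itself is a bash script, where both forms are fine. The point to take away is that an exit-status check on an external tool must not let that tool's stdout reach a function whose output is captured by `$(...)`, since any new informational line in a future tool version otherwise becomes data.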
adam closed this issue 2025-12-29 01:28:04 +01:00

@dopheideb commented on GitHub (Feb 26, 2025):

FWIW, output of dehydrated -v on RHEL 9:

```
Dehydrated by Lukas Schauer
https://dehydrated.io

Dehydrated version: 0.7.1
GIT-Revision: unknown

OS: Red Hat Enterprise Linux 9.5 (Plow)
Used software:
 bash: 5.1.8(1)-release
 curl: 7.76.1
 awk: GNU Awk 5.1.0, API: 3.0 (GNU MPFR 4.1.0-p9, GNU MP 6.2.0)
 sed: sed (GNU sed) 4.8
 mktemp: mktemp (GNU coreutils) 8.32
 grep: grep (GNU grep) 3.6
 diff: diff (GNU diffutils) 3.7
 openssl: OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)
```

FWIW, output of dehydrated -v on RHEL 8 (AlmaLinux 8 to be correct):

```
Dehydrated by Lukas Schauer
https://dehydrated.io

Dehydrated version: 0.7.1
GIT-Revision: unknown

OS: AlmaLinux 8.10 (Cerulean Leopard)
Used software:
 bash: 4.4.20(1)-release
 curl: 7.61.1
 awk: GNU Awk 4.2.1, API: 2.0 (GNU MPFR 3.1.6-p2, GNU MP 6.1.2)
 sed: sed (GNU sed) 4.5
 mktemp: mktemp (GNU coreutils) 8.30
 grep: grep (GNU grep) 3.1
 diff: diff (GNU diffutils) 3.6
 openssl: OpenSSL 1.1.1k  FIPS 25 Mar 2021
```

@fusenuk commented on GitHub (Apr 2, 2025):

FYI this has been flagged before, and there are pull requests that fix it e.g.

https://github.com/dehydrated-io/dehydrated/pull/940


@lukas2511 commented on GitHub (Apr 14, 2025):

The mentioned PR has been merged now. Closing this issue as the underlying issue has probably been fixed with that. Sorry this took so long.

Reference: starred/dehydrated#634