
Unable to issue certificates using the same wildcard domain in both SAN and CN #5264

Open
ldlb9527 opened this issue Aug 23, 2024 · 1 comment


ldlb9527 commented Aug 23, 2024

The reproduction process is as follows:

  1. Use the following command to issue a certificate
    acme.sh --sign-csr --csr ./domaint.csr --key-file ./private.key --dns dns_dp --home ./ --debug 2

  2. When the CN of the CSR is c.ldlb.site and the SAN is a.ldlb.site,b.ldlb.site,c.ldlb.site
v3.0.8
[Fri Aug 23 14:28:23     2024] Running cmd: signcsr
[Fri Aug 23 14:28:23     2024] _csrsubj='c.ldlb.site'
[Fri Aug 23 14:28:23     2024] _csrsubj='c.ldlb.site'
[Fri Aug 23 14:28:23     2024] _dnsAltnames='DNS:a.ldlb.site,DNS:b.ldlb.site,DNS:c.ldlb.site'
[Fri Aug 23 14:28:24     2024] AltNames contains subject
[Fri Aug 23 14:28:24     2024] _excapedAlgnames='DNS:a.ldlb.site,DNS:b.ldlb.site,DNS:c.ldlb.site'
[Fri Aug 23 14:28:24     2024] _escapedSubject='c.ldlb.site'
[Fri Aug 23 14:28:24     2024] _dnsAltnames='DNS:a.ldlb.site,DNS:b.ldlb.site'
[Fri Aug 23 14:28:24     2024] _csrdomainlist='a.ldlb.site,b.ldlb.site'

This can issue certificates normally.


  3. When the CN of the CSR is *.c.ldlb.site and the SAN is *.a.ldlb.site,*.b.ldlb.site,*.c.ldlb.site
v3.0.8
[Fri Aug 23 13:53:53     2024] Running cmd: signcsr
[Fri Aug 23 13:53:53     2024] _csrsubj='*.c.ldlb.site'
[Fri Aug 23 13:53:53     2024] _csrsubj='*.c.ldlb.site'
[Fri Aug 23 13:53:54     2024] _dnsAltnames='DNS:*.a.ldlb.site,DNS:*.b.ldlb.site,DNS:*.c.ldlb.site'
[Fri Aug 23 13:53:54     2024] AltNames doesn't contain subject
[Fri Aug 23 13:53:54     2024] _csrdomainlist='*.a.ldlb.site,*.b.ldlb.site,*.c.ldlb.site'

"AltNames doesn't contain subject" prevents certificate issuance.

This will result in the identifiers of the newOrder request being:

{"identifiers": [{"type":"dns","value":"*.c.ldlb.site"},{"type":"dns","value":"*.a.ldlb.site"},{"type":"dns","value":"*.b.ldlb.site"},{"type":"dns","value":"*.c.ldlb.site"}]}

The CA will return an error as follows:

{"type":"urn:ietf:params:acme:error:rejectedIdentifier","status":400,"detail":"One or more identifiers are duplicated"}

  4. The reason for the above problem is that the call to '_contains' in the function '_readSubjectAltNamesFromCSR' does not recognize the wildcard domain name:
_readSubjectAltNamesFromCSR() {
  _csrfile="$1"
  if [ -z "$_csrfile" ]; then
    _usage "_readSubjectAltNamesFromCSR mycsr.csr"
    return 1
  fi

  # Subject CN of the CSR, e.g. 'c.ldlb.site' or '*.c.ldlb.site'
  _csrsubj="$(_readSubjectFromCSR "$_csrfile")"
  _debug _csrsubj "$_csrsubj"

  # Comma-joined "DNS:..." entries read from the SAN extension of the CSR
  _dnsAltnames="$(${ACME_OPENSSL_BIN:-openssl} req -noout -text -in "$_csrfile" | grep "^ *DNS:.*" | tr -d ' \n')"
  _debug _dnsAltnames "$_dnsAltnames"

  # Substring test for "DNS:<subject>,". With a wildcard subject this is the
  # branch that fails in the log above, so the subject is never removed from
  # the SAN list and ends up twice in the newOrder identifiers.
  if _contains "$_dnsAltnames," "DNS:$_csrsubj,"; then
    _debug "AltNames contains subject"
    # '*' is swapped for '#' so the sed pattern below is not a regex wildcard
    _excapedAlgnames="$(echo "$_dnsAltnames" | tr '*' '#')"
    _debug _excapedAlgnames "$_excapedAlgnames"
    _escapedSubject="$(echo "$_csrsubj" | tr '*' '#')"
    _debug _escapedSubject "$_escapedSubject"
    # Drop the subject entry, restore '*', and strip the trailing comma
    _dnsAltnames="$(echo "$_excapedAlgnames," | sed "s/DNS:$_escapedSubject,//g" | tr '#' '*' | sed "s/,\$//g")"
    _debug _dnsAltnames "$_dnsAltnames"
  else
    _debug "AltNames doesn't contain subject"
  fi

  # Return the remaining names without the "DNS:" prefix
  echo "$_dnsAltnames" | sed "s/DNS://g"
}
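The following is an added example and not code from the issue reporter or from acme.sh. It redoes the step that _readSubjectAltNamesFromCSR performs (removing the CSR subject from the SAN list before the subject is prepended to the identifier list), but compares each SAN entry to the subject as a literal string, so a wildcard subject such as *.c.ldlb.site is recognized. The inputs are the _csrsubj and _dnsAltnames values from the --debug 2 output above. acme.sh's _contains helper is not shown on this page; regex_contains below is this example's stand-in for a substring test that hands its needle to grep as a pattern, which is enough to reproduce the "AltNames doesn't contain subject" log line for a wildcard subject. has_duplicates checks the condition the CA reports as "One or more identifiers are duplicated".

```shell
#!/bin/sh
# Added example, not acme.sh's own code. Inputs are the _csrsubj and
# _dnsAltnames values from the --debug 2 output quoted in this issue.
# regex_contains is an assumed stand-in for a substring check that passes
# its needle to grep as a pattern; acme.sh's _contains is not shown here.

# Pattern-based check: '*' and '.' are regex metacharacters, so the needle
# 'DNS:*.c.ldlb.site,' does not match the literal text 'DNS:*.c.ldlb.site,'.
regex_contains() {
  printf '%s\n' "$1" | grep -- "$2" >/dev/null 2>&1
}

# Fixed-string check: grep -F compares bytes, so '*' and '.' are literal.
literal_contains() {
  printf '%s\n' "$1" | grep -F -- "$2" >/dev/null 2>&1
}

# strip_subject_from_altnames SUBJECT 'DNS:a,DNS:b,...'
# Prints the SAN names without the DNS: prefix, minus every entry equal to
# SUBJECT (an empty SUBJECT strips nothing). The list is split with parameter
# expansion instead of `for x in $list`, so a '*' is never glob-expanded.
strip_subject_from_altnames() {
  _subj="$1"
  _rest="$2,"
  _out=""
  while [ -n "$_rest" ]; do
    _entry="${_rest%%,*}"
    _rest="${_rest#*,}"
    _name="${_entry#DNS:}"
    if [ -z "$_name" ] || [ "$_name" = "$_subj" ]; then
      continue
    fi
    _out="${_out:+$_out,}$_name"
  done
  printf '%s\n' "$_out"
}

# build_identifier_list SUBJECT 'DNS:a,DNS:b,...'
# Subject first, then the remaining SANs: the order of the newOrder body
# quoted in the issue, but with each name present once.
build_identifier_list() {
  _alts="$(strip_subject_from_altnames "$1" "$2")"
  if [ -n "$_alts" ]; then
    printf '%s,%s\n' "$1" "$_alts"
  else
    printf '%s\n' "$1"
  fi
}

# has_duplicates 'a,b,c'
# Succeeds (exit 0) if any name repeats; this is the condition the CA
# rejects with "One or more identifiers are duplicated".
has_duplicates() {
  _seen=","
  _rest="$1,"
  while [ -n "$_rest" ]; do
    _e="${_rest%%,*}"
    _rest="${_rest#*,}"
    if [ -z "$_e" ]; then
      continue
    fi
    case "$_seen" in
      *",$_e,"*) return 0 ;;
    esac
    _seen="$_seen$_e,"
  done
  return 1
}

# demo SUBJECT SANS: run both checks and both list builders on one CSR.
demo() {
  if regex_contains "$2," "DNS:$1,"; then
    printf 'regex check:   subject %s found in SAN\n' "$1"
  else
    printf 'regex check:   subject %s NOT found in SAN\n' "$1"
  fi
  if literal_contains "$2," "DNS:$1,"; then
    printf 'literal check: subject %s found in SAN\n' "$1"
  fi
  # What gets sent when the subject is not stripped (the failing case above).
  _naive="$1,$(strip_subject_from_altnames '' "$2")"
  _fixed="$(build_identifier_list "$1" "$2")"
  printf 'unstripped:    %s\n' "$_naive"
  has_duplicates "$_naive" && printf '               -> CA rejects duplicated identifiers\n'
  printf 'deduplicated:  %s\n' "$_fixed"
  has_duplicates "$_fixed" || printf '               -> each identifier once\n'
}

demo 'c.ldlb.site'   'DNS:a.ldlb.site,DNS:b.ldlb.site,DNS:c.ldlb.site'
demo '*.c.ldlb.site' 'DNS:*.a.ldlb.site,DNS:*.b.ldlb.site,DNS:*.c.ldlb.site'
```

The second demo call shows the pattern-based check missing the wildcard subject while the literal check finds it, and the deduplicated list carries *.c.ldlb.site once, which is the list the CA would accept. The element-by-element comparison also sidesteps the tr '*' '#' escaping dance in the original, since no sed pattern is built from the subject at all.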

Please upgrade to the latest code and try again first. Maybe it's already fixed: acme.sh --upgrade. If it's still not working, please provide the log with --debug 2, otherwise nobody can help you.
