Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Regression with OpenSSL 1.1.0 #167

fazalmajid opened this issue Mar 10, 2017 · 5 comments

Regression with OpenSSL 1.1.0 #167

fazalmajid opened this issue Mar 10, 2017 · 5 comments


Copy link

fazalmajid commented Mar 10, 2017

Issuing new Let's Encrypt certificates (or renewing ones past the reauthorization window) fails when running OpenSSL 1.1.0. I get the error:

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Signing certificate...
Traceback (most recent call last):
  File "", line 198, in <module>
  File "", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER,
  File "", line 161, in get_crt
    raise ValueError("Error signing certificate: {0} {1}".format(code, result))
ValueError: Error signing certificate: 403 {
  "type": "urn:acme:error:unauthorized",
  "detail": "Error creating new cert :: Authorizations for these names not found or expired:",
  "status": 403

The problem is in line 72 where extracts the CN from the certificate using the regex:

    common_name ="Subject:.*? CN=([^\s,;/]+)", out.decode('utf8'))

Unfortunately OpenSSL changed the format of openssl req -text -noout in 1.1.0 to add extraneous spaces around the = in CN=:

ungol ~/web/acme-tiny>/usr/bin/openssl version
OpenSSL 1.0.1t  3 May 2016
ungol ~/web/acme-tiny>/usr/bin/openssl req -in temboz.csr -noout -text|grep Subject:
        Subject: C=US, ST=California, L=San Francisco, O=Fazal Majid,

ungol ~/web/acme-tiny>/usr/local/bin/openssl version                            OpenSSL 1.1.0e  16 Feb 2017
ungol ~/web/acme-tiny>/usr/local/ssl/bin/openssl req -in temboz.csr -noout -text | grep Subject:
        Subject: C = US, ST = California, L = San Francisco, O = Fazal Majid, CN =, emailAddress =

The fix is to change line 72 to:

    common_name ="Subject:.*? CN ?= ?([^\s,;/]+)", out.decode('utf8'))
Copy link

Should be fixed with #169.

Copy link

diafygi commented Jun 6, 2017

Merged #169

@diafygi diafygi closed this as completed Jun 6, 2017
Copy link

Mecanik commented Aug 4, 2017

Thanks for this...

Copy link

Mecanik commented Aug 4, 2017

The actual code would be:

common_name ="Subject:.*? CN ?= ?([^\s,;/]+)", out.decode('utf8'))

Copy link

Wasca commented Sep 20, 2017

Can confirm this fix worked for me when I manually updated the file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

No branches or pull requests

5 participants