Closed
Description
Issuing new Let's Encrypt certificates (or renewing ones past the reauthorization window) fails when running OpenSSL 1.1.0. I get the error:
```
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Signing certificate...
Traceback (most recent call last):
  File "acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "acme_tiny.py", line 161, in get_crt
    raise ValueError("Error signing certificate: {0} {1}".format(code, result))
ValueError: Error signing certificate: 403 {
  "type": "urn:acme:error:unauthorized",
  "detail": "Error creating new cert :: Authorizations for these names not found or expired: temboz.com",
  "status": 403
}
```
The problem is in line 72 where acme_tiny.py extracts the CN from the certificate using the regex:

```python
common_name = re.search(r"Subject:.*? CN=([^\s,;/]+)", out.decode('utf8'))
```

Unfortunately OpenSSL changed the format of `openssl req -text -noout` in 1.1.0 to add extraneous spaces around the `=` in `CN=`:

```
ungol ~/web/acme-tiny>/usr/bin/openssl version
OpenSSL 1.0.1t 3 May 2016
ungol ~/web/acme-tiny>/usr/bin/openssl req -in temboz.csr -noout -text|grep Subject:
Subject: C=US, ST=California, L=San Francisco, O=Fazal Majid, CN=temboz.com/emailAddress=ssladministrator@majid.org
ungol ~/web/acme-tiny>/usr/local/bin/openssl version
OpenSSL 1.1.0e 16 Feb 2017
ungol ~/web/acme-tiny>/usr/local/ssl/bin/openssl req -in temboz.csr -noout -text | grep Subject:
Subject: C = US, ST = California, L = San Francisco, O = Fazal Majid, CN = temboz.com, emailAddress = ssladministrator@majid.org
```

The fix is to change line 72 to:

```python
common_name = re.search(r"Subject:.*? CN ?= ?([^\s,;/]+)", out.decode('utf8'))
```
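As an added illustration (not part of the issue or of acme-tiny's own code), the original and fixed regexes run against the two Subject lines quoted above, together with a simplified model of how the CN feeds the set of names acme-tiny asks the CA to authorize; the function names, the SAN handling and the constructed SAN sample are my own assumptions:

```python
import re

# Regex from acme_tiny.py line 72 as quoted in the issue: requires "CN=" with no spaces.
OLD_CN_RE = re.compile(r"Subject:.*? CN=([^\s,;/]+)")
# The fix proposed in the issue: allow one optional space on each side of "=".
NEW_CN_RE = re.compile(r"Subject:.*? CN ?= ?([^\s,;/]+)")

# Subject lines copied from the two `openssl req -noout -text` runs shown in the issue.
SUBJECT_1_0 = ("Subject: C=US, ST=California, L=San Francisco, O=Fazal Majid, "
               "CN=temboz.com/emailAddress=ssladministrator@majid.org")
SUBJECT_1_1 = ("Subject: C = US, ST = California, L = San Francisco, O = Fazal Majid, "
               "CN = temboz.com, emailAddress = ssladministrator@majid.org")
# Constructed sample: the 1.1.0 Subject line followed by a SAN extension block.
WITH_SAN_1_1 = (SUBJECT_1_1 + "\n        X509v3 Subject Alternative Name: \n"
                "            DNS:temboz.com, DNS:www.temboz.com\n")


def extract_cn(req_text, pattern=NEW_CN_RE):
    """Return the CN found in `openssl req -text -noout` output, or None if absent."""
    match = pattern.search(req_text)
    return match.group(1) if match else None


def csr_domains(req_text, pattern=NEW_CN_RE):
    """Simplified model (assumption, not acme-tiny's exact code) of how the set of
    names to authorize is built: the CN if the regex matches, plus DNS entries from
    the SAN extension. A regex miss is silent, so the CN just drops out of the set,
    no challenge is ever completed for it, and the CA rejects the CSR at signing."""
    domains = set()
    cn = extract_cn(req_text, pattern)
    if cn is not None:
        domains.add(cn)
    san = re.search(r"X509v3 Subject Alternative Name:\s*\n\s*([^\n]+)", req_text)
    if san is not None:
        for entry in san.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                domains.add(entry[len("DNS:"):])
    return domains


if __name__ == "__main__":
    for label, text in (("OpenSSL 1.0.x", SUBJECT_1_0), ("OpenSSL 1.1.0", SUBJECT_1_1)):
        print(label, "old regex:", extract_cn(text, OLD_CN_RE),
              "| fixed regex:", extract_cn(text, NEW_CN_RE))
```

With the old regex and 1.1.0 output the CN is silently missed, so a CSR without a SAN yields an empty name set, which is exactly the "Authorizations for these names not found" 403 in the traceback.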