Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Regression with OpenSSL 1.1.0 #167

Closed
fazalmajid opened this issue Mar 10, 2017 · 5 comments
Closed

Regression with OpenSSL 1.1.0 #167

fazalmajid opened this issue Mar 10, 2017 · 5 comments

Comments

@fazalmajid
Copy link

@fazalmajid fazalmajid commented Mar 10, 2017

Issuing new Let's Encrypt certificates (or renewing ones past the reauthorization window) fails when running OpenSSL 1.1.0. I get the error:

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Signing certificate...
Traceback (most recent call last):
  File "acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "acme_tiny.py", line 161, in get_crt
    raise ValueError("Error signing certificate: {0} {1}".format(code, result))
ValueError: Error signing certificate: 403 {
  "type": "urn:acme:error:unauthorized",
  "detail": "Error creating new cert :: Authorizations for these names not found or expired: temboz.com",
  "status": 403
}

The problem is in line 72 where acme_tiny.py extracts the CN from the certificate using the regex:

    common_name = re.search(r"Subject:.*? CN=([^\s,;/]+)", out.decode('utf8'))

Unfortunately OpenSSL changed the format of openssl req -text -noout in 1.1.0 to add extraneous spaces around the = in CN=:

ungol ~/web/acme-tiny>/usr/bin/openssl version
OpenSSL 1.0.1t  3 May 2016
ungol ~/web/acme-tiny>/usr/bin/openssl req -in temboz.csr -noout -text|grep Subject:
        Subject: C=US, ST=California, L=San Francisco, O=Fazal Majid, CN=temboz.com/emailAddress=ssladministrator@majid.org

ungol ~/web/acme-tiny>/usr/local/bin/openssl version                            OpenSSL 1.1.0e  16 Feb 2017
ungol ~/web/acme-tiny>/usr/local/ssl/bin/openssl req -in temboz.csr -noout -text | grep Subject:
        Subject: C = US, ST = California, L = San Francisco, O = Fazal Majid, CN = temboz.com, emailAddress = ssladministrator@majid.org

The fix is to change line 72 to:

    common_name = re.search(r"Subject:.*? CN ?= ?([^\s,;/]+)", out.decode('utf8'))
@adrianheine
Copy link

@adrianheine adrianheine commented Apr 4, 2017

Should be fixed with #169.

@diafygi
Copy link
Owner

@diafygi diafygi commented Jun 6, 2017

Merged #169

@diafygi diafygi closed this Jun 6, 2017
@Mecanik
Copy link

@Mecanik Mecanik commented Aug 4, 2017

Thanks for this...

@Mecanik
Copy link

@Mecanik Mecanik commented Aug 4, 2017

The actual code would be:

common_name = re.search(r"Subject:.*? CN ?= ?([^\s,;/]+)", out.decode('utf8'))

@Wasca
Copy link

@Wasca Wasca commented Sep 20, 2017

Can confirm this fix worked for me when I manually updated the file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants