New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Regression with OpenSSL 1.1.0 #167

Closed
fazalmajid opened this Issue Mar 10, 2017 · 5 comments

Comments

Projects
None yet
5 participants
@fazalmajid

fazalmajid commented Mar 10, 2017

Issuing new Let's Encrypt certificates (or renewing ones past the reauthorization window) fails when running OpenSSL 1.1.0. I get the error:

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Signing certificate...
Traceback (most recent call last):
  File "acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "acme_tiny.py", line 161, in get_crt
    raise ValueError("Error signing certificate: {0} {1}".format(code, result))
ValueError: Error signing certificate: 403 {
  "type": "urn:acme:error:unauthorized",
  "detail": "Error creating new cert :: Authorizations for these names not found or expired: temboz.com",
  "status": 403
}

The problem is in line 72 where acme_tiny.py extracts the CN from the certificate using the regex:

    common_name = re.search(r"Subject:.*? CN=([^\s,;/]+)", out.decode('utf8'))

Unfortunately OpenSSL changed the format of openssl req -text -noout in 1.1.0 to add extraneous spaces around the = in CN=:

ungol ~/web/acme-tiny>/usr/bin/openssl version
OpenSSL 1.0.1t  3 May 2016
ungol ~/web/acme-tiny>/usr/bin/openssl req -in temboz.csr -noout -text|grep Subject:
        Subject: C=US, ST=California, L=San Francisco, O=Fazal Majid, CN=temboz.com/emailAddress=ssladministrator@majid.org

ungol ~/web/acme-tiny>/usr/local/bin/openssl version                            OpenSSL 1.1.0e  16 Feb 2017
ungol ~/web/acme-tiny>/usr/local/ssl/bin/openssl req -in temboz.csr -noout -text | grep Subject:
        Subject: C = US, ST = California, L = San Francisco, O = Fazal Majid, CN = temboz.com, emailAddress = ssladministrator@majid.org

The fix is to change line 72 to:

    common_name = re.search(r"Subject:.*? CN ?= ?([^\s,;/]+)", out.decode('utf8'))
@adrianheine

This comment has been minimized.

adrianheine commented Apr 4, 2017

Should be fixed with #169.

@diafygi

This comment has been minimized.

Owner

diafygi commented Jun 6, 2017

Merged #169

@diafygi diafygi closed this Jun 6, 2017

@Mecanik

This comment has been minimized.

Mecanik commented Aug 4, 2017

Thanks for this...

@Mecanik

This comment has been minimized.

Mecanik commented Aug 4, 2017

The actual code would be:

common_name = re.search(r"Subject:.*? CN ?= ?([^\s,;/]+)", out.decode('utf8'))

@Wasca

This comment has been minimized.

Wasca commented Sep 20, 2017

Can confirm this fix worked for me when I manually updated the file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment