Issuing new Let's Encrypt certificates (or renewing ones past the reauthorization window) fails when running OpenSSL 1.1.0. I get the error:
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Signing certificate...
Traceback (most recent call last):
  File "acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "acme_tiny.py", line 161, in get_crt
    raise ValueError("Error signing certificate: {0} {1}".format(code, result))
ValueError: Error signing certificate: 403 {
  "type": "urn:acme:error:unauthorized",
  "detail": "Error creating new cert :: Authorizations for these names not found or expired: temboz.com",
  "status": 403
}
The problem is in line 72 where acme_tiny.py extracts the CN from the certificate using the regex:
common_name = re.search(r"Subject:.*? CN=([^\s,;/]+)", out.decode('utf8'))
Unfortunately OpenSSL changed the format of openssl req -text -noout in 1.1.0 to add extraneous spaces around the = in CN=:
ungol ~/web/acme-tiny>/usr/bin/openssl version
OpenSSL 1.0.1t 3 May 2016
ungol ~/web/acme-tiny>/usr/bin/openssl req -in temboz.csr -noout -text|grep Subject:
Subject: C=US, ST=California, L=San Francisco, O=Fazal Majid, CN=temboz.com/emailAddress=ssladministrator@majid.org
ungol ~/web/acme-tiny>/usr/local/bin/openssl version
OpenSSL 1.1.0e 16 Feb 2017
ungol ~/web/acme-tiny>/usr/local/ssl/bin/openssl req -in temboz.csr -noout -text | grep Subject:
Subject: C = US, ST = California, L = San Francisco, O = Fazal Majid, CN = temboz.com, emailAddress = ssladministrator@majid.org
The fix is to change line 72 to:
common_name = re.search(r"Subject:.*? CN ?= ?([^\s,;/]+)", out.decode('utf8'))
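The two Subject formats quoted above, run against the original and the proposed pattern, as an added example that is not part of the original issue or of acme-tiny. The helper names `extract_cn` and `silent_misses` are hypothetical; the sample lines are copied from the terminal output in the issue.

```python
import re

# The two patterns quoted in the issue: the original line 72 and the proposed fix.
OLD_CN_RE = re.compile(r"Subject:.*? CN=([^\s,;/]+)")
NEW_CN_RE = re.compile(r"Subject:.*? CN ?= ?([^\s,;/]+)")

# Subject lines as printed by `openssl req -text -noout` in the issue.
SAMPLES = {
    "OpenSSL 1.0.1t": (
        "Subject: C=US, ST=California, L=San Francisco, O=Fazal Majid, "
        "CN=temboz.com/emailAddress=ssladministrator@majid.org"
    ),
    "OpenSSL 1.1.0e": (
        "Subject: C = US, ST = California, L = San Francisco, O = Fazal Majid, "
        "CN = temboz.com, emailAddress = ssladministrator@majid.org"
    ),
}


def extract_cn(openssl_text, pattern=NEW_CN_RE):
    """Return the CN from `openssl req -text` output, or None if absent."""
    if isinstance(openssl_text, bytes):  # subprocess output arrives as bytes
        openssl_text = openssl_text.decode("utf8")
    match = pattern.search(openssl_text)
    return match.group(1) if match else None


def silent_misses(pattern, samples=SAMPLES):
    """List the OpenSSL versions whose Subject line yields no CN.

    A miss raises no error at parse time: the caller just sees None,
    and the problem only shows up later as the CA's 403 response.
    """
    return sorted(
        version for version, line in samples.items()
        if extract_cn(line, pattern) is None
    )


if __name__ == "__main__":
    for name, pattern in (("old", OLD_CN_RE), ("new", NEW_CN_RE)):
        for version, line in SAMPLES.items():
            print(name, version, extract_cn(line, pattern))
        print(name, "misses:", silent_misses(pattern))
```

Keeping both formats as fixtures in a regression test catches the next change in OpenSSL's text output before it reaches a renewal run.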
Should be fixed with #169.
Merged #169
Thanks for this...
The actual code would be:
Can confirm this fix worked for me when I manually updated the file.