Regression with OpenSSL 1.1.0 #167

Closed
@fazalmajid

Issuing new Let's Encrypt certificates (or renewing ones past the reauthorization window) fails when running OpenSSL 1.1.0. I get the error:

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Signing certificate...
Traceback (most recent call last):
  File "acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "acme_tiny.py", line 161, in get_crt
    raise ValueError("Error signing certificate: {0} {1}".format(code, result))
ValueError: Error signing certificate: 403 {
  "type": "urn:acme:error:unauthorized",
  "detail": "Error creating new cert :: Authorizations for these names not found or expired: temboz.com",
  "status": 403
}

The problem is in line 72 where acme_tiny.py extracts the CN from the certificate using the regex:

    common_name = re.search(r"Subject:.*? CN=([^\s,;/]+)", out.decode('utf8'))

Unfortunately OpenSSL changed the format of openssl req -text -noout in 1.1.0 to add extraneous spaces around the = in CN=:

ungol ~/web/acme-tiny>/usr/bin/openssl version
OpenSSL 1.0.1t  3 May 2016
ungol ~/web/acme-tiny>/usr/bin/openssl req -in temboz.csr -noout -text|grep Subject:
        Subject: C=US, ST=California, L=San Francisco, O=Fazal Majid, CN=temboz.com/emailAddress=ssladministrator@majid.org

ungol ~/web/acme-tiny>/usr/local/bin/openssl version
OpenSSL 1.1.0e  16 Feb 2017
ungol ~/web/acme-tiny>/usr/local/ssl/bin/openssl req -in temboz.csr -noout -text | grep Subject:
        Subject: C = US, ST = California, L = San Francisco, O = Fazal Majid, CN = temboz.com, emailAddress = ssladministrator@majid.org

The fix is to change line 72 to:

    common_name = re.search(r"Subject:.*? CN ?= ?([^\s,;/]+)", out.decode('utf8'))
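Added example (not part of the original issue and not acme-tiny's own code): the two regexes quoted above, run against the two `Subject:` lines from the issue. The `domains_to_authorize` guard is a hypothetical addition that fails at parse time when no name is found, instead of surfacing later as a 403 at signing.

```python
import re

# The two patterns quoted in the issue (line 72 before and after the proposed fix).
OLD_CN = r"Subject:.*? CN=([^\s,;/]+)"
NEW_CN = r"Subject:.*? CN ?= ?([^\s,;/]+)"

# Subject lines copied from the issue's `openssl req -noout -text` output.
SUBJECT_1_0_1T = (
    "        Subject: C=US, ST=California, L=San Francisco, O=Fazal Majid, "
    "CN=temboz.com/emailAddress=ssladministrator@majid.org"
)
SUBJECT_1_1_0E = (
    "        Subject: C = US, ST = California, L = San Francisco, O = Fazal Majid, "
    "CN = temboz.com, emailAddress = ssladministrator@majid.org"
)


def extract_cn(req_text, pattern):
    """Return the CN that `pattern` captures from the text dump, or None."""
    match = re.search(pattern, req_text)
    return match.group(1) if match else None


def domains_to_authorize(req_text, pattern):
    """Hypothetical guard: stop before any ACME request if no name was parsed.

    A silent non-match means the name is never authorized, and the CA only
    reports that much later when the certificate is requested.
    """
    cn = extract_cn(req_text, pattern)
    if cn is None:
        raise ValueError(
            "no CN found in CSR text; the OpenSSL output format may have changed"
        )
    return {cn}


if __name__ == "__main__":
    samples = (("1.0.1t", SUBJECT_1_0_1T), ("1.1.0e", SUBJECT_1_1_0E))
    for label, subject in samples:
        for name, pattern in (("old", OLD_CN), ("new", NEW_CN)):
            print(label, name, extract_cn(subject, pattern))
```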
