Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Regression with OpenSSL 1.1.0 #167

fazalmajid opened this issue Mar 10, 2017 · 5 comments

Regression with OpenSSL 1.1.0 #167

fazalmajid opened this issue Mar 10, 2017 · 5 comments


Copy link

@fazalmajid fazalmajid commented Mar 10, 2017

Issuing new Let's Encrypt certificates (or renewing ones past the reauthorization window) fails when running OpenSSL 1.1.0. I get the error:

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Signing certificate...
Traceback (most recent call last):
  File "", line 198, in <module>
  File "", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER,
  File "", line 161, in get_crt
    raise ValueError("Error signing certificate: {0} {1}".format(code, result))
ValueError: Error signing certificate: 403 {
  "type": "urn:acme:error:unauthorized",
  "detail": "Error creating new cert :: Authorizations for these names not found or expired:",
  "status": 403

The problem is in line 72 where extracts the CN from the certificate using the regex:

    common_name ="Subject:.*? CN=([^\s,;/]+)", out.decode('utf8'))

Unfortunately OpenSSL changed the format of openssl req -text -noout in 1.1.0 to add extraneous spaces around the = in CN=:

ungol ~/web/acme-tiny>/usr/bin/openssl version
OpenSSL 1.0.1t  3 May 2016
ungol ~/web/acme-tiny>/usr/bin/openssl req -in temboz.csr -noout -text|grep Subject:
        Subject: C=US, ST=California, L=San Francisco, O=Fazal Majid,

ungol ~/web/acme-tiny>/usr/local/bin/openssl version                            OpenSSL 1.1.0e  16 Feb 2017
ungol ~/web/acme-tiny>/usr/local/ssl/bin/openssl req -in temboz.csr -noout -text | grep Subject:
        Subject: C = US, ST = California, L = San Francisco, O = Fazal Majid, CN =, emailAddress =

The fix is to change line 72 to:

    common_name ="Subject:.*? CN ?= ?([^\s,;/]+)", out.decode('utf8'))
Copy link

@adrianheine adrianheine commented Apr 4, 2017

Should be fixed with #169.

Copy link

@diafygi diafygi commented Jun 6, 2017

Merged #169

@diafygi diafygi closed this Jun 6, 2017
Copy link

@Mecanik Mecanik commented Aug 4, 2017

Thanks for this...

Copy link

@Mecanik Mecanik commented Aug 4, 2017

The actual code would be:

common_name ="Subject:.*? CN ?= ?([^\s,;/]+)", out.decode('utf8'))

Copy link

@Wasca Wasca commented Sep 20, 2017

Can confirm this fix worked for me when I manually updated the file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants