
tls-alpn-01 challenge is failing due to wrong certificate version #48

Closed
nizar-m opened this issue Sep 3, 2021 · 0 comments · Fixed by #49
nizar-m commented Sep 3, 2021

tls-alpn-01 challenge is currently failing with the following error.

challenge invalid: tls-alpn-01: invalid: Incorrect validation certificate for tls-alpn-01 challenge. 
Requested <domain> from <letsencrypt_ip>:443. Received 1 certificate(s), first certificate had names ""

The error location seems to be this in boulder:

The error is basically that it could not get any of the DNS Subject Alternative Names. Boulder expects exactly one DNS SAN with the same name as the domain name.

When you look at the golang crypto/x509 code, the dns names will be parsed only if the version is 3.

We are not setting any version in tls-alpn-01.lua, which means the version is 1. Setting the version to 3 might fix this issue.

When you use openssl, you can clearly see the DNS SANs.

$ echo | openssl s_client -alpn acme-tls/1 -connect <domain>:443 2>/dev/null | openssl x509 -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: 
        Validity
            Not Before: Sep  3 06:00:21 2021 GMT
            Not After : Sep  3 06:00:21 2021 GMT
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c5:83:b4:53:03:0d:1d:d8:70:75:fa:1c:c2:8b:
                    77:23:40:a5:3d:3b:e9:32:45:96:7e:88:19:3c:99:
                    77:d1:1f:af:52:58:27:c5:f6:d3:d9:b8:b9:3a:7d:
                    2e:13:3d:a4:2b:62:28:1c:b0:89:9c:b7:db:8c:5f:
                    64:3a:9e:58:06:ae:b6:a0:63:86:d8:72:f1:e2:e6:
                    a0:41:54:28:b0:cf:a4:f9:e5:48:e1:d3:51:e8:f0:
                    23:8f:58:7a:8d:77:33:80:bd:00:40:d8:4d:a1:a3:
                    81:43:45:a1:e4:36:3e:58:b5:ab:cb:3a:38:3c:81:
                    b4:bc:38:27:9b:b3:67:37:37:1d:aa:26:d6:63:14:
                    ad:45:ed:d9:f4:dd:9b:c8:db:a6:1e:ab:64:72:13:
                    5a:88:c9:e7:e2:0d:b8:a3:4f:58:c0:b2:b8:ed:45:
                    30:4c:e0:e4:e0:a1:50:1e:d0:f8:6f:8a:95:94:c5:
                    b5:a9:45:ac:e9:fa:61:3e:67:5d:19:e0:4f:fc:6b:
                    66:7d:96:87:7a:f3:a1:65:7f:5c:67:ac:d1:f3:66:
                    91:1d:2b:a2:49:ca:74:34:0e:ea:53:45:98:57:28:
                    49:3b:71:8d:ca:8a:00:85:cc:ba:54:c5:ab:30:75:
                    42:c8:75:fa:cc:6a:5d:c7:b9:84:2e:7c:a7:b2:b7:
                    29:9b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:<domain>
            ..................: critical
                ...........................
    Signature Algorithm: sha256WithRSAEncryption
         59:5d:60:59:3c:31:a9:c5:db:84:e4:92:57:bd:d0:e8:42:53:
         9f:8d:75:cd:d4:ec:89:e9:66:95:35:a1:3a:5d:8d:b7:9c:2f:
         8e:86:f5:bc:0e:7a:bf:80:40:58:85:e3:30:d7:f8:f8:72:09:
         b0:48:8d:61:8a:47:db:43:8e:bd:9d:8b:58:c5:b2:82:b2:5e:
         24:9b:b7:dd:1d:a5:a8:93:8f:19:19:22:54:a6:e1:2d:4a:43:
         3c:13:0b:b4:e1:26:a6:59:10:d7:23:1e:05:76:a3:21:cb:33:
         dd:b0:a8:7a:e4:f1:d4:58:61:33:ac:22:79:62:99:94:35:11:
         93:ec:f6:24:06:68:25:73:75:a4:b4:46:04:97:81:26:76:ad:
         33:10:78:d3:e3:d9:88:aa:6a:24:7e:d4:bb:89:e1:b9:56:07:
         2e:20:f7:78:40:fc:0b:9d:7c:0c:88:85:0a:4c:d3:21:f4:1e:
         5e:37:4b:b4:16:a7:ad:1f:9e:83:ba:2d:38:cb:57:13:60:0b:
         a6:40:64:67:04:bb:69:df:10:ae:86:54:5b:37:3b:4c:6e:9c:
         ec:68:22:11:62:a6:31:1e:31:e9:93:78:47:51:9e:df:a2:fb:
         d9:98:a5:d1:9e:a9:a6:e2:19:40:8c:2f:a6:cb:be:ff:7c:91:
         d7:db:31:3a
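As an added example, not code from this repository or from Boulder: a Go check that applies the two conditions described in the report (X.509 v3, exactly one DNS SAN equal to the domain) to a DER certificate, next to a constructor that builds a tls-alpn-01 certificate the way crypto/x509 does, always as version 3. The function names, the domain and the key authorization string are assumptions; the acmeIdentifier extension layout follows RFC 8737.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidAcmeIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31} // id-pe-acmeIdentifier, RFC 8737
// CheckALPNCert applies the two checks from the issue to a DER certificate:
// X.509 v3 and exactly one DNS SAN equal to domain. crypto/x509 only parses
// extensions when the version is 3, so a v1 certificate has no DNSNames at all.
func CheckALPNCert(der []byte, domain string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if cert.Version != 3 {
		return fmt.Errorf("certificate version is %d, expected 3", cert.Version)
	}
	if len(cert.DNSNames) != 1 || cert.DNSNames[0] != domain {
		return fmt.Errorf("want exactly one DNS SAN %q, got %v", domain, cert.DNSNames)
	}
	return nil
}

// NewALPNCert builds the self-signed certificate a tls-alpn-01 responder should
// serve for domain; keyAuth is the ACME key authorization for the challenge.
func NewALPNCert(domain, keyAuth string) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(keyAuth))
	extVal, _ := asn1.Marshal(digest[:]) // DER OCTET STRING of the SHA-256 digest
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(time.Hour),
		DNSNames:        []string{domain},
		ExtraExtensions: []pkix.Extension{{Id: oidAcmeIdentifier, Critical: true, Value: extVal}},
	}
	// CreateCertificate always emits version 3, the fix the issue proposes.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
```

Running CheckALPNCert over the DER a responder actually serves (for instance the output of the openssl command above with `-outform DER` instead of `-text`) reports the version problem locally before Let's Encrypt does.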