New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cannot use --signcsr : "Invalid character in DNS name" #598

Closed
bortzmeyer opened this Issue Sep 25, 2018 · 11 comments

Comments

Projects
None yet
5 participants
@bortzmeyer

bortzmeyer commented Sep 25, 2018

I can use dehydrated --cron --domain www.bortzmeyer.org for my domain and it works. Now, I want to use my own CSR and I try --signcsr:

% sudo dehydrated --signcsr ./blog.csr --domain www.bortzmeyer.org
# INFO: Using main config file /etc/dehydrated/config                        
# !! WARNING !! Extra configuration directory /etc/dehydrated/conf.d exists, but no configuration found in it.
 + Requesting challenge for Subject:...
  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-authz (Status 400)

Details:
{
  "type": "urn:acme:error:malformed",
  "detail": "Error creating new authz :: Invalid character in DNS name",
  "status": 400
}

rm: cannot remove '/etc/dehydrated/domains.txt': No such file or directory

The domain name seems perfectly OK (and it works with --cron). In the CSR:

% openssl req -text -in blog.csr                                                              
Certificate Request:                   
    Data:
        Version: 1 (0x0)
        Subject: CN = www.bortzmeyer.org
...

It seems the same subject as in the CSR generated by dehydrated --cron.

I tried with a ECDSA CSR and a RSA one, same result.

I'm not sure it is a dehydrated bug, of course, it can be a Let's Encrypt one, or a fault on my side but I cannot find it.

@cpu

This comment has been minimized.

cpu commented Sep 25, 2018

👋 @bortzmeyer

Can you share the full CSR? Are the Subject Alternate Names well formed?

I'm not sure it is a dehydrated bug, of course, it can be a Let's Encrypt one, or a fault on my side but I cannot find it.

I can at least rule out that its a bug with Let's Encrypt :-)

In the server side logs I can see that Dehydrated POSTed new-authz with an invalid domain identifier in the authenticated JWS body:

"identifier": {"type": "dns", "value": "Subject:"}

I can't tell where the "Subject:" value came from: a bug with Dehydrated, a problem with the CSR, or both. It should be a domain name instead.

@bortzmeyer

This comment has been minimized.

bortzmeyer commented Sep 25, 2018

Oh, yes, I should have send the full CSR. Here it is:

-----BEGIN CERTIFICATE REQUEST-----
MIHWMH8CAQAwHTEbMBkGA1UEAwwSd3d3LmJvcnR6bWV5ZXIub3JnMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAE+i8wLn3mwWMJ1S8zw+lIyiWvpZ9iNVZ3aiq4omoG
ZpUtF0blitUXKhYLUOmofQwrFqb7YNFZ0qHFXIWQJRMXA6AAMAoGCCqGSM49BAMC
A0cAMEQCIGffhXFGK4TrqkQ5P0lGzwTRJQA8qCMkE9UOWgZ9gdx1AiAgU+ilYgTG
510OonzEqJ0izvfwRwiglGZ8yaZHun1+Zg==
-----END CERTIFICATE REQUEST-----

This is the ECDSA one, but the RSA one triggers the same error.

@bllfr0g

This comment has been minimized.

bllfr0g commented Sep 25, 2018

@cpu

This comment has been minimized.

cpu commented Sep 25, 2018

@bllfr0g That part of the CSR @bortzmeyer shared stands out to me as well, but it does appear based on a quick skim of the Dehydrated source that this case should be handled:

dehydrated/dehydrated

Lines 644 to 648 in fba49ba

else
# No SANs, extract CN
altnames="$( <<<"${reqtext}" grep '^[[:space:]]*Subject:' | _sed -e 's/.* CN ?= ?([^ /,]*).*/\1/' )"
printf "%s" "${altnames}"
fi

I'm afraid we're outside of my depth now. It seems to me to be a Dehydrated bug so I'm going to drop off this thread with the hope a maintainer can take over from here.

Good luck!

@bllfr0g

This comment has been minimized.

bllfr0g commented Sep 25, 2018

@cpu

This comment has been minimized.

cpu commented Sep 25, 2018

I don’t think dehydrated is balking on the CSR, I think LetsEncrypt is. Nothing dehydrated can do to fix that.

@bllfr0g Sorry, I should have made my affiliation clearer. I work for Let's Encrypt and verified from the server-side Let's Encrypt logs that this is not the case.

Dehydrated is processing the CSR and something strange happens that results in an ACME request to the Let's Encrypt ACME server's new-authz endpoint with an invalid identifier value. The CSR isn't sent to Let's Encrypt (in the ACME v1 world) until the new-cert POST and the error is occurring before then so we can say with double confidence it isn't Let's Encrypt rejecting the CSR.

@lukas2511

This comment has been minimized.

Owner

lukas2511 commented Sep 26, 2018

Mh... @bortzmeyer what OS are you running dehydrated on? Can you please post the output of dehydrated -v?

@bortzmeyer

This comment has been minimized.

bortzmeyer commented Sep 26, 2018

Mh... @bortzmeyer what OS are you running dehydrated on? Can you please post the output of dehydrated -v?

% cat /etc/debian_version 
9.5

% dehydrated -v
Unknown parameter detected: -v

Usage: /usr/bin/dehydrated [-h] [command [argument]] [parameter [argument]] [parameter [argument]] ...

Default command: help

Commands:
 --cron (-c)                      Sign/renew non-existant/changed/expiring certificates.
 --signcsr (-s) path/to/csr.pem   Sign a given CSR, output CRT on stdout (advanced usage)
 --revoke (-r) path/to/cert.pem   Revoke specified certificate
 --cleanup (-gc)                  Move unused certificate files to archive directory
 --help (-h)                      Show help text
 --env (-e)                       Output configuration variables for use in other scripts

Parameters:
 --full-chain (-fc)               Print full chain when using --signcsr
 --ipv4 (-4)                      Resolve names to IPv4 addresses only
 --ipv6 (-6)                      Resolve names to IPv6 addresses only
 --domain (-d) domain.tld         Use specified domain name(s) instead of domains.txt entry (one certificate!)
 --keep-going (-g)                Keep going after encountering an error while creating/renewing multiple certificates in cron mode
 --force (-x)                     Force renew of certificate even if it is longer valid than value in RENEW_DAYS
 --no-lock (-n)                   Don't use lockfile (potentially dangerous!)
 --ocsp                           Sets option in CSR indicating OCSP stapling to be mandatory
 --privkey (-p) path/to/key.pem   Use specified private key instead of account key (useful for revocation)
 --config (-f) path/to/config     Use specified config file
 --hook (-k) path/to/hook.sh      Use specified script for hooks
 --out (-o) certs/directory       Output certificates into the specified directory
 --challenge (-t) http-01|dns-01  Which challenge should be used? Currently http-01 and dns-01 are supported
 --algo (-a) rsa|prime256v1|secp384r1 Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
@bortzmeyer

This comment has been minimized.

bortzmeyer commented Sep 26, 2018

OK, I regenerated the CSR with:

openssl req -new -key blog.pem  -nodes -days 1000 -subj '/CN=www.bortzmeyer.org' -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:www.bortzmeyer.org")) -out blog.csr

Now, there is a SAN:

        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:www.bortzmeyer.org

And this time, dehydrated makes a correct request and Let's Encrypt signs the certificate. Hooray.

Suggestion: dehydrated should produce a proper error message such as "Missing Subject Alternative Name in the CSR" (or generate the domain name from the CN if there is no SAN).

@txr13

This comment has been minimized.

txr13 commented Sep 26, 2018

@bortzmeyer You’re using a really, really old version of dehydrated, if it doesn’t even support the “version” command. You really should consider using the current version instead, which has obviously fixed many bugs (and added some new features).

Edit: Yeah, Debian Stretch has dehydrated 0.3.1 packaged, while dehydrated is currently on 0.6.2.

@lukas2511

This comment has been minimized.

Owner

lukas2511 commented Oct 20, 2018

Like @txr13 said this issue was already fixed quite a while ago.
Please update your version of dehydrated, it's just a shell-script so it shouldn't be much of a problem to "install" manually.

@lukas2511 lukas2511 closed this Oct 20, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment