acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Acme generating incorrect multi domain records #3955

Open Dmitry-NC opened 2 years ago

Dmitry-NC commented 2 years ago

Step 1 - create multi domain records vc.app.mydomain.com and *.vc.app.mydomain.com - OK

Step 2 - create multi domain records app.mydomain.com and *.app.mydomain.com - ERROR

/opt/acmeuser/.acme.sh/acme.sh --issue --log --log-level 2 --challenge-alias mydomain.other.com --dns dns_mydomain --dnssleep 20 --server letsencrypt -d app.mydomain.com -d "*.app.mydomain.com" --force --keylength 4096

[Fri Feb 25 09:16:50 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Feb 25 09:16:50 2022] Multi domain='DNS:app.mydomain.com,DNS:vc.app.mydomain.com' <- ??? VC.app.mydomain.com
[Fri Feb 25 09:16:50 2022] Getting domain auth token for each domain
[Fri Feb 25 09:16:54 2022] Getting webroot for domain='app.mydomain.com'
[Fri Feb 25 09:16:54 2022] Getting webroot for domain='*.app.mydomain.com'
[Fri Feb 25 09:16:54 2022] app.mydomain.com is already verified, skip dns-01.
[Fri Feb 25 09:16:54 2022] *.app.mydomain.com is already verified, skip dns-01.
[Fri Feb 25 09:16:54 2022] Verify finished, start to sign.
[Fri Feb 25 09:16:54 2022] Lets finalize the order.
[Fri Feb 25 09:16:54 2022] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/129326914/66746157320'
[Fri Feb 25 09:16:55 2022] Sign failed, finalize code is not 200.
[Fri Feb 25 09:16:55 2022] { "type": "urn:ietf:params:acme:error:unauthorized", "detail": "Error finalizing order :: CSR is missing Order domain \"*.app.mydomain.com\"", "status": 403 }
[Fri Feb 25 09:16:55 2022] Please check log file for more details: /opt/acmeuser/.acme.sh/acme.sh.log

cat /opt/acmeuser/.acme.sh/app.mydomain.com/app.mydomain.com.csr.conf
[ req_distinguished_name ]
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ v3_req ]
subjectAltName=DNS:app.mydomain.com,DNS:vc.app.mydomain.com <- ??? VC.app.mydomain.com

Why does vc.app.mydomain.com automatically create instead of *.app.mydomain.com ?

*Everywhere the real domain is replaced by mydomain.com

AvverbioPronome commented 2 years ago

I would try using single quotes, in case it's your shell expanding the asterisk.
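Constructed reproduction of the glob-expansion hypothesis above, added here as an example and not code from the issue or from acme.sh. It assumes what the report implies: the acme.sh home directory already holds a per-domain directory named vc.app.mydomain.com from Step 1, so whenever the identifier list is expanded unquoted in that directory (in the invoking shell, in a wrapper that re-runs the command line, or in any later unquoted variable expansion), the shell substitutes that directory name for `*.app.mydomain.com`. The helper names and the scratch directory are made up for the demo.

```shell
#!/bin/sh
# Constructed reproduction (not acme.sh code): a wildcard identifier passed
# through an unquoted shell expansion is replaced by whatever file name in the
# current directory matches the glob. Directory names are made up to mirror
# the report: the Step 1 certificate directory sits next to the Step 2 one.
set -u

WORK=$(mktemp -d)                      # stands in for the acme.sh home
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/vc.app.mydomain.com" "$WORK/app.mydomain.com"

# What a script sees after `set -- $list` (or `for d in $list`) on an unquoted
# variable while running inside directory $1. Prints one identifier per line.
expand_unquoted() {
  ( cd "$1" && list=$2 && set -- $list && printf '%s\n' "$@" )
}

# Same expansion with pathname generation disabled (set -f): the asterisk
# survives regardless of which directory the script runs in.
expand_noglob() {
  ( cd "$1" && set -f && list=$2 && set -- $list && printf '%s\n' "$@" )
}

# Pre-flight guard for a wrapper around `acme.sh --issue`: succeed only if the
# wildcard identifier for base domain $1 is still among the received
# identifiers ($2...). Catches the loss before the order is finalized, where
# the report's "CSR is missing Order domain" error would surface it instead.
check_wildcard_present() {
  base=$1; shift
  for id in "$@"; do
    [ "$id" = "*.$base" ] && return 0
  done
  echo "wildcard *.$base was lost; identifiers received: $*" >&2
  return 1
}

echo "unquoted : $(expand_unquoted "$WORK" '*.app.mydomain.com')"   # vc.app.mydomain.com
echo "with -f  : $(expand_noglob   "$WORK" '*.app.mydomain.com')"   # *.app.mydomain.com
check_wildcard_present app.mydomain.com app.mydomain.com \
  "$(expand_unquoted "$WORK" '*.app.mydomain.com')" \
  || echo "guard tripped as expected"
```

The guard is the practical takeaway: compare the identifiers the tool actually received against the ones you meant to request before any ACME order is placed, rather than discovering the mismatch from the CSR or the finalize error.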