dehydrated-io / dehydrated

letsencrypt/acme client implemented as a shell-script – just add water
https://dehydrated.io
MIT License

Dehydrated gets confused by openssl req -verify output. #924

Closed wteiken closed 9 months ago

wteiken commented 9 months ago

With the latest openssl update (at least from macports), openssl req -verify outputs the verification result to stdout (as opposed to stderr in the past). This gets merged into the altnames.

Created PR #923 as a fix.

wteiken commented 9 months ago

Output on the console:

Warning: Will read cert request from stdin since no -in option is given
 + Requesting new certificate order from CA...
  + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 400)

Details:
HTTP/2 400 
server: nginx
date: Sun, 03 Dec 2023 19:40:39 GMT
content-type: application/problem+json
content-length: 1535
boulder-requester: 119415
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: [...]

{
  "type": "urn:ietf:params:acme:error:rejectedIdentifier",
  "detail": "Error creating new order :: Cannot issue for \"certificate\": Domain name needs at least one dot (and 4 more problems. Refer to sub-problems for more information.)",
  "status": 400,
  "subproblems": [
    {
      "type": "urn:ietf:params:acme:error:malformed",
      "detail": "Error creating new order :: Domain name needs at least one dot",
      "status": 400,
      "identifier": {
        "type": "dns",
        "value": "certificate"
      }
    },
wteiken commented 9 months ago

From a trace with bash -x:

+ local challenge_identifiers=
+ for altname in ${altnames}
+ [[ Certificate =~ ^ip: ]]
++ printf '{"type": "dns", "value": "%s"}, ' Certificate
+ challenge_identifiers+='{"type": "dns", "value": "Certificate"}, '
+ for altname in ${altnames}
+ [[ request =~ ^ip: ]]
++ printf '{"type": "dns", "value": "%s"}, ' request
+ challenge_identifiers+='{"type": "dns", "value": "request"}, '
+ for altname in ${altnames}
+ [[ self-signature =~ ^ip: ]]
++ printf '{"type": "dns", "value": "%s"}, ' self-signature
+ challenge_identifiers+='{"type": "dns", "value": "self-signature"}, '
+ for altname in ${altnames}
+ [[ verify =~ ^ip: ]]
++ printf '{"type": "dns", "value": "%s"}, ' verify
+ challenge_identifiers+='{"type": "dns", "value": "verify"}, '
+ for altname in ${altnames}
+ [[ OK =~ ^ip: ]]
++ printf '{"type": "dns", "value": "%s"}, ' OK
+ challenge_identifiers+='{"type": "dns", "value": "OK"}, '
+ for altname in ${altnames}
+ [[ nostromo.teiken.net =~ ^ip: ]]
++ printf '{"type": "dns", "value": "%s"}, ' my.host.name
+ challenge_identifiers+='{"type": "dns", "value": "my.host.name"}, '
lukas2511 commented 9 months ago

Thanks, I've merged your PR. I'm going to read up on openssl changelogs in the coming days to see if there might be any other hidden surprises about output changes (again)...
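Added example, not dehydrated's code and not from either commenter: a POSIX shell sketch of the two things this thread turns on. First, when the point of openssl req -verify is only the exit status, discard both its stdout and stderr so a version-dependent "verify OK" line can never land in a variable that is later word-split into altnames, and take the -text dump from a separate invocation. Second, anchor the SAN parser on the "X509v3 Subject Alternative Name:" header line rather than on the whole output, and sanity-check every identifier locally before it is serialised into the new-order request, so a token such as "Certificate" or "OK" fails fast with a local error instead of a 400 from the CA. The openssl text below is constructed, my.host.name is the placeholder from the trace, and the verify_csr/csr_text helpers assume an openssl binary on PATH and are not exercised by the rest of the script.

```shell
#!/bin/sh
# Added example (not dehydrated's code): keep `openssl req -verify` output
# away from the altname parser, and validate identifiers before they go
# into an ACME new-order request.

# --- talking to openssl (assumes an openssl binary on PATH; not run below) ---

verify_csr() {
  # Only the exit status matters. Both streams go to /dev/null, so it is
  # irrelevant whether this OpenSSL version prints
  # "Certificate request self-signature verify OK" on stdout or stderr.
  # -in avoids the "Will read cert request from stdin" warning from the issue.
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

csr_text() {
  # Separate invocation for the text dump: this is the only thing parsed.
  openssl req -in "$1" -noout -text 2>/dev/null
}

# --- parsing ---------------------------------------------------------------

extract_altnames() {
  # $1: text as printed by `openssl req -noout -text`.
  # Prints the SAN entries as a space-separated list, DNS names bare and
  # IP addresses prefixed with "ip:", or an empty line if there is no SAN
  # extension. Only the line directly after the SAN header is read, so any
  # other line in the dump (including a stray verify line) is ignored.
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*X509v3 Subject Alternative Name:[[:space:]]*$/ { getline; sans = $0; exit }
    END {
      n = split(sans, parts, /,[[:space:]]*/)
      out = ""
      for (i = 1; i <= n; i++) {
        p = parts[i]
        sub(/^[[:space:]]+/, "", p)
        if (p ~ /^DNS:/) { sub(/^DNS:/, "", p) }
        else if (p ~ /^IP Address:/) { sub(/^IP Address:/, "ip:", p) }
        else { continue }   # othername/email/URI SANs are not orderable
        out = out (out == "" ? "" : " ") p
      }
      print out
    }'
}

validate_identifier() {
  # Local sanity check for one ACME identifier, mirroring what the CA will
  # reject anyway: a DNS name needs dot-separated LDH labels (at least one
  # dot; a leading "*." wildcard is allowed), an IP identifier needs an
  # "ip:" prefix followed by an address literal (IPv4 strict, IPv6 loosely).
  case "$1" in
    ip:*)
      printf '%s\n' "${1#ip:}" |
        grep -Eiq '^(([0-9]{1,3}\.){3}[0-9]{1,3}|[0-9a-f:]*:[0-9a-f:]*)$' ;;
    *)
      printf '%s\n' "$1" |
        grep -Eiq '^(\*\.)?([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$' ;;
  esac
}

build_identifiers() {
  # $1: space-separated altnames. Prints the JSON "identifiers" array for a
  # new-order request, or returns 1 (nothing on stdout) if any token is not
  # a plausible identifier. Types follow RFC 8555 ("dns") and RFC 8738 ("ip").
  out=""
  for altname in $1; do
    if ! validate_identifier "$altname"; then
      printf 'refusing to build order: "%s" is not a DNS name or ip: literal\n' "$altname" >&2
      return 1
    fi
    case "$altname" in
      ip:*) entry=$(printf '{"type": "ip", "value": "%s"}' "${altname#ip:}") ;;
      *)    entry=$(printf '{"type": "dns", "value": "%s"}' "$altname") ;;
    esac
    if [ -n "$out" ]; then out="$out, $entry"; else out="$entry"; fi
  done
  printf '[%s]\n' "$out"
}

# --- constructed samples (not real openssl output) -------------------------

# What `openssl req -verify -noout -text` prints when the verify result
# lands on stdout, the situation described in the issue.
SAMPLE_REQTEXT='Certificate request self-signature verify OK
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = my.host.name
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:my.host.name, DNS:www.my.host.name, IP Address:192.0.2.10
    Signature Algorithm: sha256WithRSAEncryption'

# A request without a SAN extension.
SAMPLE_NOSAN='Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = my.host.name'

# Demo: the anchored parser ignores the verify line ...
altnames=$(extract_altnames "$SAMPLE_REQTEXT")
build_identifiers "$altnames"
# ... and the altname string seen in the bash -x trace is refused locally
# instead of being sent to the CA.
build_identifiers "Certificate request self-signature verify OK my.host.name" \
  || echo "order not built (expected)"
```

The validation is deliberately syntactic only: it catches word-split debris and obvious junk before a network round trip, while the CA remains the authority on what it will actually issue for.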