fbett / le-acme2-php

LetsEncrypt client library for ACME v2 written in PHP.
MIT License

Error loading request_extensions_section section v3_req with OCSP stapling enabled and Internationalized Domain name #13

Closed rlankhorst closed 3 years ago

rlankhorst commented 3 years ago

Hi,

With an internationalised domain name and OCSP stapling enabled, I get the following error:

PHP Warning:  openssl_csr_new() [<a href='http://php.net/manual/en/function.openssl-csr-new'>function.openssl-csr-new</a>]:
Error loading request_extensions_section section v3_req of /var/www/****/csr_config in ***le_acme2/src/LE_ACME2/Utilities//Certificate.php on line 58

I checked the content of the csr_config, which didn't show anything strange:

    HOME = .
    RANDFILE = ***.rnd
    [ req ]
    default_bits = 4096
    default_keyfile = privkey.pem
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    [ v3_req ]
    basicConstraints = CA:FALSE
    subjectAltName = DNS:xn--***,DNS:www.xn--***
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    tlsfeature=status_request

Disabling OCSP stapling resolved the issue. I didn't have any issues with this with any of the "standard" domain names I tested.

Any ideas on this?

fbett commented 3 years ago

Hi @rlankhorst,

thanks for your feedback.

A test was added (Commit ca676021e59aacbae1ec729e9ae698202ebf9860) using the encoded name for subject "test-üäö.de", but the described problem could not be reproduced. Personally I never saw this error and I'm using the library also for IDN encoded domains.

As there are only openssl wrapper functions used, I will close this issue. Feel free to reopen this issue if there are any library dependent problems.

rlankhorst commented 3 years ago

Hi @fbett, I did some more tests, and can confirm that it's not related to the IDN domains: I encountered the issue on a "standard" domain yesterday. I have no idea yet what the issue is. For that user I just disabled OCSP stapling, which resolved the issue. Do you have a suggestion how I can debug this if I encounter this again? Apart from the log message above, and the PHP error below, I don't have any input I'm afraid. Perhaps it is a server configuration issue?

As there seems to be some issue here, I have to disable OCSP for the time being, but if you have a suggestion where to look when it happens again, I can dig a bit deeper next time.

/csr_config in /home/*****/public_html/wp-content/plugins/****/lets-encrypt/vendor/fbett/le_acme2/src/LE_ACME2/Utilities/Certificate.php on line 81
[31-May-2021 07:32:38 UTC] PHP Warning:  openssl_csr_export() expects parameter 1 to be resource, boolean given in /home/*****/public_html/wp-content/plugins/****/lets-encrypt/vendor/fbett/le_acme2/src/LE_ACME2/Utilities/Certificate.php on line 83
[31-May-2021 07:32:38 UTC] PHP Notice:  Undefined offset: 1 in /home/*****/public_html/wp-content/plugins/****/lets-encrypt/vendor/fbett/le_acme2/src/LE_ACME2/Response/AbstractResponse.php on line 42
[31-May-2021 07:32:38 UTC] Error parsing certificate request: asn1: syntax error: sequence truncated
[31-May-2021 07:32:38 UTC] LE_ACME2\Exception\InvalidResponse Object
(
    [_rawResponse:LE_ACME2\Exception\InvalidResponse:private] => LE_ACME2\Connector\RawResponse Object
        (
            [request] => POST https://acme-v02.api.letsencrypt.org/acme/finalize/****
            [header] => Array
                (
                    [0] => HTTP/1.1 100 Continue
                    [1] => 
                    [2] => HTTP/1.1 400 Bad Request
                    [3] => Server: nginx
                    [4] => Date: Mon, 31 May 2021 07:32:38 GMT
                    [5] => Content-Type: application/problem+json
                    [6] => Content-Length: 158
                    [7] => Connection: keep-alive
                    [8] => Boulder-Requester: 125422202
                    [9] => Cache-Control: public, max-age=0, no-cache
                    [10] => Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
                    [11] => Replay-Nonce: *****
                    [12] => 
                    [13] => 
                )

            [body] => Array
                (
                    [type] => urn:ietf:params:acme:error:malformed
                    [detail] => Error parsing certificate request: asn1: syntax error: sequence truncated
                    [status] => 400
                )

        )

    [_responseStatus:LE_ACME2\Exception\InvalidResponse:private] => 
    [message:protected] => Invalid response received: urn:ietf:params:acme:error:malformed - Error parsing certificate request: asn1: syntax error: sequence truncated
    [string:Exception:private] => 
    [code:protected] => 0
    [file:protected] => /home/*****/public_html/wp-content/plugins/****/lets-encrypt/vendor/fbett/le_acme2/src/LE_ACME2/Response/AbstractResponse.php
    [line:protected] => 40
    [trace:Exception:private] => Array
        (
            [0] => Array
                (
                    [file] => /home/*****/public_html/wp-content/plugins/****/lets-encrypt/vendor/fbett/le_acme2/src/LE_ACME2/Request/Order/Finalize.php
                    [line] => 58
                    [function] => __construct
                    [class] => LE_ACME2\Response\AbstractResponse
                    [type] => ->
                    [args] => Array
                        (
                            [0] => LE_ACME2\Connector\RawResponse Object
                                (
                                    [request] => POST https://acme-v02.api.letsencrypt.org/acme/finalize/125422202/10072696421
                                    [header] => Array
                                        (
                                            [0] => HTTP/1.1 100 Continue
                                            [1] => 
                                            [2] => HTTP/1.1 400 Bad Request
                                            [3] => Server: nginx
                                            [4] => Date: Mon, 31 May 2021 07:32:38 GMT
                                            [5] => Content-Type: application/problem+json
                                            [6] => Content-Length: 158
                                            [7] => Connection: keep-alive
                                            [8] => Boulder-Requester: 125422202
                                            [9] => Cache-Control: public, max-age=0, no-cache
                                            [10] => Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
                                            [11] => Replay-Nonce: *****
                                            [12] => 
                                            [13] => 
                                        )

                                    [body] => Array
                                        (
                                            [type] => urn:ietf:params:acme:error:malformed
                                            [detail] => Error parsing certificate request: asn1: syntax error: sequence truncated
                                            [status] => 400
                                        )

                                )

                        )

                )

            [1] => Array
                (
                    [file] => /home/*****/public_html/wp-content/plugins/****/lets-encrypt/vendor/fbett/le_acme2/src/LE_ACME2/Order.php
                    [line] => 234
                    [function] => getResponse
                    [class] => LE_ACME2\Request\Order\Finalize
                    [type] => ->
                    [args] => Array
                        (
                        )

                )

            [2] => Array
                (
                    [file] => /home/*****/public_html/wp-content/plugins/****/lets-encrypt/class-letsencrypt-handler.php
                    [line] => 706
                    [function] => finalize
                    [class] => LE_ACME2\Order
                    [type] => ->
                    [args] => Array
                        (
                        )

                )

        )

    [previous:Exception:private] => 
)
fbett commented 3 years ago

Do these problems occur on different servers? It could be possible that old versions of openssl will not support OCSP must staple.

Your problem is that openssl_csr_new in Certificate.php returns a general error (false) instead of the CSR.

The latest commit contains some additional error handling for the openssl functions including a new catchable exception (OpenSSLException).

rlankhorst commented 3 years ago

Great!

Yes, for a beta I'm installing it on a number of different servers, which very well could contain older versions of OpenSSL.

I'll update and check if I encounter the issue again.

rlankhorst commented 3 years ago

Hi @fbett, your input helped me fix this. I've now changed the code so it tries first with OCSP stapling; if an error is returned it disables OCSP and retries. This works flawlessly so far. Some servers appear to have outdated software, probably OpenSSL, as you suggested.
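The check fbett describes (treating a false return from openssl_csr_new as an error rather than passing it on to openssl_csr_export) combined with the fallback rlankhorst describes, as an added example that is not the library's or either poster's code. It assumes PHP 7.4+ with the openssl extension and uses constructed sample domain names; the config mirrors the csr_config quoted above.

```php
<?php
// Added example (not the library's own code); needs PHP 7.4+ and the openssl extension.
function buildCsrConfig(array $sans, bool $mustStaple): string {
    $altNames = implode(',', array_map(fn($d) => 'DNS:' . $d, $sans));
    $cfg = "[ req ]\n"
         . "distinguished_name = req_distinguished_name\n"
         . "req_extensions = v3_req\n"
         . "[ req_distinguished_name ]\n"
         . "countryName = Country Name (2 letter code)\n"
         . "[ v3_req ]\n"
         . "basicConstraints = CA:FALSE\n"
         . "subjectAltName = {$altNames}\n"
         . "keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n";
    if ($mustStaple) {
        // RFC 7633 must-staple; an OpenSSL build without this keyword makes openssl_csr_new() return false.
        $cfg .= "tlsfeature = status_request\n";
    }
    return $cfg;
}

function createCsr(array $sans, $privateKey, bool $mustStaple): string {
    $cfgPath = tempnam(sys_get_temp_dir(), 'csr_config');
    file_put_contents($cfgPath, buildCsrConfig($sans, $mustStaple));
    $csr = openssl_csr_new(['commonName' => $sans[0]], $privateKey,
        ['config' => $cfgPath, 'req_extensions' => 'v3_req', 'digest_alg' => 'sha256']);
    unlink($cfgPath);
    if ($csr === false) {
        // Drain the OpenSSL error queue instead of handing false to openssl_csr_export()
        // and sending an empty CSR to the ACME finalize endpoint (the failure seen in the log).
        $errors = [];
        while (($e = openssl_error_string()) !== false) { $errors[] = $e; }
        throw new RuntimeException('openssl_csr_new failed: ' . implode('; ', $errors));
    }
    if (!openssl_csr_export($csr, $pem)) {
        throw new RuntimeException('openssl_csr_export failed');
    }
    return $pem;
}

$sans = ['example.com', 'www.example.com']; // constructed sample names
$key  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
try {
    $csrPem = createCsr($sans, $key, true);            // first attempt: with OCSP must-staple
} catch (RuntimeException $e) {
    error_log('Must-staple CSR failed, retrying without it: ' . $e->getMessage());
    $csrPem = createCsr($sans, $key, false);           // fallback: plain CSR
}
echo $csrPem;
```

The error_log line is where a deployment should record which OpenSSL build is in use, since the retry silently drops must-staple on the affected servers.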

fbett commented 3 years ago

Great solution - thanks for your feedback!