Closed Seyfle closed 9 months ago
Is the error originating from the ACME module or from the ACDS server? Is the error specific? Or is it something like "an error occurred"? Also the 1.8 version (built for .NET 8) is a little bit more verbose regarding errors.
It's from the ACME module. What do you mean by specific error? Did the 1.0.3 version support .NET 8?
Ahhhh the title is the error you get? Sorry I did not catch that.
.NET8 is the "now supported" runtime for versions from 1.8-beta (https://github.com/glatzert/ACME-Server-ADCS/releases/tag/V1.8.0). I'm just missing the time to test it thoroughly ...
Do I really need to update to 1.8 if you haven't tested it for the moment?
Are there no other options?
No sorry - I thought I had a "better" message in that case, but I don't. The message occurs if the CN is empty and should not be, or cannot be parsed - so I think, if there are spaces in your CN, it might be erroneous for some other reason?
I have looked at the certificates that are generated by the ADCS and they all contain a space, so I don't know, and I don't think I can generate a CSR without a space.
Besides the title, does the error message contain the "original" error? There should at least be the stack trace, and perhaps that contains a hint to the base problem.
{"t":"2024-01-24T16:05:53.2255047Z","m":"Attempting validation of CSR MIIDFTCCAf0CAQAwgZcxGzAZBgNVBAMMEmx4MDk4MC5zYXByci5sb2NhbDEeMBwGCSqGSIb3DQEJARYPY2EudW5peEBhcHJyLmZyMQ0wCwYDVQQKDARBUFJSMRgwFgYDVQQLDA9URVNUIC0gUG9sZSBEU1MxDjAMBgNVBAcMBURpam9uMRIwEAYDVQQIDAlCb3VyZ29nbmUxCzAJBgNVBAYTAkZSMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAj0B3J8oU5GrLv-i9ZfgDWS66Wnc8ZM_HoRmv-wpFREV5kZtM-O5v0IRTG2NsGRnNvjHOgYBV2OhnaQQCLzHnZC9dwPT4-u04vUhVn0uy_xhXJp4rHUSL4kxbdzecbwre4z324GJBvu3QOHuC4lKJnxmKE_aBRHXfscteKibPyMxe5sLAMPv__4PqVD80J18ja9qQDciCXTHAtGPwJNhqgjnupKZpsVbfL5Kc0tu6jUNTyNV5YPT_txIrL9ZWjKWGFqiA8NGjR6NUmNbi9zBn2lgf7NbvKnQC0oqRjC4IAj9wdRqJs8_chC64dSbo4_S65rBBHJmbuipKFL1Lg6IQIDAQABoDgwNgYJKoZIhvcNAQkOMSkwJzAlBgNVHREEHjAcggZseDA5ODCCEmx4MDk4MC5zYXByci5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEAVN2-G-j6O_vQCnv2TTlZJU8Wk4t90AliTeygoPAf4ocpnmQbsswmNhbQGgYqWH4IT8zEoqcG2OOH5jVDyhAkZ17pcIxuuBMsBZy8HnQCRLU1yk62YSUYKwslfmMNhH8GQU_PqsVrcfPWMmdxyrmEwzApwnvTmPFXIOeDf3hKGjj1AEyHMSm8WP3RmNOPo6TVQ_G2zpBag5vflHQFJAa26lG61GA2_cZuvGSy-zlQbJrGQNZqhqDgFUyMK7dX1KpQCMFj5Tcm5iBeinWIVZEwMNN1ByDfrnhrexruqljBxgGkiiIu-4MkJnOfL6yrkJ6zNw6yLvvCfpwjYts-M9tbPw","i":"1c5cff3e","l":"Debug","SourceContext":"TGIT.ACME.Protocol.IssuanceServices.ADCS.CsrValidator","ActionId":"6768bac9-48a9-47d4-8e2a-861569473d3f","ActionName":"TGIT.ACME.Server.Controllers.OrderController.FinalizeOrder (TGIT.ACME.Server.Core)","RequestId":"4000014f-0001-fd00-b63f-84710c7967bb","RequestPath":"/order/Pt0YOaRC-UuQEJQgrYdxSg/finalize"}
{"t":"2024-01-24T16:05:53.2261416Z","m":"CSR Validation failed due to invalid CN.","i":"0aaf7638","l":"Debug","SourceContext":"TGIT.ACME.Protocol.IssuanceServices.ADCS.CsrValidator","ActionId":"6768bac9-48a9-47d4-8e2a-861569473d3f","ActionName":"TGIT.ACME.Server.Controllers.OrderController.FinalizeOrder (TGIT.ACME.Server.Core)","RequestId":"4000014f-0001-fd00-b63f-84710c7967bb","RequestPath":"/order/Pt0YOaRC-UuQEJQgrYdxSg/finalize"}
I have this, not sure it could help..
If I try to decode the CSR with OpenSSL, it says it's incomplete - can you confirm your CSR is valid? If you don't want it online, you can send it via mail, I'd like to see it.
I'll send you my CSR by mail before requesting the certificate. Is it the email in your bio?
Yes, that'll do...
For documentation:
There's an error in checking CNs that will make it fail when there's more than CN=example.com; specifically, adding other data into the Subject, like S=State, C=Country, will make it consistently fail the validation, regardless of whether AllowSuffixinCN is set or not.
The ACME protocol specs are vague about what might go into the CN and what not, besides mentioning that DNS names need to be either in the CN (which would be useless with modern browsers) or the SAN.
I'll look into the relevant RFCs and implement a solution to fix that problem.
CSR validation now only checks CNs and SANs, as required by RFC 8555. I created V1.9.0 for that as a new prerelease that has proper tests for the validation logic as well, so it should not happen again. Sorry for any inconvenience.
And thanks to you the product has now some proper tests for that whole code block 👍
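An added illustration of the rule described above, not code from ACME-Server-ADCS: only the CN values and SAN DNS names of a CSR are compared with the order's identifiers, and every other subject attribute is ignored. The function names, the stand-in `naive_check` (which only reproduces the reported symptom) and the sample subject are constructed for this sketch, and the subject is assumed to be given as a DN string rather than parsed from DER.

```python
def parse_subject(dn):
    """Split a DN string such as 'CN = a.example, O = Org' into (type, value) pairs.
    Backslash-escaped separators are honoured; hex escapes are not handled."""
    rdns, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch in ",+":              # RDN separator or multi-valued RDN
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        if not rdn.strip():
            continue
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs

def naive_check(dn, identifiers):
    """Hypothetical over-strict check: the whole subject must be CN=<identifier>."""
    return any(dn.replace(" ", "") == f"CN={i}" for i in identifiers)

def cn_san_check(dn, sans, identifiers):
    """Compare only CN values and SAN DNS names with the order's identifiers.
    RFC 8555 section 7.4 asks for the exact same set, so both directions are checked."""
    allowed = {i.lower() for i in identifiers}
    cns = {v.lower() for k, v in parse_subject(dn) if k == "CN"}
    names = cns | {s.lower() for s in sans}
    return bool(names) and names == allowed

if __name__ == "__main__":
    # Constructed sample values, not taken from the CSR in the log above.
    subject = "CN = host1.example.local, O = Example Org, ST = Region, C = FR"
    order = ["host1.example.local"]
    print("naive:", naive_check(subject, order))
    print("CN/SAN only:", cn_san_check(subject, ["host1.example.local"], order))
```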
Hello,
When I try using a custom CSR to generate a certificate I get this error. I have looked in the code to see what my error is and I saw that in my CSR all the subject data have a space. Example: I have CN = mydomain.local.
Can this be fixed or am I doing something wrong?
Thanks for your response.