ldez / traefik-certs-dumper

Dump ACME data from Traefik to certificates
Other
470 stars 31 forks source link

SANS in acme.json vs SANS in dumped certificate #195

Open francescor opened 7 months ago

francescor commented 7 months ago

I've just executed

docker run  -v $(pwd):/data ldez/traefik-certs-dumper:latest file --version v2  --source /data/acme-http.json  --dest /data/dump/acme-http

(traefik 2.10.7)

then if I inspect one of the dumped cert

openssl x509 -text -noout -in ./dump/acme-http/certs/servizi.example.com.crt

I see, as expected, my long list of SANS, but:

  1. the Subject: CN does is not servizi.example.com used in the filename: well, no problem with that, but I'm just curious it is not a bug (or, worse for me, some issues with my acme-http.json ... we are having issue with it)

  2. I was expecting that in the file acme-http.json the domain.main would be what I would find in Subject: CN once the certificate is dumped , and also the domain in domain.sans would be exactly the SANS in the certificat X509v3 Subject Alternative Name: and this is not true.

In details if in acme-http.json I have

        "domain": {
          "main": "servizi.example.com",
          "sans": [
            "servizi.example1.com",
            "servizi.example2.com",
            "servizi.example3.com",
            "servizi.example4.com"
          ]
        },

then in the output of openssl x509 -text -noout -in ./dump/acme-http/certs/servizi.example.com.crt I have

        Subject: CN = servizi.example99.com

X509v3 Subject Alternative Name: 
                DNS:servizi.example2.com, DNS:servizi.example3.com, DNS:servizi.example88.com

it is just me?

(many thanks for your notes in the internet about the issue with Traefik upgrade 2.8=> 2.9/10 and the LEGO_DISABLE_CNAME_SUPPORT=true .... we struggled a week till we've hit your feeds!)

ldez commented 7 months ago

Hello,

Common Name has been deprecated since 2000.

The order of domains can be changed during the certificate generation by Traefik, lego, or the ACME server.

The domain inside the certificates may be different from the list because it depends on your traefik configuration: traefik-certs-dumper doesn't "generate" certificates from main and sans, it just extracts them from the acme.json file.

francescor commented 7 months ago

thanks when I check a certificate with Firefox I see that "Common Name" and the "Sabject Alt Names": those are, I suppose, the Subject: CN and X509v3 Subject Alternative Name: I get from the output of openssl x509 -text -noout -in mycert.pem

image

I would expect a 1:1 relationship between these 2 fields and the main and sans in the Traefik acme-http.json file.

Since you just extract the certificate (yes, I've got that) that is probably not true?

ldez commented 7 months ago

There is no identity between main/sans and Subject/Subject Alt Names because, in the internal of Traefik, lego, and the ACME server, there is only a list of domains without real order.

There is no identity between main/sans in the Traefik configuration and the acme.json file because the domains are re-ordered during the certificate generation process.