letsencrypt / boulder

An ACME-based certificate authority, written in Go.
Mozilla Public License 2.0

ACMEv2: CSR with single CN (no SANs) rejected #3367

Closed diafygi closed 6 years ago

diafygi commented 6 years ago

Given the below CSR[1][2], ACMEv2 /finalize-order rejects for the reason "Order includes different number of names than CSR specifies"[3]. However, this same CSR is not rejected on ACMEv1[4].

[1]:

$ openssl req -new -sha256 -key domain.key -subj "/CN=letsencrypt.daylightpirates.org" > domain.csr

[2]:

$ openssl req -text -in domain.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=letsencrypt.daylightpirates.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption

[3]:

$ python acme_scratch.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/acme/challenges
Parsing account key...
Parsing CSR...
Found domains: letsencrypt.daylightpirates.org
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying letsencrypt.daylightpirates.org...
letsencrypt.daylightpirates.org verified!
Signing certificate...
Traceback (most recent call last):
  File "acme_scratch.py", line 194, in <module>
    main(sys.argv[1:])
  File "acme_scratch.py", line 190, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check)
  File "acme_scratch.py", line 151, in get_crt
    _send_signed_request(order['finalize'], {"csr": _b64(csr_der)}, "Error finalizing order")
  File "acme_scratch.py", line 56, in _send_signed_request
    return _do_request(url, data=data.encode('utf8'), err_msg=err_msg)
  File "acme_scratch.py", line 41, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error finalizing order:
Url: https://acme-staging-v02.api.letsencrypt.org/acme/order/5383112/2225/finalize-order
Response Code: 403
Response: {
  "type": "urn:ietf:params:acme:error:unauthorized",
  "detail": "Error finalizing order :: Order includes different number of names than CSR specifies",
  "status": 403
}

[4]:

$ python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/acme/challenges
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying letsencrypt.daylightpirates.org...
letsencrypt.daylightpirates.org verified!
Signing certificate...
Certificate signed!
diafygi commented 6 years ago

NOTE: when the single domain is included in the SubjectAltName, ACMEv2 works fine:

$ openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:letsencrypt.daylightpirates.org")) > domain.csr
$ python acme_scratch.py --account-key ./account.key --csr ./domain.csr --acme-dir /home/acme/challenges
Parsing account key...
Parsing CSR...
Found domains: letsencrypt.daylightpirates.org
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying letsencrypt.daylightpirates.org...
letsencrypt.daylightpirates.org verified!
Signing certificate...
Certificate signed!
cpu commented 6 years ago

Hi @diafygi,

The root issue here is that your CSR only has a legacy subject common name, and no DNS type SAN entries. If you finalize the order with a CSR that has a DNS SAN for letsencrypt.daylightpirates.org it should succeed.

I think given what you've shown with the V1 API being more tolerant of this we should probably promote the Subject CN to a SAN in the V2 API (or at least fix the error message to be more descriptive of the root cause!).

I'm going to close this issue in favour of one to do that: https://github.com/letsencrypt/boulder/issues/3368

Thanks for reporting this! I appreciate it.
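The comparison cpu describes, as an added illustration that is not Boulder's own code: a CSR built with only a Subject CN carries no DNS SAN, so a check that counts SANs alone sees zero names for a one-identifier order and fails with the "different number of names" message, while the CN promotion proposed above (the `promoteCN` switch, an assumed name) makes the same CSR pass. The CSR fixtures and the check function are constructed here for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// buildCSR makes a CSR with the given Subject CN and DNS SANs (constructed test input).
func buildCSR(cn string, sans []string) (*x509.CertificateRequest, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader) // throwaway signing key
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// checkFinalize mirrors the finalize comparison: nil only when the CSR's lower-cased name set equals
// the order's (unique) identifiers. Only DNS SANs count unless promoteCN also admits a non-empty Subject CN.
func checkFinalize(orderIDs []string, csr *x509.CertificateRequest, promoteCN bool) error {
	got := map[string]bool{}
	for _, n := range csr.DNSNames {
		got[strings.ToLower(n)] = true
	}
	if promoteCN && csr.Subject.CommonName != "" {
		got[strings.ToLower(csr.Subject.CommonName)] = true
	}
	if len(got) != len(orderIDs) {
		return fmt.Errorf("Order includes different number of names than CSR specifies (order=%d, csr=%d)", len(orderIDs), len(got))
	}
	for _, n := range orderIDs { // equal sizes, so every identifier found means equal sets
		if !got[strings.ToLower(n)] {
			return fmt.Errorf("order identifier %q is not in the CSR", n)
		}
	}
	return nil
}

func main() {
	csr, _ := buildCSR("letsencrypt.daylightpirates.org", nil) // the reported CSR: CN only, no SAN
	fmt.Println(checkFinalize([]string{"letsencrypt.daylightpirates.org"}, csr, false))
}
```

Running it prints the count-mismatch error for the CN-only CSR; passing `true` for `promoteCN`, or a CSR with the name in a SAN as in the follow-up comment, returns nil.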