plinss / acmebot

Certificate manager bot using ACME protocol
GNU General Public License v3.0
116 stars, 20 forks

Disabling wildcard name overlap detection #32

Closed HansVanEijsden closed 6 years ago

HansVanEijsden commented 6 years ago

Currently I'm in the phase of migrating several subdomains to one wildcard domain. But all those subdomains had separate certificates with different private keys so they also had different HPKP keys, with a TTL of 6 months. The main domain has the wildcard certificate and I entered that hash into the HPKP key entries of all the subdomains too, so in a little less than 6 months I can make the switch for those subdomains. But... with the latest acmebot update I receive an error while running acmebot -D (everything is already up & running):

Unable to create authorization order
   urn:ietf:params:acme:error:malformed :: The request message was malformed :: Error creating new order :: Domain name "subdomain.example.com" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.

Is there a way (a switch or something) to tell acmebot to ignore those wildcard name overlaps? Because now each command and cron job gives me those errors, and I really need that overlapping. Thanks.

plinss commented 6 years ago

Hi Hans, the restriction (and the error) you're seeing is from Let's Encrypt, not acmebot. The most recent version (2.0.1) should be giving you a similar error before even attempting to issue the certificate.

It's not legal to have an overlapping wildcard and subdomain in the same certificate, e.g. *.example.com and subdomain.example.com, so there's nothing I can do about that.

What you can do with acmebot is simply delete the subdomains from the certificate with the wildcard. acmebot will re-use the same private key until you perform a key rollover, even if you change the alt_names or other features of the certificate, so you shouldn't run into issues with HPKP. Also, please note that you can issue multiple certificates using the same key by using a "private_keys" configuration containing the individual certificates (for instance, all the certificates on my domains share the same keys so I can use HPKP and pin subdomains).

For example:

"private_keys": {
  "certificates": {
    "example.com": {
      "alt_names": {"example.com": ["@", "*"]}
    },
    "subdomain.example.com": {
      "alt_names": {"example.com": ["subdomain"]}
    }
  }
}

Will result in two different certificates both using the same keys, so they'd have the same HPKP pins. No overlapping required within the certificate. If I'm missing something, please re-open.

HansVanEijsden commented 6 years ago

Hi @plinss, thanks for the comprehensive response. By making it possible to share the same private_keys, I think you've done a great job again (I already knew that's possible though).

I'm afraid I didn't explain myself very well, because my issue is just the other way around and the certificates are already issued without problems with version 2.0. I'll try to describe my situation in a hopefully better way.

The situation before March 2018, with acme-tiny:
sub1.example.com with private key 1 (HPKP 1 live + HPKP 1b backup, TTL 6 months)
sub2.example.com with private key 2 (HPKP 2 live + HPKP 2b backup, TTL 6 months)
sub3.example.com with private key 3 (HPKP 3 live + HPKP 3b backup, TTL 6 months)
sub4.example.com with private key 4 (HPKP 4 live + HPKP 4b backup, TTL 6 months)
example.com & www.example.com with private key 5 (HPKP 5 live + HPKP 5b backup, TTL 6 months)

The situation now with acmebot 2:
sub1.example.com with private key 1b (HPKP 1b live + HPKP 5 backup, TTL 2 months)
sub2.example.com with private key 2b (HPKP 2b live + HPKP 5 backup, TTL 2 months)
sub3.example.com with private key 3b (HPKP 3b live + HPKP 5 backup, TTL 2 months)
sub4.example.com with private key 4b (HPKP 4b live + HPKP 5 backup, TTL 2 months)
example.com & *.example.com with private key 5 (HPKP 5 live + HPKP 5b backup, TTL 2 months)

What I want in ~6 months (after the first HPKP TTL has expired): removing the separate subX.example.com keys and certificates, and linking them in nginx to the *.example.com certificate with private key 5 (HPKP 5 live + HPKP 5b backup, TTL 2 months), making sure HPKP 5 is in all the browsers' caches by then.

With acmebot 2.0 I didn't receive an error when running acmebot -D, but with acmebot 2.0.1 I receive that error (the certificates are already functional, it's just the auth. check that gives me the error). The subdomains are not in the wildcard certificate, they are separated into their own certificates. Here is my config (relevant part):

"example.com": {
    "alt_names": {
        "example.com": ["@", "*"]
    },
    "pin_subdomains": false,
    "services": ["nginx"],
    "tlsa_records": {
        "example.com": ["@", "www"]
    }
},
"sub1.example.com": {
    "alt_names": {
        "example.com": "sub1"
    },
    "services": ["nginx"],
    "tlsa_records": {
        "example.com": "sub1"
    }
},
"sub2.example.com": {
    "alt_names": {
        "example.com": "sub2"
    },
    "services": ["nginx"],
    "tlsa_records": {
        "example.com": "sub2"
    }
},
"sub3.example.com": {
    "alt_names": {
        "example.com": "sub3"
    },
    "services": ["nginx"],
    "tlsa_records": {
        "example.com": "sub3"
    }
},
"sub4.example.com": {
    "alt_names": {
        "example.com": "sub4"
    },
    "services": ["nginx"],
    "tlsa_records": {
        "example.com": "sub4"
    }
}

Or am I trying to do some impossible and wrong stuff? 😉

HansVanEijsden commented 6 years ago

Okay @plinss, I just discovered... some changes by Let's Encrypt, exactly on par with the release of acmebot 2.0.1. See here: https://community.letsencrypt.org/t/overlapping-wildcard-order-identifiers/57151 Do we need to change something in acmebot or in my config to make it work again without errors? Separate requests? Is there a possibility?

plinss commented 6 years ago

I just realized the problem is with the pre-authorization order, not the certificate order. (The ACME v2 API changed the authorization workflow and Let's Encrypt isn't supporting real pre-authorization, so I create a fake certificate order to do the pre-authorizations.) So yes, there's a problem I need to address. Unfortunately I probably won't be able to get to it until Monday.

I believe certificate orders should process normally and this error should be mostly cosmetic except for master/follower use.

(I think there’s a separate issue with your hpkp setup, you should use the primary key from your wildcard cert as the backup key for the others. Otherwise your changeover will have pin failures unless you also rollover the key of the wildcard cert at the same time. I.e. the backup pins for the subdomains need to be the key you will be using after you switch.)
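The HPKP caveat in the comment above (the backup pin on each subdomain must be the key the host will actually serve after the switch) can be checked mechanically. The following is an added example written for this page, not acmebot's code: it computes RFC 7469 pin-sha256 values from DER-encoded SubjectPublicKeyInfo bytes, parses a Public-Key-Pins header, and reports which hosts would break if moved to a given key. The KEY_* byte strings, host names and header values are constructed stand-ins so the script runs offline; with real certificates you would pass the actual SPKI DER bytes and the headers your servers send.

```python
# Added example (Python 3, standard library only); not acmebot's code.
# Computes RFC 7469 pins from DER SubjectPublicKeyInfo bytes and checks
# whether a host can be moved to a new key without violating the pins its
# clients have already cached.  The KEY_* values below are constructed
# stand-ins for real SPKI DER blobs, used only so the example runs offline.
import base64
import hashlib
import re


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pkp_header(live_spki: bytes, backup_spki: bytes, max_age: int) -> str:
    """Build a Public-Key-Pins header for the key in use plus one backup key."""
    return ('pin-sha256="%s"; pin-sha256="%s"; max-age=%d'
            % (spki_pin(live_spki), spki_pin(backup_spki), max_age))


def parse_pkp(header: str):
    """Return (set of pins, max-age in seconds) from a Public-Key-Pins header."""
    pins = set(re.findall(r'pin-sha256="([^"]+)"', header))
    match = re.search(r"max-age=(\d+)", header)
    return pins, (int(match.group(1)) if match else None)


def safe_to_switch(served_header: str, new_spki: bytes) -> bool:
    """A client that cached `served_header` accepts the new key only if that
    key's pin is already in the cached set, i.e. it was served as the backup."""
    pins, _ = parse_pkp(served_header)
    return spki_pin(new_spki) in pins


def hosts_at_risk(served: dict, new_spki: bytes) -> list:
    """Hosts whose currently served pins do not include the planned key."""
    return [host for host, header in served.items()
            if not safe_to_switch(header, new_spki)]


# Constructed stand-ins for DER SPKI blobs (NOT real keys).
KEY_1B = b"constructed-spki-sub1-backup"
KEY_2B = b"constructed-spki-sub2-backup"
KEY_5 = b"constructed-spki-wildcard-live"
KEY_5B = b"constructed-spki-wildcard-backup"

SIXTY_DAYS = 60 * 24 * 3600

# What the subdomains serve today: their own key live, the wildcard
# certificate's live key as the backup pin.
SERVED = {
    "sub1.example.com": pkp_header(KEY_1B, KEY_5, SIXTY_DAYS),
    "sub2.example.com": pkp_header(KEY_2B, KEY_5, SIXTY_DAYS),
}

if __name__ == "__main__":
    # Planned cutover: point the subdomains at the wildcard certificate (key 5).
    print("at risk if switching to key 5: ", hosts_at_risk(SERVED, KEY_5))
    # Failure mode from the comment above: rolling the wildcard key over to
    # 5b at the same time, so the subdomains' backup pin no longer matches.
    print("at risk if switching to key 5b:", hosts_at_risk(SERVED, KEY_5B))
```

The check only says whether the planned key is pinned; the cutover also has to wait until every client that cached the old header (without the new backup pin) has aged it out, which is the max-age the old header carried, not the current one.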

plinss commented 6 years ago

The authorization overlap issue should be fixed in a192faa83945f2782924d453d6a675a529bb0c10

It now splits authorization orders so that wildcard overlaps no longer happen.
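The fix described above splits the pre-authorization order so that a wildcard and a name it covers never land in the same request. As an added example (written for this page, not taken from acmebot or the commit referenced above), the script below implements a preflight check that reproduces the "redundant with a wildcard domain" rule from the error message in this thread and then partitions an identifier list into orders that do not trigger it. The sample identifier list is constructed to mirror the reporter's setup, and the splitting strategy (wildcards plus uncovered names in one order, covered names in a second) is this example's own choice.

```python
# Added example (Python 3, standard library only); not acmebot's code.
# Models the Let's Encrypt rule quoted in this thread: one order may not
# contain both a wildcard and a concrete name that wildcard already covers.
# Only that rule is modelled; other CA policy checks are out of scope.


def covered_by_wildcard(name: str, wildcard: str) -> bool:
    """True if `wildcard` (e.g. '*.example.com') covers `name`.

    A wildcard matches exactly one label, so 'sub.example.com' is covered
    but 'a.b.example.com' and the bare 'example.com' are not.
    """
    if not wildcard.startswith("*.") or name.startswith("*."):
        return False
    suffix = wildcard[1:]              # '.example.com'
    if not name.endswith(suffix):
        return False
    label = name[: -len(suffix)]
    return label != "" and "." not in label


def redundant_names(identifiers):
    """Preflight check mirroring the 'redundant with a wildcard' ACME error.

    Returns (name, wildcard) pairs that would be rejected in a single order.
    """
    wildcards = [n for n in identifiers if n.startswith("*.")]
    return [(n, w) for n in identifiers for w in wildcards
            if covered_by_wildcard(n, w)]


def plan_orders(identifiers):
    """Partition identifiers into orders containing no redundant pair.

    Wildcards and the names they do not cover go into the first order;
    names a wildcard covers go into a second order.  Plain names never
    conflict with each other, so two orders always suffice.  Input order
    is preserved and duplicates are dropped.
    """
    unique = []
    for name in identifiers:
        if name not in unique:
            unique.append(name)
    wildcards = [n for n in unique if n.startswith("*.")]
    first, second = [], []
    for name in unique:
        if any(covered_by_wildcard(name, w) for w in wildcards):
            second.append(name)
        else:
            first.append(name)
    return [order for order in (first, second) if order]


# Constructed sample: the union of names across the reporter's certificates,
# which is what one combined pre-authorization order would have contained.
SAMPLE_IDENTIFIERS = [
    "example.com", "*.example.com",
    "sub1.example.com", "sub2.example.com",
    "sub3.example.com", "sub4.example.com",
    "www.example.net",
]

if __name__ == "__main__":
    for name, wildcard in redundant_names(SAMPLE_IDENTIFIERS):
        print(f"{name} is redundant with {wildcard} in the same order")
    for i, order in enumerate(plan_orders(SAMPLE_IDENTIFIERS), 1):
        print(f"order {i}: {order}")
```

Running `redundant_names` over the combined list before submitting an order gives the same diagnosis as the CA error, but locally and without burning a request; `plan_orders` is the shape of the split needed to authorize every name in one pass.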

HansVanEijsden commented 6 years ago

Thanks for your quick action, sorry for my late reply, and thanks for your suggestion about my backup keys. The errors are gone and acmebot works great. Enjoy your weekend!