urn:ietf:params:acme:error:unauthorized: Order includes different number of DNSnames identifiers than CSR specifies
Googling that error message led me to letsencrypt/pebble#304, which I think says that Pebble is a little more compliant with the spec than Let's Encrypt and Boulder are, and a CSR must include the domain in the SAN:
Thanks for reporting! And @felixfontein thanks for digging out the link to the previous Pebble issue. The Pebble behavior is indeed intentional. In the early days of Let's Encrypt we chose to accept CSRs that only specify names in the CN without specifying them in the SAN. That was probably a mistake, but a minor one, and correcting it now would introduce compatibility problems with little benefit.
Our general goal with Pebble is to be a bit stricter about things, not to match all behavior of other implementations like Boulder and Buypass. So we're planning to keep the current behavior. If you'd like to maximize compatibility between the three implementations, I think putting all names in the SAN should work.
Indeed, simply including domain in the SAN fixes the issue in my case: golang/crypto@9860d60.
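The difference described above, as an added Go example that is not code from this issue, from x/crypto, or from Pebble. `buildCSR` and `strictCheck` are hypothetical helpers, `example.test` is a constructed name, and `strictCheck` is an assumed simplification of a CA that compares the order's DNS identifiers only against the CSR's SAN dNSNames.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// buildCSR signs a CSR with cn in the Subject CN and sans as SAN dNSNames (nil = CN only).
func buildCSR(cn string, sans []string) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// strictCheck is an assumed model (not Pebble's code) of a CA that ignores the CN.
func strictCheck(order []string, csr *x509.CertificateRequest) error {
	if len(order) != len(csr.DNSNames) {
		return fmt.Errorf("order has %d DNS identifiers, CSR SAN has %d", len(order), len(csr.DNSNames))
	}
	inSAN := map[string]bool{}
	for _, n := range csr.DNSNames {
		inSAN[n] = true
	}
	for _, n := range order {
		if !inSAN[n] {
			return fmt.Errorf("order name %q is not in the CSR SAN", n)
		}
	}
	return nil
}

func main() {
	for _, sans := range [][]string{nil, {"example.test"}} { // constructed sample name
		csr, err := buildCSR("example.test", sans)
		if err == nil {
			err = strictCheck([]string{"example.test"}, csr)
		}
		fmt.Printf("SAN=%v -> %v\n", sans, err)
	}
}
```

The count comparison also rejects a CSR whose SAN lists more names than the order authorized, which is the case a CA most needs to catch.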
FiloSottile changed the title from "x/crypto: acme autocert seems not to work with github.com/letsencrypt/pebble" to "x/crypto/acme/autocert: error with github.com/letsencrypt/pebble" on Jun 22, 2020
More compliant with the spec and allows autocert to work
with Pebble (see letsencrypt/pebble#304).
Fixes golang/go#39746.
Change-Id: I0f41d5b41800d57eb53055cad248e50573c6070f
GitHub-Last-Rev: 777115c545a5266609fad6888d24d586ed4c2916
GitHub-Pull-Request: golang/crypto#143
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/294389
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Dmitri Shuralyov <dmitshur@golang.org>
BiiChris pushed a commit to BiiChris/crypto that referenced this issue on Sep 15, 2023
More compliant with the spec and allows autocert to work
with Pebble (see letsencrypt/pebble#304).
Fixes golang/go#39746.
Change-Id: I0f41d5b41800d57eb53055cad248e50573c6070f
GitHub-Last-Rev: 777115c
GitHub-Pull-Request: golang#143
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/294389
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Dmitri Shuralyov <dmitshur@golang.org>
I'm using golang.org/x/crypto/acme/autocert against https://github.com/letsencrypt/pebble. I keep getting this error message: