x/crypto/acme/autocert: error with github.com/letsencrypt/pebble #39746

Closed
trevordixon opened this issue Jun 21, 2020 · 2 comments
Labels
FrozenDueToAge NeedsFix The path to resolution is known, but the work has not been done.
Milestone

Comments


trevordixon commented Jun 21, 2020

I'm using golang.org/x/crypto/acme/autocert against https://github.com/letsencrypt/pebble. I keep getting this error message:

urn:ietf:params:acme:error:unauthorized: Order includes different number of DNSnames identifiers than CSR specifies

Googling that error message led me to letsencrypt/pebble#304, which I think says that Pebble is a little more compliant with the spec than Let's Encrypt and Boulder are, and a CSR must include the domain in the SAN:

Thanks for reporting! And @felixfontein thanks for digging out the link to the previous Pebble issue. The Pebble behavior is indeed intentional. In the early days of Let's Encrypt we chose to accept CSRs that only specify names in the CN without specifying them in the SAN. That was probably a mistake, but a minor one, and correcting it now would introduce compatibility problems with little benefit.

Our general goal with Pebble is to be a bit stricter about things, not to match all behavior of other implementations like Boulder and Buypass. So we're planning to keep the current behavior. If you'd like to maximize compatibility between the three implementations, I think putting all names in the SAN should work.

Indeed, simply including the domain in the SAN fixes the issue in my case: golang/crypto@9860d60.
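The difference between the two CSR shapes discussed above, as an added Go example that is not code from the issue, from x/crypto or from Pebble: `newCSR` builds a CSR either with the name only in the Subject CN (the behaviour that triggered the error) or with every name also listed as a dNSName SAN (what the fix does), and `csrMatchesOrder` is a hypothetical approximation of the CA-side check that compares the CSR's SANs against the order's DNS identifiers and ignores the CN. The domain names are constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// genKey returns a fresh P-256 key to sign the CSR with.
func genKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newCSR builds and re-parses a PKCS#10 CSR for domains. cnOnly=true mimics the
// pre-fix autocert behaviour (first name only in the Subject CN, no SAN
// extension); cnOnly=false additionally lists every name as a dNSName SAN.
func newCSR(key *ecdsa.PrivateKey, domains []string, cnOnly bool) (*x509.CertificateRequest, error) {
	if len(domains) == 0 {
		return nil, errors.New("no domains")
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: domains[0]},
	}
	if !cnOnly {
		tmpl.DNSNames = domains // emitted as the subjectAltName extension
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// csrMatchesOrder is a hypothetical stand-in for the CA-side check behind the
// error in the issue: the dNSName SANs in the CSR must be exactly the DNS
// identifiers of the ACME order. A name present only in the CN does not count.
func csrMatchesOrder(csr *x509.CertificateRequest, orderIdentifiers []string) error {
	if len(csr.DNSNames) != len(orderIdentifiers) {
		return errors.New("urn:ietf:params:acme:error:unauthorized: Order includes different number of DNSnames identifiers than CSR specifies")
	}
	got := normalize(csr.DNSNames)
	want := normalize(orderIdentifiers)
	for i := range got {
		if got[i] != want[i] {
			return fmt.Errorf("urn:ietf:params:acme:error:unauthorized: CSR name %q is not an identifier in the order", got[i])
		}
	}
	return nil
}

// normalize lower-cases and sorts names so the comparison is order-insensitive.
func normalize(names []string) []string {
	out := make([]string, len(names))
	for i, n := range names {
		out[i] = strings.ToLower(n)
	}
	sort.Strings(out)
	return out
}

func main() {
	key, err := genKey()
	if err != nil {
		panic(err)
	}
	order := []string{"example.test", "www.example.test"} // constructed sample order

	cnOnly, err := newCSR(key, order, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("CN-only CSR:", csrMatchesOrder(cnOnly, order))

	withSAN, err := newCSR(key, order, false)
	if err != nil {
		panic(err)
	}
	fmt.Println("CSR with SAN:", csrMatchesOrder(withSAN, order))
}
```

The CN-only CSR is rejected even for a single-name order, because its parsed `DNSNames` is empty while the order carries one identifier; a CSR that lists every ordered name in the SAN passes regardless of what the CN says.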

@gopherbot gopherbot added this to the Unreleased milestone Jun 21, 2020
FiloSottile (Contributor) commented

Thank you, we'd welcome a PR for this!

FiloSottile changed the title from "x/crypto: acme autocert seems not to work with github.com/letsencrypt/pebble" to "x/crypto/acme/autocert: error with github.com/letsencrypt/pebble" Jun 22, 2020
@FiloSottile FiloSottile added the NeedsFix The path to resolution is known, but the work has not been done. label Jun 22, 2020
gopherbot commented

Change https://golang.org/cl/294389 mentions this issue: acme/autocert: include the domain in the SAN of the CSR

@golang golang locked and limited conversation to collaborators Mar 22, 2022
LewiGoddard pushed a commit to LewiGoddard/crypto that referenced this issue Feb 16, 2023
More compliant with the spec and allows autocert to work
with Pebble (see letsencrypt/pebble#304).

Fixes golang/go#39746.

Change-Id: I0f41d5b41800d57eb53055cad248e50573c6070f
GitHub-Last-Rev: 777115c545a5266609fad6888d24d586ed4c2916
GitHub-Pull-Request: golang/crypto#143
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/294389
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Dmitri Shuralyov <dmitshur@golang.org>