acme.sh

Unable to issue certificates using the same wildcard domain in both SAN and CN

Open ldlb9527 opened this issue 6 months ago • 1 comment

The reproduction process is as follows:

  1. Use the following command to issue a certificate: acme.sh --sign-csr --csr ./domaint.csr --key-file ./private.key --dns dns_dp --home ./ --debug 2

  2. When the CN of the CSR is c.ldlb.site and the SAN is a.ldlb.site,b.ldlb.site,c.ldlb.site:
v3.0.8
[Fri Aug 23 14:28:23     2024] Running cmd: signcsr
[Fri Aug 23 14:28:23     2024] _csrsubj='c.ldlb.site'
[Fri Aug 23 14:28:23     2024] _csrsubj='c.ldlb.site'
[Fri Aug 23 14:28:23     2024] _dnsAltnames='DNS:a.ldlb.site,DNS:b.ldlb.site,DNS:c.ldlb.site'
[Fri Aug 23 14:28:24     2024] AltNames contains subject
[Fri Aug 23 14:28:24     2024] _excapedAlgnames='DNS:a.ldlb.site,DNS:b.ldlb.site,DNS:c.ldlb.site'
[Fri Aug 23 14:28:24     2024] _escapedSubject='c.ldlb.site'
[Fri Aug 23 14:28:24     2024] _dnsAltnames='DNS:a.ldlb.site,DNS:b.ldlb.site'
[Fri Aug 23 14:28:24     2024] _csrdomainlist='a.ldlb.site,b.ldlb.site'

This can issue certificates normally.


  3. When the CN of the CSR is *.c.ldlb.site and the SAN is *.a.ldlb.site,*.b.ldlb.site,*.c.ldlb.site:
v3.0.8
[Fri Aug 23 13:53:53     2024] Running cmd: signcsr
[Fri Aug 23 13:53:53     2024] _csrsubj='*.c.ldlb.site'
[Fri Aug 23 13:53:53     2024] _csrsubj='*.c.ldlb.site'
[Fri Aug 23 13:53:54     2024] _dnsAltnames='DNS:*.a.ldlb.site,DNS:*.b.ldlb.site,DNS:*.c.ldlb.site'
[Fri Aug 23 13:53:54     2024] AltNames doesn't contain subject
[Fri Aug 23 13:53:54     2024] _csrdomainlist='*.a.ldlb.site,*.b.ldlb.site,*.c.ldlb.site'

"AltNames doesn't contain subject" prevents certificate issuance.

This will result in the identifiers of the newOrder request being:

{"identifiers": [{"type":"dns","value":"*.c.ldlb.site"},{"type":"dns","value":"*.a.ldlb.site"},{"type":"dns","value":"*.b.ldlb.site"},{"type":"dns","value":"*.c.ldlb.site"}]}

CA will return an error as follows:

{"type":"urn:ietf:params:acme:error:rejectedIdentifier","status":400,"detail":"One or more identifiers are duplicated"}

  4. The reason for the above problem is that calling '_contains' in the function '_readSubjectAltNamesFromCSR' does not recognize the wildcard domain name:
_readSubjectAltNamesFromCSR() {
  _csrfile="$1"
  if [ -z "$_csrfile" ]; then
    _usage "_readSubjectAltNamesFromCSR mycsr.csr"
    return 1
  fi

  _csrsubj="$(_readSubjectFromCSR "$_csrfile")"
  _debug _csrsubj "$_csrsubj"

  _dnsAltnames="$(${ACME_OPENSSL_BIN:-openssl} req -noout -text -in "$_csrfile" | grep "^ *DNS:.*" | tr -d ' \n')"
  _debug _dnsAltnames "$_dnsAltnames"

  if _contains "$_dnsAltnames," "DNS:$_csrsubj,"; then
    _debug "AltNames contains subject"
    _excapedAlgnames="$(echo "$_dnsAltnames" | tr '*' '#')"
    _debug _excapedAlgnames "$_excapedAlgnames"
    _escapedSubject="$(echo "$_csrsubj" | tr '*' '#')"
    _debug _escapedSubject "$_escapedSubject"
    _dnsAltnames="$(echo "$_excapedAlgnames," | sed "s/DNS:$_escapedSubject,//g" | tr '#' '*' | sed "s/,\$//g")"
    _debug _dnsAltnames "$_dnsAltnames"
  else
    _debug "AltNames doesn't contain subject"
  fi

  echo "$_dnsAltnames" | sed "s/DNS://g"
}

ldlb9527, Aug 23 '24 08:08
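As an added example (not acme.sh's own code and not part of the report above), a fixed-string version of the subject-versus-SAN check in POSIX sh, run over the two SAN lists from the logs, together with the duplicate-identifier check that the CA's rejectedIdentifier error corresponds to. The function names are hypothetical; the input strings have the same 'DNS:a,DNS:b,...' shape as acme.sh's _dnsAltnames.

```shell
#!/bin/sh
# Added example, not acme.sh code. grep -F treats '*' as a literal character,
# so a wildcard subject such as '*.c.ldlb.site' is matched exactly like
# 'c.ldlb.site'. All functions take SANLIST SUBJECT as arguments.

# Exit 0 if SUBJECT appears as an exact 'DNS:SUBJECT' entry in SANLIST.
san_contains_subject() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -Fxq "DNS:$2"
}

# Print SANLIST without the subject entry and without the 'DNS:' prefixes,
# comma separated (the shape acme.sh stores in _csrdomainlist).
san_domains_without_subject() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | grep -Fxv "DNS:$2" \
    | sed 's/^DNS://' \
    | tr '\n' ',' | sed 's/,$//'
}

# Print the identifier list that would go into newOrder: the subject first,
# followed by the remaining SAN entries, so no name appears twice.
order_identifiers() {
  _rest="$(san_domains_without_subject "$1" "$2")"
  if [ -n "$_rest" ]; then
    printf '%s,%s\n' "$2" "$_rest"
  else
    printf '%s\n' "$2"
  fi
}

# Exit 0 if the comma separated list in $1 repeats an identifier, which is
# the condition behind "One or more identifiers are duplicated".
has_duplicate_identifiers() {
  _dups="$(printf '%s\n' "$1" | tr ',' '\n' | sort | uniq -d)"
  [ -n "$_dups" ]
}

# Constructed inputs matching the two CSRs in the report.
PLAIN_SANS='DNS:a.ldlb.site,DNS:b.ldlb.site,DNS:c.ldlb.site'
WILD_SANS='DNS:*.a.ldlb.site,DNS:*.b.ldlb.site,DNS:*.c.ldlb.site'

order_identifiers "$PLAIN_SANS" 'c.ldlb.site'
order_identifiers "$WILD_SANS" '*.c.ldlb.site'
```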