failed to set_subject_alt: X509_REQ_add_extensions
We get this error when lua-resty-acme tries to request a new certificate:
autossl.lua:659: failed to create rsa certificate for domain **-**********-***-****.******.dev: failed to create csr: failed to set_subject_alt: X509_REQ_add_extensions: code: 0, context: ssl_certificate_by_lua*
Any idea how we can fix this?
Versions:
- openresty docker image: 1.21.4.1-0-jammy
- lua-resty-acme: 0.15.0
could you share your config? You can replace sensitive fields with *.
```lua
require("resty.acme.autossl").init({
  tos_accepted = true,
  staging = false,
  account_key_path = "/etc/openresty/account.key",
  account_email = "*****@***.***",
  renew_threshold = 30 * 86400,
  blocking = true,
  storage_adapter = "redis",
  storage_config = {
    host = "redis",
    port = 6379,
    database = 0
  },
  domain_whitelist_callback = function(domain, is_new_cert_needed)
    if not is_new_cert_needed then
      return true
    end
    if not is_whitelisted_in_storage(domain) then
      log(ngx.ERR, "domain is not whitelisted: ", domain)
      return false
    end
    log(ngx.ERR, "checking if valid cname: ", domain)
    return has_valid_cname(domain)
  end
})
```
Hi @fffonion, I also encountered the same error.
2024/11/27 18:31:00 [error] 7#7: 4 [acme] autossl.lua:228: error updating cert for xxx.xxx.co err: failed to create csr: failed to set_subject_alt: X509_REQ_add_extensions: code: 0, context: ssl_certificate_by_lua, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443
Hi @HenkVanMaanen,
I switched to openssl 3.0.15 and it fixed the issue.
Thanks for debugging this!
In the meantime we had to fix this because we had the problem in production, so we had to act quickly. We moved to using Caddy in combination with on-demand TLS and an ask endpoint that validates the requested domain: https://caddyserver.com/docs/caddyfile/options#on-demand-tls
This could be a bug in an older version of openssl or a change of API. @ctuIhu What version of openssl were you using prior to 3.0.15?
Hi @fffonion,
I think there is a bug in older versions of openssl. I was using 1.1.1l prior to 3.0.15.
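To confirm which OpenSSL the Lua bindings are linked against and to reproduce the failing CSR step outside of the ACME flow, here is an added stand-alone check (not code from this thread or from lua-resty-acme). It uses lua-resty-openssl, the library lua-resty-acme builds its CSRs with; the method names are taken from that library's documented API, `version.version_text` is assumed to exist, and the domain is a constructed placeholder.

```lua
-- Run inside the OpenResty container with:  resty check_csr.lua
-- Reproduces "failed to set_subject_alt" without involving the ACME server.
local pkey    = require("resty.openssl.pkey")
local csr     = require("resty.openssl.x509.csr")
local name    = require("resty.openssl.x509.name")
local altname = require("resty.openssl.x509.altname")
local version = require("resty.openssl.version")

-- What matters is the library the FFI bindings load, not the openssl CLI
-- that happens to be installed in the image. (version_text is assumed.)
print("linked OpenSSL: " .. tostring(version.version_text))

-- Build a CSR for one domain with a DNS SAN, the same shape autossl uses.
local function build_csr(domain)
  local key, err = pkey.new({ type = "RSA", bits = 2048 })
  if not key then return nil, "pkey.new: " .. tostring(err) end

  local req = csr.new()
  local subj = name.new()
  subj:add("CN", domain)
  req:set_subject_name(subj)

  local alt = altname.new()
  alt:add("DNS", domain)

  -- This is the call that raised X509_REQ_add_extensions in the thread.
  local ok, err = req:set_subject_alt(alt)
  if not ok then return nil, "set_subject_alt: " .. tostring(err) end

  req:set_pubkey(key)
  ok, err = req:sign(key)
  if not ok then return nil, "sign: " .. tostring(err) end

  return req:to_PEM()
end

-- Constructed placeholder domain; replace with one of your own.
local pem, err = build_csr("example-placeholder.dev")
if not pem then
  print("CSR creation FAILED: " .. err)
  os.exit(1)
end
print(pem)
```

If this script fails with the same message, the problem is in the OpenSSL build the bindings resolve to; after switching to OpenSSL 3.0.x it should print a PEM-encoded CSR containing the DNS SAN.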