Again: urn:acme:error:unauthorized / SOLVED

Hello,

I have an update for anybody getting the error "urn:acme:error:unauthorized".
At least I could share my problem and solution.

I used to create certificate requests by the following procedure:

  1. create an openssl configfile
  2. create a priv. key + certificate request
  3. call the LE client “https://github.com/diafygi/acme-tiny”

That procedure worked for Debian Wheezy and Debian Jessie but fails on Debian Stretch.
It turns out older openssl versions (Wheezy+Jessie) created requests with a version byte set to 0x00, while
openssl from Stretch writes a version byte 0x01.

My fault was to not include a subjectAltNames section in the request.
That produced the error “urn:acme:error:unauthorized”.

Now I use a modified openssl.cnf:
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
commonName = CommonName
commonName_default = stretch.example.org
[ v3_req ]
subjectAltName = @subjectAltNames
[ subjectAltNames ]
DNS.1 = stretch.example.org

Now I use this command to create priv. key + certificate request:
$ openssl req -nodes -new -sha256 -newkey rsa:4096 -keyout /path/to/key.pem -config /path/to/openssl.cnf -out /path/to/request.pem -extensions v3_req

The important point: the request has to contain a v3 extension if openssl-1.1.x is used.

Andreas
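
A pre-flight check for the missing-subjectAltName case described in the post above, added here as an example; it is not part of the original post or of acme-tiny. The function names `csr_san_names` and `csr_covers` are hypothetical, and the sketch assumes the `openssl` command-line tool is on the PATH.

```shell
# Added example (not from the original post): inspect a certificate request
# before handing it to the ACME client. Function names are hypothetical.

# Print the DNS names from the CSR's subjectAltName extension, one per line.
# Returns non-zero when the request carries no DNS subjectAltName entry.
csr_san_names() {
    names=$(openssl req -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n 1 | tr ',' '\n' | sed -n 's/^ *DNS://p')
    [ -n "$names" ] && printf '%s\n' "$names"
}

# Succeed only if every host name given after the CSR path is listed in the
# request's subjectAltName extension; report the first problem on stderr.
csr_covers() {
    csr=$1
    shift
    sans=$(csr_san_names "$csr") || {
        echo "no subjectAltName in $csr" >&2
        return 1
    }
    for host in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "$host" || {
            echo "$host missing from subjectAltName in $csr" >&2
            return 1
        }
    done
}

# Usage before calling the ACME client (path is a placeholder):
#   csr_covers /path/to/request.pem stretch.example.org || exit 1
```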
