I have an update for anybody getting the error "urn:acme:error:unauthorized".
At least I could share my problem and solution.
I used to create certificate requests by the following procedure:
- create an openssl configfile
- create a priv. key + certificate request
- call the LE client “https://github.com/diafygi/acme-tiny”
That procedure worked for Debian Wheezy and Debian Jessie but fails on Debian Stretch.
It turns out older openssl versions (Wheezy+Jessie) created requests with a version byte set to 0x00, while
openssl from Stretch writes a version byte 0x01.
My fault was to not include a subjectAltNames section in the request.
That produced the error “urn:acme:error:unauthorized”.
Now I use a modified openssl.cnf:
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
commonName = CommonName
commonName_default = stretch.example.org
[ v3_req ]
subjectAltName = @subjectAltNames
[ subjectAltNames ]
DNS.1 = stretch.example.org
Now I use this command to create priv. key + certificate request:
$ openssl req -nodes -new -sha256 -newkey rsa:4096 -keyout /path/to/key.pem -config /path/to/openssl.cnf -out /path/to/request.pem -extensions v3_req
The important point: the request has to contain a v3 extension if openssl-1.1.x is used.
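
A pre-submission check for the procedure in this post, as an added example that is not part of the original post: it builds one CSR with the post's `v3_req` section and one without it, then tests whether `stretch.example.org` appears in each request's subjectAltName. The function names, the temp-directory layout, `-batch` and the 2048-bit demo key are assumptions made here.

```shell
#!/bin/sh
# Added example: confirm a CSR carries the subjectAltName before handing it
# to an ACME client. Paths and the 2048-bit key are demo assumptions.

# Print the DNS names from the CSR's subjectAltName extension, one per line.
csr_san_names() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if host $2 is listed in the subjectAltName of CSR $1.
csr_covers() {
    csr_san_names "$1" | grep -qxF "$2"
}

# Write the post's openssl.cnf into directory $1, then create one CSR with
# the v3_req section enabled (san.csr) and one without it (nosan.csr).
make_demo_csrs() {
    cat > "$1/san.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
commonName = CommonName
commonName_default = stretch.example.org
[ v3_req ]
subjectAltName = @subjectAltNames
[ subjectAltNames ]
DNS.1 = stretch.example.org
EOF
    grep -v '^req_extensions' "$1/san.cnf" > "$1/nosan.cnf"
    for name in san nosan; do
        # -batch takes commonName_default instead of prompting.
        openssl req -nodes -new -sha256 -newkey rsa:2048 -batch \
            -keyout "$1/$name.key" -config "$1/$name.cnf" \
            -out "$1/$name.csr" 2>/dev/null || return 1
    done
}

# Demo: only the CSR built with the SAN section passes the check.
dir=$(mktemp -d) && make_demo_csrs "$dir" &&
    for f in san nosan; do
        if csr_covers "$dir/$f.csr" stretch.example.org
        then echo "$f.csr: SAN ok"; else echo "$f.csr: SAN missing"; fi
    done
rm -rf "$dir"
```

Running `csr_covers /path/to/request.pem stretch.example.org` before calling the ACME client catches a request that names the host only in commonName.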