Api Acme /finalize

To be fair ... I don't think that command is actually the bare minimum required? The link I posted makes it clear that Let's Encrypt requires a SAN in their CSRs.

In one of my previous posts I gave the exact syntax for the openssl command that getssl uses, which does put a SAN in the CSR.

However, the point stands that writing your own Let's Encrypt client does presume that you understand a fair amount about the details of certificates, and ... well, it seems like you do not. If you are struggling at this level, I do echo Osiris's suggestion that you use an already-existing client.


Maybe the staging environment doesn't, I dunno, my CSR didn't contain one. 🤷 This is what Certbot sent to the staging server:

2024-04-14 16:53:36,427:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/finalize/1590602/15919192514:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9yZWcvMTU5MDYwMiIsICJub25jZSI6ICJIQ0xKekFzT1FuRE9GUEtRaTlySjdKQXFwclpvcXE2NHZfOXkzdlZ1cU52MTlSQkc1U3ciLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvZmluYWxpemUvMTU5MDYwMi8xNTkxOTE5MjUxNCJ9",
  "signature": "ggesjJQc_UhIsZPDdSEZC6stmSoNYlNavf5q-x7j1kwOSa9ks3-OyhunOSMM1m9FkY_i6JEL1sWPy19aW1NbVvoomcs2jO5o516R1Q4XBcXkFmGzi5_zUcn7XVKv2L51jcySwFuOlNk0oIewhaMGbjjMa9WWB2N63g7Rk8Q0aCKAiw_nQdLx-xAt6ISXy9wTYSFM7ZT8wcSolw8YP9N-Nkli0zhA_cCK88O7jpJC-NIJIiApP3iJuhm32b14IXtPuWc0rbUQ5CSHnZzNJWREYIW8JCKsqeuAe7ivx2s9vnZbQBE9X9JicejMFgQbAHUYDWDSOMZ_8A5Nq7Q1Ve11TE08uhUj3-qDmsaAodT_sr61Gx3ss3Duc2taeDp5u2i--xOiXGG1SKBSd40b4vUlrByStKqWuERf5fEWX5bX3Ii9kkj28ChE0c-cYK72W1haFCr7FcBQk3t6Xw26Tlq735m8bqq5R98tNfygAqaOGifv-_saUJbdHU6Z6OhJ_R5Efzdv6_SoIg1l7X0Yyu71NDjpEpF3UGyNJbCNYeeNmTDrNmdNID6gDXX4NA4q8cHv6tEeGpVwcGOsvzu0L5NnfZcHaXeG4Sj6rdmqufP-70qQlAC_r6xwZpYY1Wt55RG9CuCA-x4hRWqHLdQLeR1ede1-ZeA6_kwS8RPJqKi_zps",
  "payload": "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"
}
2024-04-14 16:53:38,398:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/finalize/1590602/15919192514 HTTP/1.1" 200 362

And it was just fine, looking at the HTTP 200 response and the cert it got 😉


Fair enough! I did notice one difference between your CSR and the one the original poster posted. The original one said:

        Attributes:
            Requested Extensions:

And yours says:

        Attributes:
            (none)
            Requested Extensions:

But I honestly lack the energy to dig into this further.

Well, even if the production environment requires a SAN, it's not that hard to add. Just add -addext "subjectAltName = DNS:example.com" to the command line 🤷

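The -addext approach from the last reply, as an added example that is not part of the original thread: it builds a CSR carrying a SAN, checks that the SAN really is in the request, and wraps the DER encoding in the base64url "csr" field that RFC 8555 section 7.4 defines for the finalize payload. The function names, file names and example.com are assumptions; -addext needs OpenSSL 1.1.1 or later.

```shell
#!/usr/bin/env bash
# Added example: CSR with a SAN, a local check, and the ACME finalize payload.
# Function names and file names are hypothetical; example.com is a placeholder.

# Create a throwaway RSA key and a CSR for domain $1 in directory $2.
# The SAN is added with -addext, as suggested in the thread.
make_csr() {
  domain=$1; dir=$2
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/key.pem" -out "$dir/csr.pem" \
    -subj "/CN=$domain" \
    -addext "subjectAltName = DNS:$domain" 2>/dev/null
}

# Succeed only if CSR file $1 has a valid self-signature and lists exactly
# DNS:$2 among its subjectAltName entries (whole-entry match, not substring).
csr_has_san() {
  # Match on the message text: older OpenSSL exits 0 even on a bad signature.
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
  openssl req -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -Fxq "DNS:$2"
}

# Print the JSON that goes into the JWS "payload" of the finalize POST:
# {"csr": base64url(DER-encoded CSR)} with the '=' padding stripped.
finalize_payload() {
  b64=$(openssl req -in "$1" -outform DER \
        | openssl base64 -A | tr '+/' '-_' | tr -d '=')
  printf '{"csr":"%s"}' "$b64"
}
```

Running csr_has_san before submitting catches a missing SAN locally, whatever a given ACME environment happens to accept.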