Authorizations not found or expired (bash client)

I wrote a bash client for LetsEncrypt and it was working perfectly until May 22.
So I’m wondering if anything changed in the last few days.

The problem is that the “new-cert” procedure returns status 403 for any CSR I generate:

{
  "type": "urn:acme:error:unauthorized",
  "detail": "Error creating new cert :: Authorizations for these names not found or expired: domain.ltd",
  "status": 403
}

Here is how I generate a CSR for one domain without the SAN extension:

openssl req -sha256 -new -batch -subj "\
/C=US/ST=California/localityName=San Francisco\
/O=Vesta/organizationalUnitName=IT/commonName=domain.ltd\
/emailAddress=admin@mail.ltd" \
-key domain.ltd.key -out domain.ltd.csr

Is there something wrong with that command?

Thanks

The error you’ve described says you don’t have current authorizations for the name you asked for. You need to perform an authorization for that name. Perhaps your bash client has a bug where it forgets to check if authorization is needed, or skips actually performing the authorization?

The CSR contains a very detailed subject DN that Let’s Encrypt won’t issue for, but I think that shouldn’t be a problem; Let’s Encrypt will construct a certificate from scratch, ignoring most of what you wrote in the CSR. All public CAs (are supposed to) do this because it reduces exposure to weird bugs in certificate extension handling. It might be a problem to lack the SAN for the DNS name you want, but again Let’s Encrypt might just sort that out for itself anyway.

1 Like

I’m not sure if it’s related, but the JSON format from the ACME servers changed slightly (now in a “pretty” format, with more spaces and line feeds).

2 Likes

Yes! It was the case. Thank you for the help.

1 Like
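An added example, not code from the poster's client: one way a grep-based field extractor in a shell ACME client stops matching when the server switches from compact to pretty-printed JSON, next to a whitespace-tolerant version. The function names and the brittle pattern are assumptions; the sample bodies are constructed from the error shown in the first post.

```shell
#!/bin/sh
# Constructed samples: the same ACME error body, compact and pretty-printed.
COMPACT='{"type":"urn:acme:error:unauthorized","detail":"Error creating new cert :: Authorizations for these names not found or expired: domain.ltd","status":403}'
PRETTY='{
  "type": "urn:acme:error:unauthorized",
  "detail": "Error creating new cert :: Authorizations for these names not found or expired: domain.ltd",
  "status": 403
}'

# Brittle (hypothetical): expects "key":"value" with no whitespace after the
# colon, so it returns nothing once the server pretty-prints its responses.
json_get_brittle() {
    printf '%s' "$2" | grep -o "\"$1\":\"[^\"]*\"" | cut -d'"' -f4
}

# Tolerant: drop line feeds, then allow optional whitespace around the colon.
# Limits: flat string values only (no escaped quotes, no nested objects),
# and the key must not contain regex metacharacters.
json_get_string() {
    printf '%s' "$2" | tr -d '\r\n' |
        sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Same idea for unquoted numeric fields such as "status".
json_get_number() {
    printf '%s' "$2" | tr -d '\r\n' |
        sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# Show both parsers against both encodings of the same response.
for body in "$COMPACT" "$PRETTY"; do
    printf 'brittle type=[%s] tolerant type=[%s] status=[%s]\n' \
        "$(json_get_brittle type "$body")" \
        "$(json_get_string type "$body")" \
        "$(json_get_number status "$body")"
done
```

A client should also treat an empty extraction result as a hard error rather than continuing to the next ACME step with a missing value.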
