CSR contains more than 100 DNS names - But there are less than 50 aliases

Hi,

I have been using Let’s Encrypt for a while - using the Plesk extension, and all has been working fine.

However - I have one domain that is now having problems. This particular domain has A LOT of aliases. However - we are still under the 100 threshold, so although it always takes a while for Let’s Encrypt to work - it has been working fine for this domain.

However… I have been trying to remove some aliases from the SSL. But when I try to renew, I get the following message:

Invalid response from https://acme-v02.api.letsencrypt.org/acme/finalize/58926100/696983326.
Details:
Type: urn:ietf:params:acme:error:malformed
Status: 400
Detail: Error finalizing order :: CSR contains more than 100 DNS names

…Which, I find odd - as I am removing aliases, rather than adding. The current SSL for this domain includes 60 aliases (which only works because I am not including the “www” for each). But, I am trying to remove 13 of these aliases, which would bring the total of aliases down to 47. I was hoping that this would allow me to also secure the “www” versions - but I get the same error message both with and without selecting the “include www” checkbox.

What’s even stranger is that I even tried removing ALL of the sub-domains (I thought I’d start again, and see if that helped) - but it still came up with the “CSR contains more than 100 DNS names” message.

If anyone is able to help me with this issue, I’d be most appreciative.

My domain is:
hub.wombatcms.com (plus 47 aliases)

I ran this command:
Using Plesk interface to renew certificate (it's not expired - but I would like to remove some of the aliases)

It produced this output:
Invalid response from https://acme-v02.api.letsencrypt.org/acme/finalize/58926100/696983326. Details: Type: urn:ietf:params:acme:error:malformed Status: 400 Detail: Error finalizing order :: CSR contains more than 100 DNS names

My web server is (include version):
Intel(R) Xeon(R) CPU E3-1230 V2 @ 3.30GHz (8 core(s)) Plesk Onyx v17.8.11_build1708180301.19 os_CentOS 6

The operating system my web server runs on is (include version):
CentOS 6.10

My hosting provider, if applicable, is:
UK FAST

I can login to a root shell on my machine (yes or no, or I don’t know):
Should be possible - If given clear instructions. Not really confident at command line stuff - so tend to do all my server management via the Plesk interface.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes - Plesk.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Let's Encrypt (Version 2.8.1-524) - Plesk Extension.

Hi @lukeymo

If you use Plesk and Plesk throws that error, then it's a Plesk bug.

So if you don't have a "great error" in your interface usage, you should ask Plesk. That's a "closed world".

1 Like

I am still able to issue Let’s Encrypt SSL certificates on other domains on the same server - All using the Let’s Encrypt Plesk extension. It’s only this domain that is throwing this error.

I am considering removing the SSL from this domain altogether - and then re-issuing a fresh one… but I am concerned that if this doesn’t work, the domain will be left unsecured - when at least at the moment the existing SSL is still valid - at least until the next renewal date anyway!

Yes, but that's the reason I think it's a Plesk bug.

I wouldn't try that.

Your certificate is valid ( https://check-your-website.server-daten.de/?q=hub.wombatcms.com )

CN=hub.wombatcms.com
	09.07.2019
	07.10.2019
expires in 88 days
61 entries

but you have a lot of active certificates.

7 certificates in the last 7 days, 14 active.

Perhaps it may be easier if you change your setup: Different small certificates, one certificate per main domain.

And ask Plesk. Perhaps they can fix that in some days, sounds like a bug.

There is a link to the Plesk forum.

1 Like

I agree with @JuergenAuer here. @lukeymo I think you'll need to ask Plesk to investigate this on your behalf.

I was able to find the CSR Plesk sent Let's Encrypt in our error logs. I decoded it and found it had 217 DNS Names.

1 Like
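The check described in the post above (decode the CSR, then count its DNS names), as an added example that is not part of the original thread and is not Plesk or Let's Encrypt code: it parses the text printed by `openssl req -noout -text` and compares total, unique, repeated and unrequested names with the 100-name limit quoted in the error. The function names and the sample names are constructed for illustration.

```python
import re
from collections import Counter

MAX_NAMES = 100  # limit quoted in the finalize error on this page

def san_dns_names(openssl_text):
    """Every DNS: entry printed by `openssl req -noout -text`, in order."""
    return re.findall(r"DNS:([^,\s]+)", openssl_text)

def audit(names, intended, limit=MAX_NAMES):
    """Compare the names a CSR carries with the names meant to be in it."""
    # DNS names are case-insensitive; a trailing dot denotes the same name.
    norm = [n.lower().rstrip(".") for n in names]
    counts = Counter(norm)
    unique = set(norm)
    wanted = {n.lower().rstrip(".") for n in intended}
    return {
        "total": len(norm),
        "unique": len(unique),
        "repeated": {n: c for n, c in counts.items() if c > 1},
        "unexpected": sorted(unique - wanted),
        "missing": sorted(wanted - unique),
        "total_over_limit": len(norm) > limit,
        "unique_over_limit": len(unique) > limit,
    }

def build_sample():
    """Constructed input: 30 placeholder sites; the CSR text lists each one
    twice without and twice with a www prefix that was never requested."""
    intended = [f"site{i:02d}.example" for i in range(30)]
    once = intended + ["www." + n for n in intended]
    sans = ", ".join("DNS:" + n for n in once + once)
    text = (
        "Certificate Request:\n"
        "    Data:\n"
        "        Subject: CN = site00.example\n"
        "        Requested Extensions:\n"
        "            X509v3 Subject Alternative Name: \n"
        "                " + sans + "\n"
    )
    return text, intended

if __name__ == "__main__":
    text, intended = build_sample()
    r = audit(san_dns_names(text), intended)
    print(f"{r['total']} names in CSR, {r['unique']} unique, limit {MAX_NAMES}")
    print(f"{len(r['repeated'])} repeated, {len(r['unexpected'])} not requested")
```
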

Hi, Thanks for your help with this. This is interesting… because although there are 217 domains… that seems to be because each and every domain is listed 4 times… twice without the “www” and twice with the “www”.

The “www” versions of each alias shouldn’t be on this list at all… because I did not tick the “include www” tickbox.

The aliases that I have been trying to remove are also listed here (when they shouldn’t be) - but those domains are only listed twice (once with and once without the ‘www’).

The main domain is listed three times… once without the “www” and twice with the “www”.

So it’s all a bit odd.

My hosting company (UK Fast) is also looking into the issue.

If this is a Plesk issue - the issue is likely to reside in the Let’s Encrypt Plesk extension… but who do I go to for help with that? Plesk or Let’s Encrypt?

I’m still considering removing the affected SSL from the domain completely - and then reapplying a new LetsEncrypt SSL… although this does feel like a risky move.

What are your thoughts? And again… I really appreciate that you have taken the time to look into this. It’s much appreciated.

1 Like

It would be Plesk who would have to help you with this. We don't participate directly in any client/plugin development.

I'm sorry, I'm not familiar enough with Plesk to guess at the root cause here or whether this would help. Perhaps someone in the forum with more Plesk experience would know.

JFYI: we (Plesk) are investigating this issue.

3 Likes
