NotBefore and NotAfter are not supported


#1

Hi

I’m developing a PHP client (acme2) for Let’s Encrypt on the staging server. When I test creating an order with notBefore and notAfter, the server responded with messages like below.

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 125
Boulder-Requester: 5680691
Replay-Nonce: yRgaFJqqd8rK23pCAtoLDHWGbp93y0pDS1d6N4fUN5c
Expires: Sat, 03 Mar 2018 12:11:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 03 Mar 2018 12:11:52 GMT
Connection: close

the body is: Array

(
    [type] => urn:ietf:params:acme:error:malformed
    [detail] => NotBefore and NotAfter are not supported
    [status] => 400
)

In the test, I supplied the notBefore as "2018-03-03T00:00:00Z" and the notAfter as "2018-04-01T00:00:00Z", then the server returned the messages above (I processed the raw body JSON string into a PHP array).

I really don’t know why! I wish you could tell me the reason.

Thanks.


#2

I’m assuming this is the phase where you’re sending the CSR to the ACME server, correct?

Let’s Encrypt sets the time and dates of those values, it’s not possible for the client to set them in the final certificate. I was under the assumption the ACME server just ignored those values from the CSR, but perhaps the ACME v2 server doesn’t allow them.

Further reading:


#3

Section 7.4 of draft-09 specifically says:

The server MUST return an error if it cannot fulfill the request as
specified, and MUST NOT issue a certificate with contents other than
those requested. If the server requires the request to be modified
in a certain way, it should indicate the required changes using an
appropriate error type and description.

The validity period of Let’s Encrypt certificates is not end-user configurable. If we receive a newOrder request with a notBefore and notAfter we cannot fulfill the request as specified and so we return an error.

The solution is to not submit the notbefore/notafter.

Hope that helps,
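As an added example (not code from the acme2 client or from Boulder), here is how a client can build the newOrder payload without the unsupported validity fields and turn an `application/problem+json` error like the one in the first post into a structured exception. The sample response body below is constructed to match that post; the function and class names are my own.

```python
import json
from dataclasses import dataclass
from typing import Optional

ACME_MALFORMED = "urn:ietf:params:acme:error:malformed"


@dataclass
class AcmeProblem(Exception):
    """Structured view of an RFC 7807 problem document returned by the ACME server."""
    type: str
    detail: str
    status: int


def build_new_order(domains, not_before: Optional[str] = None,
                    not_after: Optional[str] = None, allow_validity: bool = False):
    """Build the JSON body for POST newOrder.

    notBefore/notAfter are optional in the ACME spec but Let's Encrypt rejects them
    (400, urn:ietf:params:acme:error:malformed), so they are refused unless the caller
    explicitly opts in for a CA that supports them.
    """
    if (not_before or not_after) and not allow_validity:
        raise ValueError("notBefore/notAfter are not supported by Let's Encrypt; omit them")
    payload = {"identifiers": [{"type": "dns", "value": d} for d in domains]}
    if not_before:
        payload["notBefore"] = not_before
    if not_after:
        payload["notAfter"] = not_after
    return payload


def parse_problem(status: int, content_type: str, body: bytes) -> Optional[AcmeProblem]:
    """Return an AcmeProblem for an error response, or None for a 2xx/3xx response."""
    if status < 400:
        return None
    if not content_type.startswith("application/problem+json"):
        # Non-ACME error (proxy, CDN, ...): keep the raw body as the detail
        return AcmeProblem("about:blank", body.decode("utf-8", "replace"), status)
    doc = json.loads(body)
    return AcmeProblem(doc.get("type", "about:blank"), doc.get("detail", ""),
                       int(doc.get("status", status)))


# Constructed sample matching the staging server's reply in the first post
SAMPLE_BODY = (b'{"type":"urn:ietf:params:acme:error:malformed",'
               b'"detail":"NotBefore and NotAfter are not supported","status":400}')
```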


#4

Your explanation has solved my bewilderment.
Thanks for your help @cpu @Osiris

