pyaggi
December 6, 2021, 7:49pm
Hi, I'm developing my own client, I have everything running but when I try to finalize an order, I keep getting the following error:
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Error parsing certificate request: x509: invalid subject alternative names",
"status": 400
}
I'm listing two domains in the certificate request, both are correctly validated:
brain.asds.com.ar
www.brain.asds.com.ar
I'm checking the CSR with this tool: https://certlogik.com/decoder/
and it shows the two domains listed in the SAN and brain.asds.com.ar being the Common Name.
Here is the CSR I'm sending to the finalize url:
-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----
Any ideas?
_az
December 6, 2021, 9:11pm
However you generated your CSR, it is not the right way to encode subjectAltName.
Your CSR looks like this:
335 74: [0] {
337 72: SEQUENCE {
339 9: OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
: (PKCS #9 via CRMF)
350 59: SET {
352 57: SEQUENCE {
354 55: SEQUENCE {
356 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17)
: (X.509 extension)
361 48: OCTET STRING
: 44 4E 53 3A 62 72 61 69 DNS:brai
: 6E 2E 61 73 64 73 2E 63 n.asds.c
: 6F 6D 2E 61 72 2C 20 44 om.ar, D
: 4E 53 3A 77 77 77 2E 62 NS:www.b
: 72 61 69 6E 2E 61 73 64 rain.asd
: 73 2E 63 6F 6D 2E 61 72
: }
: }
: }
: }
: }
: }
As in, you have literally encoded a string that says DNS:brain.asds.com.ar, DNS:www.brain.asds.com.ar.
But the expected format is a sequence of strings, as documented here, e.g. it should be:
307 70: [0] {
309 68: SEQUENCE {
311 9: OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
: (PKCS #9 via CRMF)
322 55: SET {
324 53: SEQUENCE {
326 51: SEQUENCE {
328 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17)
: (X.509 extension)
333 44: OCTET STRING
: 30 2A 82 11 62 72 61 69 0*..brai
: 6E 2E 61 73 64 73 2E 63 n.asds.c
: 6F 6D 2E 61 72 82 15 77 om.ar..w
: 77 77 2E 62 72 61 69 6E ww.brain
: 2E 61 73 64 73 2E 63 6F .asds.co
: 6D 2E 61 72 m.ar
: }
: }
: }
: }
: }
: }
The DNS: thing is just how OpenSSL chooses to pretty-print the extension.
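As an added example (not code from the thread or from any ACME client), the following stdlib-only Python builds the subjectAltName extension the way the second dump above shows (GeneralNames as a SEQUENCE of [2]-tagged dNSName entries, wrapped in the extension's OCTET STRING) and parses such a value back, rejecting the "DNS:a, DNS:b" text form from the first dump. The two domain names are the ones from the thread; the function names and the WRONG_TEXT_FORM constant are constructed here for illustration, and only dNSName entries are handled (iPAddress, rfc822Name and the rest are legal GeneralName choices the parser simply refuses).

```python
# Added example: DER encoding/decoding of the subjectAltName (2.5.29.17) extension.
# RFC 5280: GeneralNames ::= SEQUENCE OF GeneralName; dNSName is [2] IMPLICIT IA5String,
# so each name is tagged 0x82, not written as the text "DNS:..." that openssl prints.
from typing import List

SAN_OID_VALUE = bytes.fromhex("551d11")   # content bytes of OID 2.5.29.17

# What the CSR in the question carried as extnValue (reconstructed from the hex dump).
WRONG_TEXT_FORM = b"DNS:brain.asds.com.ar, DNS:www.brain.asds.com.ar"


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content


def encode_general_names(dns_names: List[str]) -> bytes:
    """GeneralNames SEQUENCE holding one [2] IMPLICIT dNSName per hostname."""
    if not dns_names:
        raise ValueError("subjectAltName must contain at least one name")
    inner = b"".join(der_tlv(0x82, name.encode("ascii")) for name in dns_names)
    return der_tlv(0x30, inner)


def encode_san_extension(dns_names: List[str]) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING (DER of GeneralNames) }."""
    return der_tlv(0x30, der_tlv(0x06, SAN_OID_VALUE) + der_tlv(0x04, encode_general_names(dns_names)))


def _read_tlv(buf: bytes, pos: int):
    """Minimal DER reader: returns (tag, content, position after the element)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:end], end


def parse_general_names(value: bytes) -> List[str]:
    """Decode the extnValue of a SAN extension; raise ValueError if it is not a proper GeneralNames."""
    if not value:
        raise ValueError("empty extnValue")
    if value[0] != 0x30:
        # The failure from the question: the value starts with 'D' (0x44), not SEQUENCE (0x30).
        raise ValueError("extnValue must start with SEQUENCE (0x30), got 0x%02x" % value[0])
    _, seq, end = _read_tlv(value, 0)
    if end != len(value):
        raise ValueError("trailing bytes after GeneralNames")
    names, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x82:                   # only dNSName handled in this example
            raise ValueError("unsupported GeneralName tag 0x%02x" % tag)
        names.append(content.decode("ascii"))
    return names


def parse_san_extension(ext: bytes) -> List[str]:
    """Unwrap Extension { OID, OCTET STRING } and decode the names inside."""
    tag, body, end = _read_tlv(ext, 0)
    if tag != 0x30 or end != len(ext):
        raise ValueError("extension is not a single SEQUENCE")
    oid_tag, oid, pos = _read_tlv(body, 0)
    if oid_tag != 0x06 or oid != SAN_OID_VALUE:
        raise ValueError("not a subjectAltName extension")
    val_tag, value, pos = _read_tlv(body, pos)
    if val_tag != 0x04 or pos != len(body):
        raise ValueError("extnValue must be the OCTET STRING closing the extension")
    return parse_general_names(value)


def san_is_well_formed(value: bytes) -> bool:
    """True if extnValue decodes as GeneralNames, False for the text form and other junk."""
    try:
        parse_general_names(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    names = ["brain.asds.com.ar", "www.brain.asds.com.ar"]
    print(encode_general_names(names).hex())          # matches the second dump above
    print(parse_san_extension(encode_san_extension(names)))
    print(san_is_well_formed(WRONG_TEXT_FORM))         # False
```

Running it prints the same 44 bytes (30 2A 82 11 ...) as the corrected dump, and the check on the text form fails the way Let's Encrypt's "invalid subject alternative names" does, which makes parse_general_names a cheap pre-flight test to run on a CSR's extension before sending it to the finalize URL.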
Osiris
December 6, 2021, 9:17pm
Also, shouldn't the CSR be version 3 for extensions to be supported? (Not related to the SAN issue though.)
pyaggi
December 6, 2021, 11:12pm
I missed that, thanks a lot. Now it's working. Cheers!