SAN / Multi-domain request error

Hi, I'm developing my own client. I have everything running, but when I try to finalize an order, I keep getting the following error:
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Error parsing certificate request: x509: invalid subject alternative names",
"status": 400
}
I'm listing two domains in the certificate request, both are correctly validated:
brain.asds.com.ar
www.brain.asds.com.ar
I'm checking the CSR with this tool: https://certlogik.com/decoder/
and it shows the two domains listed in the SAN and brain.asds.com.ar being the Common Name.
Here is the CSR I'm sending to the finalize url:

Any ideas?

2 Likes

However you generated your CSR, it is not the right way to encode subjectAltName.

Your CSR looks like this:

335  74:     [0] {
337  72:       SEQUENCE {
339   9:         OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
      :           (PKCS #9 via CRMF)
350  59:         SET {
352  57:           SEQUENCE {
354  55:             SEQUENCE {
356   3:               OBJECT IDENTIFIER subjectAltName (2 5 29 17)
      :                 (X.509 extension)
361  48:               OCTET STRING
      :                 44 4E 53 3A 62 72 61 69    DNS:brai
      :                 6E 2E 61 73 64 73 2E 63    n.asds.c
      :                 6F 6D 2E 61 72 2C 20 44    om.ar, D
      :                 4E 53 3A 77 77 77 2E 62    NS:www.b
      :                 72 61 69 6E 2E 61 73 64    rain.asd
      :                 73 2E 63 6F 6D 2E 61 72
      :               }
      :             }
      :           }
      :         }
      :       }
      :     }

As in, you have literally encoded a string that says DNS:brain.asds.com.ar, DNS:www.brain.asds.com.ar.

But the expected format is a sequence of strings, as documented here, e.g. it should be:

307  70:     [0] {
309  68:       SEQUENCE {
311   9:         OBJECT IDENTIFIER extensionRequest (1 2 840 113549 1 9 14)
      :           (PKCS #9 via CRMF)
322  55:         SET {
324  53:           SEQUENCE {
326  51:             SEQUENCE {
328   3:               OBJECT IDENTIFIER subjectAltName (2 5 29 17)
      :                 (X.509 extension)
333  44:               OCTET STRING
      :                 30 2A 82 11 62 72 61 69    0*..brai
      :                 6E 2E 61 73 64 73 2E 63    n.asds.c
      :                 6F 6D 2E 61 72 82 15 77    om.ar..w
      :                 77 77 2E 62 72 61 69 6E    ww.brain
      :                 2E 61 73 64 73 2E 63 6F    .asds.co
      :                 6D 2E 61 72                m.ar
      :               }
      :             }
      :           }
      :         }
      :       }
      :     }

The DNS: thing is just how OpenSSL chooses to pretty-print the extension.

6 Likes
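Added example, not code from this thread or from any ACME client: a minimal DER encoder for the GeneralNames SEQUENCE the reply describes (dNSName entries carry the context tag [2], byte 0x82) and a strict decoder that rejects the literal "DNS:..., DNS:..." string from the question, so an extension value can be checked before it goes into a CSR. It assumes only dNSName entries and uses no third-party library.

```python
# Added example (not from the thread): hand-rolled DER for the subjectAltName
# extension value, i.e. GeneralNames ::= SEQUENCE OF GeneralName with
# dNSName [2] IMPLICIT IA5String, plus a strict decoder that rejects the
# "DNS:a, DNS:b" string encoding shown in the question.

def _der_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_san(dns_names: list[str]) -> bytes:
    """Return the DER that goes inside the extension's OCTET STRING."""
    inner = b""
    for name in dns_names:
        ia5 = name.encode("ascii")                        # dNSName is IA5String
        inner += b"\x82" + _der_length(len(ia5)) + ia5    # [2] context tag
    return b"\x30" + _der_length(len(inner)) + inner      # outer SEQUENCE

def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV at buf[pos:], returning (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_san(der: bytes) -> list[str]:
    """Strict check in the spirit of the CA's parser: the value must be one
    SEQUENCE of context-tagged GeneralNames. Raises ValueError otherwise."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("invalid subject alternative names: not a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag & 0xC0 != 0x80:                            # needs context tag
            raise ValueError("GeneralName without context-specific tag")
        if tag == 0x82:                                   # dNSName
            names.append(value.decode("ascii"))
        # other GeneralName choices (rfc822Name, iPAddress, ...) are skipped
    return names

# Constructed inputs: the string the asker's CSR carried, and the correct form.
WRONG = b"DNS:brain.asds.com.ar, DNS:www.brain.asds.com.ar"
RIGHT = encode_san(["brain.asds.com.ar", "www.brain.asds.com.ar"])

def san_is_valid(der: bytes) -> bool:
    try:
        decode_san(der)
        return True
    except (ValueError, IndexError):
        return False
```

RIGHT reproduces the 44-byte value from the second dump above (30 2A 82 11 ...), while WRONG starts with the bytes of "DN" (44 4E) and is rejected.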

Also, shouldn't the CSR be version 3 for extensions to be supported? (Not related to the SAN issue though.)

3 Likes

I missed that, thanks a lot. Now it's working. Cheers!

5 Likes