It seems that when responding to dvsni challenges for multiple domains, the python client creates an independent self-signed challenge certificate for each DVSNI challenge.
These are certificates with SAN <32chars>.<32chars>.acme.invalid.
Each of these certificates needs to be loaded into the TLS speaking application (apache or whatever), and the application needs to be configured to use the appropriate certificate in response to client hellos which reference the .acme.invalid name.
Do I have this right so far?
My problem with the scheme is in
acme/acme/crypto_util.py, which contains the following:
Each certificate came from the same issuer (
dummy), and sports the same serial number (
1337). These are effectively the same certificate. I’m unable to load them concurrently into my application (a 3rd party hardware device).
This seems to fix it but, being random, invites collisions.
--- crypto_util.py 2016-04-14 19:50:56.786495094 +0000 +++ /tmp/crypto_util.py 2016-04-14 19:50:48.567495584 +0000 @@ -203,7 +203,8 @@ """ assert domains, "Must provide one or more hostnames for the cert." cert = OpenSSL.crypto.X509() - cert.set_serial_number(1337) + import random + cert.set_serial_number(random.randint(10,1000)) cert.set_version(2) extensions = [
Or… Maybe all of the challenges are supposed to be solved by a single certificate with an alt name for each challenge? If so, I’ve gone horribly off the rails somewhere!