v3 and multi domains


#1

The openssl spec says to use (well, it does whether you specify it or not) a cnf config file to create a multiple domain csr file. You don't use the /CN subject flag. You use a config file and let the autogenerated csr request under v3 requirements do the magic for you.

You edit the config file to say you want more than one domain or ip. As such the request file now has this info in it. Note this is NOT in the subject line.

Webserver auth/verify passes but trips a 500 error on execute of the certificate request to ACME. This shouldn't be. This indicates that ACME doesn't properly support openssl v3 requests for signed csr requests.

So how are we supposed to request multiple website domains/configs if you don't follow standards?
For example:
www.somesite.com and somesite.com point to the same ip and servers, but if the cert is issued only one of these forms will work (the puddle I'm standing in now). www. is an optional prefix these days. Good hosts will use either or neither or both. I'm guessing based on this that subdomains will break too.
–A strict requirement?

*.somesite.com is the more proper way to do this (and will include subdomains) but, as noted elsewhere, this is not implemented (yet).

The alternative to the above is to use v3 openssl requirements.
See here:
http://wiki.cacert.org/FAQ/subjectAltName
But as noted this trips 500 errors.

As a side note: the no-root method works (with some tweaks) on shared hosts with no root access, noting of course the above faults.


#2

Hello @frazzledjazz,

Of course Let’s Encrypt allows SAN, indeed all the certs created have SAN. How did you create the CSR? Maybe you created it in PEM format but Let’s Encrypt needs it in DER format: -outform der

Cheers,
sahsanu
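The procedure both posts describe, as an added example that is not part of the thread and not the Let's Encrypt client's own code: a config file that carries the domains in the v3 subjectAltName extension (not in the subject), a CSR generated from it, the same CSR written out with -outform der, and a check that the SAN extension is really present before the CSR is submitted. The directory paths, the key type (an EC P-256 key) and the names somesite.com / www.somesite.com are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Build a multi-domain (SAN) CSR from an openssl config file, emit it in
# both PEM and DER, and show how to confirm the SAN extension is in the CSR.
set -eu

# make_san_csr OUTDIR SANLIST
#   OUTDIR   directory that will receive key.pem, san.cnf, req.pem, req.der
#   SANLIST  openssl subjectAltName value, e.g.
#            "DNS:somesite.com,DNS:www.somesite.com,IP:203.0.113.10"
# The first DNS entry is also used as the CN so the subject is non-empty.
make_san_csr() {
    outdir="$1"
    sans="$2"
    primary="${sans#DNS:}"
    primary="${primary%%,*}"
    cfg="$outdir/san.cnf"
    mkdir -p "$outdir"

    # The config file: the domains go into the v3_req extension section,
    # which openssl only includes when req_extensions points at it.
    {
        printf '[req]\n'
        printf 'distinguished_name = dn\n'
        printf 'req_extensions = v3_req\n'
        printf 'prompt = no\n\n'
        printf '[dn]\n'
        printf 'CN = %s\n\n' "$primary"
        printf '[v3_req]\n'
        printf 'subjectAltName = %s\n' "$sans"
    } > "$cfg"

    # Private key (EC P-256 here; RSA 2048 works the same way).
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$outdir/key.pem" 2>/dev/null

    # CSR from the config file: no -subj flag, the SANs come from san.cnf.
    openssl req -new -key "$outdir/key.pem" -config "$cfg" \
        -out "$outdir/req.pem"

    # Same CSR re-encoded as DER, which is the form the ACME client wants.
    openssl req -in "$outdir/req.pem" -outform der -out "$outdir/req.der"
}

# csr_sans CSRFILE
#   Prints the SAN line of a PEM CSR with spaces removed, e.g.
#   "DNS:somesite.com,DNS:www.somesite.com". Empty output means the
#   extension is missing, which is the first thing to check when a
#   multi-domain request misbehaves.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n 1 \
        | tr -d ' '
}

# Stand-alone demo (only when openssl is on PATH).
if command -v openssl >/dev/null 2>&1; then
    demo_dir="$(mktemp -d)"
    make_san_csr "$demo_dir" "DNS:somesite.com,DNS:www.somesite.com"
    echo "SANs in CSR: $(csr_sans "$demo_dir/req.pem")"
    echo "DER CSR written to $demo_dir/req.der"
fi
```

To add more hostnames later, append further DNS: entries to the SANLIST argument and regenerate; every name in that list must also pass the ACME challenge when the certificate is requested.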