Policy value in issued certificates is malformed #425

Closed
diafygi opened this issue Jun 30, 2015 · 2 comments

Comments

diafygi commented Jun 30, 2015

From diafygi/acme-nosudo#5, when getting a certificate issued using the new --csr client feature, I received a signed certificate with some odd text in the certificate policy. Unsure if that's intended or not.

X509v3 Certificate Policies: 
    0...0...g.....07..+..........0(0&..+.........http://cps.letsencrypt.org0....+..........0..0....+..........This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/documents/

Full example:

$ openssl req -new -sha256 -key domain.key -subj "/" -reqexts SAN -outform DER -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:daylightpirates.org,DNS:www.daylightpirates.org")) > ~/Desktop/domain.csr

$ openssl req -text -noout -inform DER -in domain.csr 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: 
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:daylightpirates.org, DNS:www.daylightpirates.org
    Signature Algorithm: sha256WithRSAEncryption


$ ./venv/bin/letsencrypt --debug --agree-eula --email diafygi@gmail.com --text --no-simple-http-tls --authenticator manual --work-dir /tmp/work/ --config-dir /tmp/config/ --logs-dir /tmp/logs/ auth --cert-path /tmp/certs/ --chain-path /tmp/chains/ --csr ~/Desktop/domain.csr

...<followed instructions>...

$ openssl x509 -text -in /tmp/certs/0000_ -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:00:00:00:00:00:01:20:37:30:9d:56:0a:ed:ea:92
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=happy hacker fake CA
        Validity
            Not Before: Jun 30 16:55:00 2015 GMT
            Not After : Sep 28 16:55:00 2015 GMT
        Subject: CN=daylightpirates.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                68:31:B1:F9:95:2D:C4:85:A4:EA:FA:B8:F1:B3:9B:97:ED:7A:A4:27
            X509v3 Authority Key Identifier: 
                keyid:FB:78:4F:12:F9:60:15:83:2C:9F:17:7F:34:19:B3:2E:36:EA:41:89

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x1.letsencrypt.org
                CA Issuers - URI:http://cert.int-x1.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:daylightpirates.org, DNS:www.daylightpirates.org
            X509v3 Certificate Policies: 
                0...0...g.....07..+..........0(0&..+.........http://cps.letsencrypt.org0....+..........0..0....+..........This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/documents/
    Signature Algorithm: sha256WithRSAEncryption
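Added example (my own, not code from the issue or the letsencrypt client): a minimal DER walker that checks a certificatePolicies extension value against the RFC 5280 structure and returns the parsed policies, or None in the case where openssl has to fall back to the raw dump shown above. The sample value is constructed; its bytes reproduce the "0(0&..+" and "07..+" fragments visible in the report, which are the nested SEQUENCE/OID headers of a cps qualifier and a PolicyInformation, and the malformed sample (an extra OCTET STRING wrapper) is hypothetical, not the defect behind this report.

```python
# Added example (not code from the issue or the letsencrypt client): a minimal DER
# walker that checks a certificatePolicies value against the RFC 5280 structure.
SEQ, OID = 0x30, 0x06  # DER tags for SEQUENCE and OBJECT IDENTIFIER

def tlv(buf, pos):  # read one TLV at pos -> (tag, content, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2  # IndexError if truncated
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of data")
    return tag, buf[pos:pos + length], pos + length
def children(content, pos=0):  # yield (tag, content) pairs of a constructed value
    while pos < len(content):
        tag, val, pos = tlv(content, pos)
        yield tag, val
def oid_str(content):  # decode OID content bytes (base-128 arcs) to dotted form
    arcs, n = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def parse_policies(ext):
    """Yield (policyOID, [qualifierOIDs]) per RFC 5280; raise on malformed input."""
    tag, body, end = tlv(ext, 0)
    if tag != SEQ or end != len(ext):
        raise ValueError("certificatePolicies is not a single SEQUENCE")
    for tag, info in children(body):  # each PolicyInformation
        parts = list(children(info)) if tag == SEQ else []
        if not parts or parts[0][0] != OID:
            raise ValueError("PolicyInformation lacks a leading policy OID")
        quals = []
        for qtag, q in (children(parts[1][1]) if len(parts) > 1 else []):
            qid = next(children(q), (None, b"")) if qtag == SEQ else (None, b"")
            if qid[0] != OID:
                raise ValueError("PolicyQualifierInfo lacks a qualifier OID")
            quals.append(oid_str(qid[1]))
        yield oid_str(parts[0][1]), quals
def check_policies(ext):  # parsed list, or None in the case where openssl prints a raw dump
    try:
        return list(parse_policies(ext))
    except (ValueError, IndexError):
        return None

# Constructed sample: CA/B DV policy, then the LE policy OID with an id-qt-cps URI qualifier.
GOOD = bytes.fromhex("3043 3008 0606 6781 0c01 0201 3037 060b 2b06 0104 0182 df13"
                     " 0101 0130 2830 2606 082b 0601 0505 0702 0116 1a") + b"http://cps.letsencrypt.org"
BAD = b"\x04\x45" + GOOD  # hypothetical defect: the value wrapped in an extra OCTET STRING
```

For a real certificate, feed the inner DER bytes of its certificatePolicies extension to check_policies; a None result is the case in which openssl shows the raw dump instead of the decoded policies.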

jsha commented Jul 1, 2015

Is this on latest master? Or against a remote server? Seems related to #407.


jcjones commented Jul 1, 2015

Duplicate of #407.

@jcjones jcjones closed this as completed Jul 1, 2015