author | Andrew Cady <d@jerkface.net> | 2016-01-22 23:39:59 -0500 |
---|---|---|
committer | Andrew Cady <d@jerkface.net> | 2016-01-22 23:39:59 -0500 |
commit | 60cc8e93ae7a647c5f5da5ee8628c6aca5b58d02 (patch) | |
tree | ab8f040cd93e3089ecd0f56b943a720da0f93393 | |
parent | 7c7a91bfb50528a199b0b29d7dbab6b78028889a (diff) |
Use subjectAltName X509v3 extension
-rw-r--r-- | acme.hs | 21 | ||||
-rw-r--r-- | stack.yaml | 2 |
2 files changed, 22 insertions, 1 deletions
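--- a/acme.hs
+++ b/acme.hs
@@ -117,8 +117,29 @@ genReq domainKeyFile domain = withOpenSSL $ do
 setSubjectName req [("CN", domain)]
 setVersion req 0
 setPublicKey req pub
+when False $
+-- This certificate seems well-formed ('openssl req' can parse it) but Let's Encrypt rejects it.
+void $ addExtensions req
+[ nidSubjectAltName %%% "DNS:" ++ domain
+, nidKeyUsage %%% "critical,digitalSignature,keyEncipherment"
+]
+
+-- This, on the other hand, is accepted:
+void $ addExtensions req [nidSubjectAltName %%% "DNS:" ++ domain]
+
+-- Trying to name other domains, though, results in this:
+--
+-- void $ addExtensions req [nidSubjectAltName %%% "DNS:" ++ domain ++ ", DNS:www." ++ domain]
+--
+-- urn:acme:error:unauthorized ---- Error creating new cert :: Authorizations
+-- for these names not found or expired: www.fifty.childrenofmay.org
 signX509Req req priv (Just dig)
 writeX509ReqDER req
+where
+nidKeyUsage = 83
+nidSubjectAltName = 85
+(%%%) = (,)
+infixr 0 %%%
 
 readKeyFile :: FilePath -> IO (Maybe Keys)
 readKeyFile = readFile >=> readKeys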
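Review bot: On the accepted path (`void $ addExtensions req [nidSubjectAltName %%% "DNS:" ++ domain]`) the subjectAltName value is built by splicing `domain` straight into an OpenSSL v3 extension config string, whose syntax treats `,` as the separator between entries and `:` as the type/value separator, so a `domain` containing a comma would put additional, unrequested names into the CSR's SAN with no validation anywhere in this hunk. Where `domain` comes from is not visible here (genReq's head and its callers are outside the hunk, though the function's `where` clause ends inside it), and the ACME server's authorization check quoted in the comment would presumably refuse names the account never validated, so the practical impact is likely a confusing CSR rather than a mis-issued certificate, but the CSR builder should still refuse anything that is not a plain ASCII hostname (IDNs should arrive already punycode-encoded). I would guard it just before the `addExtensions` call, using `unless` from the same module `when`/`void` come from: `unless (not (null domain) && all (flip elem (['a'..'z'] ++ ['A'..'Z'] ++ ['0'..'9'] ++ "-.")) domain) $ fail ("genReq: domain is not a plain hostname: " ++ show domain)`. Separately, the `when False $ ...` block is dead code that still type-checks and should become a comment or be dropped, and the magic numbers in the `where` clause deserve a note on their origin, e.g. `nidKeyUsage = 83 -- NID_key_usage in OpenSSL's obj_mac.h` and `nidSubjectAltName = 85 -- NID_subject_alt_name in OpenSSL's obj_mac.h`, so a later reader can check them rather than trust them.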
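--- a/stack.yaml
+++ b/stack.yaml
@@ -8,7 +8,7 @@ packages:
 - '.'
 - location:
 git: git@github.com:afcady/HSOpenSSL.git
-commit: d120a92678da80cf8a992cc2b80c147730a05f83
+commit: 11f5c83fbe44d6c1c496be4cc3017fd925ba26e2
 extra-dep: true
 
 # Packages to be pulled from upstream that are not in the resolver (e.g., acme-missiles-0.3)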