From 60cc8e93ae7a647c5f5da5ee8628c6aca5b58d02 Mon Sep 17 00:00:00 2001
From: Andrew Cady
Date: Fri, 22 Jan 2016 23:39:59 -0500
Subject: Use subjectAltName X509v3 extension

---
 acme.hs | 21 +++++++++++++++++++++
 stack.yaml | 2 +-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/acme.hs b/acme.hs
index a7ccd3a..2731b15 100644
--- a/acme.hs
+++ b/acme.hs
@@ -117,8 +117,29 @@ genReq domainKeyFile domain = withOpenSSL $ do
 setSubjectName req [("CN", domain)]
 setVersion req 0
 setPublicKey req pub
+ when False $
+ -- This certificate seems well-formed ('openssl req' can parse it) but Let's Encrypt rejects it.
+ void $ addExtensions req
+ [ nidSubjectAltName %%% "DNS:" ++ domain
+ , nidKeyUsage %%% "critical,digitalSignature,keyEncipherment"
+ ]
+
+ -- This, on the other hand, is accepted:
+ void $ addExtensions req [nidSubjectAltName %%% "DNS:" ++ domain]
+
+ -- Trying to name other domains, though, results in this:
+ --
+ -- void $ addExtensions req [nidSubjectAltName %%% "DNS:" ++ domain ++ ", DNS:www." ++ domain]
+ --
+ -- urn:acme:error:unauthorized ---- Error creating new cert :: Authorizations
+ -- for these names not found or expired: www.fifty.childrenofmay.org
 signX509Req req priv (Just dig)
 writeX509ReqDER req
+ where
+ nidKeyUsage = 83
+ nidSubjectAltName = 85
+ (%%%) = (,)
+ infixr 0 %%%
 
 readKeyFile :: FilePath -> IO (Maybe Keys)
 readKeyFile = readFile >=> readKeys
diff --git a/stack.yaml b/stack.yaml
index a4a966d..df9bc13 100644
--- a/stack.yaml
+++ b/stack.yaml
@@ -8,7 +8,7 @@ packages:
 - '.'
 - location:
 git: git@github.com:afcady/HSOpenSSL.git
- commit: d120a92678da80cf8a992cc2b80c147730a05f83
+ commit: 11f5c83fbe44d6c1c496be4cc3017fd925ba26e2
 extra-dep: true
 # Packages to be pulled from upstream that are not in the resolver (e.g., acme-missiles-0.3)
-- 
cgit v1.2.3
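Review bot: The SAN value `"DNS:" ++ domain` in the live addExtensions call is built by plain concatenation with no check that `domain` contains only hostname characters; the `critical,digitalSignature,keyEncipherment` syntax in the disabled block suggests addExtensions feeds OpenSSL's conf-style extension parser, in which a comma or whitespace inside `domain` would presumably be read as a list separator and yield a CSR whose SAN list no longer matches the CN set a few lines earlier. A guard before the call, e.g. `when (any (`elem` ", \t") domain) $ fail "genReq: invalid domain"`, would keep subject and SAN consistent and turn a malformed request into an explicit error. The `when False $` block is dead code kept only to record an experiment; folding it into the comment that already explains the outcome (or dropping it) avoids shipping a disabled keyUsage extension, and the bare `83`/`85` in the where clause deserve a comment naming their origin, e.g. `-- OpenSSL NIDs: NID_key_usage = 83, NID_subject_alt_name = 85`. genReq begins before this hunk.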