
failed to set_subject_alt: X509_REQ_add_extensions #125

Open
HenkVanMaanen opened this issue Nov 22, 2024 · 7 comments

Comments

@HenkVanMaanen

HenkVanMaanen commented Nov 22, 2024

We get this error when lua-resty-acme tries to request a new certificate:

autossl.lua:659: failed to create rsa certificate for domain **-**********-***-****.******.dev: failed to create csr: failed to set_subject_alt: X509_REQ_add_extensions: code: 0, context: ssl_certificate_by_lua*

Any idea how we can fix this?

Versions:

  • openresty docker image: 1.21.4.1-0-jammy
  • lua-resty-acme: 0.15.0
@fffonion
Owner

Could you share your config? You can replace sensitive fields with *.

@HenkVanMaanen
Author

```lua
require("resty.acme.autossl").init({
    tos_accepted = true,
    staging = false,
    account_key_path = "/etc/openresty/account.key",
    account_email = "*****@***.***",
    renew_threshold = 30 * 86400,
    blocking = true,
    storage_adapter = "redis",
    storage_config = {
        host = "redis",
        port = 6379,
        database = 0
    },
    -- Called on every handshake; only gate issuance of new certificates.
    domain_whitelist_callback = function(domain, is_new_cert_needed)
        if not is_new_cert_needed then
            return true
        end

        -- is_whitelisted_in_storage and has_valid_cname are our own helpers
        -- (defined elsewhere in our config, not part of lua-resty-acme).
        if not is_whitelisted_in_storage(domain) then
            log(ngx.ERR, "domain is not whitelisted: ", domain)
            return false
        end

        log(ngx.ERR, "checking if valid cname: ", domain)
        return has_valid_cname(domain)
    end
})
```

@ctuIhu

ctuIhu commented Nov 27, 2024

Hi @fffonion, I also encountered the same error.

2024/11/27 18:31:00 [error] 7#7: 4 [acme] autossl.lua:228: error updating cert for xxx.xxx.co err: failed to create csr: failed to set_subject_alt: X509_REQ_add_extensions: code: 0, context: ssl_certificate_by_lua, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443

@ctuIhu

ctuIhu commented Nov 27, 2024

Hi @HenkVanMaanen,

I switched to openssl 3.0.15 and it fixed the issue.

@HenkVanMaanen
Author

Thanks for debugging this!

In the meantime we had to fix this because we had the problem in production, so we had to act quickly. We moved to using Caddy in combination with on-demand TLS and an ask endpoint that validates the requested domain: https://caddyserver.com/docs/caddyfile/options#on-demand-tls

@fffonion
Owner

This could be a bug in an older version of openssl or a change of API. @ctuIhu What version of openssl were you using prior to 3.0.15?

@ctuIhu

ctuIhu commented Dec 3, 2024

Hi @fffonion,

I think there is a bug in an older version of openssl. I was using 1.1.1l prior to 3.0.15.
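The failing step in the thread is adding a subjectAltName extension to a CSR (that is what `X509_REQ_add_extensions` does). A quick way to confirm whether the OpenSSL toolchain in a given image can do that at all is to build a throwaway CSR with a SAN and parse it back. The script below is an added diagnostic, not code from lua-resty-acme or lua-resty-openssl; it assumes an `openssl` CLI (1.1.1 or later, for `-addext`) on PATH, and the domain name is a constructed sample.

```shell
#!/bin/sh
# Constructed diagnostic: can this OpenSSL build produce a CSR that carries a
# subjectAltName extension? Exits non-zero if the SAN is missing from the
# parsed CSR, which is the symptom behind "failed to set_subject_alt".
set -eu

# Generate a throwaway RSA key and a CSR whose SAN names the given domain,
# then parse the CSR and look for the DNS entry. Returns 0 when present.
csr_san_check() {
    domain="$1"
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null
    openssl req -new -key "$dir/key.pem" -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" -out "$dir/req.csr" 2>/dev/null
    san=$(openssl req -in "$dir/req.csr" -noout -text | grep -E 'DNS:' || true)
    rm -rf "$dir"
    case "$san" in
        *"DNS:$domain"*)
            echo "SAN present: $san"
            return 0 ;;
        *)
            echo "SAN missing for $domain" >&2
            return 1 ;;
    esac
}

# Report which OpenSSL the CLI is, then run the check on a sample domain.
openssl version
csr_san_check "www.example.test"
```

One caveat when using this inside an openresty image: lua-resty-openssl binds through FFI to the libcrypto that openresty itself loads, which need not be the same build as the `openssl` binary on PATH. Compare the `openssl version` line with the "built with OpenSSL ..." line from `openresty -V` before concluding which version the Lua code is actually exercising.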
