Missing domain/altname when requesting several domains certificate #20

Nova issue

Fechado

2018-09-19 17:04:08 +00:00 abertas por Ghost · 16 comentários

Ghost comentou 2018-09-19 17:04:08 +00:00

Copiar link

I asked a question on Stack overflow but I thought to also ask it here :

I’m Using greenlock to geenrate certificates, I pass it three domains, and only get 2 in my altnames:

console.log({ domains })
return greenlock.register({
      domains,
      email: myemail,
      challengeType: 'dns-01',
    })
.then((result) => {
    console.log(result)
})

here are my logs:

{ domains: [ 'domain1', 'domain3', 'domain2' ] } true true true { result: { privkey: '-----BEGIN PRIVATE KEY-----\n\n-----END CERTIFICATE-----\n', chain: '-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n', subject: 'domain2', altnames: [ 'domain1', 'domain2' ], _issuedAt: 2018-09-19T14:43:31.000Z, _expiresAt: 2018-12-18T14:43:31.000Z, issuedAt: 1537368211000, expiresAt: 1545144211000 } }

As you can see it’s not even my first two domains that end up in my altnames but rather those that where already in the old certificate (not sure this is why tho).

I asked a question on Stack overflow but I thought to also ask it here : I’m Using greenlock to geenrate certificates, I pass it three domains, and only get 2 in my altnames: ``` console.log({ domains }) return greenlock.register({ domains, email: myemail, challengeType: 'dns-01', }) .then((result) => { console.log(result) }) ``` here are my logs: ``` { domains: [ 'domain1', 'domain3', 'domain2' ] } true true true { result: { privkey: '-----BEGIN PRIVATE KEY-----\n\n-----END CERTIFICATE-----\n', chain: '-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n', subject: 'domain2', altnames: [ 'domain1', 'domain2' ], _issuedAt: 2018-09-19T14:43:31.000Z, _expiresAt: 2018-12-18T14:43:31.000Z, issuedAt: 1537368211000, expiresAt: 1545144211000 } } ``` As you can see it’s not even my first two domains that end up in my altnames but rather those that where already in the old certificate (not sure this is why tho).

coolaj86 comentou 2018-09-19 19:49:50 +00:00

Proprietário

Copiar link

Watch this: https://www.youtube.com/watch?v=bTEn93gxY50&index=3&list=PLZaEVINf2Bq_lrS-OOzTUJB4q3HxarlXk&t=26s

And read this: https://git.coolaj86.com/coolaj86/greenlock-express.js

Essentially: use the approveDomains callback instead of a static list. Also, the default fs plugin is very simple and doesn't support relationships. There are other plugins available in the plugins section of the page above.

Watch this: https://www.youtube.com/watch?v=bTEn93gxY50&index=3&list=PLZaEVINf2Bq_lrS-OOzTUJB4q3HxarlXk&t=26s And read this: https://git.coolaj86.com/coolaj86/greenlock-express.js Essentially: use the `approveDomains` callback instead of a static list. Also, the default fs plugin is very simple and doesn't support relationships. There are other plugins available in the plugins section of the page above.

coolaj86 comentou 2018-09-19 19:51:25 +00:00

Proprietário

Copiar link

Also: Welcome! :)

I'm at work atm, just coming in from lunch. I gotta get back to that, but after you review those things feel free to comment again if you're still having trouble and I'll be around in the eveing.

Also: Welcome! :) I'm at work atm, just coming in from lunch. I gotta get back to that, but after you review those things feel free to comment again if you're still having trouble and I'll be around in the eveing.

Ghost comentou 2018-09-20 08:29:16 +00:00

Autor

Copiar link

:)

Passing approve Domains to my greenlock constructor doesn't seem to change much.
I still don't have my new domain (domain2) listed in my certificate :

openssl x509 -text < /etc/letsencrypt/live/domain1/fullchain.pem  | grep 'DNS:' | sed 's/\s*DNS:\([a-z0-9.\-]*\)[,\s]\?/\1 /g'

> domain1 domain3

:) Passing approve Domains to my greenlock constructor doesn't seem to change much. I still don't have my new domain (domain2) listed in my certificate : ``` openssl x509 -text < /etc/letsencrypt/live/domain1/fullchain.pem | grep 'DNS:' | sed 's/\s*DNS:\([a-z0-9.\-]*\)[,\s]\?/\1 /g' > domain1 domain3 ```

Ghost comentou 2018-09-20 08:36:55 +00:00

Autor

Copiar link

NVM I just passed an array instead of a function. What is the correct syntax to use dns challenge instead of http ?

NVM I just passed an array instead of a function. What is the correct syntax to use dns challenge instead of http ?

Ghost comentou 2018-09-20 08:46:14 +00:00

Autor

Copiar link

Doesn't this part :

if (certs) {
    opts.domains = certs.altnames;
  }

rewrite my domain list?

Doesn't this part : ``` if (certs) { opts.domains = certs.altnames; } ``` rewrite my domain list?

Ghost comentou 2018-09-20 08:54:30 +00:00

Autor

Copiar link

Also my function approveDomains doesn't seem to be executed.

Also my function approveDomains doesn't seem to be executed.

coolaj86 comentou 2018-09-22 19:50:36 +00:00

Proprietário

Copiar link

Yes, you'll want to remove the old certs and let everything refresh anew.

Also, yeah, I don't know why I put that line in there. I should probably remove that because it's more counter-productive than productive for the simple use case (and probably non-simple use cases as well).

Re: dns-01 challenges

{ challengeType: 'dns-01'
, challenges: { 'dns-01': require("le-challenge-dnsxyz").create({ ... }) }
}

Yes, you'll want to remove the old certs and let everything refresh anew. Also, yeah, I don't know why I put that line in there. I should probably remove that because it's more counter-productive than productive for the simple use case (and probably non-simple use cases as well). Re: dns-01 challenges ``` { challengeType: 'dns-01' , challenges: { 'dns-01': require("le-challenge-dnsxyz").create({ ... }) } } ```

Ghost comentou 2018-09-22 20:02:53 +00:00

Autor

Copiar link

So you advise removing the older certs before creating new ones with greenlock? I don't understand why they collide though...

Also, What happens to request received in the meantime (I am using nginx and unclear if the older certificate will get cached)?

So you advise removing the older certs before creating new ones with greenlock? I don't understand why they collide though... Also, What happens to request received in the meantime (I am using nginx and unclear if the older certificate will get cached)?

Ghost comentou 2018-09-22 20:03:33 +00:00

Autor

Copiar link

How does the old cert paly a role in my request for a new cerificate?

How does the old cert paly a role in my request for a new cerificate?

coolaj86 comentou 2018-09-22 20:06:07 +00:00

Proprietário

Copiar link

removing the older certs before creating new ones with greenlock?

Not in general, but unless you switch to one of the more advanced le-store-* strategies, the default fs strategy doesn't manage the case where you have an existing list of certs and you want to add more certs to that list -- that's a new list.

What happens to request received in the meantime

If you're not using the approve domains callback instead of array then you're all good.

> removing the older certs before creating new ones with greenlock? Not in general, but unless you switch to one of the more advanced le-store-* strategies, the default fs strategy doesn't manage the case where you have an existing list of certs and you want to add more certs to that list -- that's a new list. > What happens to request received in the meantime If you're not using the approve domains callback instead of array then you're all good.

coolaj86 comentou 2018-09-22 20:08:16 +00:00

Proprietário

Copiar link

How does the old cert play a role in my request for a new certificate?

When you define the array of certificates the default plugins assumes that the first element in the array is to be used for the filename and that if the cert is valid then all altnames are already present.

So it's not using the array that's the problem, it's that with the default plugin it expects the array to represent what's on the cert.

> How does the old cert play a role in my request for a new certificate? When you define the array of certificates the default plugins assumes that the first element in the array is to be used for the filename and that if the cert is valid then all altnames are already present. So it's not using the array that's the problem, it's that with the default plugin it expects the array to represent what's on the cert.

coolaj86 comentou 2018-09-22 20:09:05 +00:00

Proprietário

Copiar link

Parsing certificates is now possible, but it's very expensive (a 1mb require of llvm / asm.js type stuff) and it wasn't possible when the plugin was first created.

Parsing certificates is now possible, but it's very expensive (a 1mb require of llvm / asm.js type stuff) and it wasn't possible when the plugin was first created.

Ghost comentou 2018-09-23 19:19:11 +00:00

Autor

Copiar link

I want one cert with several domains behind added as time goes on. I have a cert with two domains (1 and 3 in my op) and I want to add a third, or in any case create a certifacte that covers all three domains. I'm passing all three domains to greenlock but only get a cert that covers the inital two...

If I delete the old certificate, I assume for your answer that greenlock will stop from (wrongly) assuming that all my altnames are here, and will generate a new certificate 'from scratch', am I correct ?

Thank you for your time and help anyways :)

I want one cert with several domains behind added as time goes on. I have a cert with two domains (1 and 3 in my op) and I want to add a third, or in any case create a certifacte that covers all three domains. I'm passing all three domains to greenlock but only get a cert that covers the inital two... If I delete the old certificate, I assume for your answer that greenlock will stop from (wrongly) assuming that all my altnames are here, and will generate a new certificate 'from scratch', am I correct ? Thank you for your time and help anyways :)

Ghost comentou 2018-10-26 08:08:04 +00:00

Autor

Copiar link

It looks like this issue can be closed - do you agree Kudmath? The call limits in LE don't look like they will affect you with the numbers you are talking about - is there a reason why you want all your domains listed on the same cert?

You might find it easiest to use an existing plugin and then modify it + pull request any changes.

AJ - some of these questions are ones I had and that I've seen other have. What is the best way to contribute additional documentation? A docs folder with markdown? Additional docs in the code?

It looks like this issue can be closed - do you agree Kudmath? The call limits in LE don't look like they will affect you with the numbers you are talking about - is there a reason why you want all your domains listed on the same cert? You might find it easiest to use an existing plugin and then modify it + pull request any changes. AJ - some of these questions are ones I had and that I've seen other have. What is the best way to contribute additional documentation? A docs folder with markdown? Additional docs in the code?

coolaj86 comentou 2018-11-05 07:33:24 +00:00

Proprietário

Copiar link

@chanoch I'm pretty laid back about these things. I think both of those are great ideas.

I'd definitely like to see something in the examples folder and a link to that in the README.

Sorry I've been slow to respond, but how's the plugin coming? How can I help?

@chanoch I'm pretty laid back about these things. I think both of those are great ideas. I'd definitely like to see something in the examples folder and a link to that in the README. Sorry I've been slow to respond, but how's the plugin coming? How can I help?

coolaj86 fechou esta issue 2018-11-05 07:33:24 +00:00

coolaj86 comentou 2018-11-05 07:34:01 +00:00

Proprietário

Copiar link

@kudmath please reopen if you feel the issue isn't adequately addressed.

@kudmath please reopen if you feel the issue isn't adequately addressed.

Acesse para participar desta conversação.

Nenhum branch/tag especificado

Branches Tags

master

github

next

v4

npm

v3

wip

dns-challenge-regression-fix

v2.4

v2.5

v2.3

v2

v2.2

acmev2

v2.1

greenlock

v1

node-letsencrypt-python

v4.0.5

v4.0.4

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.1.5

v3.1.4

v3.1.3

v3.0.25

v3.0.24

v3.0.23

v3.0.21

v3.0.20

v3.0.19

v3.0.18

v3.0.17

v3.0.16

v3.0.15

v3.0.12

v3.0.11

v3.0.10

v3.0.9

v3.0.7

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v2.8.8

v2.8.7

v2.8.6

v2.8.5

v2.8.4

v2.8.3

v2.8.2

v2.8.1

v2.8.0

v2.7.23

v2.7.22

v2.7.21

v2.7.20

v2.7.19

v2.7.18

v2.7.17

v2.7.16

v2.7.15

v2.7.14

v2.7.13

v2.7.12

v2.7.11

v2.7.10

v2.7.9

v2.7.8

v2.7.7

v2.7.6

v2.7.5

v2.7.4

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.10

v2.6.9

v2.6.8

v2.6.7

v2.6.6

v2.6.5

v2.6.4

v2.6.3

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.10

v2.4.9

v2.4.8

v2.4.7

v2.4.2

v2.4.1

v2.4.0

v2.3.13

v2.3.12

v2.3.11

v2.3.10

v2.3.9

v2.3.8

v2.3.7

v2.3.6

v2.3.5

v2.3.4

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.20

v2.2.19

v2.2.18

v2.2.17

v2.2.16

v2.2.15

v2.2.14

v2.2.13

v2.2.12

v2.2.11

v2.2.10

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.0

v2.1.19

v2.1.18

v2.1.17

v2.1.16

v2.1.15

v2.1.14

v2.1.13

v2.1.12

v2.1.11

v2.1.10

v2.1.9

v2.1.7

v2.1.6

v2.1.5

v2.1.4

v2.1.3

v2.1.2

v2.1.1

v2.1.0

v1.5.8

v2.0.5

v2.0.4

v1.5.7

v1.5.6

v1.5.5

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.0

v1.2.0

v1.1.0

v1.0.2

v1.0.0

v1.0.1

Etiquetas

Nenhum item

Sem etiqueta

Marco

Nenhum item

Sem marco

Responsáveis

Limpar responsáveis

jshaver coolaj86

Sem responsável

2 participante(s)

Notificações

Inscrever-se

Data limite

Data limite não informada.

Dependências

Nenhuma dependência definida.

Referência: coolaj86/greenlock.js-ARCHIVED#20

Nenhuma descrição fornecida.