Missing domain/altname when requesting several domains certificate #20

Closed
opened 2018-09-19 17:04:08 +00:00 by Ghost · 16 comments

I asked a question on Stack Overflow but I thought to also ask it here:

I'm using greenlock to generate certificates. I pass it three domains, and only get 2 in my altnames:

```
// domains: [ 'domain1', 'domain3', 'domain2' ] (see the log output below)
console.log({ domains })
return greenlock.register({
  domains,
  email: myemail,
  challengeType: 'dns-01',
})
.then((result) => {
  console.log(result)
})
```

here are my logs:

```
{ domains: [ 'domain1', 'domain3', 'domain2' ] }
true true true
{ result:
   { privkey: '-----BEGIN PRIVATE KEY-----\n\n-----END CERTIFICATE-----\n',
     chain: '-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n',
     subject: 'domain2',
     altnames: [ 'domain1', 'domain2' ],
     _issuedAt: 2018-09-19T14:43:31.000Z,
     _expiresAt: 2018-12-18T14:43:31.000Z,
     issuedAt: 1537368211000,
     expiresAt: 1545144211000 } }
```

As you can see, it's not even my first two domains that end up in my altnames but rather those that were already in the old certificate (not sure this is why, though).

Owner

Watch this: https://www.youtube.com/watch?v=bTEn93gxY50&index=3&list=PLZaEVINf2Bq_lrS-OOzTUJB4q3HxarlXk&t=26s

And read this: https://git.coolaj86.com/coolaj86/greenlock-express.js

Essentially: use the `approveDomains` callback instead of a static list. Also, the default fs plugin is very simple and doesn't support relationships. There are other plugins available in the plugins section of the page above.

Owner

Also: Welcome! :)

I'm at work atm, just coming in from lunch. I gotta get back to that, but after you review those things feel free to comment again if you're still having trouble and I'll be around in the evening.

Author

:)

Passing `approveDomains` to my greenlock constructor doesn't seem to change much.
I still don't have my new domain (domain2) listed in my certificate:

```
# list the SAN entries of the certificate greenlock wrote to disk
openssl x509 -text < /etc/letsencrypt/live/domain1/fullchain.pem \
  | grep 'DNS:' \
  | sed 's/\s*DNS:\([a-z0-9.\-]*\)[,\s]\?/\1 /g'
```

> domain1 domain3

Author

NVM, I just passed an array instead of a function. What is the correct syntax to use the DNS challenge instead of HTTP?

Author

Doesn't this part:

```
if (certs) {
  opts.domains = certs.altnames;
}
```

rewrite my domain list?

Author

Also, my `approveDomains` function doesn't seem to be executed.

Owner

Yes, you'll want to remove the old certs and let everything refresh anew.

Also, yeah, I don't know why I put that line in there. I should probably remove that because it's more counter-productive than productive for the simple use case (and probably non-simple use cases as well).

Re: dns-01 challenges

```
{ challengeType: 'dns-01'
, challenges: { 'dns-01': require("le-challenge-dnsxyz").create({ ... }) }
}
```
Author

So you advise removing the older certs before creating new ones with greenlock? I don't understand why they collide, though...

Also, what happens to requests received in the meantime (I am using nginx and it's unclear whether the older certificate will get cached)?

Author

How does the old cert play a role in my request for a new certificate?

Owner

> removing the older certs before creating new ones with greenlock?

Not in general, but unless you switch to one of the more advanced le-store-* strategies, the default fs strategy doesn't manage the case where you have an existing list of certs and you want to add more certs to that list -- that's a new list.

> What happens to requests received in the meantime

If you're not using the `approveDomains` callback instead of an array, then you're all good.

Owner

> How does the old cert play a role in my request for a new certificate?

When you define the array of certificates, the default plugin assumes that the first element in the array is to be used for the filename and that if the cert is valid then all altnames are already present.

So it's not using the array that's the problem, it's that with the default plugin it expects the array to represent what's on the cert.

Owner

Parsing certificates is now possible, but it's very expensive (a 1mb require of llvm / asm.js type stuff) and it wasn't possible when the plugin was first created.

Author

I want one cert with several domains added as time goes on. I have a cert with two domains (1 and 3 in my OP) and I want to add a third, or in any case create a certificate that covers all three domains. I'm passing all three domains to greenlock but only get a cert that covers the initial two...

If I delete the old certificate, I assume from your answer that greenlock will stop (wrongly) assuming that all my altnames are there, and will generate a new certificate 'from scratch', am I correct?

Thank you for your time and help anyway :)

Author

It looks like this issue can be closed - do you agree Kudmath? The call limits in LE don't look like they will affect you with the numbers you are talking about - is there a reason why you want all your domains listed on the same cert?

You might find it easiest to use an existing plugin and then modify it + pull request any changes.

AJ - some of these questions are ones I had and that I've seen others have. What is the best way to contribute additional documentation? A docs folder with markdown? Additional docs in the code?

Owner

@chanoch I'm pretty laid back about these things. I think both of those are great ideas.

I'd definitely like to see something in the examples folder and a link to that in the README.

Sorry I've been slow to respond, but how's the plugin coming? How can I help?

Owner

@kudmath please reopen if you feel the issue isn't adequately addressed.

Reference: coolaj86/greenlock.js-ARCHIVED#20