>Synopsis: acme-client fails to renew certificates with multiple subject alternative names
>Category: system
>Environment:
System : OpenBSD 6.1
Details : OpenBSD 6.1 (GENERIC.MP) #20: Sat Apr 1 13:45:56 MDT 2017
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
Architecture: OpenBSD.amd64
Machine : amd64
>Description:
When acme-client is asked to renew a certificate which uses the Subject
Alternative Names feature, it fails with the error "domain not listed:
example.com". The configuration file I'm using is below:
#
# $OpenBSD: acme-client.conf,v 1.4 2017/03/22 11:14:14 benno Exp $
#
authority letsencrypt {
	agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
	api url "https://acme-v01.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
	agreement url "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
	api url "https://acme-staging.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain headcount.se.rit.edu {
	alternative names { headcount.se.rit.edu peanut.se.rit.edu }
	domain key "/etc/ssl/acme/private/headcount.se.rit.edu.key"
	domain certificate "/etc/ssl/acme/headcount.se.rit.edu.crt"
	domain full chain certificate "/etc/ssl/acme/headcount.se.rit.edu.fullchain.pem"
	sign with letsencrypt-staging
}
>How-To-Repeat:
1. Use acme-client to request a certificate with at least two SANs.
2. Use acme-client to renew that certificate.
>Fix:
As far as I can tell, the problem lies with the for loop beginning on
line 247 of revokeproc.c. When there are multiple SANs, this code fails
immediately after finding a SAN that doesn't match the requested domain name,
even if it has already found the requested domain name. If I'm not mistaken, it
should exit the loop after finding the requested domain.
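As an added illustration (not acme-client's revokeproc.c and not code from the report), the first loop below reproduces the failure mode the reporter describes and the second shows a corrected check. Function names and the sample name lists are constructed; the corrected version also checks every certificate SAN against the configured alternative names, which is assumed here to be the reason the SAN list is walked at all.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Defective check, modelled on the behaviour in the report: every SAN in
 * the certificate is compared with the single requested domain, so the
 * walk aborts on the first SAN that is some other name, even when the
 * requested domain was already seen. */
static bool
sans_match_buggy(const char *domain, const char *const *sans, size_t nsans)
{
	for (size_t i = 0; i < nsans; i++) {
		if (strcmp(sans[i], domain) != 0)
			return false;	/* reported as "domain not listed" */
	}
	return nsans > 0;
}

/* Corrected check: the requested domain must be among the certificate's
 * SANs, and every SAN must still be one of the configured names
 * (domain plus alternative names); a SAN that is no longer configured
 * means the certificate and the configuration have drifted apart. */
static bool
sans_match_fixed(const char *domain, const char *const *alts, size_t nalts,
    const char *const *sans, size_t nsans)
{
	bool found_domain = false;

	for (size_t i = 0; i < nsans; i++) {
		size_t j;

		if (strcmp(sans[i], domain) == 0)
			found_domain = true;
		for (j = 0; j < nalts; j++)
			if (strcmp(sans[i], alts[j]) == 0)
				break;
		if (j == nalts && strcmp(sans[i], domain) != 0)
			return false;	/* SAN not in configuration */
	}
	return found_domain;
}

/* Constructed sample mirroring the configuration in the report. */
static const char *const sample_alts[] = { "headcount.se.rit.edu", "peanut.se.rit.edu" };
static const char *const sample_sans[] = { "headcount.se.rit.edu", "peanut.se.rit.edu" };

bool demo_buggy(void) { return sans_match_buggy("headcount.se.rit.edu", sample_sans, 2); }
bool demo_fixed(void) { return sans_match_fixed("headcount.se.rit.edu", sample_alts, 2, sample_sans, 2); }
```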