Comments (4)
Hi @jacekjaros,
Thanks for your report!
> in my CA I use only a root CA (there is no intermediate CA)
Hmm! I must say this is something that has never occurred to me to try. I can't be sure without checking of course, but this might also be an issue in certbot itself.
I will definitely try to reproduce this right away. I would appreciate the following additional info:
- certbot, Django and cryptography version?
- Do webserver or Celery broker throw any errors anywhere?
- The request log of the webserver - it's sufficient to get the request URL paths (so everything like `/django_ca/acme/...`), request body should not be needed.
- The output of `manage.py list_cas` and `manage.py view_ca your-serial-here`?
Thanks, Mat
from django-ca.
FWIW, I'm not aware of any restriction in RFC 8555 that would forbid such a setup. So it's definitely a bug in either django-ca or certbot.
Hi @mathiasertl
CA:
root@CA:~# /opt/CA/bin/python --version
Python 3.9.8
root@CA:~# /opt/CA/bin/python -m pip list
Package Version
--------------------- ---------
acme 1.22.0
asgiref 3.4.1
asn1crypto 1.4.0
certifi 2021.10.8
cffi 1.15.0
charset-normalizer 2.0.10
configparser 5.2.0
cryptography 36.0.1
Django 4.0.1
django-ca 1.19.1
django-object-actions 3.1.0
dnspython 2.1.0
idna 3.3
josepy 1.11.0
packaging 21.3
pip 21.3.1
psycopg2-binary 2.9.3
pycparser 2.21
pyOpenSSL 21.0.0
pyparsing 3.0.6
pyRFC3339 1.1
pytz 2021.3
requests 2.27.1
requests-toolbelt 0.9.1
setuptools 60.5.0
six 1.16.0
sqlparse 0.4.2
urllib3 1.26.8
client:
root@WEB1:~# python3 --version
Python 3.9.2
root@WEB1:~# certbot --version
certbot 1.12.0
root@WEB1:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
Clients are talking directly to Django - I have no middleware.
Django access log:
Jan 17 18:10:25 CA python3[15720]: [17/Jan/2022 18:10:25] "GET /django_ca/acme/directory/ HTTP/1.1" 200 557
Jan 17 18:10:25 CA python3[15720]: [17/Jan/2022 18:10:25] "HEAD /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/new-nonce/ HTTP/1.1" 200 0
Jan 17 18:10:25 CA python3[15720]: [17/Jan/2022 18:10:25] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/new-order/ HTTP/1.1" 201 348
Jan 17 18:10:25 CA python3[15720]: [17/Jan/2022 18:10:25] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/authz/m1evIN3NEwVo/ HTTP/1.1" 200 615
Jan 17 18:10:25 CA python3[15720]: [17/Jan/2022 18:10:25] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/chall/P1LYlR36BN6E/ HTTP/1.1" 200 247
Jan 17 18:10:27 CA python3[15720]: [17/Jan/2022 18:10:27] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/authz/m1evIN3NEwVo/ HTTP/1.1" 200 403
Jan 17 18:10:27 CA python3[15720]: [17/Jan/2022 18:10:27] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/order/T05UZP89lCIR/finalize/ HTTP/1.1" 200 232
Jan 17 18:10:28 CA python3[15720]: [17/Jan/2022 18:10:28] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/order/T05UZP89lCIR/ HTTP/1.1" 200 339
Jan 17 18:10:28 CA python3[15720]: [17/Jan/2022 18:10:28] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/cert/zrdBXVX3y14q/ HTTP/1.1" 200 3687
Jan 17 18:11:29 CA python3[15720]: [17/Jan/2022 18:11:29] "GET /django_ca/acme/directory/ HTTP/1.1" 200 557
Jan 17 18:11:29 CA python3[15720]: [17/Jan/2022 18:11:29] "HEAD /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/new-nonce/ HTTP/1.1" 200 0
Jan 17 18:11:29 CA python3[15720]: [17/Jan/2022 18:11:29] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/new-order/ HTTP/1.1" 201 348
Jan 17 18:11:29 CA python3[15720]: [17/Jan/2022 18:11:29] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/authz/cD3GIXySGHXa/ HTTP/1.1" 200 615
Jan 17 18:11:30 CA python3[15720]: [17/Jan/2022 18:11:30] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/chall/r94ZVVDWdnIC/ HTTP/1.1" 200 247
Jan 17 18:11:31 CA python3[15720]: [17/Jan/2022 18:11:31] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/authz/cD3GIXySGHXa/ HTTP/1.1" 200 403
Jan 17 18:11:31 CA python3[15720]: [17/Jan/2022 18:11:31] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/order/RWflL9KLvdVJ/finalize/ HTTP/1.1" 200 232
Jan 17 18:11:32 CA python3[15720]: [17/Jan/2022 18:11:32] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/order/RWflL9KLvdVJ/ HTTP/1.1" 200 339
Jan 17 18:11:32 CA python3[15720]: [17/Jan/2022 18:11:32] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/cert/8D5yq5mACeYk/ HTTP/1.1" 200 3687
Jan 17 18:17:23 CA python3[15720]: [17/Jan/2022 18:17:23] "GET /django_ca/acme/directory/ HTTP/1.1" 200 557
Jan 17 18:17:23 CA python3[15720]: [17/Jan/2022 18:17:23] "HEAD /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/new-nonce/ HTTP/1.1" 200 0
Jan 17 18:17:23 CA python3[15720]: [17/Jan/2022 18:17:23] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/new-order/ HTTP/1.1" 201 348
Jan 17 18:17:23 CA python3[15720]: [17/Jan/2022 18:17:23] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/authz/ssEFImQGhnGo/ HTTP/1.1" 200 615
Jan 17 18:17:23 CA python3[15720]: [17/Jan/2022 18:17:23] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/chall/zqQkf4L2NBif/ HTTP/1.1" 200 247
Jan 17 18:17:25 CA python3[15720]: [17/Jan/2022 18:17:25] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/authz/ssEFImQGhnGo/ HTTP/1.1" 200 403
Jan 17 18:17:25 CA python3[15720]: [17/Jan/2022 18:17:25] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/order/3qijN1JTiCRA/finalize/ HTTP/1.1" 200 232
Jan 17 18:17:26 CA python3[15720]: [17/Jan/2022 18:17:26] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/order/3qijN1JTiCRA/ HTTP/1.1" 200 339
Jan 17 18:17:26 CA python3[15720]: [17/Jan/2022 18:17:26] "POST /django_ca/acme/24C2611A2189967175A7C04E9D098BFF3082BAEE/cert/sehjVrW90Lui/ HTTP/1.1" 200 3687
root@CA:~# /opt/CA/bin/python /opt/CA/ca/manage.py list_cas
24:C2:61:1A:21:89:96:71:75:A7:C0:4E:9D:09:8B:FF:30:82:BA:EE - JarosOrgPlInfraCA
root@CA:~# /opt/CA/bin/python /opt/CA/ca/manage.py view_ca 24:C2:61:1A:21:89:96:71:75:A7:C0:4E:9D:09:8B:FF:30:82:BA:EE
JarosOrgPlInfraCA (enabled):
* Serial: 24:C2:61:1A:21:89:96:71:75:A7:C0:4E:9D:09:8B:FF:30:82:BA:EE
* Path to private key:
/opt/CA/ca/files/ca/24C2611A2189967175A7C04E9D098BFF3082BAEE.key
* Is a root CA.
* Has no children.
* Distinguished Name: /C=PL/L=Krakow/O=jaros.org.pl/OU=infra/CN=ca.jaros.org.pl
* Maximum levels of sub-CAs (pathlen): 0
* HPKP pin: kHNjkK+bk9Eh1mTs3IjW9uq6RAUbU2JyYNZyieAf4fo=
ACMEv2 support:
* Enabled: True
* Requires contact: True
X509 v3 certificate extensions for CA:
AuthorityKeyIdentifier:
* KeyID: 28:03:D1:73:06:51:D1:60:BF:D5:07:F4:AE:9D:9D:9A:77:B4:82:69
BasicConstraints (critical):
CA:TRUE, pathlen:0
KeyUsage (critical):
* cRLSign
* keyCertSign
SubjectKeyIdentifier:
28:03:D1:73:06:51:D1:60:BF:D5:07:F4:AE:9D:9D:9A:77:B4:82:69
X509 v3 certificate extensions for signed certificates:
* Certificate Revokation List (CRL): None
* Issuer URL: None
* OCSP URL: None
* Issuer Alternative Name: None
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
I have another box based on Ubuntu 20.04 and Certbot 0.40.0-1ubuntu0.1 - on that box everything is working fine.
Hi @jacekjaros,
The issue can easily be reproduced by following Testing ACMEv2, but instead of creating an intermediate CA for ACME, use the root CA instead.
Turns out that this is actually somewhat of a bug in certbot, which expects a PEM certificate chain to end with a newline. That is probably commonly the case, but is not strictly required in RFC 7468. ef3e53d appends a newline to the chain, thus fixing the issue on our side.
kr, Mat
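To make the failure mode concrete, here is an added Python illustration (not code from django-ca or certbot): a strict splitter that, like the client behaviour described above, only counts a PEM block once it is newline-terminated, a lenient one that accepts what RFC 7468 permits, and the server-side normalization that the fix is described as applying. The certificate bodies are constructed placeholders, and the regexes are assumptions modelling the described behaviour, not certbot's own parser.

```python
import re

# Strict splitter: every block, including the last one, must end with a
# newline after the END marker. Assumption modelling the client behaviour
# described in the thread, not certbot's actual code.
STRICT_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----\r?\n",
    re.DOTALL,
)

# Lenient splitter: the trailing newline after the last block is optional,
# which is what RFC 7468 allows.
LENIENT_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n.+?\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_chain(pem: bytes, strict: bool) -> list[bytes]:
    """Return the PEM blocks found in a certificate chain response body."""
    regex = STRICT_PEM_BLOCK if strict else LENIENT_PEM_BLOCK
    return regex.findall(pem)


def normalize_chain(pem: bytes) -> bytes:
    """Server-side fix: guarantee the chain ends with exactly one newline."""
    return pem.rstrip(b"\r\n") + b"\n"


def fake_pem(label: str) -> bytes:
    """Constructed placeholder block; the body is not a real certificate."""
    body = (label * 16)[:64]
    return b"-----BEGIN CERTIFICATE-----\n" + body.encode() + b"\n-----END CERTIFICATE-----"


# Leaf followed directly by the root CA (no intermediate), with the final
# END marker not followed by a newline: the shape that triggered the bug.
CHAIN_NO_NEWLINE = fake_pem("leaf") + b"\n" + fake_pem("root")


def demo() -> dict:
    """Count how many certificates each splitter sees, before and after the fix."""
    return {
        "strict_raw": len(split_chain(CHAIN_NO_NEWLINE, strict=True)),
        "lenient_raw": len(split_chain(CHAIN_NO_NEWLINE, strict=False)),
        "strict_fixed": len(split_chain(normalize_chain(CHAIN_NO_NEWLINE), strict=True)),
    }


if __name__ == "__main__":
    print(demo())
```

The strict splitter drops the root certificate from the unterminated chain, so a two-certificate chain looks like a single certificate to the client; after normalization both splitters agree.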