Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-32462

wildcard support in ACME is broken

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • rhel-9.5
    • rhel-9.5
    • pki-core
    • pki-core-11.5.1-1.el9
    • None
    • None
    • sst_idm_cs
    • 20
    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None

      Cloned from https://github.com/dogtagpki/pki/issues/4556
       

      Even though wildcard support is enabled by default in ACME pki issuer, it cannot be used with DNS challenge.

      {{# certbot -v certonly --server https://ipa-ca.ipa.test/acme/directory --manual -d *.ipa.test --preferred-challenges dns 
      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      Plugins selected: Authenticator manual, Installer None
      Requesting a certificate for *.ipa.test
      An unexpected error occurred:
      Failed to construct URI for DNS name *.ipa.test
      Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.}}

      If I look at the log, the following is there:

      {{2023-09-01 13:39:37,759:DEBUG:acme.client:Storing nonce: opPEys-Xi0v5ewxyA_Dhug
      2023-09-01 13:39:37,760:DEBUG:acme.client:JWS payload:
      b'{\n  "identifiers": [\n    

      {\n      "type": "dns",\n      "value": "*.ipa.test"\n    }

      \n  ]\n}'
      2023-09-01 13:39:37,762:DEBUG:acme.client:Sending POST request to https://master.ipa.test/acme/new-order:

      {   "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vbWFzdGVyLmlwYS50ZXN0L2FjbWUvYWNjdC95WTBqZkdRR2FyUWtMRk9Vd3hkUkhjX0tnQ3FBQnpyYWoxajBsNnluTEpVIiwgIm5vbmNlIjogIm9wUEV5cy1YaTB2NWV3eHlBX0RodWciLCAidXJsIjogImh0dHBzOi8vbWFzdGV yLmlwYS50ZXN0L2FjbWUvbmV3LW9yZGVyIn0",   "signature": "El-V71wnpU9xDpK7zit9NR3sBh-HCIIhARwxTNwqQAG3zsiASqu0QpBn7TBX0Xu9ZKKbRuCFsC1M1WuY9OQw2vuvCVNjw-Ye0EQXgMAp-xcAmHarphwOSAAWkUHz4KfO3-0T6h0SalHCz8Qaf4IWHa3giyUDGkRAmFmA_Uiy6OtkWrqh2RFU3sJ1upxmkWuQ7ORdTSJEPyNvWFPZ_dutk2g1QceX0Y9zFlCEanCe0cTBzEVIAXgwTImSb2rOZ8GpZ9sC_5_Pv2fm2bnwFfWbwC4-QDLWPq8I4FqfuyRDAjXYUHOAJx2vv8UNYI30aT41D3ZSqJDlbogwpiXpLZtl-A",   "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIiouaXBhLnRlc3QiCiAgICB9CiAgXQp9" }

      2023-09-01 13:39:37,775:DEBUG:urllib3.connectionpool:https://master.ipa.test:443 "POST /acme/new-order HTTP/1.1" 400 106
      2023-09-01 13:39:37,776:DEBUG:acme.client:Received response:
      HTTP 400
      Date: Fri, 01 Sep 2023 13:39:37 GMT
      Server: Apache/2.4.57 (Fedora Linux) OpenSSL/3.0.9 mod_wsgi/4.9.4 Python/3.11 mod_auth_gssapi/1.6.5
      Content-Type: application/problem+json
      Content-Length: 106
      Connection: close

      {"type":"urn:ietf:params:acme:error:malformed","detail":"Failed to construct URI for DNS name *.ipa.test"}

      }}

      Indeed, this is because validateSyntaxDNS() helper does attempt to construct URI() instance after validating the value (*.ipa.test). URI class rejects it because http://*.ipa.test is not a valid URI.

            edewata Endi Dewata
            rhn-engineering-rcrit Rob Crittenden
            RHCS Maintenance RHCS Maintenance
            Gilbert Kimetto Gilbert Kimetto
            Votes:
            3 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated: