acmesmith-google-cloud-dns's Issues

Failed to create wildcard certificate with SANs

I tried to create a wildcard certificate and found a problem.

When I tried to create a wildcard certificate without SANs (SAN = X509v3 Subject Alternative Name)
with the following command, it succeeded.

acmesmith order '*.yasooon2018.work'
command output
tsuyoshi@wezen% bundle exec acmesmith order '*.yasooon2018.work'
=> Ordering a certificate for the following identifiers:

 * *.yasooon2018.work

=> Generating CSR
=> Placing an order
=> Looking for required domain authorizations

 * yasooon2018.work

=> Responsing to the challenges for the following identifier:

 * Responder:   Acmesmith::ChallengeResponders::GoogleCloudDns
 * Identifiers:
     - yasooon2018.work (dns-01)

=> Responding challenge dns-01 for yasooon2018.work in Acmesmith::ChallengeResponders::GoogleCloudDns
 * create_change: TXT "_acme-challenge.yasooon2018.work.", "yGhh6dL7Zmgp5dgibrKNKXF1SeXo6yVkaKk0semdwh4"
 * requested change: 62
 * change "62" is still "pending"
 * synced!
=> Checking DNS resource record
 * nameservers: ["ns-cloud-c1.googledomains.com.", "ns-cloud-c2.googledomains.com.", "ns-cloud-c3.googledomains.com.", "ns-cloud-c4.googledomains.com."]
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] success: ttl=5, data="yGhh6dL7Zmgp5dgibrKNKXF1SeXo6yVkaKk0semdwh4"
 * [ns-cloud-c2.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c2.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c2.googledomains.com.] success: ttl=5, data="yGhh6dL7Zmgp5dgibrKNKXF1SeXo6yVkaKk0semdwh4"
 * [ns-cloud-c3.googledomains.com.] success: ttl=5, data="yGhh6dL7Zmgp5dgibrKNKXF1SeXo6yVkaKk0semdwh4"
 * [ns-cloud-c4.googledomains.com.] success: ttl=5, data="yGhh6dL7Zmgp5dgibrKNKXF1SeXo6yVkaKk0semdwh4"
=> Requesting validations...

 * yasooon2018.work (dns-01) ... [ ok ]

=> Waiting for the validation...

 * [yasooon2018.work] status: valid

=> Cleaning the responses the challenges for the following identifier:

 * Responder:   Acmesmith::ChallengeResponders::GoogleCloudDns
 * Identifiers:
     - yasooon2018.work (dns-01)

=> Authorized!
=> Finalizing the order

 * Requesting... [ ok ]

=> Certificate issued

 * securing into the storage ... [ ok ]

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fa:5f:86:13:68:ba:66:de:97:4a:bb:ce:e3:79:f7:97:0a:4d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Fake LE Intermediate X1
        Validity
            Not Before: Aug 22 17:51:40 2018 GMT
            Not After : Nov 20 17:51:40 2018 GMT
        Subject: CN=*.yasooon2018.work
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                B5:16:48:4F:7D:A1:98:16:7E:F6:4D:2D:D6:A5:69:E5:A9:3F:11:71
            X509v3 Authority Key Identifier: 
                keyid:C0:CC:03:46:B9:58:20:CC:5C:72:70:F3:E1:2E:CB:20:A6:F5:68:3A

            Authority Information Access: 
                OCSP - URI:http://ocsp.stg-int-x1.letsencrypt.org
                CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:*.yasooon2018.work
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

-----BEGIN CERTIFICATE-----
(...snip...)
-----END CERTIFICATE-----

But when I tried to create a wildcard certificate with SANs with the following command,

acmesmith order yasooon2018.work '*.yasooon2018.work'

it failed with this error message.

Google::Apis::ClientError: alreadyExists: The resource 'entity.change.additions[0]' named '_acme-challenge.yasooon2018.work. (TXT)' already exists
command output
tsuyoshi@wezen% bundle exec acmesmith order yasooon2018.work '*.yasooon2018.work'
=> Ordering a certificate for the following identifiers:

 * yasooon2018.work
 * *.yasooon2018.work

=> Generating CSR
=> Placing an order
=> Looking for required domain authorizations

 * yasooon2018.work
 * yasooon2018.work

=> Responsing to the challenges for the following identifier:

 * Responder:   Acmesmith::ChallengeResponders::GoogleCloudDns
 * Identifiers:
     - yasooon2018.work (dns-01)
     - yasooon2018.work (dns-01)

=> Responding challenge dns-01 for yasooon2018.work in Acmesmith::ChallengeResponders::GoogleCloudDns
 * create_change: TXT "_acme-challenge.yasooon2018.work.", "9vEO-G5XR8cJ7DnOhzFriptEsYFOP8ecpQBQDju8i0A"
 * requested change: 66
 * change "66" is still "pending"
 * synced!
=> Checking DNS resource record
 * nameservers: ["ns-cloud-c1.googledomains.com.", "ns-cloud-c2.googledomains.com.", "ns-cloud-c3.googledomains.com.", "ns-cloud-c4.googledomains.com."]
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] failed: DNS result has no information for _acme-challenge.yasooon2018.work.
 * [ns-cloud-c1.googledomains.com.] success: ttl=5, data="9vEO-G5XR8cJ7DnOhzFriptEsYFOP8ecpQBQDju8i0A"
 * [ns-cloud-c2.googledomains.com.] success: ttl=5, data="9vEO-G5XR8cJ7DnOhzFriptEsYFOP8ecpQBQDju8i0A"
 * [ns-cloud-c3.googledomains.com.] success: ttl=5, data="9vEO-G5XR8cJ7DnOhzFriptEsYFOP8ecpQBQDju8i0A"
 * [ns-cloud-c4.googledomains.com.] success: ttl=5, data="9vEO-G5XR8cJ7DnOhzFriptEsYFOP8ecpQBQDju8i0A"
=> Responding challenge dns-01 for yasooon2018.work in Acmesmith::ChallengeResponders::GoogleCloudDns
 * create_change: TXT "_acme-challenge.yasooon2018.work.", "GlhDWWcxnk385Kdpo2w4v3hoftSLpKYX0Jhf269-kFg"
bundler: failed to load command: acmesmith (/home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/bin/acmesmith)
Google::Apis::ClientError: alreadyExists: The resource 'entity.change.additions[0]' named '_acme-challenge.yasooon2018.work. (TXT)' already exists
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/google-api-client-0.23.4/lib/google/apis/core/http_command.rb:218:in `check_status'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/google-api-client-0.23.4/lib/google/apis/core/api_command.rb:116:in `check_status'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/google-api-client-0.23.4/lib/google/apis/core/http_command.rb:183:in `process_response'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/google-api-client-0.23.4/lib/google/apis/core/http_command.rb:299:in `execute_once'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/google-api-client-0.23.4/lib/google/apis/core/http_command.rb:104:in `block (2 levels) in execute'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/retriable-3.1.2/lib/retriable.rb:61:in `block in retriable'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/retriable-3.1.2/lib/retriable.rb:56:in `times'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/retriable-3.1.2/lib/retriable.rb:56:in `retriable'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/google-api-client-0.23.4/lib/google/apis/core/http_command.rb:101:in `block in execute'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/retriable-3.1.2/lib/retriable.rb:61:in `block in retriable'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/retriable-3.1.2/lib/retriable.rb:56:in `times'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/retriable-3.1.2/lib/retriable.rb:56:in `retriable'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/google-api-client-0.23.4/lib/google/apis/core/http_command.rb:93:in `execute'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/google-api-client-0.23.4/lib/google/apis/core/base_service.rb:360:in `execute_or_queue_command'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/google-api-client-0.23.4/generated/google/apis/dns_v1/service.rb:95:in `create_change'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/acmesmith-google-cloud-dns-0.1.1/lib/acmesmith/challenge_responders/google_cloud_dns.rb:46:in `respond'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/acmesmith-2.1.0/lib/acmesmith/challenge_responders/base.rb:23:in `block in respond_all'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/acmesmith-2.1.0/lib/acmesmith/challenge_responders/base.rb:22:in `each'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/acmesmith-2.1.0/lib/acmesmith/challenge_responders/base.rb:22:in `respond_all'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/acmesmith-2.1.0/lib/acmesmith/client.rb:224:in `block in process_authorizations'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/acmesmith-2.1.0/lib/acmesmith/client.rb:214:in `each'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/acmesmith-2.1.0/lib/acmesmith/client.rb:214:in `process_authorizations'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/acmesmith-2.1.0/lib/acmesmith/client.rb:42:in `order'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/acmesmith-2.1.0/lib/acmesmith/command.rb:36:in `order'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/thor-0.20.0/lib/thor/command.rb:27:in `run'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/thor-0.20.0/lib/thor/invocation.rb:126:in `invoke_command'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/thor-0.20.0/lib/thor.rb:387:in `dispatch'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/thor-0.20.0/lib/thor/base.rb:466:in `start'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/gems/acmesmith-2.1.0/bin/acmesmith:4:in `<top (required)>'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/bin/acmesmith:23:in `load'
  /home/tsuyoshi/tmp/acmesmith-20180704/vendor/bundle/ruby/2.5.0/bin/acmesmith:23:in `<top (required)>'

Other information:

  • acmesmith.yml:
# directory: https://acme-v02.api.letsencrypt.org/directory
directory: https://acme-staging-v02.api.letsencrypt.org/directory

storage:
  type: filesystem
  path: keys

challenge_responders:
  - google_cloud_dns:
      project_id: my-project-id
      private_key_json_file: /path/to/service-account-key.json
      ttl: 5
  • versions:
    • acmesmith v2.1.0
    • acmesmith-google-cloud-dns v0.1.1
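
In the failing run above, both identifiers resolve to the same dns-01 record name, `_acme-challenge.yasooon2018.work.`, and the second `create_change` is rejected because a TXT record set already exists under that name. The sketch below is an added example, not code from acmesmith or acmesmith-google-cloud-dns: it plans one merged change per record name, using plain hashes in place of Cloud DNS objects and making no API call. `plan_changes`, `plan_cleanup` and the challenge hash shape are hypothetical; the two TXT values come from the log above, and which identifier each belongs to is assumed.

```ruby
# Plain hashes stand in for Cloud DNS change / record-set objects (assumption).

# dns-01 validates a wildcard identifier against its base domain, so
# "*.example.test" and "example.test" share one TXT record name.
def challenge_record_name(identifier)
  "_acme-challenge.#{identifier.sub(/\A\*\./, '')}."
end

# TXT rrdatas are stored in quoted form.
def quote_txt(value)
  %("#{value}")
end

# challenges: array of { identifier:, value: } (hypothetical shape).
# existing:   record name => TXT record set currently in the zone, if any.
# Returns one change per record name. A name that already has a TXT set gets
# a deletion of the old set plus an addition of the merged set, since a
# second addition under the same name and type is rejected (alreadyExists).
def plan_changes(challenges, existing: {}, ttl: 5)
  challenges.group_by { |c| challenge_record_name(c[:identifier]) }.map do |name, group|
    current = existing[name]
    wanted = group.map { |c| quote_txt(c[:value]) }
    rrdatas = ((current ? current[:rrdatas] : []) + wanted).uniq
    {
      deletions: current ? [current] : [],
      additions: [{ name: name, type: 'TXT', ttl: ttl, rrdatas: rrdatas }],
    }
  end
end

# Cleanup counterpart: remove only this order's values and keep any others.
def plan_cleanup(challenges, existing:)
  challenges.group_by { |c| challenge_record_name(c[:identifier]) }.map do |name, group|
    current = existing[name]
    next unless current
    remaining = current[:rrdatas] - group.map { |c| quote_txt(c[:value]) }
    additions = remaining.empty? ? [] : [current.merge(rrdatas: remaining)]
    { deletions: [current], additions: additions }
  end.compact
end

# Constructed sample mirroring the failing order on this page.
SAMPLE_CHALLENGES = [
  { identifier: 'yasooon2018.work',   value: '9vEO-G5XR8cJ7DnOhzFriptEsYFOP8ecpQBQDju8i0A' },
  { identifier: '*.yasooon2018.work', value: 'GlhDWWcxnk385Kdpo2w4v3hoftSLpKYX0Jhf269-kFg' },
].freeze

if __FILE__ == $PROGRAM_NAME
  plan_changes(SAMPLE_CHALLENGES).each { |change| p change }
end
```

With the sample input the plan contains a single addition carrying both TXT values, so the authoritative servers answer both challenges from one record set.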
