Unable to acquire wildcard certificate from Entrust but the process works fine for single and multi-domain certificates #567
Comments
Hey @jamiekowalczik, thanks for reaching out and thanks a ton for the debug output as well. For future reference, you don't need to redact the nonce values. They're just random strings generated by the ACME server that are included to prevent replay attacks. The first thing I notice from the logs is that the ACME response following the
But the response order object had:
Normally, I'd assume this was just an accidental typo in the log redaction. But then later when the module requests the authorization object ( It seems like this Entrust ACME endpoint is purposefully stripping the wildcard portion of identifiers as if they're not allowed. I'm pretty sure the errors stem from the fact that the identifiers in the requested order don't match the identifiers in the resulting order object that was returned by Entrust. There's some internal code that needs to match the authz URLs with their associated identifier. But since the authz data doesn't match any of the identifiers in the module's copy of the order object, things go wonky.
Thanks @rmbolger! Appreciate the quick response. I shared this link with support. Hoping for a resolution. I'll keep you posted.
The Entrust support ticket got escalated. Still waiting for a response. I made the following adjustment as a workaround that got me a wildcard certificate, however as you are likely aware, if I tried to acquire a certificate with both *.domain.com and domain.com in the SAN field, no bueno.
After trying to determine how to maintain order when converting a json string to a powershell object manually, assuming that was the problem with associating the order name with an authorization URL, I stumbled on the following note here (I'm using 7.4.3): https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/convertfrom-json?view=powershell-7.4 I followed up with returning the code back to how it was and commented out the section below. After that, I've had repeated success with acquiring single, multi and wildcard domain certificates from Entrust.
UPDATE: It had a good run... and then I ran into some occasions of "Timed out waiting 60 seconds for authorizations to become valid". Really hoping Entrust can make some adjustments on their end.
It's still so weird that they'd deviate from the spec like that. Like, I get maybe a bug in their implementation that strips the You said you were able to get a cert with both bare apex and wildcard apex in the same cert after commenting out the identifier matching code? Did that order still require validation on those names? Or did it go through automatically because the previous authorizations had been cached? I'm really curious what the resulting order object JSON response looked like on that one too. I suppose even if the resulting order had 2 identical identifiers, it probably would have worked because the order doesn't matter since the TXT records ultimately get created at the same FQDN for both. Things might get wonky if there were other identifiers in the order as well. The more distinct names, the higher the chance that the TXT records get set to the wrong FQDNs. I knew about the PowerShell 7.3 JSON ordering thing. But sadly it doesn't actually help in this case because it's the order sent back by the ACME CA that we can't count on.
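The two points raised in this thread, that a CA returning an order whose identifiers don't match the requested ones breaks authz-to-identifier matching, and that a wildcard name and its bare apex share one `_acme-challenge` TXT FQDN, are illustrated by the following added example. It is not Posh-ACME's code and not from anyone in the thread; it assumes the order and authorization object shapes from RFC 8555 (sections 7.1.3 and 7.1.4, where a wildcard authorization carries the bare name plus `"wildcard": true`), and the order/authz documents, domain names and `https://acme.example/...` URLs are constructed placeholders that mimic the stripped-wildcard behaviour described above.

```python
"""Added example (not Posh-ACME's code): check that an ACME order echoes the
identifiers that were requested, and map authorization objects back to those
identifiers by content rather than by position, failing loudly on mismatch.

Assumed shapes follow RFC 8555 7.1.3 (order) and 7.1.4 (authorization).
"""
from collections import Counter
from typing import Dict, List, Tuple

IdentKey = Tuple[str, str]  # (type, value), e.g. ("dns", "*.example.com")

# Constructed: what the client put in its newOrder request.
REQUESTED_IDENTIFIERS = [
    {"type": "dns", "value": "*.example.com"},
    {"type": "dns", "value": "example.com"},
]

# Constructed: an order object as a spec-conforming CA would return it.
CONFORMING_ORDER = {
    "status": "pending",
    "identifiers": [
        {"type": "dns", "value": "*.example.com"},
        {"type": "dns", "value": "example.com"},
    ],
    "authorizations": [
        "https://acme.example/authz/111",  # placeholder URL
        "https://acme.example/authz/222",  # placeholder URL
    ],
}

# Constructed: the same order with the "*." prefix stripped by the CA,
# which is the behaviour described in the issue.
STRIPPED_ORDER = {
    "status": "pending",
    "identifiers": [
        {"type": "dns", "value": "example.com"},
        {"type": "dns", "value": "example.com"},
    ],
    "authorizations": CONFORMING_ORDER["authorizations"],
}

# Constructed authz objects keyed by URL. Per RFC 8555 7.1.4 the wildcard
# authorization carries the bare name and a "wildcard": true flag.
AUTHZ_BY_URL = {
    "https://acme.example/authz/111": {
        "status": "pending", "wildcard": True,
        "identifier": {"type": "dns", "value": "example.com"},
    },
    "https://acme.example/authz/222": {
        "status": "pending",
        "identifier": {"type": "dns", "value": "example.com"},
    },
}


def identifier_key(ident: dict, wildcard: bool = False) -> IdentKey:
    """Normalise an identifier to a comparable key, restoring the '*.' prefix
    that authorization objects express via the 'wildcard' flag instead."""
    value = ident["value"].lower().rstrip(".")
    if wildcard and not value.startswith("*."):
        value = "*." + value
    return (ident["type"], value)


def order_mismatches(requested: List[dict], order: dict) -> Tuple[List[str], List[str]]:
    """Return (missing, extra) identifier values, comparing as multisets so a
    duplicated bare name shows up as 'extra' and the lost wildcard as 'missing'."""
    want = Counter(identifier_key(i) for i in requested)
    got = Counter(identifier_key(i) for i in order["identifiers"])
    missing = sorted(v for _, v in (want - got).elements())
    extra = sorted(v for _, v in (got - want).elements())
    return missing, extra


def map_authz_to_identifiers(order: dict, authz_by_url: Dict[str, dict]) -> Tuple[Dict[IdentKey, str], List[str]]:
    """Map each identifier in the order to its authz URL using the authz
    object's own identifier + wildcard flag. Returns (mapping, problems);
    a caller should refuse to create challenge records if problems is non-empty."""
    expected = {identifier_key(i) for i in order["identifiers"]}
    mapping: Dict[IdentKey, str] = {}
    problems: List[str] = []
    for url in order["authorizations"]:
        authz = authz_by_url[url]
        key = identifier_key(authz["identifier"], authz.get("wildcard", False))
        if key not in expected:
            problems.append(f"authz {url} is for {key[1]!r}, which is not in the order")
        elif key in mapping:
            problems.append(f"two authorizations claim identifier {key[1]!r}")
        else:
            mapping[key] = url
    for key in sorted(expected - mapping.keys()):
        problems.append(f"no authorization found for {key[1]!r}")
    return mapping, problems


def txt_record_name(key: IdentKey) -> str:
    """FQDN of the dns-01 TXT record; '*.name' and 'name' share the same one."""
    value = key[1][2:] if key[1].startswith("*.") else key[1]
    return "_acme-challenge." + value


if __name__ == "__main__":
    for label, order in (("conforming", CONFORMING_ORDER), ("stripped", STRIPPED_ORDER)):
        print(label, "order mismatches:", order_mismatches(REQUESTED_IDENTIFIERS, order))
        mapping, problems = map_authz_to_identifiers(order, AUTHZ_BY_URL)
        for key, url in mapping.items():
            print("  ", key[1], "->", url, "TXT at", txt_record_name(key))
        for p in problems:
            print("   PROBLEM:", p)
```

Run stand-alone it shows the conforming order mapping cleanly (both names landing on `_acme-challenge.example.com`) and the stripped order reporting the lost wildcard and the authz that no longer matches anything in the order, which is the situation where a client that matched by position, as the thread discusses, would silently continue.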
I'm trying to acquire a wildcard certificate from Entrust but the process is not working. I have separate EAB accounts for single, multi and wildcard certificates. The process works fine for single and multi-domain certificates but is failing for wildcard certificates. Below is the debug output, any information you can provide to assist would be greatly appreciated. I also have Entrust involved to rule out issues on their end.
--- snippets of the script ---
--- output below ---