SANS in acme.json vs SANS in dumped certificate
Opened this issue · 3 comments
I've just executed

```
docker run -v $(pwd):/data ldez/traefik-certs-dumper:latest file --version v2 --source /data/acme-http.json --dest /data/dump/acme-http
```

(traefik 2.10.7)

then if I inspect one of the dumped certs

```
openssl x509 -text -noout -in ./dump/acme-http/certs/servizi.example.com.crt
```

I see, as expected, my long list of SANs, but:

- the `Subject: CN` is not `servizi.example.com`, the name used in the filename: well, no problem with that, but I'm just curious whether it is a bug (or, worse for me, some issue with my `acme-http.json` ... we are having issues with it)
- I was expecting that the `domain.main` in the file `acme-http.json` would be what I find in `Subject: CN` once the certificate is dumped, and also that the domains in `domain.sans` would be exactly the SANs in the certificate's `X509v3 Subject Alternative Name:`, and this is not true.

In detail, if in `acme-http.json` I have

```json
"domain": {
  "main": "servizi.example.com",
  "sans": [
    "servizi.example1.com",
    "servizi.example2.com",
    "servizi.example3.com",
    "servizi.example4.com"
  ]
},
```

then in the output of `openssl x509 -text -noout -in ./dump/acme-http/certs/servizi.example.com.crt` I have

```
Subject: CN = servizi.example99.com
X509v3 Subject Alternative Name:
    DNS:servizi.example2.com, DNS:servizi.example3.com, DNS:servizi.example88.com
```

Is it just me?

(many thanks for your notes on the internet about the issue with the Traefik upgrade 2.8 => 2.9/10 and `LEGO_DISABLE_CNAME_SUPPORT=true` .... we struggled a week till we hit your feeds!)
Hello,

Common Name has been deprecated since 2000.

The order of domains can be changed during the certificate generation by Traefik, lego, or the ACME server.

The domains inside the certificates may be different from the list because it depends on your Traefik configuration: traefik-certs-dumper doesn't "generate" certificates from `main` and `sans`, it just extracts them from the acme.json file.
Thanks. When I check a certificate with Firefox I see the "Common Name" and the "Subject Alt Names": those are, I suppose, the `Subject: CN` and `X509v3 Subject Alternative Name:` I get from the output of `openssl x509 -text -noout -in mycert.pem`.

I would expect a 1:1 relationship between these 2 fields and the `main` and `sans` in the Traefik `acme-http.json` file.

Since you just extract the certificate (yes, I've got that), that is probably not true?
There is no identity between `main`/`sans` and `Subject`/`Subject Alt Names` because, in the internals of Traefik, lego, and the ACME server, there is only a list of domains without a real order.

There is no identity between `main`/`sans` in the Traefik configuration and the acme.json file because the domains are re-ordered during the certificate generation process.
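The practical consequence of the two replies above is that the only meaningful check is a set comparison: every name listed under `main` and `sans` should appear among the certificate's SAN DNS names, regardless of order and regardless of which one ended up as CN. The following is an added example, written for this page and not part of the issue thread or of traefik-certs-dumper, that reads the `domain` block and the base64-encoded PEM `certificate` field from an acme.json (the `Certificates` list per resolver is an assumed layout; only those fields are read) and reports names that are configured but missing from the certificate, and SANs that were never configured. The sample acme.json it builds is constructed with self-signed certificates: entry 0 holds the issue's five names reordered under a different CN, which the comparison rates as fine; entry 1 reproduces the mismatch quoted in the issue (two names missing, `servizi.example88.com` present).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// acmeFile is the subset of a Traefik v2 acme.json read here (assumed layout, other fields ignored):
// resolver name -> entries with the "domain" object quoted in the issue and a base64-encoded PEM chain.
type acmeFile map[string]struct {
	Certificates []struct {
		Domain struct {
			Main string   `json:"main"`
			Sans []string `json:"sans"`
		} `json:"domain"`
		Certificate string `json:"certificate"`
	} `json:"Certificates"`
}

// Report for one entry: configured names absent from the cert (Missing) and cert SANs never
// configured (Extra). Order, which name is "main" and what the CN says are deliberately not compared.
type Report struct {
	Main, CN       string
	Missing, Extra []string
}

// normalize lowercases and sorts names so that the set comparison ignores order and case.
func normalize(names []string) []string {
	out := make([]string, len(names))
	for i, n := range names {
		out[i] = strings.ToLower(n)
	}
	sort.Strings(out)
	return out
}

// minus returns the names in a that are absent from b; both slices must be sorted.
func minus(a, b []string) (out []string) {
	for _, n := range a {
		if i := sort.SearchStrings(b, n); i == len(b) || b[i] != n {
			out = append(out, n)
		}
	}
	return out
}

// CheckAcmeJSON parses acme.json and compares main+sans of each entry, as a set, with the SAN DNS
// names of its leaf certificate (the first PEM block; the chain follows it in the same blob).
func CheckAcmeJSON(data []byte) ([]Report, error) {
	var file acmeFile
	if err := json.Unmarshal(data, &file); err != nil {
		return nil, err
	}
	var reports []Report
	for _, r := range file {
		for _, e := range r.Certificates {
			raw, err := base64.StdEncoding.DecodeString(e.Certificate)
			block, _ := pem.Decode(raw)
			if err != nil || block == nil {
				return nil, fmt.Errorf("%s: certificate field is not base64 PEM (%v)", e.Domain.Main, err)
			}
			cert, err := x509.ParseCertificate(block.Bytes)
			if err != nil {
				return nil, fmt.Errorf("%s: %w", e.Domain.Main, err)
			}
			want := normalize(append([]string{e.Domain.Main}, e.Domain.Sans...))
			have := normalize(cert.DNSNames)
			reports = append(reports, Report{e.Domain.Main, cert.Subject.CommonName, minus(want, have), minus(have, want)})
		}
	}
	return reports, nil
}

// SelfSigned builds a constructed self-signed certificate with the given CN and SANs and returns it
// base64-encoded as acme.json stores it: a stand-in for an ACME-issued certificate, not real data.
func SelfSigned(cn string, sans []string) string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

// SampleAcmeJSON is a constructed acme.json holding the issue's domain block twice: entry 0 has the same
// names reordered under another CN (harmless), entry 1 mirrors the mismatch shown in the issue.
func SampleAcmeJSON() []byte {
	entry := `{"domain":{"main":"servizi.example.com","sans":["servizi.example1.com",` +
		`"servizi.example2.com","servizi.example3.com","servizi.example4.com"]},"certificate":%q}`
	ok := SelfSigned("servizi.example3.com", []string{"servizi.example3.com", "servizi.example.com",
		"servizi.example4.com", "servizi.example1.com", "servizi.example2.com"})
	bad := SelfSigned("servizi.example99.com", []string{"servizi.example2.com", "servizi.example3.com",
		"servizi.example88.com"})
	return []byte(fmt.Sprintf(`{"http":{"Certificates":[`+entry+`,`+entry+`]}}`, ok, bad))
}

func main() {
	reports, err := CheckAcmeJSON(SampleAcmeJSON())
	fmt.Printf("err=%v\n%+v\n", err, reports)
}
```

Run against a real file, the `Missing` list is the one worth alerting on: a name that Traefik was configured to obtain but that is absent from the certificate's SANs means clients connecting with that name will fail TLS verification, whereas a different CN or a different order, as the maintainer explains, changes nothing for a client, because modern verifiers ignore the CN when SANs are present.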