Clever Geek Handbook

Let Encrypt API not return root certificate?

I am working on adapting Let's Encrypt for DotNet Core heavily derived from this awesome post ( https://medium.com/@MaartenSikkema/automatically-request-and-use-lets-encrypt-certificates-in-dotnet-core-9d0d152a59b5 ) ...

I have 99% of the way; the call request is accepted and accepted and I am properly on the End Encrypt AP and getting the acme-staging certificates.

The problem is that of the two certificates I receive from the API, neither is considered "root", which is the case where the IssuerDN certificate is equal to the SubjectDN certificate. Below is the code of interest and the resulting lines in the console.

var certificates = issuers.Values
            .Select(cert => {
                Console.WriteLine("IssuerDN: " + cert.IssuerDN.ToString());
                Console.WriteLine("SubjectDB: " + cert.SubjectDN.ToString());
                Console.WriteLine("========");
                return new
                {
                    IsRoot = cert.IssuerDN.Equivalent(cert.SubjectDN),
                    Cert = cert
                };
            });
var rootCerts = new HashSet(certificates.Where(c => c.IsRoot).Select(c => new TrustAnchor(c.Cert, null)));



IssuerDN: CN=Fake LE Root X1
SubjectDN: CN=Fake LE Intermediate X1
========
IssuerDN: CN=Fake LE Root X1
SubjectDN: CN=Fake LE Intermediate X1
========

Since there are no root certificates, the ACME client is aborted. I suppose I followed every step in the above tutorial, but have any ideas why there are no certificates with the same Issuer number and SubjectDN? Thank you for your time.

+3


source to share


2 answers


The problem was that certain .cer dependencies that I needed were not marked as embedded resources. The code I used uses this library called Certes ( https://github.com/fszlin/certes ) to handle ACME communication. I am using DotNet Core and VS Code, which means I had to manually add to csproj:

<ItemGroup>
     <EmbeddedResource Include="**/*.cer" />
</ItemGroup>


If you're looking for a great way to make your DotNet Core HTTPS app free with Let's Encrypt, among many other modern bells and whistles, I highly recommend the @Maarten library ( https://github.com/Maarten88/rrod ) and the blog post series!

+2


source


Thanks for complimenting my blog!

Why are you trying to get multiple certifications? It is supposed to work with a single certificate with multiple alternative names if you transfer multiple domains. Sample code looks like this:



var csr = new CertificationRequestBuilder();
csr.AddName("CN", domainNames.First()); // "www.my_domain.com";
foreach (var alternativeName in domainNames.Skip(1))
{
    csr.SubjectAlternativeNames.Add(alternativeName);
}
var cert = await client.NewCertificate(csr);

// Export Pfx
var pfxBuilder = cert.ToPfx();
var pfx = pfxBuilder.Build(domainNames.First(), acmeSettings.PfxPassword);

See sample code here: https://github.com/Maarten88/rrod/blob/master/src/Webapp/Services/AcmeCertificateManager.cs#L148-L158

+1


source






More articles:


All Articles