Reputation: 181
I am working on an adaptation of Let's Encrypt for DotNet Core heavily derived from this awesome post (https://medium.com/@MaartenSikkema/automatically-request-and-use-lets-encrypt-certificates-in-dotnet-core-9d0d152a59b5).
I have it 99% of the way there; the challenge request is received and accepted, and I am correctly hitting the acme-staging Let's Encrypt API endpoint and receiving certs.
The issue is that out of the two certs I am receiving back from the API, neither one is considered the "root", which is the case where the cert IssuerDN is equal to the cert SubjectDN. Below is the code of interest and the resulting lines in the console.
// issuers holds the BouncyCastle X509Certificate objects handed back by Certes;
// a root is the one whose IssuerDN equals its own SubjectDN (self-signed)
var certificates = issuers.Values
    .Select(cert =>
    {
        Console.WriteLine("IssuerDN: " + cert.IssuerDN.ToString());
        Console.WriteLine("SubjectDN: " + cert.SubjectDN.ToString());
        Console.WriteLine("========");
        return new
        {
            // X509Name.Equivalent compares the two distinguished names
            IsRoot = cert.IssuerDN.Equivalent(cert.SubjectDN),
            Cert = cert
        };
    });

// Org.BouncyCastle.Pkix.TrustAnchor; the second argument is the (unused) name constraints
var rootCerts = new HashSet<TrustAnchor>(
    certificates.Where(c => c.IsRoot).Select(c => new TrustAnchor(c.Cert, null)));
IssuerDN: CN=Fake LE Root X1
SubjectDN: CN=Fake LE Intermediate X1
========
IssuerDN: CN=Fake LE Root X1
SubjectDN: CN=Fake LE Intermediate X1
========
Because there are no root certs, the ACME client breaks. I believe I have followed every step in the aforementioned tutorial, but any ideas why there are no certs with the same IssuerDN and SubjectDN? Thanks for your time.
Upvotes: 3
Views: 800
Reputation: 181
The issue was that certain .cer dependencies I needed were not marked as embedded resources. The code I was using leverages this library called Certes (https://github.com/fszlin/certes) to handle the ACME communication. I use DotNet Core and VS Code which means I had to manually add into the csproj:
<ItemGroup>
    <EmbeddedResource Include="**/*.cer" />
</ItemGroup>
If you are looking for a super awesome way to make your DotNet Core application HTTPS for free with Let's Encrypt, among dozens of other modern bells and whistles, I highly recommend @Maarten's library (https://github.com/Maarten88/rrod) and blog post series!
Upvotes: 2
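A startup self-check that ties the two problems above together, written as an added example (it is not code from the question, from Certes or from rrod): it loads every .cer embedded in the running assembly with the plain .NET X509 API rather than BouncyCastle, classifies each one as root or intermediate by comparing issuer and subject, and, when no self-signed root is present, reports which issuer DN is missing. The resource names and the `IssuerStoreCheck` class are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Security.Cryptography.X509Certificates;

// Added example: verify that the embedded .cer resources form a complete chain.
public static class IssuerStoreCheck
{
    // A root is self-issued: its issuer name is byte-for-byte the same DN as its subject.
    // Comparing the DER encoding (RawData) avoids differences in string formatting.
    public static bool IsSelfIssued(X509Certificate2 cert) =>
        cert.IssuerName.RawData.SequenceEqual(cert.SubjectName.RawData);

    // Reads every "*.cer" manifest resource, i.e. the <EmbeddedResource Include="**/*.cer" /> items.
    public static List<X509Certificate2> LoadEmbeddedIssuers(Assembly assembly)
    {
        var certs = new List<X509Certificate2>();
        var names = assembly.GetManifestResourceNames()
            .Where(n => n.EndsWith(".cer", StringComparison.OrdinalIgnoreCase));
        foreach (var name in names)
        {
            using (var stream = assembly.GetManifestResourceStream(name))
            using (var buffer = new MemoryStream())
            {
                stream.CopyTo(buffer);
                certs.Add(new X509Certificate2(buffer.ToArray()));
            }
        }
        return certs;
    }

    // Returns the self-signed roots; if there are none the chain is partial (only intermediates
    // were embedded) and the issuer DNs that nobody in the set carries as subject are logged.
    public static List<X509Certificate2> FindRoots(IReadOnlyCollection<X509Certificate2> issuers, Action<string> log)
    {
        foreach (var c in issuers)
            log($"{(IsSelfIssued(c) ? "ROOT" : "INTERMEDIATE")} subject=\"{c.Subject}\" issuer=\"{c.Issuer}\"");

        var roots = issuers.Where(IsSelfIssued).ToList();
        if (roots.Count == 0)
        {
            var subjects = new HashSet<string>(issuers.Select(c => c.Subject));
            var missing = issuers.Select(c => c.Issuer).Where(i => !subjects.Contains(i)).Distinct();
            log("No self-signed root embedded; missing issuer(s): " + string.Join("; ", missing));
        }
        return roots;
    }

    public static void Main()
    {
        var issuers = LoadEmbeddedIssuers(Assembly.GetExecutingAssembly());
        if (issuers.Count == 0)
            Console.WriteLine("No .cer resources found: check the csproj <EmbeddedResource> item.");
        Environment.ExitCode = FindRoots(issuers, Console.WriteLine).Count == 0 ? 1 : 0;
    }
}
```

With only the two Fake LE intermediates embedded, the check logs both as INTERMEDIATE and names "CN=Fake LE Root X1" as the missing issuer, which is exactly the symptom in the question.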
Reputation: 1951
Thanks for the compliment on my blogpost!
Why are you trying to get multiple certs? The way it is supposed to work is that it should generate a single cert with multiple alternative names in it if you pass in multiple domains. The sample code goes like this:
var csr = new CertificationRequestBuilder();
csr.AddName("CN", domainNames.First()); // e.g. "www.my_domain.com"
foreach (var alternativeName in domainNames.Skip(1))
{
    csr.SubjectAlternativeNames.Add(alternativeName);
}
var cert = await client.NewCertificate(csr);

// Export Pfx
var pfxBuilder = cert.ToPfx();
var pfx = pfxBuilder.Build(domainNames.First(), acmeSettings.PfxPassword);
See the sample code here: https://github.com/Maarten88/rrod/blob/master/src/Webapp/Services/AcmeCertificateManager.cs#L148-L158
Upvotes: 1