It should be possible to generate a CSR with only extendedKeyUsage=serverAuth. Currently, acme.sh hard codes extendedKeyUsage=serverAuth,clientAuth in the certificate signing request.
A use case is certificates with the CanSignHttpExchanges extension. Google does not allow clientAuth in the extended key usage field. Here's the response from https://dv-sxg.acme-v02.api.pki.goog/directory:
{
"type":"urn:ietf:params:acme:error:badCSR",
"detail":"SXG certificates do not support the clientAuth KeyPurposeId within the Extended Key Usage extension.",
"requestID":"<redacted>"
}
[Sat May 4 04:08:01 PM UTC 2024] Sign failed, finalize code is not 200.
[Sat May 4 04:08:01 PM UTC 2024] {"type":"urn:ietf:params:acme:error:badCSR","detail":"SXG certificates do not support the clientAuth KeyPurposeId within the Extended Key Usage extension.","requestID":"<redacted>"}
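The difference between the two CSRs discussed in this issue can be checked locally before anything is sent to the CA. The script below is an added example, not code from acme.sh or from the issue author; it assumes the `openssl` CLI is installed, and the function names and the domain `example.test` are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a CSR with a chosen extendedKeyUsage and inspect it.
# example.test is a constructed domain; the function names are hypothetical.

# make_csr DOMAIN EKU OUTDIR -> writes OUTDIR/key.pem and OUTDIR/csr.pem
make_csr() {
  domain=$1; eku=$2; out=$3
  mkdir -p "$out" || return 1
  cat > "$out/csr.conf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $domain
[v3_req]
subjectAltName = DNS:$domain
extendedKeyUsage = $eku
EOF
  openssl ecparam -name prime256v1 -genkey -noout -out "$out/key.pem" 2>/dev/null || return 1
  openssl req -new -key "$out/key.pem" -config "$out/csr.conf" -out "$out/csr.pem" 2>/dev/null
}

# csr_eku CSR -> prints the key purposes requested in the CSR (empty if none)
csr_eku() {
  openssl req -in "$1" -noout -text 2>/dev/null |
    grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# csr_has_client_auth CSR -> exit status 0 if the CSR requests clientAuth
csr_has_client_auth() {
  csr_eku "$1" | grep -q 'TLS Web Client Authentication'
}

# Demo: the serverAuth,clientAuth pair versus serverAuth only.
tmp=$(mktemp -d)
for eku in serverAuth,clientAuth serverAuth; do
  make_csr example.test "$eku" "$tmp/$eku" || exit 1
  if csr_has_client_auth "$tmp/$eku/csr.pem"; then
    verdict="requests clientAuth"
  else
    verdict="serverAuth only"
  fi
  printf '%-22s -> %s\n' "$eku" "$verdict"
done
rm -rf "$tmp"
```

Running `csr_has_client_auth` on a CSR before finalization shows whether it carries the key purpose named in the `badCSR` response above.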
Please upgrade to the latest code and try again first. Maybe it's already fixed.
acme.sh --upgrade
If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.