
CNAME delegation fails with "CSR does not specify same identifiers as Order" for subdomain certificates #953

@TrespassingTortoise


When using the experimental CNAME delegation feature (dnsAlias) to issue a certificate for a subdomain, the certificate request fails during the FinalizeOrder step with the error: "Error finalizing order :: CSR does not specify same identifiers as Order".

Environment

  • keyvault-acmebot version: v4.2.0 (or later)
  • Azure Function App runtime: .NET 8.0
  • Certificate request: REST API

Configuration

CNAME DNS record:

_acme-challenge.wiki.example.com CNAME _acme-challenge.wiki.acme.example.com.

REST API request:

{
  "dnsNames": ["wiki.example.com"],
  "dnsProviderName": "Azure DNS",
  "keyType": "RSA",
  "keySize": 2048,
  "dnsAlias": "wiki.acme.example.com"
}

Expected Behavior

The certificate should be issued for wiki.example.com after DNS validation is completed via the CNAME delegation.

Actual Behavior

  • DNS validation succeeds (TXT record is correctly created at _acme-challenge.wiki.acme.example.com)
  • Certificate request fails during FinalizeOrder with an HTTP 403 error
  • Error message: "CSR does not specify same identifiers as Order"

Analysis

It appears the CSR generation may be incorrectly including the alias domain (wiki.acme.example.com) instead of the requested domain (wiki.example.com) when dnsAlias is specified for subdomain certificates. The DNS validation completes successfully, but the CSR sent to Let's Encrypt doesn't match the validated identifiers.

Workaround

None found. Direct certificate issuance without CNAME delegation works correctly.

Additional Context

This issue occurs specifically with subdomain certificates using CNAME delegation. The CNAME feature is marked as experimental in the documentation.
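
Added example (not part of the original issue and not keyvault-acmebot code): a small Python model of the invariant the analysis above points at, namely that dnsAlias only relocates the dns-01 TXT record while the CSR must still name exactly the order's identifiers. The function names, the name normalization and the alias-to-record mapping for more than one name are assumptions of this sketch; the request body is the one from the issue.

```python
ACME_LABEL = "_acme-challenge"

def norm(name):
    """Lower-case and drop a trailing root dot so names compare as DNS names."""
    return name.strip().rstrip(".").lower()

def txt_record_name(identifier, dns_alias=None):
    """Name where the dns-01 TXT record is written.

    With an alias the record goes under the alias (the CNAME target);
    without one, a wildcard shares the record name of its base domain.
    """
    base = norm(dns_alias) if dns_alias else norm(identifier).removeprefix("*.")
    return f"{ACME_LABEL}.{base}"

def plan_order(request):
    """Derive order identifiers, CSR names and TXT locations from a request body."""
    identifiers = sorted({norm(n) for n in request["dnsNames"]})
    alias = request.get("dnsAlias")
    return {
        "identifiers": identifiers,
        "csr_names": identifiers,  # the alias must never appear in the CSR
        "txt_records": {i: txt_record_name(i, alias) for i in identifiers},
    }

def csr_mismatch(order_identifiers, csr_names):
    """Return (missing, unexpected); both empty means the CSR matches the order."""
    order = {norm(n) for n in order_identifiers}
    csr = {norm(n) for n in csr_names}
    return sorted(order - csr), sorted(csr - order)

# Request body taken from the issue above.
REQUEST = {"dnsNames": ["wiki.example.com"], "dnsProviderName": "Azure DNS",
           "keyType": "RSA", "keySize": 2048, "dnsAlias": "wiki.acme.example.com"}

if __name__ == "__main__":
    plan = plan_order(REQUEST)
    print("TXT records:", plan["txt_records"])
    print("correct CSR:", csr_mismatch(plan["identifiers"], plan["csr_names"]))
    # Suspected failure mode: CSR built from the alias instead of dnsNames.
    print("alias in CSR:", csr_mismatch(plan["identifiers"], [REQUEST["dnsAlias"]]))
```

A non-empty result from csr_mismatch before finalization is the condition the ACME server reports as "CSR does not specify same identifiers as Order".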

Labels: bug (Something isn't working)