When using the experimental CNAME delegation feature (dnsAlias) to issue a certificate for a subdomain, the certificate request fails during the FinalizeOrder step with the error: "Error finalizing order :: CSR does not specify same identifiers as Order".
Environment
- keyvault-acmebot version: v4.2.0 (or later)
- Azure Function App runtime: .NET 8.0
- Certificate request: REST API
Configuration
CNAME DNS record:
_acme-challenge.wiki.example.com CNAME _acme-challenge.wiki.acme.example.com.
REST API request:
{
"dnsNames": ["wiki.example.com"],
"dnsProviderName": "Azure DNS",
"keyType": "RSA",
"keySize": 2048,
"dnsAlias": "wiki.acme.example.com"
}
Expected Behavior
The certificate should be issued for wiki.example.com after DNS validation is completed via the CNAME delegation.
Actual Behavior
- DNS validation succeeds (the TXT record is correctly created at _acme-challenge.wiki.acme.example.com)
- The certificate request fails during FinalizeOrder with an HTTP 403 error
- Error message: "CSR does not specify same identifiers as Order"
Analysis
It appears the CSR generation may be incorrectly including the alias domain (wiki.acme.example.com) instead of the requested domain (wiki.example.com) when dnsAlias is specified for subdomain certificates. The DNS validation completes successfully, but the CSR sent to Let's Encrypt doesn't match the validated identifiers.
Workaround
None found. Direct certificate issuance without CNAME delegation works correctly.
Additional Context
This issue occurs specifically with subdomain certificates using CNAME delegation. The CNAME feature is marked as experimental in the documentation.
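The two halves of the mechanism described above, as an added example that is not code from keyvault-acmebot or from Let's Encrypt: a DNS-01 validator follows the CNAME from _acme-challenge.<requested name> to wherever the TXT record really lives, but at finalize the CA compares the CSR's subject alternative names against the order's identifiers, so the CSR must name the requested domain and never the alias. The zone data is constructed, the resolver is a stand-in for real DNS, the names (resolve_challenge_target, preflight_delegation, finalize_problem) are assumed for illustration, and the example assumes a single dnsAlias applies to every name in the request.

```python
"""ACME DNS-01 with CNAME delegation: where the TXT goes vs. what the CSR must say.

Added example; not keyvault-acmebot or Boulder code. Names and zone data are
constructed for illustration.
"""
from typing import Dict, List, Optional, Sequence

Zone = Dict[str, Dict[str, str]]


class FinalizeError(Exception):
    """Raised where a real CA would return the 403 seen in the report."""


def fqdn(name: str) -> str:
    """Normalise to a lower-case, dot-terminated name so comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


# Constructed zone data (not live DNS): the delegation from the report.
ZONE: Zone = {
    "_acme-challenge.wiki.example.com.": {
        "CNAME": "_acme-challenge.wiki.acme.example.com."
    },
}


def challenge_name(identifier: str) -> str:
    """The label a DNS-01 validator queries for an order identifier."""
    return fqdn("_acme-challenge." + identifier)


def resolve_challenge_target(identifier: str, zone: Zone, max_hops: int = 8) -> str:
    """Follow CNAMEs from _acme-challenge.<identifier> the way the CA's resolver
    does and return the name at which the TXT record must actually exist."""
    name = challenge_name(identifier)
    for _ in range(max_hops):
        target = zone.get(name, {}).get("CNAME")
        if target is None:
            return name
        name = fqdn(target)
    raise ValueError(f"CNAME chain from {challenge_name(identifier)} exceeds {max_hops} hops")


def alias_txt_name(dns_alias: str) -> str:
    """Where a client configured with dnsAlias writes the TXT record."""
    return challenge_name(dns_alias)


def preflight_delegation(dns_names: Sequence[str], dns_alias: str, zone: Zone) -> List[str]:
    """Before creating an order, confirm every requested name's challenge label
    is delegated to the alias. Returns the names whose delegation is missing."""
    expected = alias_txt_name(dns_alias)
    return [n for n in dns_names if resolve_challenge_target(n, zone) != expected]


def csr_sans_for_order(order_identifiers: Sequence[str]) -> List[str]:
    """The SAN list the CSR must carry: exactly the order identifiers. The alias
    is only the validation location and has no place in the CSR."""
    return list(order_identifiers)


def finalize_problem(order_identifiers: Sequence[str], csr_sans: Sequence[str]) -> Optional[str]:
    """The CA-side rule at finalize: the CSR's SAN set must equal the order's
    identifier set. Returns the error message a CA would give, or None."""
    want = {fqdn(i) for i in order_identifiers}
    got = {fqdn(s) for s in csr_sans}
    if want != got:
        return "CSR does not specify same identifiers as Order"
    return None


def finalize_order(order_identifiers: Sequence[str], csr_sans: Sequence[str]) -> bool:
    problem = finalize_problem(order_identifiers, csr_sans)
    if problem:
        raise FinalizeError(problem)
    return True


def demo() -> Dict[str, object]:
    """Walk the report's request through both halves of the mechanism."""
    dns_names, dns_alias = ["wiki.example.com"], "wiki.acme.example.com"
    missing = preflight_delegation(dns_names, dns_alias, ZONE)
    good_csr = csr_sans_for_order(dns_names)        # SAN = wiki.example.com
    bad_csr = [dns_alias]                            # SAN = alias: what the CA rejects
    return {
        "txt_written_at": alias_txt_name(dns_alias),
        "txt_queried_at": resolve_challenge_target(dns_names[0], ZONE),
        "undelegated_names": missing,
        "good_csr_problem": finalize_problem(dns_names, good_csr),
        "bad_csr_problem": finalize_problem(dns_names, bad_csr),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The validation half passes because the TXT name the client writes to and the name the CA ends up querying coincide; the finalize half fails only when the CSR carries the alias. Running preflight_delegation before ordering catches a missing or wrong CNAME early, but it cannot catch an alias leaking into the CSR, which is why the report's symptom appears only at FinalizeOrder.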