I get the following error from openssl req:
unable to find 'distinguished_name' in config
problems making Certificate Request
41035:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/crypto/conf/conf_lib.c:329:group=req name=distinguished_name
My understanding is that this is the "Subject" that it can't find… however, I am specifying that:
openssl req -new \
-key "$PRIVATE_KEY" \
-sha256 \
-config "$OPTIONS_FILE" \
-subj "/C=US/ST=California/L=San Francisco/O=ACME, Inc./CN=*.*.$DOMAIN/" \
-out "$CSR_FILENAME"
The manual's only suggestion is that the config file doesn't exist; I can cat "$OPTIONS_FILE", so it's definitely there, and the error isn't preceded by the error the manual notes it would be preceded by if this were the case, so I'm pretty sure openssl sees the config file.
My config file contains the following:
[req]
req_extensions = v3_req
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.*.example.com
…which is pretty much literally the example in the docs.
What am I doing wrong here?
*.*.example.com, is invalid. (You can only have 1 *, and only in the leftmost component.) This doesn't relate to the problem here, but don't c/p blindly.
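A preflight check for the config file in the question, as an added example that is not part of the original post: it reports the missing distinguished_name entry in [req] that the error names (group=req name=distinguished_name), checks that referenced sections exist, and applies the wildcard rule from the comment to the DNS entries. The function names and the minimal parser are this example's own, not OpenSSL code.

```python
import re

# Constructed input: the config file exactly as posted in the question.
QUESTION_CONF = """\
[req]
req_extensions = v3_req
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.*.example.com
"""

def parse_conf(text):
    """Minimal reader: [ section ] headers, key = value lines, # comments."""
    sections, current = {}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def lint_req_conf(text):
    """Return the problems found in a config meant for `openssl req -config`."""
    conf, problems = parse_conf(text), []
    req = conf.get("req", {})
    # The error in the question is this lookup failing: group=req name=distinguished_name.
    dn = req.get("distinguished_name")
    if dn is None:
        problems.append("[req] lacks distinguished_name")
    elif dn not in conf:
        problems.append(f"[{dn}] named by distinguished_name is not defined")
    # Section references: req_extensions = name, and any value written as @name.
    refs = [req["req_extensions"]] if "req_extensions" in req else []
    refs += [v[1:] for sec in conf.values() for v in sec.values() if v.startswith("@")]
    problems += [f"referenced section [{r}] is not defined" for r in refs if r not in conf]
    # Wildcard rule from the comment: at most one "*", and only in the leftmost label.
    names = [v for sec in conf.values() for k, v in sec.items() if k.startswith("DNS.")]
    bad = [n for n in names if n.count("*") > 1 or "*" in n.partition(".")[2]]
    return problems + [f"invalid wildcard name {n}" for n in bad]

if __name__ == "__main__":
    print("\n".join(lint_req_conf(QUESTION_CONF)))
```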