Errors issuing ACME cert

lc10239

Dabbler
Joined
Jan 5, 2022
Messages
12
Hello,
I have a fresh install of TrueNAS Core 12.0U8. I've set up the AWS Route53 authenticator, created a CSR for a registered / hosted zone (which the authenticator has access to), and tried to issue the certificate.

I can see the TXT record get created in my zone (if I delete the _acme_challenge record, it gets recreated), but the TrueNAS ACME client errors out during issuance with "Error [authenticator] Not an integer." Full error trace at bottom.

The CSR was for an RSA 4096 / SHA256 cert with CN as the FQDN (server1.domain.com), and a single SAN (DNS: server2.domain.com).

Any thoughts on why this might happen?

Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/job.py", line 367, in run
    await self.future
  File "/usr/local/lib/python3.9/site-packages/middlewared/job.py", line 403, in __run_body
    rv = await self.method(*([self] + args))
  File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 975, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/crypto.py", line 1709, in do_create
    data = await self.middleware.run_in_thread(
  File "/usr/local/lib/python3.9/site-packages/middlewared/utils/run_in_thread.py", line 10, in run_in_thread
    return await self.loop.run_in_executor(self.run_in_thread_executor, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.9/concurrent/futures/thread.py", line 52, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 979, in nf
    return f(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/crypto.py", line 1757, in __create_acme_certificate
    final_order = self.acme_issue_certificate(job, 25, data, csr_data)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/crypto.py", line 1398, in acme_issue_certificate
    self.handle_authorizations(job, progress, order, dns_mapping_copy, acme_client, key)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/crypto.py", line 1434, in handle_authorizations
    self.middleware.call_sync(
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1283, in call_sync
    return methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 978, in nf
    args, kwargs = clean_and_validate_args(args, kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 932, in clean_and_validate_args
    value = attr.clean(args[args_index + i])
  File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 607, in clean
    data[key] = attr.clean(value)
  File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 403, in clean
    raise Error(self.name, 'Not an integer')
middlewared.schema.Error: [authenticator] Not an integer
 

lc10239

It appears that the issue may be due to the lack of basic constraints, key usage, and extended key usage.

After validating the credentials, selecting basic constraints ("Critical"), Key usage ("Digital Signature", "Key Encipherment", "Critical"), and Extended Key Usage ("Client auth", "Server auth"), the certificate issues.