From eaf4b62ba94bcb51edeabf84d2f055d2b9c59dde Mon Sep 17 00:00:00 2001
From: neil
Date: Wed, 6 May 2026 20:47:25 +0200
Subject: [PATCH] fix for ari

---
 acme.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/acme.sh b/acme.sh
index bee84471..df11e6f3 100755
--- a/acme.sh
+++ b/acme.sh
@@ -6884,6 +6884,16 @@ _getARICertID() {
   _debug2 "_aki" "$_aki"
   _debug2 "_ser" "$_ser"
 
+  # RFC 9773 Section 4.1 requires the DER-encoded INTEGER value bytes of
+  # serialNumber. When the high bit of the first byte is set (>= 0x80) DER
+  # prepends a 0x00 sign byte to keep the integer positive; openssl's hex
+  # output strips that, so add it back. Boulder (LE) accepts either form,
+  # but Sectigo (ZeroSSL) is strict and rejects newOrder with HTTP 401
+  # "replaces field does not identify a certificate" if the byte is missing.
+  case "$_ser" in
+  [89aAbBcCdDeEfF]*) _ser="00$_ser" ;;
+  esac
+
   _akiurl="$(echo "$_aki" | _h2b | _base64 | _url_replace)"
   _debug2 "_akiurl" "$_akiurl"
   _serurl="$(echo "$_ser" | _h2b | _base64 | _url_replace)"
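Review bot: The context line `_debug2 "_ser" "$_ser"` above the new `case` now logs the serial before the sign byte is prepended, so the debug trace no longer shows the value that actually flows into `_serurl` below; when a CA rejects the `replaces` field, the logged serial and the one sent will differ by the leading `00`. Add `_debug2 "_ser (sign-padded)" "$_ser"` after `esac`, or move the existing debug line below the `case`. The first-character test reads the high bit of the top byte correctly only if `$_ser` is even-length hex with no separators, which holds for openssl's `-serial` style output but is not visible in this hunk; a one-line comment on the `case` such as `# assumes even-length hex with no separators; first nibble >= 8 means the high bit is set` would record that assumption. `_getARICertID` begins and ends outside the hunk.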