500 Error signing certificate


#1

I’m using the API via a script written by someone else, because replacing private keys causes problems with HPKP. The script is available here:

I’m trying to request two certificates, one with an ECDSA private key and another with an RSA private key. There are around 70 SANs on the certificate. I get the following error back from the live server:

Signing certificate...
Traceback (most recent call last):
  File "./acme_tiny.py", line 198, in
    main(sys.argv[1:])
  File "./acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "./acme_tiny.py", line 161, in get_crt
    raise ValueError("Error signing certificate: {0} {1}".format(code, result))
ValueError: Error signing certificate: 500 {"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}

However, the staging server successfully issues the certificate, although not correctly signed, of course. Can anyone help me work out what’s wrong?


#2

Are you using a custom CSR?


#3

It’s a known issue on the CA side which will hopefully be fixed soon; sorry for the inconvenience.

In the meantime, your certificate likely was issued successfully (!), and if so, you can download a copy of it by searching for your site on https://crt.sh/ (although then our software can’t help you install it on your system).


#4

Since you’re using acme-tiny, I guess having our software install for you shouldn’t be a problem.

Would you want to use our Python client if it were easy to keep using the same private key? I have an issue tracked to provide a convenient option for that (most of the code is already written). Note that the 500 error is on the server side and is unrelated to which software you use; it wouldn’t go away if you switched to our Python client.


#5

I’d love to use the official Python client, but I have a couple of concerns about it.

  1. As far as I can see, there are only two opportunities to renew a certificate before it expires, which doesn’t seem robust. Ideally I’d like a job to run once a day to check for certificates heading towards expiry, and attempt to renew them if they breach a certain threshold. The official client doesn’t do this, as far as I’m aware - if you run it more often than once a month, you hit rate limits.
  2. A change in private key causes problems for HPKP, which for us is an unacceptable state of affairs.
  3. We have a relatively large number of sites under a single domain, which I need to keep under the same certificate using SANs in order to avoid hitting rate limits, and I’m unclear from the documentation whether this would be the case using the official client.
  4. We use both ECDSA and RSA certificates running side-by-side, in order to allow the majority of clients to use ECDHE_ECDSA cipher suites and provide ECDHE_RSA or even plain RSA cipher suites for backward compatibility. I’m struggling to work out how to accomplish this with the official client.

If those four concerns could be fixed, or if they already have been and I’m just missing something, that would be great and I’d move to using the official client.

It turns out that my certificates were indeed issued (twice each, no less), which is going to cause me a problem trying to get them issued for our QA and production environments. But I have at least got these up and running in our development environment, which is great.


#6

  1. The renew mode in the official client will renew certs with under 30 days remaining, so can be run in a weekly or daily cron job.

  2. You can use a custom CSR with the --csr flag. Or pin the intermediates or root certs instead of your leafs.

  3. Use multiple -d flags for additional SANs.

  4. There isn’t an option to generate EC certs yet. But they can be used with a custom CSR.
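The daily expiry check from #5 and the 30-day renew threshold from #6, combined with the HPKP concern of keeping the same key, as an added example script that is not from the thread, acme-tiny or the official client. It assumes `openssl` is on PATH; every file path and the renewal command are supplied by the caller.

```sh
#!/bin/sh
# Daily cron check for a certificate issued from a custom CSR (e.g. via acme-tiny).
# Added example; assumes openssl is on PATH and paths are passed in by the caller.
set -eu

# Renew when fewer than this many days remain, as the official client's renew mode does.
THRESHOLD_DAYS=30

# needs_renewal CERT.pem -> exit 0 if the cert expires within THRESHOLD_DAYS
needs_renewal() {
    # -checkend exits non-zero when the cert will expire within the given number of seconds
    if openssl x509 -in "$1" -noout -checkend $(( THRESHOLD_DAYS * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# spki_pin cert|csr|key FILE -> base64(sha256(DER SubjectPublicKeyInfo)),
# the value an HPKP pin-sha256 directive carries. Works for RSA and ECDSA keys alike.
spki_pin() {
    case "$1" in cert|csr|key) ;; *) echo "spki_pin: unknown kind $1" >&2; return 2 ;; esac
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        csr)  openssl req  -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        key)  openssl pkey -in "$2" -pubout -outform DER ;;
    esac | openssl dgst -sha256 -binary | openssl base64
}

# renew_if_due CERT.pem REQUEST.csr COMMAND... -> runs COMMAND only when the cert is due
# AND the CSR carries the same public key as the deployed cert, so the pinned SPKI
# hash stays valid. Exit 0 when nothing is due, 2 when the CSR key differs.
renew_if_due() {
    cert=$1; csr=$2; shift 2
    if ! needs_renewal "$cert"; then
        echo "$cert: more than $THRESHOLD_DAYS days left, nothing to do"
        return 0
    fi
    if [ "$(spki_pin cert "$cert")" != "$(spki_pin csr "$csr")" ]; then
        echo "$cert: CSR public key differs from the deployed cert, refusing to renew" >&2
        return 2
    fi
    "$@"
}

# Illustrative cron invocation (paths are placeholders):
# renew_if_due /etc/ssl/site.crt /etc/ssl/site.csr \
#     python acme_tiny.py --account-key /etc/ssl/account.key --csr /etc/ssl/site.csr \
#         --acme-dir /var/www/challenges > /etc/ssl/site.crt.new
```

Run the same check once per key type (RSA and ECDSA certificates are separate CSR/cert pairs), and compare `spki_pin cert` against the pins you actually serve before each deploy.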