I want to create a certificate with the acme.sh script for my domain on CentOS 7.
My domain is: "update.gerqwertyuiopasdfghjklzxcvbnmgerqwertyuiopasdfghjklzxcvbnm.site"
When I tried the command below, I got the error mentioned below:
[root@artemis-art ~]# ~/.acme.sh/acme.sh --issue -d update.gerqwertyuiopasdfghjklzxcvbnmgerqwertyuiopasdfghjklzxcvbnm.site --standalone
[Sat Nov 2 14:30:34 +0330 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Nov 2 14:30:34 +0330 2024] Standalone mode.
[Sat Nov 2 14:30:34 +0330 2024] Single domain='update.gerqwertyuiopasdfghjklzxcvbnmgerqwertyuiopasdfghjklzxcvbnm.site'
40D714598C7F0000:error:06800097:asn1 encoding routines:(unknown function):string too long:crypto/asn1/a_mbstr.c:106:maxsize=64
req: Error adding subject name attribute "/CN=update.gerqwertyuiopasdfghjklzxcvbnmgerqwertyuiopasdfghjklzxcvbnm.site"
[Sat Nov 2 14:30:34 +0330 2024] Error creating CSR.
[Sat Nov 2 14:30:34 +0330 2024] Please check log file for more details: /root/.acme.sh/acme.sh.log
What does that error (string too long) mean, and how can I fix it?
Your hostname is longer than 64 characters, which is the maximum length of the "CommonName" (CN) in a certificate.
For Let's Encrypt this isn't an issue, because they'll just not use the CN (which is perfectly allowed, the CN is deprecated anyway), but apparently acme.sh does not check the length of the hostname it wants to use as a CN.
Please report this as a bug to acme.sh if it hasn't been reported already.
To fix this without this being fixed in acme.sh, you could also include gerqwertyuiopasdfghjklzxcvbnmgerqwertyuiopasdfghjklzxcvbnm.site as the first (not sure if that's a requirement for it to be first, but better be safe than sorry) hostname, as that hostname is 63 characters long and should be allowed in the CN.
By the way, you already have a wildcard cert (crt.sh | 15148773180) issued a few days ago, why not use that one?
I've already mentioned that there's a bug in acme.sh that needs to be addressed if you want to issue certs for hostnames of that length. Or use a different ACME client, like Certbot.
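The length check and the "shorter hostname first" workaround from the answer above, as an added example (not code from acme.sh or from the posters). It assumes acme.sh takes the first `-d` hostname as the CN; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for the 64-character CommonName limit
# (the "maxsize=64" in the OpenSSL error). Function names are hypothetical.
CN_MAX=64

# fits_cn NAME: succeeds if NAME is short enough to be used as a CN.
fits_cn() {
    [ "${#1}" -le "$CN_MAX" ]
}

# order_for_cn NAME...: prints the names one per line, with the first name
# that fits in a CN moved to the front. Fails if no name fits.
order_for_cn() {
    first=""
    for n in "$@"; do
        if fits_cn "$n"; then first=$n; break; fi
    done
    [ -n "$first" ] || return 1
    printf '%s\n' "$first"
    for n in "$@"; do
        [ "$n" = "$first" ] || printf '%s\n' "$n"
    done
}

# acme_domain_args NAME...: prints "-d a -d b ..." in CN-safe order.
# Assumption: the first -d hostname is the one placed in the CN.
acme_domain_args() {
    names=$(order_for_cn "$@") || {
        echo "no hostname of $CN_MAX characters or fewer available for the CN" >&2
        return 1
    }
    out=""
    for n in $names; do out="$out -d $n"; done   # hostnames contain no spaces
    printf '%s\n' "${out# }"
}

# Usage:
#   ~/.acme.sh/acme.sh --issue $(acme_domain_args "$@") --standalone
```

Every hostname passed in still ends up on the certificate as a SAN, so each one must resolve to the server for standalone validation to succeed.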