ASN.1 Syntax Error: Trailing Data on valid CSR?

I have a CSR generated using openssl 1.1.0 for a fairly simple request - two names, as a normal SAN certificate. All the CSR validators claim it is valid, and it seems to contain the right data.

When I attempt to use the ZeroSSL LE client to request a certificate, I get this error (which I think is coming from LE):

Error requesting certificate: Error parsing certificate request: asn1: syntax error: trailing data

I’m generating the CSR using this openssl command:

OpenSSL req -config PDConSec.cfg -new -sha256 -key PDConSec.KEY -out PDConSec.CRT -batch -subj "/CN=www.pdconsec.net"

There’s a corresponding configuration file SiteAlias.cfg:

[req]
req_extensions = req_ext
distinguished_name = dn
[ dn ]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1=www.pdconsec.net
DNS.2=pdconsec.net

It generates a CSR that validates on Comodo, Symantec etc. Is there something special I need to do to openssl to get it to generate “cleaner” output? I would have thought OpenSSL was basically the gold standard for most things SSL/certificate-based.

The only items I found in multiple Google searches were about changes to a Go code file, in which a change was merged to be strict about trailing data even though it’s not a security risk. I can’t see how that would affect this, but … you never know.

Suggestions on a fix are very welcome.

Edit: It seems that if I invert the order of the two names the CSR is accepted (so the last two lines of the CFG file are as follows):

DNS.1=pdconsec.net
DNS.2=www.pdconsec.net

This would seem to be functionally identical other than the order of the SANs. I’m not … horribly upset, but I’d really like to know what is going wrong so I don’t have to debug this in a hurry in six months time.

Edit 2: I don’t understand - some CSRs with a single name work, others with a single name fail. One with four names works with the www name first, but three others with only www.site.net and site.net do not unless I order them with the www name second. I don’t really even know what to look for, now.

Hi @DavidRawling,

Could you post an example of a CSR that validates and an example of one that fails to validate?

Hi Schoen

I’ve generated a test key using:

C:\OpenSSL-Win64\bin\openssl.exe genrsa -out PDConSec-Test.Key 2048

Here’s a failing sequence:

OpenSSL configuration PDConSec-Test1.cfg:

[req]
req_extensions = req_ext
distinguished_name = dn
[ dn ]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1=www.pdconsec.net
DNS.2=pdconsec.net

CSR generation:

C:\OpenSSL-Win64\bin\openssl.exe req -config .\PDConSec-Test1.cfg -new -sha256 -key .\PDConSec-Test.Key -out .\PDConSec-Test1.csr -batch -subj "/CN=www.pdconsec.net"

Resulting CSR (Fails ASN.1 validation for trailing data):

-----BEGIN CERTIFICATE REQUEST-----
MIICnDCCAYQCAQAwGzEZMBcGA1UEAwwQd3d3LnBkY29uc2VjLm5ldDCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANGp6Qa/2h5fqDCmpx4pYqqfClNwGKlF
fwAVt3b5hfAf8XNx/+ikeDnvGXaip/1SeJKJfI+hftATqQTHW3uBiYdtpQRHRgS2
jqdVXmSYb4LwO4w3dLPafIgOD79Ey/6Cm4+zqAvmYJdip4Sx/Wy8AWMUQ4MYQnjI
Yuuj7xHFBjVDmKoeLCrcyBL6BlSBSeREpghUHAmRDJCR4fH4vQdfKORiACcH2HKe
DDN4qXk1dRvCV9UOpuzfwUIySCCU98dRx4BRYiQ84v/Buc5laEfiIU2PyKjs23x5
HYantOzZKLGtm1J2E60SNu8jNn0nsxfL4nHGWZC3NJpc4hGGRTm1RsECAwEAAaA8
MDoGCSqGSIb3DQEJDjEtMCswKQYDVR0RBCIwIIIQd3d3LnBkY29uc2VjLm5ldIIM
cGRjb25zZWMubmV0MA0GCSqGSIb3DQEBCwUAA4IBAQCCsplnfz/kwbAhlRpahr1I
IUajguvq8JJruVrjx7rkhOZ+gAXIRBDUDDhDYN9ae9qFIAgetiq/GcyOWbLHcinT
qeGpuBhDhdbzT/SzGFX4rui0/KmZc1TEndZnN2y/EjJDlzgYmiVgFd0Qj70EStzu
+SuNu/ugqa6otTqS+LFVncYNshEvLK+dF0ucIjSp4zRGaaCCCH14ZoT3B6qs5pzc
e/kkpYH/iujLamfBk3CIoCcnc+xz7Gp7mnfbRBwmrLqho9vBvhuewy453CJlp+JT
dgCnNDloLeFYXKaKXsCis169stiq/ZQ6WTMX96smz4K5TAS3YSXXSeqKqJ4jTppJ
-----END CERTIFICATE REQUEST-----

And the validated set follows.

OpenSSL configuration PDConSec-Test2.cfg:

[req]
req_extensions = req_ext
distinguished_name = dn
[ dn ]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1=pdconsec.net
DNS.2=www.pdconsec.net

CSR generation:

C:\OpenSSL-Win64\bin\openssl.exe req -config .\PDConSec-Test2.cfg -new -sha256 -key .\PDConSec-Test.Key -out .\PDConSec-Test2.csr -batch -subj "/CN=pdconsec.net"

Resulting CSR:

-----BEGIN CERTIFICATE REQUEST-----
[CSR body omitted from the page]
-----END CERTIFICATE REQUEST-----
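The "asn1: syntax error: trailing data" message means the parser finished the outer DER SEQUENCE of the CSR and still had bytes left over. The check below is an added example, not code from the thread or from the ZeroSSL client: it decodes the failing Test1 CSR posted above (copied from this post), reads the outer SEQUENCE length from the DER header, and reports any bytes after it. It also tolerates the kinds of Windows file artifacts (CRLF line endings, a UTF-8 BOM) that can survive a naive PEM-to-DER conversion, and the constructed cases at the end append a CRLF and a NUL byte to the DER to show what a parser would reject. The helper names (`pem_to_der`, `der_tlv_length`, `trailing_bytes`, `check_csr`) are mine.

```python
import base64
import re

# The failing CSR exactly as posted in this thread (PDConSec-Test1.csr).
TEST1_CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICnDCCAYQCAQAwGzEZMBcGA1UEAwwQd3d3LnBkY29uc2VjLm5ldDCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANGp6Qa/2h5fqDCmpx4pYqqfClNwGKlF
fwAVt3b5hfAf8XNx/+ikeDnvGXaip/1SeJKJfI+hftATqQTHW3uBiYdtpQRHRgS2
jqdVXmSYb4LwO4w3dLPafIgOD79Ey/6Cm4+zqAvmYJdip4Sx/Wy8AWMUQ4MYQnjI
Yuuj7xHFBjVDmKoeLCrcyBL6BlSBSeREpghUHAmRDJCR4fH4vQdfKORiACcH2HKe
DDN4qXk1dRvCV9UOpuzfwUIySCCU98dRx4BRYiQ84v/Buc5laEfiIU2PyKjs23x5
HYantOzZKLGtm1J2E60SNu8jNn0nsxfL4nHGWZC3NJpc4hGGRTm1RsECAwEAAaA8
MDoGCSqGSIb3DQEJDjEtMCswKQYDVR0RBCIwIIIQd3d3LnBkY29uc2VjLm5ldIIM
cGRjb25zZWMubmV0MA0GCSqGSIb3DQEBCwUAA4IBAQCCsplnfz/kwbAhlRpahr1I
IUajguvq8JJruVrjx7rkhOZ+gAXIRBDUDDhDYN9ae9qFIAgetiq/GcyOWbLHcinT
qeGpuBhDhdbzT/SzGFX4rui0/KmZc1TEndZnN2y/EjJDlzgYmiVgFd0Qj70EStzu
+SuNu/ugqa6otTqS+LFVncYNshEvLK+dF0ucIjSp4zRGaaCCCH14ZoT3B6qs5pzc
e/kkpYH/iujLamfBk3CIoCcnc+xz7Gp7mnfbRBwmrLqho9vBvhuewy453CJlp+JT
dgCnNDloLeFYXKaKXsCis169stiq/ZQ6WTMX96smz4K5TAS3YSXXSeqKqJ4jTppJ
-----END CERTIFICATE REQUEST-----
"""

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-----",
    re.S,
)


def pem_to_der(pem: bytes) -> bytes:
    """Extract and decode the base64 body of a CSR PEM block.

    Strips a UTF-8 BOM and ignores CRLF/LF line endings and stray whitespace,
    so a file saved by a Windows tool decodes the same as a Unix one.
    """
    if pem.startswith(b"\xef\xbb\xbf"):
        pem = pem[3:]
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE REQUEST PEM block found")
    body = re.sub(rb"\s+", b"", match.group(1))
    return base64.b64decode(body, validate=True)


def der_tlv_length(der: bytes) -> int:
    """Total size (tag + length octets + content) of the outer DER SEQUENCE."""
    if len(der) < 2:
        raise ValueError("DER too short")
    if der[0] != 0x30:
        raise ValueError("outer element is not a SEQUENCE (tag 0x%02x)" % der[0])
    first = der[1]
    if first < 0x80:            # short form: length fits in one octet
        return 2 + first
    n = first & 0x7F            # long form: next n octets hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def trailing_bytes(der: bytes) -> bytes:
    """Bytes after the outer SEQUENCE; a strict ASN.1 parser rejects any."""
    total = der_tlv_length(der)
    if total > len(der):
        raise ValueError("truncated: SEQUENCE claims %d bytes, %d present" % (total, len(der)))
    return der[total:]


def check_csr(pem: bytes) -> dict:
    """Summarise what a strict parser would see for one PEM-encoded CSR."""
    der = pem_to_der(pem)
    return {"der_len": len(der), "seq_len": der_tlv_length(der), "trailing": trailing_bytes(der)}


if __name__ == "__main__":
    der = pem_to_der(TEST1_CSR_PEM.encode())
    print("posted CSR:", check_csr(TEST1_CSR_PEM.encode()))
    # Constructed cases: the same DER with a CRLF or a NUL byte appended,
    # the kind of leftover a careless conversion step can introduce.
    for suffix in (b"\r\n", b"\x00"):
        print("with %r appended: trailing=%r" % (suffix, trailing_bytes(der + suffix)))
```

Run against the posted CSR, the outer SEQUENCE header (30 82 02 9c) declares 668 content bytes, the decoded DER is exactly 672 bytes long and nothing trails it, which matches the thread's eventual conclusion that the CSR itself was fine and the client's conversion step was at fault. The same DER with even two extra bytes appended is what produces the "trailing data" error.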

Thanks for posting this, I’ll have a look. I believe the online ZeroSSL client should have no problems with this CSR, and letting LE.pl/LE.exe create a CSR based on your [domain] key (or the key generated for you by the client itself) should also work fine, but it would be good to get to the root cause of this anyway.

P.S. I believe I might know what might be happening in this case. Just to double-check, could you send me a few examples of non-working CSRs exactly the way they are stored? I’ll pm the email.

Thanks @leader, I’ve sent those to the email address in your PM. Luckily, I can regenerate them (since my script cleaned them up by default).

This should now be resolved - “a curious case” of CSRs produced with [some] external tools on Windows, and the way those were converted. Thanks for flagging that, it allowed me to replace one dependency with code that should read those (and also some malformed) CSRs. The change will go to CPAN with v0.25, but it is already included in the Windows binaries of the 0.24 release.


Looks good - all the certs I had left to renew were successfully renewed. Sorry for conflating the two potential sources of issue together - looks like it was definitely a ZeroSSL problem, now fixed.

I’m glad @leader was able to take a look and figure this out!
