ASN1 error when using CSR

I’m trying to issue a certificate using an existing private key (because key-pinning). I’ve generated the following CSR using openssl:

$ openssl req -new -sha256 -key private/example.org.key -out www.example.org-letsnencrypt.csr
[filled with only basic info]

$ openssl req -text -noout -verify -in /etc/ssl/www.example.org-letsencrypt.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=BR, O=example.org, CN=www.example.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         [...]

Result

Running with virtualenv: sudo /home/boppreh/.local/share/letsencrypt/bin/letsencrypt --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth --csr /etc/ssl/www.example.org-letsencrypt.csr
An unexpected error occurred.
Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error')]
Please see the logfiles in /var/log/letsencrypt for more details.

Stacktrace from logs:

2015-10-27 02:04:22,257:ERROR:letsencrypt.crypto_util:[('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error')]
Traceback (most recent call last):
  File "/home/boppreh/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/crypto_util.py", line 225, in _get_sans_from_cert_or_req
    cert_or_req = load_func(typ, cert_or_req_str)
  File "/home/boppreh/.local/share/letsencrypt/lib/python2.7/site-packages/OpenSSL/crypto.py", line 2380, in load_certificate_request
    _raise_current_error()
  File "/home/boppreh/.local/share/letsencrypt/lib/python2.7/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error')]

Am I missing something in the CSR creation? Because OpenSSL can read the file just fine and other CAs have accepted similar CSRs with the exact same structure.

Yes I had the same trouble with it. You have to add the san/sni certificate extension into the csr. Then you need to convert it into the der format. If you need further information how to do this, write back and i send it to you as soon as I am on my PC

Thanks Knight, I got it working. Here’s how:

1. Add the SubjectAltName extension configuration at the end of /etc/ssl/openssl.cnf

    [SAN]
    subjectAltName=DNS:example.com,DNS:www.example.com
   

2. Create the CSR using the SAN extension and DER format

    $ openssl req -new -sha256 -key private/example.com.key -subj "/C=BR/CN=example.com" -reqexts SAN -out www.example.com.csr -outform der
   

3. Run the LetsEncrypt client passing the CSR

    $ ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth --csr www.example.com.csr

I’ve also figured out a way to do it with a one-liner (yay, ephemeral handles!):

openssl req -new -key domain.tld.pem -nodes -sha512 -subj "/CN=domain.tld" -reqexts SAN -out domain.tld.csr.der -outform der -config <(
cat <<-EOF
[req]
distinguished_name = dn
[dn]
[SAN]
subjectAltName=DNS:domain.tld,DNS:www.domain.tld
EOF
)

UPD: an even better option which just appends SAN to your default OpenSSL config (from https://github.com/diafygi/letsencrypt-nosudo)

openssl req -new -key domain.tld.key -nodes -sha512 -subj "/CN=domain.tld" -reqexts SAN -out domain.tld.csr.der -outform der -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:domain.tld,DNS:www.domain.tld"))