ASN1 error when using CSR


I’m trying to issue a certificate using an existing private key (because key-pinning). I’ve generated the following CSR using openssl:

$ openssl req -new -sha256 -key private/ -out
[filled with only basic info]

$ openssl req -text -noout -verify -in /etc/ssl/
Certificate Request:
        Version: 0 (0x0)
        Subject: C=BR,,
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption


Running with virtualenv: sudo /home/boppreh/.local/share/letsencrypt/bin/letsencrypt --agree-dev-preview --server auth --csr /etc/ssl/
An unexpected error occurred.
Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error')]
Please see the logfiles in /var/log/letsencrypt for more details.

Stacktrace from logs:

2015-10-27 02:04:22,257:ERROR:letsencrypt.crypto_util:[('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error')]
Traceback (most recent call last):
  File "/home/boppreh/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/", line 225, in _get_sans_from_cert_or_req
    cert_or_req = load_func(typ, cert_or_req_str)
  File "/home/boppreh/.local/share/letsencrypt/lib/python2.7/site-packages/OpenSSL/", line 2380, in load_certificate_request
  File "/home/boppreh/.local/share/letsencrypt/lib/python2.7/site-packages/OpenSSL/", line 48, in exception_from_error_queue
    raise exception_type(errors)
Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error')]

Am I missing something in the CSR creation? Because OpenSSL can read the file just fine and other CAs have accepted similar CSRs with the exact same structure.


Yes, I had the same trouble with it. You have to add the SAN/SNI certificate extension into the CSR. Then you need to convert it into the DER format. If you need further information on how to do this, write back and I will send it to you as soon as I am on my PC.


Thanks Knight, I got it working. Here’s how:

  1. Add the SubjectAltName extension configuration at the end of /etc/ssl/openssl.cnf

  2. Create the CSR using the SAN extension and DER format

     $ openssl req -new -sha256 -key private/ -subj "/C=BR/" -reqexts SAN -out -outform der

  3. Run the LetsEncrypt client passing the CSR

     $ ./letsencrypt-auto --agree-dev-preview --server auth --csr


I’ve also figured out a way to do it with a one-liner (yay, ephemeral handles!):

openssl req -new -key domain.tld.pem -nodes -sha512 -subj "/CN=domain.tld" -reqexts SAN -out domain.tld.csr.der -outform der -config <(
cat <<-EOF
distinguished_name = dn

UPD: an even better option which just appends SAN to your default OpenSSL config (from

openssl req -new -key domain.tld.key -nodes -sha512 -subj "/CN=domain.tld" -reqexts SAN -out domain.tld.csr.der -outform der -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:domain.tld,DNS:www.domain.tld"))
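
A preflight check for the two requirements identified in the replies above (DER encoding and a subjectAltName extension), as an added example that is not part of the original thread or of the letsencrypt client. It uses only the Python standard library; the function names are hypothetical, and the sample input is a constructed CSR-shaped DER skeleton, not a real request.

```python
import base64
import re

SAN_OID = bytes.fromhex("551d11")  # OID 2.5.29.17 (subjectAltName), value bytes

def tlvs(buf):
    """Yield (tag, value) per DER TLV in buf (single-byte tags, as CSRs use)."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated DER")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the count of length bytes
            end = pos + (length & 0x7F)
            length, pos = int.from_bytes(buf[pos:end], "big"), end
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[pos:pos + length]
        pos += length

def san_dns_names(der):
    """Recursively find the subjectAltName extension; return its dNSName entries."""
    items = list(tlvs(der))
    for i, (tag, value) in enumerate(items):
        if tag == 0x06 and value == SAN_OID:
            octets = next((v for t, v in items[i + 1:] if t == 0x04), b"")
            [(_, general_names)] = tlvs(octets)  # extnValue wraps one SEQUENCE
            return [v.decode("ascii") for t, v in tlvs(general_names) if t == 0x82]
        if tag & 0x20 and (found := san_dns_names(value)):  # constructed: descend
            return found
    return []

def check_csr(data):
    """Return (encoding, dns_names) for the raw bytes of a CSR file."""
    pem = re.search(rb"-----BEGIN [A-Z ]+-----(.+?)-----END [A-Z ]+-----", data, re.S)
    der = base64.b64decode(pem.group(1)) if pem else data
    if der[:1] != b"\x30":  # DER starts with SEQUENCE (0x30); PEM text with '-' (0x2d)
        raise ValueError("not a DER SEQUENCE")
    return ("pem" if pem else "der"), san_dns_names(der)

def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length, body < 128 bytes

def sample_csr_skeleton():
    """Constructed, CSR-shaped DER (no subject, key or signature) with a SAN."""
    names = tlv(0x82, b"domain.tld") + tlv(0x82, b"www.domain.tld")
    ext = tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, tlv(0x30, names)))
    attr = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01090e")) + tlv(0x31, tlv(0x30, ext)))
    return tlv(0x30, tlv(0x30, b"\x02\x01\x00" + tlv(0xA0, attr)))
```

Calling `check_csr(open(path, "rb").read())` on the file before passing it to `--csr` reports `"pem"` or an empty name list for the two conditions the thread resolves.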