ASN1 error when using CSR


#1

I’m trying to issue a certificate using an existing private key (because key-pinning). I’ve generated the following CSR using openssl:

$ openssl req -new -sha256 -key private/4mm.org.key -out www.4mm.org-letsnencrypt.csr
[filled with only basic info]

$ openssl req -text -noout -verify -in /etc/ssl/www.4mm.org-letsencrypt.csr
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=BR, O=4mm.org, CN=www.4mm.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha256WithRSAEncryption
         [...]

Result

Running with virtualenv: sudo /home/boppreh/.local/share/letsencrypt/bin/letsencrypt --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth --csr /etc/ssl/www.4mm.org-letsencrypt.csr
An unexpected error occurred.
Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error')]
Please see the logfiles in /var/log/letsencrypt for more details.

Stacktrace from logs:

2015-10-27 02:04:22,257:ERROR:letsencrypt.crypto_util:[('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error')]
Traceback (most recent call last):
  File "/home/boppreh/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/crypto_util.py", line 225, in _get_sans_from_cert_or_req
    cert_or_req = load_func(typ, cert_or_req_str)
  File "/home/boppreh/.local/share/letsencrypt/lib/python2.7/site-packages/OpenSSL/crypto.py", line 2380, in load_certificate_request
    _raise_current_error()
  File "/home/boppreh/.local/share/letsencrypt/lib/python2.7/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error')]

Am I missing something in the CSR creation? Because OpenSSL can read the file just fine and other CAs have accepted similar CSRs with the exact same structure.


#2

Yes, I had the same trouble with it. You have to add the SAN/SNI certificate extension into the CSR. Then you need to convert it into the DER format. If you need further information on how to do this, write back and I will send it to you as soon as I am on my PC :smile:


#3

Thanks Knight, I got it working. Here’s how:

  1. Add the SubjectAltName extension configuration at the end of /etc/ssl/openssl.cnf

     [SAN]
     subjectAltName=DNS:example.com,DNS:www.example.com
    
  2. Create the CSR using the SAN extension and DER format

     $ openssl req -new -sha256 -key private/example.com.key -subj "/C=BR/CN=example.com" -reqexts SAN -out www.example.com.csr -outform der
    
  3. Run the LetsEncrypt client passing the CSR

     $ ./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth --csr www.example.com.csr

#4

I’ve also figured out a way to do it with a one-liner (yay, ephemeral handles!):

openssl req -new -key domain.tld.pem -nodes -sha512 -subj "/CN=domain.tld" -reqexts SAN -out domain.tld.csr.der -outform der -config <(
cat <<-EOF
[req]
distinguished_name = dn
[dn]
[SAN]
subjectAltName=DNS:domain.tld,DNS:www.domain.tld
EOF
)

UPD: an even better option which just appends SAN to your default OpenSSL config (from https://github.com/diafygi/letsencrypt-nosudo)

openssl req -new -key domain.tld.key -nodes -sha512 -subj "/CN=domain.tld" -reqexts SAN -out domain.tld.csr.der -outform der -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:domain.tld,DNS:www.domain.tld"))
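A small check for the two things the fixes in #3 and #4 address, added here as an example and not code from any poster or from the letsencrypt client: whether a CSR file is still PEM-armoured (a DER loader then sees the first byte `-` instead of the SEQUENCE tag 0x30, which is exactly the "wrong tag" error in #1) and whether its attributes carry a subjectAltName inside an extensionRequest (the `a0:00` in #1 means no attributes at all). The CSR-shaped DER it builds is constructed with a dummy key and signature purely to exercise the parser; it is not a real request.

```python
import base64
SAN_OID = bytes.fromhex("551d11")                  # 2.5.29.17 subjectAltName
EXT_REQ_OID = bytes.fromhex("2a864886f70d01090e")  # 1.2.840.113549.1.9.14 extensionRequest

def enc(tag, *parts):  # minimal DER TLV encoder (short and long-form lengths)
    body = b"".join(parts)
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def children(value):  # yield (tag, value) for each DER TLV directly inside a constructed value
    pos = 0
    while pos < len(value):
        tag, ln, pos = value[pos], value[pos + 1], pos + 2
        if ln & 0x80:                              # long-form length
            n = ln & 0x7F
            ln, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        yield tag, value[pos:pos + ln]
        pos += ln

def csr_problems(data: bytes) -> list:  # reasons a CSR fails a DER-only, SAN-requiring client
    issues = []
    if data.lstrip().startswith(b"-----BEGIN"):   # first byte 0x2d, not SEQUENCE 0x30 -> 'wrong tag'
        issues.append("PEM armour present; client expects DER")
        data = base64.b64decode(b"".join(data.strip().splitlines()[1:-1]))
    outer = list(children(data))
    if len(outer) != 1 or outer[0][0] != 0x30:
        return issues + ["top level is not a single SEQUENCE"]
    info = next(children(outer[0][1]))[1]           # certificationRequestInfo
    attrs = b"".join(v for t, v in children(info) if t == 0xA0)  # [0] attributes (a0:00 = none)
    san = any(oid == EXT_REQ_OID and enc(0x06, SAN_OID) in vals   # Attribute { OID, SET { exts } }
              for oid, vals in ([v for _, v in children(a)] for _, a in children(attrs)))
    return issues + ([] if san else ["no subjectAltName in extensionRequest attribute"])

def make_csr(san_hosts=()) -> bytes:  # CONSTRUCTED CSR-shaped DER, dummy key and signature
    cn = enc(0x30, enc(0x31, enc(0x30, enc(0x06, bytes.fromhex("550403")), enc(0x0C, b"example.com"))))
    spki = enc(0x30, enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d010101")), enc(0x05)),
               enc(0x03, b"\x00" + b"\x42" * 32))   # rsaEncryption with a dummy key BIT STRING
    attrs = b""
    if san_hosts:                                   # GeneralNames made of dNSName [2] entries
        names = enc(0x30, *[enc(0x82, h.encode()) for h in san_hosts])
        ext = enc(0x30, enc(0x06, SAN_OID), enc(0x04, names))
        attrs = enc(0x30, enc(0x06, EXT_REQ_OID), enc(0x31, enc(0x30, ext)))
    info = enc(0x30, enc(0x02, b"\x00"), cn, spki, enc(0xA0, attrs))
    sig_alg = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d01010b")), enc(0x05))  # sha256WithRSA
    return enc(0x30, info, sig_alg, enc(0x03, b"\x00" * 33))   # dummy signature BIT STRING

def to_pem(der: bytes) -> bytes:  # wrap DER in the PEM armour openssl emits by default
    return b"-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE REQUEST-----\n"
```

Run `csr_problems(open("www.example.com.csr", "rb").read())` on the file produced in #3 or #4 and it should return an empty list; the PEM CSR from #1 returns both issues.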