AssertionError: Authorizations list is empty


#1

Hi,

I'm having problems getting letsencrypt to sign a CSR, which I generated on a system that has no webserver running.

The CSR was generated using:
root@server:~/sslCA# openssl req -new -sha256 -nodes -subj '/C=NL/ST=Utrecht/L=Amersfoort/O=domain B.V./CN=webmail.domain.nl/emailAddress=postmaster@domain.nl/subjectAltName=DNS:webmail.domain.nl' -out csr/webmail.domain.nl.csr -outform der -keyout private/webmail.domain.nl.key -config /etc/ssl/openssl.cnf
Generating a 2048 bit RSA private key
...+++
...+++
writing new private key to 'private/webmail.domain.nl.key'

Next I wanted to have LetsEncrypt issue the certificate using:

root@server:~/sslCA# cd …
root@server:~# cd
root@server:~# cd letsencrypt/
root@server:~/letsencrypt# ./letsencrypt-auto certonly --standalone --csr /root/sslCA/csr/webmail.domain.nl.csr
Updating letsencrypt and virtual environment dependencies…
Requesting root privileges to run with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt certonly --standalone --csr /root/sslCA/csr/webmail.domain.nl.csr
An unexpected error occurred:
AssertionError: Authorizations list is empty
Please see the logfiles in /var/log/letsencrypt for more details.

The /var/log/letsencrypt logfile shows:

2016-02-01 20:49:38,046:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-02-01 20:49:38,046:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-02-01 20:49:38,046:DEBUG:letsencrypt.cli:letsencrypt version: 0.3.0
2016-02-01 20:49:38,046:DEBUG:letsencrypt.cli:Arguments: ['--standalone', '--csr', '/root/sslCA/csr/webmail.domain.nl.csr']
2016-02-01 20:49:38,046:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-02-01 20:49:38,049:DEBUG:letsencrypt.cli:Requested authenticator standalone and installer None
2016-02-01 20:49:38,174:DEBUG:letsencrypt.display.ops:Single candidate plugin: * standalone
Description: Automatically use a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = letsencrypt.plugins.standalone:Authenticator
Initialized: <letsencrypt.plugins.standalone.Authenticator object at 0x7f0b940f8f90>
Prep: True
2016-02-01 20:49:38,175:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.standalone.Authenticator object at 0x7f0b940f8f90> and installer None
2016-02-01 20:49:38,188:DEBUG:letsencrypt.cli:Picked account: <Account(27acacb22542d89b6d08b08d1ed076f8)>
2016-02-01 20:49:38,189:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-02-01 20:49:38,193:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-02-01 20:49:38,815:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 263
2016-02-01 20:49:38,816:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '263', 'Expires': 'Mon, 01 Feb 2016 20:49:31 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Mon, 01 Feb 2016 20:49:31 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'mOz1wSDrApI5B78OKOD3nAnk-ljv9ktmP2fYBXWUJhU'}. Content: '{"new-authz":"https://acme-v01.api.letsencrypt.org/acme/new-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.letsencrypt.org/acme/revoke-cert"}'
2016-02-01 20:49:38,817:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '263', 'Expires': 'Mon, 01 Feb 2016 20:49:31 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Mon, 01 Feb 2016 20:49:31 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'mOz1wSDrApI5B78OKOD3nAnk-ljv9ktmP2fYBXWUJhU'}): '{"new-authz":"https://acme-v01.api.letsencrypt.org/acme/new-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.letsencrypt.org/acme/revoke-cert"}'
2016-02-01 20:49:38,817:DEBUG:letsencrypt.client:CSR: CSR(file=’/root/sslCA/csr/webmail.domain.nl.csr’, data=‘0\x82\x03\x010\x82\x01\xe9\x02\x01\x000\x81\xbb1\x0b0\t\x06\x03U\x04\x06\x13\x02NL1\x100\x0e\x06\x03U\x04\x08\x0c\x07Utrecht1\x130\x11\x06\x03U\x04\x07\x0c\nAmersfoort1\x180\x16\x06\x03U\x04\n\x0c\x0fdomain B.V.1\x1e0\x1c\x06\x03U\x04\x03\x0c\x15webmail.domain.nl1’0%\x06\t*\x86H\x86\xf7\r\x01\t\x01\x16\x18postmaster@domain.nl1"0 \x06\x03U\x1d\x11\x0c\x19DNS:webmail.domain.nl0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xc0\x18\xe9\x02\xaak$\x19k\xeb\xdd\xcd\xd4\x0e,\xfeM\x01\xe8\xaf\x8et]%\x00\xe2\x8a\xe5\xec{#\xaa\x12\x15!\x05E;|\xe9\xd2xjA\x96\xbfds\xc0\xf2\x10\xa2\xea>\xfb\xc1\x81\x11\xe1\x8e#\xf5;q)\xe3\x88\x8b\x14M\x16\x18s/\xdb\xa8\xad\x0c\x0f\xe011\xa9\xd36\xba\xa8\x9f\x8f\xcdP&T\x12\x100i\xcb|\x11\x9dw,pw\xad\xd5\xd1\xe4\xc5\xfft\x8c+hR4Lc\x8dmG\xb4\xa7^\xe7!\x8b\x10\xd2\x83<\xbbJ[YVm\x1b\xf3\x85\xc4\x82 =\x03\x02@0\xcc\xda{>\x86\xe1\xcb\x92f,\xf7g\xe3\x19\x08\x00\xe5\x9b\xc2\x91P\x9b+x\x96L\x0c\x15\xa9\xb4\xaaX\xf7\xe7\x16+\xcc\x9bs\x94\x8d\x9dH\xf8jk\x86"&\xe1\xea[\xe2}\xb4od\xc8/s\x13\x97i\x94 \xd0\xb4\x84"T+\x1d3\x95iWe\\x13B\xb8\xcb\xbb\x9dR(\xca\xef\xe3G\xe4\xa7\xfe\xb7\xb3\xba\x89z\xb0>1\x82X\xea\x8d\x02\x03\x01\x00\x01\xa0\x000\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00S\xc3o\x90\x8c\xff\xb9\x99#’\xfc\xa7\xa8\x1e\x16t\xe8\xc0:$\x0c\xe6\xc8C\xe9h\x9e\xff\xd0\xf2K|L!/\x0e\xb1:c\x0b(\x9d\xbe\xe7\xb7\x1b\xac\xa7|\xaa\xbe\xc4\xbe\x93/\x97\x88\xf8\x1a\x8fM\x18A\x87\x16\x8b\x9e\x1f8\xea\xeb\x7f\x9f\xa5z\x91\x84\x93\x83\x10\xae\xd4\xa5r\xa2\x00\x18\xb4\xd9\xb2M\x15>\x9dq\x92J\x05\x96\x8bfY\x1d\xf7\xf2v\xb8\xd5s\xf0z\xf08p\xce\\xd6~FU\xf2\xf8\x03\xec@\x7f\xc4\xf38\x0f}\xa8F\xcdhD\xaa\xed\xa17a\xeb\xc2e\xa4yZ\x1e\x04\x07xEb\xadv7Z\xc9\x1d\x1e\xdf\x9cvV\xce 
\xe8\xda\xb04+\x1eE\x15\xe7\x9bo\x19\x80\xc1\xa2g\xd0\xc1\xca\xc3\x81\x01\xe3\x8b\xef\xc0\xc5e\xd1!\x93QD/%\xa3rZb\x13\xf1S,e\x835Y\x0b\x04)\x18L!\x1b\x8b28\x9b\x04\xfa\xbcQ\x05\xe4\x9f\xde\xe6\M\xd25s\\xfd\xfaZ\xe5\xd7\xf6]\xdc+\xfb=(\xae$\x9f\xdfw’, form=‘der’), domains: []
2016-02-01 20:49:38,818:INFO:letsencrypt.auth_handler:Performing the following challenges:
2016-02-01 20:49:38,818:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1454, in main
    return args.func(args, config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 633, in obtain_cert
    file=args.csr[0], data=args.csr[1], form="der"))
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 245, in obtain_certificate_from_csr
    csr.data, OpenSSL.crypto.FILETYPE_ASN1), csr)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 228, in _obtain_certificate
    authzr)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 300, in request_issuance
    assert authzrs, "Authorizations list is empty"
AssertionError: Authorizations list is empty

I have searched, and this error seems to indicate a problem with a missing SAN, but as you can see I generated the CSR with both a CN and a SAN, both containing the domain name.

Any help appreciated.


#2

You can't pass the subjectAltName to openssl on the command line that way. To see what happened, type:

openssl req -noout -text -in csr/webmail.domain.nl.csr -inform der

You will see that the subjectAltName was interpreted as part of the Subject.

The simplest solution is to add it to openssl.cnf instead. If you must pass it from the command line, you can do so using this technique.
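The config-file approach described in this reply, as an added example that is not part of the original thread: a minimal request config with a `req_extensions` section puts the SAN into the CSR's extension request rather than into the Subject, and a check function confirms that via the same `openssl req -noout -text` dump (the domain name and directory are constructed placeholders; openssl is assumed to be on PATH).

```shell
#!/bin/sh
# Added example (not from the thread): generate a CSR whose subjectAltName is a real
# X.509v3 extension request, then verify it the way the reply suggests.
set -e

# Write a minimal openssl config carrying the DN and a v3_req section with the SAN,
# then create key + DER CSR from it (no -subj needed, so nothing lands in the Subject).
make_csr() {
    domain="$1"
    workdir="$2"
    mkdir -p "$workdir"
    cat > "$workdir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
C  = NL
ST = Utrecht
L  = Amersfoort
O  = Example B.V.
CN = $domain

[ v3_req ]
subjectAltName = DNS:$domain
EOF
    openssl req -new -sha256 -nodes -newkey rsa:2048 \
        -config "$workdir/req.cnf" \
        -keyout "$workdir/$domain.key" \
        -out "$workdir/$domain.csr" -outform der 2>/dev/null
}

# Check a DER CSR: the SAN must show up under "Requested Extensions" with the expected
# DNS name, and "subjectAltName" must NOT appear in the Subject line (the mistake that
# left the client with an empty domain list in the thread).
check_csr() {
    text=$(openssl req -noout -text -in "$1" -inform der)
    printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name' || return 1
    printf '%s\n' "$text" | grep -q "DNS:$2" || return 1
    if printf '%s\n' "$text" | grep 'Subject:' | grep -q 'subjectAltName'; then
        return 1
    fi
    return 0
}
```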


#3

Thanks! I managed to get the right CSR now (checked by dumping the csr using openssl req) and the error is now gone. However, another error is introduced ;-):

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: webmail.domain.nl
    Type: urn:acme:error:unauthorized
    Detail: Correct zName not found for TLS SNI challenge. Found ''


#4

This seems to be a fairly common problem - my impression is that it’s often due to an existing self-signed cert for the wrong domain name, though tbh I don’t see how that would affect the standalone authenticator. Maybe the CSR is preventing the tls-sni-01 challenge from working correctly? Perhaps try

--standalone-supported-challenges http-01

to use the http-01 challenge instead?