Bug in ssl4free prevent use of CSR

My domain is: e-nexus.de

I ran this command:

It produced this output:
Certificate signature failed. If you supplied your own CSR make sure the domains on it match what you put on SSLForFree. If there is a rate limiting error at the end of this paragraph certificates per Domain is currently 5 per 7 days. Try asking Lets Encrypt to increase the limit or wait 7 days. Rate limits should increase in the near future. { “type”: “urn:ietf:params:acme:error:badPublicKey”, “detail”: “Error finalizing order :: invalid public key in CSR: error checking blocklist for key: \u0026{{18111848663142005571178770624881214696591339256823507023544605891411707081617152319519180201250440615163700426054396403795303435564101919053459832890139496933938670005799610981765220283775567361483662648340339405220348871308593627647076689407931875483406244310337925809427432681864623551598136302441690546585427193224254314088256212718983105131138772434658820375111735710449331518776858786793875865418124429269409118756812841019074631004956409706877081612616347900606555802111224022921017725537417047242635829949739109274666495826205002104010355456981211025738812433088757102520562459649777989718122219159982614304359 19689526866605154788513693571065914024068069442724893395618704484701 2859278237642201956931085611015389087970918161297522023542900348087718063098423976428252369340967506010054236052095950169272612831491902295835660747775572934757474194739347115870723217560530672532404847508798651915566434553729839971841903983916294692452760249019857108409189016993380919900231322610083060784269299257074905043636029708121288037909739559605347853174853410208334242027740275688698461842637641566056165699733710043802697192696426360843173620679214131951400148855611740858610821913573088059404459364892373027492936037789337011875710759208498486908611261954026964574111219599568903257472567764789616958430} 13708884834655530397676506653173405555394812073443875272547390643438895423336604601253605619088649939928016231827347450149276236007324918902630135687214308805395163459853017623730111143665317967249154015554291981831721825133634978099863836402587971520327608955283357580703191620825174565898258824741358927705280607697038018628631987146872264723046311902284927765264379773883241464216145365565073374771897925119972686917063519230365982498050912958533087740677326641022473818382538666688717432565184365429559778836645450871914868590377163373826447854768381257416916643600145770267244671698121699549704404454467361381802}”, “status”: 400 }

My web server is (include version): generic tomcat

The operating system my web server runs on is (include version): its implementation detail I wont offer to public.

My hosting provider, if applicable, is: its implementation detail I wont offer to public.

I can login to a root shell on my machine (yes or no, or I don’t know): its implementation detail I wont offer to public.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): its implementation detail I wont offer to public.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I do not use certbot.

Description: I used a CSR to create a certificate having multiple SANs. Since the CSR is only parsed maleformated (CSR classically have -----BEGIN NEW CERTIFICATE REQUEST----- in first line and -----END NEW CERTIFICATE REQUEST----- as last line what is well-formated) due to a bug in the language go, the CSR is rejected, no certificate is created but the domains are added to a blocklist and rejected during a second try (rejected by line https://github.com/letsencrypt/boulder/blob/master/goodkey/good_key.go#L85 ).

Please

  1. Remove the domains from the blocklist
  2. Fix the maleformated-only CSR parsing
  3. Do not add domains to the blocklist if no certificate is generated
1 Like

In order to better understand the problem, and as a CSR file is essentially a public document, please post the CSR file used here.
[CSR files contain no private information]

1 Like

The blocked keys list is (currently) statically defined during the runtime of Boulder. Nothing you do can alter its state.

I don’t think that there is a PEM-parsing bug.

We can see that the CSR was already at least parsed through the PEM form, because the raw bigint values of the public key are reported. Only way to get here is if we already went from PEM -> DER -> ASN.1 -> struct representation.

I agree with @rg305 , could you post the CSR please (or a different throwaway one)?

2 Likes

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIFFzCCBMMCAQAwaDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0G
A1UEBxMGQmVybGluMRMwEQYDVQQKEwpDb3JlU3RydWN0MQwwCgYDVQQLEwNDRU8x
FDASBgNVBAMTC1BldGVyIFJhZGVyMIIDQjCCAjUGByqGSM44BAEwggIoAoIBAQCP
eTXZuarpv6vtiHrPSVG28y7FnjuvNxjo6sSWHz79NgbnQ1GpxBgzObgJ58KuHFOb
p0dbhdARrbi0eYd1SYRpXKwOjxSzNggooi/6JxEKPWKpk0U0CaD+aWxGWPhL3SCB
nDcJoBBXsZWtzQAjPbpUhLYpH51kjviDRIZ3l5zsBLQ0pqwudemYXeI9sCkvwRGM
n/qdgYHnM423krcw17njSVkvaAmYchU5Feo9a4tGU8YzRY+AOzKkwuDycpAlbk4/
ijsIOKHEUOThjBopo33fXqFD3ktm/wSQPtXPFiPhWNSHxgjpfyEc2B3KI8tuOAdl
+CLjQr5ITAV2OTlgHNZnAh0AuvaWpoV499/e5/pnyXfHhe8ysjO65YDAvNVpXQKC
AQAWplxYIEhQcE51AqOXVwQNNNo6NHjBVNTkpcAtJC7gT5bmHkvQkEq9rI837rHg
nzGC0jyQQ8tkL4gAQWDt+coJsyB2p5wypifyRz6Rh5uixOdEvSCBVEy1W4AsNo0f
qD7UielOD6BojjJCilx4xHjGjQUntxyaOrsLC+EsRGiWOefTznTbEBplqiuH9kxo
Jts+xy9LVZmDS7TtsC98kOmkltOlXVNb6/xF1PYZ9j897buHOSXC8iTgdzEpbaiH
7B5HSPh++1/et1SEMWsiMt7lU92vAhErDR8C2jCXMiT+J67ai51LKSLZuovjntnh
A6Y8UoELxoi34u1DFuHvF9veA4IBBQACggEAbJhkqioCEvNeXBSocItf/dvWJ1WQ
RlVj/3y537p+TQROxP2ohzYROKKHo2nAmjVEcOLaf+5lwy50Jtc88xu3sGnLWWs4
/ErON4kRoj4+qqySXi2al40p+ysbZ5Tpib7y19Tg2IcAbpoakdDSKobtdkQGlVuN
x2SKs2AjtBx5VRwaXN63ifxJXs55zGKE5AgiiohBuJzsOIEs4cnC55DeTwOHbLJY
BPoI7vPjubgDLUxQkihZFXNjriy8EGbA5mGfYxifany0rsLcy4nZ84sd4WhJZGhl
Lfw6skxlUl+J0Ad/tSbDgL/m4yDZt9xCD2nQDbdzANDOqM3HurTdegUdqqCCAQww
ggEIBgkqhkiG9w0BCQ4xgfowgfcwgdUGA1UdEQSBzTCByoIIYXphaWcuZGWCCmUt
bmV4dXMuZGWCDGdlZ2VuLWFrdy5kZYITcmVsZWFzZS1tYW5hZ2VyLmNvbYILc290
YWNtcy5jb22CEXZlY3RvcnB1Ymxpc2gubmV0ggx3d3cuYXphaWcuZGWCDnd3dy5l
LW5leHVzLmRlghB3d3cuZ2VnZW4tYWt3LmRlghd3d3cucmVsZWFzZS1tYW5hZ2Vy
LmNvbYIPd3d3LnNvdGFjbXMuY29tghV3d3cudmVjdG9ycHVibGlzaC5uZXQwHQYD
VR0OBBYEFKRDhUrJQ1mUQj4c73J71MEeahPgMA0GCWCGSAFlAwQDAgUAAz8AMDwC
HGbg4f7J+0aZbuUMgVNDtt9lvPbayQ6YCsMP2k8CHFNCSZ5xhX4RVplqp8hE8J9Z
uZKuLqIh4Cl9Fek=
-----END NEW CERTIFICATE REQUEST-----

PEM

-----BEGIN CERTIFICATE REQUEST-----
MIIFFzCCBMMCAQAwaDELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVy
bGluMRMwEQYDVQQKEwpDb3JlU3RydWN0MQwwCgYDVQQLEwNDRU8xFDASBgNVBAMTC1BldGVyIFJh
ZGVyMIIDQjCCAjUGByqGSM44BAEwggIoAoIBAQCPeTXZuarpv6vtiHrPSVG28y7FnjuvNxjo6sSW
Hz79NgbnQ1GpxBgzObgJ58KuHFObp0dbhdARrbi0eYd1SYRpXKwOjxSzNggooi/6JxEKPWKpk0U0
CaD+aWxGWPhL3SCBnDcJoBBXsZWtzQAjPbpUhLYpH51kjviDRIZ3l5zsBLQ0pqwudemYXeI9sCkv
wRGMn/qdgYHnM423krcw17njSVkvaAmYchU5Feo9a4tGU8YzRY+AOzKkwuDycpAlbk4/ijsIOKHE
UOThjBopo33fXqFD3ktm/wSQPtXPFiPhWNSHxgjpfyEc2B3KI8tuOAdl+CLjQr5ITAV2OTlgHNZn
Ah0AuvaWpoV499/e5/pnyXfHhe8ysjO65YDAvNVpXQKCAQAWplxYIEhQcE51AqOXVwQNNNo6NHjB
VNTkpcAtJC7gT5bmHkvQkEq9rI837rHgnzGC0jyQQ8tkL4gAQWDt+coJsyB2p5wypifyRz6Rh5ui
xOdEvSCBVEy1W4AsNo0fqD7UielOD6BojjJCilx4xHjGjQUntxyaOrsLC+EsRGiWOefTznTbEBpl
qiuH9kxoJts+xy9LVZmDS7TtsC98kOmkltOlXVNb6/xF1PYZ9j897buHOSXC8iTgdzEpbaiH7B5H
SPh++1/et1SEMWsiMt7lU92vAhErDR8C2jCXMiT+J67ai51LKSLZuovjntnhA6Y8UoELxoi34u1D
FuHvF9veA4IBBQACggEAbJhkqioCEvNeXBSocItf/dvWJ1WQRlVj/3y537p+TQROxP2ohzYROKKH
o2nAmjVEcOLaf+5lwy50Jtc88xu3sGnLWWs4/ErON4kRoj4+qqySXi2al40p+ysbZ5Tpib7y19Tg
2IcAbpoakdDSKobtdkQGlVuNx2SKs2AjtBx5VRwaXN63ifxJXs55zGKE5AgiiohBuJzsOIEs4cnC
55DeTwOHbLJYBPoI7vPjubgDLUxQkihZFXNjriy8EGbA5mGfYxifany0rsLcy4nZ84sd4WhJZGhl
Lfw6skxlUl+J0Ad/tSbDgL/m4yDZt9xCD2nQDbdzANDOqM3HurTdegUdqqCCAQwwggEIBgkqhkiG
9w0BCQ4xgfowgfcwgdUGA1UdEQSBzTCByoIIYXphaWcuZGWCCmUtbmV4dXMuZGWCDGdlZ2VuLWFr
dy5kZYITcmVsZWFzZS1tYW5hZ2VyLmNvbYILc290YWNtcy5jb22CEXZlY3RvcnB1Ymxpc2gubmV0
ggx3d3cuYXphaWcuZGWCDnd3dy5lLW5leHVzLmRlghB3d3cuZ2VnZW4tYWt3LmRlghd3d3cucmVs
ZWFzZS1tYW5hZ2VyLmNvbYIPd3d3LnNvdGFjbXMuY29tghV3d3cudmVjdG9ycHVibGlzaC5uZXQw
HQYDVR0OBBYEFKRDhUrJQ1mUQj4c73J71MEeahPgMA0GCWCGSAFlAwQDAgUAAz8AMDwCHGbg4f7J
+0aZbuUMgVNDtt9lvPbayQ6YCsMP2k8CHFNCSZ5xhX4RVplqp8hE8J9ZuZKuLqIh4Cl9Fek=
-----END CERTIFICATE REQUEST-----

ASN1

SEQUENCE
{
    SEQUENCE
    {
        INTEGER=0
        SEQUENCE
        {
            SET
            {
                SEQUENCE
                {
                    OBJECT IDENTIFIER=CountryName (2.5.4.6)
                    PRINTABLE STRING='DE'
                }
            }
            SET
            {
                SEQUENCE
                {
                    OBJECT IDENTIFIER=StateOrProvinceName (2.5.4.8)
                    PRINTABLE STRING='Berlin'
                }
            }
            SET
            {
                SEQUENCE
                {
                    OBJECT IDENTIFIER=LocalityName (2.5.4.7)
                    PRINTABLE STRING='Berlin'
                }
            }
            SET
            {
                SEQUENCE
                {
                    OBJECT IDENTIFIER=OrganizationName (2.5.4.10)
                    PRINTABLE STRING='CoreStruct'
                }
            }
            SET
            {
                SEQUENCE
                {
                    OBJECT IDENTIFIER=OrganizationalUnitName (2.5.4.11)
                    PRINTABLE STRING='CEO'
                }
            }
            SET
            {
                SEQUENCE
                {
                    OBJECT IDENTIFIER=CommonName (2.5.4.3)
                    PRINTABLE STRING='Peter Rader'
                }
            }
        }
        SEQUENCE
        {
            SEQUENCE
            {
                OBJECT IDENTIFIER=Dsa (1.2.840.10040.4.1)
                SEQUENCE
                {
                    INTEGER=
                        00 8F 79 35 D9 B9 AA E9   ..y5Ù¹ªé
                        BF AB ED 88 7A CF 49 51   ¿«í.zÏIQ
                        B6 F3 2E C5 9E 3B AF 37   ¶ó.Å.;¯7
                        18 E8 EA C4 96 1F 3E FD   .èêÄ..>ý
                        36 06 E7 43 51 A9 C4 18   6.çCQ©Ä.
                        33 39 B8 09 E7 C2 AE 1C   39¸.ç®.
                        53 9B A7 47 5B 85 D0 11   S.§G[.Ð.
                        AD B8 B4 79 87 75 49 84   ­¸´y.uI.
                        69 5C AC 0E 8F 14 B3 36   i\¬...³6
                        08 28 A2 2F FA 27 11 0A   .(¢/ú'..
                        3D 62 A9 93 45 34 09 A0   =b©.E4. 
                        FE 69 6C 46 58 F8 4B DD   þilFXøKÝ
                        20 81 9C 37 09 A0 10 57    ..7. .W
                        B1 95 AD CD 00 23 3D BA   ±.­Í.#=º
                        54 84 B6 29 1F 9D 64 8E   T.¶)..d.
                        F8 83 44 86 77 97 9C EC   ø.D.w..ì
                        04 B4 34 A6 AC 2E 75 E9   .´4¦¬.ué
                        98 5D E2 3D B0 29 2F C1   .]â=°)/Á
                        11 8C 9F FA 9D 81 81 E7   ...ú...ç
                        33 8D B7 92 B7 30 D7 B9   3.·.·0×¹
                        E3 49 59 2F 68 09 98 72   ãIY/h..r
                        15 39 15 EA 3D 6B 8B 46   .9.ê=k.F
                        53 C6 33 45 8F 80 3B 32   SÆ3E..;2
                        A4 C2 E0 F2 72 90 25 6E   ¤Âàòr.%n
                        4E 3F 8A 3B 08 38 A1 C4   N?.;.8¡Ä
                        50 E4 E1 8C 1A 29 A3 7D   Päá..)£}
                        DF 5E A1 43 DE 4B 66 FF   ß^¡CÞKfÿ
                        04 90 3E D5 CF 16 23 E1   ..>ÕÏ.#á
                        58 D4 87 C6 08 E9 7F 21   XÔ.Æ.é.!
                        1C D8 1D CA 23 CB 6E 38   .Ø.Ê#Ën8
                        07 65 F8 22 E3 42 BE 48   .eø"ãB¾H
                        4C 05 76 39 39 60 1C D6   L.v99`.Ö
                        67                        g
                    INTEGER=
                        00 BA F6 96 A6 85 78 F7   .ºö.¦.x÷
                        DF DE E7 FA 67 C9 77 C7   ßÞçúgÉwÇ
                        85 EF 32 B2 33 BA E5 80   .ï2²3ºå.
                        C0 BC D5 69 5D            À¼Õi]
                    INTEGER=
                        16 A6 5C 58 20 48 50 70   .¦\X HPp
                        4E 75 02 A3 97 57 04 0D   Nu.£.W..
                        34 DA 3A 34 78 C1 54 D4   4Ú:4xÁTÔ
                        E4 A5 C0 2D 24 2E E0 4F   ä¥À-$.àO
                        96 E6 1E 4B D0 90 4A BD   .æ.KÐ.J½
                        AC 8F 37 EE B1 E0 9F 31   ¬.7î±à.1
                        82 D2 3C 90 43 CB 64 2F   .Ò<.CËd/
                        88 00 41 60 ED F9 CA 09   ..A`íùÊ.
                        B3 20 76 A7 9C 32 A6 27   ³ v§.2¦'
                        F2 47 3E 91 87 9B A2 C4   òG>...¢Ä
                        E7 44 BD 20 81 54 4C B5   çD½ .TLµ
                        5B 80 2C 36 8D 1F A8 3E   [.,6..¨>
                        D4 89 E9 4E 0F A0 68 8E   Ô.éN. h.
                        32 42 8A 5C 78 C4 78 C6   2B.\xÄxÆ
                        8D 05 27 B7 1C 9A 3A BB   ..'·..:»
                        0B 0B E1 2C 44 68 96 39   ..á,Dh.9
                        E7 D3 CE 74 DB 10 1A 65   çÓÎtÛ..e
                        AA 2B 87 F6 4C 68 26 DB   ª+.öLh&Û
                        3E C7 2F 4B 55 99 83 4B   >Ç/KU..K
                        B4 ED B0 2F 7C 90 E9 A4   ´í°/|.é¤
                        96 D3 A5 5D 53 5B EB FC   .Ó¥]S[ëü
                        45 D4 F6 19 F6 3F 3D ED   EÔö.ö?=í
                        BB 87 39 25 C2 F2 24 E0   ».9%Âò$à
                        77 31 29 6D A8 87 EC 1E   w1)m¨.ì.
                        47 48 F8 7E FB 5F DE B7   GHø~û_Þ·
                        54 84 31 6B 22 32 DE E5   T.1k"2Þå
                        53 DD AF 02 11 2B 0D 1F   Sݯ..+..
                        02 DA 30 97 32 24 FE 27   .Ú0.2$þ'
                        AE DA 8B 9D 4B 29 22 D9   ®Ú..K)"Ù
                        BA 8B E3 9E D9 E1 03 A6   º.ã.Ùá.¦
                        3C 52 81 0B C6 88 B7 E2   <R..Æ.·â
                        ED 43 16 E1 EF 17 DB DE   íC.áï.ÛÞ
                }
            }
            BIT STRING, encapsulates:
                INTEGER=
                    6C 98 64 AA 2A 02 12 F3   l.dª*..ó
                    5E 5C 14 A8 70 8B 5F FD   ^\.¨p._ý
                    DB D6 27 55 90 46 55 63   ÛÖ'U.FUc
                    FF 7C B9 DF BA 7E 4D 04   ÿ|¹ßº~M.
                    4E C4 FD A8 87 36 11 38   NÄý¨.6.8
                    A2 87 A3 69 C0 9A 35 44   ¢.£iÀ.5D
                    70 E2 DA 7F EE 65 C3 2E   pâÚ.îeÃ.
                    74 26 D7 3C F3 1B B7 B0   t&×<ó.·°
                    69 CB 59 6B 38 FC 4A CE   iËYk8üJÎ
                    37 89 11 A2 3E 3E AA AC   7..¢>>ª¬
                    92 5E 2D 9A 97 8D 29 FB   .^-...)û
                    2B 1B 67 94 E9 89 BE F2   +.g.é.¾ò
                    D7 D4 E0 D8 87 00 6E 9A   ×ÔàØ..n.
                    1A 91 D0 D2 2A 86 ED 76   ..ÐÒ*.ív
                    44 06 95 5B 8D C7 64 8A   D..[.Çd.
                    B3 60 23 B4 1C 79 55 1C   ³`#´.yU.
                    1A 5C DE B7 89 FC 49 5E   .\Þ·.üI^
                    CE 79 CC 62 84 E4 08 22   ÎyÌb.ä."
                    8A 88 41 B8 9C EC 38 81   ..A¸.ì8.
                    2C E1 C9 C2 E7 90 DE 4F   ,áÉÂç.ÞO
                    03 87 6C B2 58 04 FA 08   ..l²X.ú.
                    EE F3 E3 B9 B8 03 2D 4C   îó㹸.-L
                    50 92 28 59 15 73 63 AE   P.(Y.sc®
                    2C BC 10 66 C0 E6 61 9F   ,¼.fÀæa.
                    63 18 9F 6A 7C B4 AE C2   c..j|´®Â
                    DC CB 89 D9 F3 8B 1D E1   ÜË.Ùó..á
                    68 49 64 68 65 2D FC 3A   hIdhe-ü:
                    B2 4C 65 52 5F 89 D0 07   ²LeR_.Ð.
                    7F B5 26 C3 80 BF E6 E3   .µ&Ã.¿æã
                    20 D9 B7 DC 42 0F 69 D0    Ù·ÜB.iÐ
                    0D B7 73 00 D0 CE A8 CD   .·s.ÐΨÍ
                    C7 BA B4 DD 7A 05 1D AA   Ǻ´Ýz..ª

        }
        TAGGED [0]:
            SEQUENCE
            {
                OBJECT IDENTIFIER=ExtensionRequest (1.2.840.113549.1.9.14)
                SET
                {
                    SEQUENCE
                    {
                        SEQUENCE
                        {
                            OBJECT IDENTIFIER=SubjectAltName (2.5.29.17)
                            OCTET STRING, encapsulates:
                                SEQUENCE
                                {
                                    TAGGED [2] IMPLICIT :
                                        OCTET STRING=
                                            61 7A 61 69 67 2E 64 65   azaig.de
                                    TAGGED [2] IMPLICIT :
                                        OCTET STRING=
                                            65 2D 6E 65 78 75 73 2E   e-nexus.
                                            64 65                     de
                                    TAGGED [2] IMPLICIT :
                                        OCTET STRING=
                                            67 65 67 65 6E 2D 61 6B   gegen-ak
                                            77 2E 64 65               w.de
                                    TAGGED [2] IMPLICIT :
                                        OCTET STRING=
                                            72 65 6C 65 61 73 65 2D   release-
                                            6D 61 6E 61 67 65 72 2E   manager.
                                            63 6F 6D                  com
                                    TAGGED [2] IMPLICIT :
                                        OCTET STRING=
                                            73 6F 74 61 63 6D 73 2E   sotacms.
                                            63 6F 6D                  com
                                    TAGGED [2] IMPLICIT :
                                        OCTET STRING=
                                            76 65 63 74 6F 72 70 75   vectorpu
                                            62 6C 69 73 68 2E 6E 65   blish.ne
                                            74                        t
                                    TAGGED [2] IMPLICIT :
                                        OCTET STRING=
                                            77 77 77 2E 61 7A 61 69   www.azai
                                            67 2E 64 65               g.de
                                    TAGGED [2] IMPLICIT :
                                        OCTET STRING=
                                            77 77 77 2E 65 2D 6E 65   www.e-ne
                                            78 75 73 2E 64 65         xus.de
                                    TAGGED [2] IMPLICIT :
                                        OCTET STRING=
                                            77 77 77 2E 67 65 67 65   www.gege
                                            6E 2D 61 6B 77 2E 64 65   n-akw.de
                                    TAGGED [2] IMPLICIT :
                                        OCTET STRING=
                                            77 77 77 2E 72 65 6C 65   www.rele
                                            61 73 65 2D 6D 61 6E 61   ase-mana
                                            67 65 72 2E 63 6F 6D      ger.com
                                    TAGGED [2] IMPLICIT :
                                        OCTET STRING=
                                            77 77 77 2E 73 6F 74 61   www.sota
                                            63 6D 73 2E 63 6F 6D      cms.com
                                    TAGGED [2] IMPLICIT :
                                        OCTET STRING=
                                            77 77 77 2E 76 65 63 74   www.vect
                                            6F 72 70 75 62 6C 69 73   orpublis
                                            68 2E 6E 65 74            h.net
                                }

                        }
                        SEQUENCE
                        {
                            OBJECT IDENTIFIER=SubjectKeyIdentifier (2.5.29.14)
                            OCTET STRING, encapsulates:
                                OCTET STRING=
                                    A4 43 85 4A C9 43 59 94   ¤C.JÉCY.
                                    42 3E 1C EF 72 7B D4 C1   B>.ïr{ÔÁ
                                    1E 6A 13 E0               .j.à

                        }
                    }
                }
            }
    }
    SEQUENCE
    {
        OBJECT IDENTIFIER=DsaWithSha256 (2.16.840.1.101.3.4.3.2)
        NULL
    }
    BIT STRING, encapsulates:
        SEQUENCE
        {
            INTEGER=
                66 E0 E1 FE C9 FB 46 99   fàáþÉûF.
                6E E5 0C 81 53 43 B6 DF   nå..SC¶ß
                65 BC F6 DA C9 0E 98 0A   e¼öÚÉ...
                C3 0F DA 4F               Ã.ÚO
            INTEGER=
                53 42 49 9E 71 85 7E 11   SBI.q.~.
                56 99 6A A7 C8 44 F0 9F   V.j§ÈDð.
                59 B9 92 AE 2E A2 21 E0   Y¹.®.¢!à
                29 7D 15 E9               )}.é
        }

}
1 Like

Hi,

I think the issue might be your CSR’s common name section.
I believe when Let’s Encrypt and other CAs check for Domain certificates, they are expecting Common Name and SAN lists to contain only valid hostnames. You have a name in your common name, which isn’t accepted for Domain certificates. (Might be acceptable for S/MIME or other signing certificates?)

https://knowledge.digicert.com/solution/SO7239.html

TL;DR Your CSR is indeed malformed. You need to have a FQDN in your CSR CN (Common Name) section.

Thank you

Thanks.

You can’t use DSA keys with Let’s Encrypt.

You can find the acceptable public key parameters in Let’s Encrypt’s CPS: https://letsencrypt.org/documents/isrg-cps-v2.7/#dv-ssl-end-entity-certificate

e: I’ve filed https://github.com/letsencrypt/boulder/issues/4728 to improve the error message.

2 Likes

The current state

  1. Remove the domains from the blocklist [WONTFIX]
  2. Fix the maleformated-only CSR parsing [NOT_A_BUG]
  3. Do not add domains to the blocklist if no certificate is generated [REMAINS_OPEN]

Is that correct?

Furthermore I do like to add a feature-request:

  1. Improve documentation: If you check “I have CSR” a message appear telling “Make sure your CSR has all the domains specified above otherwise it will only make the SSL certificate with the domains specified in the CSR.”. This message means nothing to people who know what a CSR contains. It is good for people who have no experience with CSR like Managers and innocent people. I do like to suggest an additional phrase:

Please check the CSR to have your SubjectPublicKey matches our DV-SSL End Entity Certificate requirements.

Another problem occoured.

CSR is invalid. Make sure to disable all extensions but SAN on your CSR as any other extensions are not supported. Full error: { “type”: “urn:ietf:params:acme:error:malformed”, “detail”: “Error parsing certificate request: asn1: structure error: tags don’t match (16 vs {class:0 tag:4 length:65 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:\u003cnil\u003e tag:\u003cnil\u003e stringType:0 timeType:0 set:false omitEmpty:false} certificateRequest @2”, “status”: 400 }

The CSR is

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIFnjCCA4YCAQAwazELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0G
A1UEBxMGQmVybGluMRMwEQYDVQQKEwplLW5leHVzLmRlMQwwCgYDVQQLEwNDVE8x
FzAVBgNVBAMTDnd3dy5lLW5leHVzLmRlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
MIICCgKCAgEAwgVGg9DyQC3lS3/qF64zcKNi40EZnjye6wNvbJot+9QmmWgIAQWp
MzP2O6xTs8e4XRm2XyNNBRe4Q1mgtO/fVAnuQ87MFmkr3FwGNCaxDmo7s88lzaXV
K863eOFZ8x7kREyOKN3BPM+/1znOtkUgaM0t+vr2HSS72uUGN0WF+8jYz0ES8gU1
GYdpcHMSo3FnaE/H7MCmLXT/Dskp5ggklRoitexLNzpv+aZZt6UsVaEVU3FxBXLB
VKC9GyHP6+ZVqSDteGS1pmzLmzmkBkoKpocYkdIxUY2d7L3xCwDdE4DZEBVhWd4d
fUL07dYMPjrpF1+pe5JS0nRICvMr8hlfm8glEGLOmVqG1lmEmWA7TOKdtEXPX92B
yMMNXfthoHyC9exBpUvuW36tuXMG1DNySI9uXen/AeO4v85GqLxvvSB9tiC6ko/P
UOcUBcT/dhUqFXxGMwfcIuaYn+MbtMWQb8oj7B4NrVItRYcqdAp3xrvv2Scuw6yS
+QmA8TKKVi6NVlDXEMKA6yPNZNpOZ1H3OeKYmG3wqhmatVXNeBP5TT7eiHz+EojA
aFsNrQBpvlw9Mo23tiV0Km0VlHrOSj7bYKjpSg7sh3U4FRuzfIvTo93zZxlynogt
stzZh9F8V5dMxoJmPlvH4Cgza9Yl402BwOyStCaZSnOObYcXPhkkRgMCAwEAAaCB
7TCB6gYJKoZIhvcNAQkOMYHcMIHZMIG3BgNVHREEga8wgayCCGF6YWlnLmRlggpl
LW5leHVzLmRlggxnZWdlbi1ha3cuZGWCE3JlbGVhc2UtbWFuYWdlci5jb22CEXZl
Y3RvcnB1Ymxpc2gubmV0ggx3d3cuYXphaWcuZGWCDnd3dy5lLW5leHVzLmRlghB3
d3cuZ2VnZW4tYWt3LmRlghd3d3cucmVsZWFzZS1tYW5hZ2VyLmNvbYIVd3d3LnZl
Y3RvcnB1Ymxpc2gubmV0MB0GA1UdDgQWBBTpCY8dHWA+TWnR3D3YfgURcz/BTTAN
BgkqhkiG9w0BAQsFAAOCAgEAiAG+VZYVkppMUKqlMbLV5gP2AgPjCYO6tPrg+13U
tnDcVaDgESXolJ2pQd5Z0xQ4x64ZPDq2K+vpEzfAdHxbeZo1aXu6jGBNvN040ctf
dPxQ9CvwLaqHLbzwmYBii45oJ8XtEJdZTiGiFEDAwPCgUlxEtNDniJyHxDXx9CX0
m+8EhsBzVqBDHrGbJy3v6JdfIKoQXPoibkQxsaZYYQuN4+i1lrP3pjwQPjNjzoz1
YZ3dC+/6khYHKUHtCESTA+AZfhi5cbzV4W0pBpcXC2nLyQej1xBx58HQISy3TtKQ
y3KQXVKPy/KDbBcRejHsnD0fJNTTqg85cMdcoysi8xQ+8lvj+ZOz1T72LJRHg1++
zMS8pm0PAQMbFvR22ZWRYAJo1ktkFf9N9HsTqrFkyOyVMMV6LXKf2MkhQnsrUYb+
2cb0QRIRcYvY/dF8Y7YVJuZtKQaDipgC69bmpCjS0IOWeZVC0z5WrFM18aA6DIsP
pb4tItAtpntXVEAl7v0pXs81KtTNT+fMdelvpxoTYbWCvcVzCD9DZvsruA4IQPfN
CdAeLf/FWIYdZidIk5znL7/Qw2OYoZ6alVlss/kBdi7BkRHRTFtUpih0HwTwC9Af
fHCMtc9PoBpErrndixGHOrcQIMTga6IRkUIiwLDBCdkdkXIQuCBP6DhfyIRHFt1V
tRA=
-----END NEW CERTIFICATE REQUEST-----
1 Like

What’s wrong is that sslforfree doesn’t like the type label in the PEM header:

and

The word NEW should not be there, it should just be e.g.:

-----BEGIN CERTIFICATE REQUEST-----

What seems to be happening is the extra word is causing sslforfree to screw up its encoding of the JWS in the finalization step of the order.

If you get rid of NEW, everything should work.

According to https://tools.ietf.org/html/rfc7468#section-7 , all generators must use the CERTIFICATE REQUEST label, so the tool you used to create the CSR is out of spec. It also says that parsers may treat NEW CERTIFICATE REQUEST as being equivalent, so maybe you can report this as a bug to info@sslforfree.com .

4 Likes

M$ is known about breaking it via NEW CERTIFICATE REQUEST.

1 Like

_az
To citate wrong is a problem everybody should avoid. We (ietf) commented out clearly that only “CERTIFICATE REQUEST” is mandatory.

I didn’t suggest otherwise.

sslforfree could still treat and fix this as a bug, even if it’s not a mandatory requirement of a parser.

2 Likes

You mean probably in a similar manner as I did for my client near two years ago:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.