Using manual LE cert generation

```bash
certbot-auto certonly \
  --server https://acme-staging.api.letsencrypt.org/directory \
  --standalone --standalone-supported-challenges tls-sni-01 \
  --csr=./example.com.csr.der ...
```
If the CSR has been generated with a separately-seeded privkey, with NO explicit params encoded in the key

```bash
openssl ecparam -name secp384r1 -param_enc explicit -outform pem -out ./params.pem
openssl ecparam -genkey -name secp384r1 -noout -in ./params.pem -out ./privkey.pem
```
generating a CSR as

```text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=NewYork, L=NewYork, O=example.com, OU=example.com, CN=example.com/emailAddress=noreply@example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    ...
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com
    Signature Algorithm: ecdsa-with-SHA512
         ...
```
then the LE cert generation is successful

```text
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /tmp/example.com/0001_chain.pem.
   Your cert will expire on 2016-11-06. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:
```
But if the CSR has been generated with explicit parameter encoding, and self-seeding,

```bash
openssl ecparam -genkey -name secp384r1 -noout -out ./privkey.pem \
  -param_enc explicit
```
so that the generated CSR is

```text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=NewYork, L=NewYork, O=example.com, OU=example.com, CN=example.com/emailAddress=noreply@example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    ...
                Field Type: prime-field
                Prime:
                    00:...
                A:
                    00:...
                B:
                    00:...
                Generator (uncompressed):
                    04:...
                Order:
                    00:...
                Cofactor:  1 (0x1)
                Seed:
                    a4:...
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com
    Signature Algorithm: ecdsa-with-SHA512
         ...
```
an error is returned

```text
An unexpected error occurred:
The request message was malformed :: Error parsing certificate request. Extensions in the CSR marked critical can cause this error: https://github.com/letsencrypt/boulder/issues/565
Please see the logfiles in /var/log/letsencrypt for more details.
```
where

```text
cat /var/log/letsencrypt/letsencrypt.log
...
2016-08-08 16:33:04,568:DEBUG:acme.client:Received response <Response [400]> (headers: {'Content-Length': '217', 'Boulder-Request-Id': '4...', 'Expires': 'Wed, 08 Aug 2016 16:33:05 GMT', 'Server': 'nginx', 'Connection': 'close', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Pragma': 'no-cache', 'Boulder-Requester': '2...', 'Date': 'Wed, 10 Aug 2016 16:33:05 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': '...'}): '{\n "type": "urn:acme:error:malformed",\n "detail": "Error parsing certificate request. Extensions in the CSR marked critical can cause this error: https://github.com/letsencrypt/boulder/issues/565",\n "status": 400\n}'
2016-08-10 16:33:04,569:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 744, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 558, in obtain_cert
    _csr_obtain_cert(config, le_client)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 527, in _csr_obtain_cert
    certr, chain = le_client.obtain_certificate_from_csr(config.domains, csr, typ)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/client.py", line 228, in obtain_certificate_from_csr
    authzr)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 319, in request_issuance
    headers={'Accept': content_type})
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 656, in post
    return self._check_response(response, content_type=content_type)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 572, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:malformed :: The request message was malformed :: Error parsing certificate request. Extensions in the CSR marked critical can cause this error: https://github.com/letsencrypt/boulder/issues/565
```
The referenced bug

**_Golang errors on extensions marked critical #565_**
[https://github.com/letsencrypt/boulder/issues/565](https://github.com/letsencrypt/boulder/issues/565)

addresses parsing problems, but is Golang-related, not Python-related, and doesn't mention the params encoding specifically.

Is there a specific reason that privkey parameter encoding is DISALLOWED in LE, or is this (still) a bug?
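A way to check a CSR for the rejected encoding before submitting it, as an added example that is neither from this post nor from certbot or Boulder: a minimal DER walker that locates the id-ecPublicKey AlgorithmIdentifier and reports whether its parameters are a named-curve OID (the form that was accepted above) or an explicit ECParameters SEQUENCE (the form that was rejected). The two SubjectPublicKeyInfo samples are constructed, with the explicit one abbreviated to a version and fieldID; a real CSR is fed in through pem_to_der.

```python
import base64
import re

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1 (contents octets)
NAMED_CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "prime256v1",  # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "secp384r1",         # 1.3.132.0.34 (NIST P-384)
}

def der_tlvs(buf):
    """Yield (tag, contents) for each DER element at the top level of buf."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:                      # long form: low bits give the number of length octets
            n = length & 0x7F
            length = int.from_bytes(buf[i:i + n], "big")
            i += n
        yield tag, buf[i:i + length]
        i += length

def ec_param_encoding(der):
    """Classify the first id-ecPublicKey AlgorithmIdentifier anywhere in a DER blob (CSR, cert,
    SPKI or key): 'named_curve:<name>', 'explicit' (full ECParameters), 'implicit', or None."""
    elems = list(der_tlvs(der))
    if len(elems) == 2 and elems[0] == (0x06, ID_EC_PUBLIC_KEY):
        tag, params = elems[1]
        if tag == 0x06:                        # OBJECT IDENTIFIER -> namedCurve form
            return "named_curve:" + NAMED_CURVES.get(params, params.hex())
        if tag == 0x30:                        # SEQUENCE -> explicit ECParameters (rejected above)
            return "explicit"
        if tag == 0x05:                        # NULL -> implicitlyCA
            return "implicit"
    for tag, contents in elems:
        if tag & 0x20:                         # constructed (SEQUENCE, SET, [n]): descend
            found = ec_param_encoding(contents)
            if found:
                return found
    return None

def pem_to_der(pem):
    """Strip PEM armour and base64-decode, so a .pem CSR can be passed to ec_param_encoding."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))

# Constructed sample SubjectPublicKeyInfo blobs (placeholder BIT STRING as the key): P-384 in
# named-curve form, and explicit form abbreviated to version 1 plus a prime-field fieldID.
NAMED_SPKI = bytes.fromhex("3017" "3010" "06072a8648ce3d0201" "06052b81040022" "0303000401")
EXPLICIT_SPKI = bytes.fromhex("3023" "301c" "06072a8648ce3d0201"
                              "3011" "020101" "300c" "06072a8648ce3d0101" "020105" "0303000401")
```

Running `ec_param_encoding(pem_to_der(open("example.com.csr").read()))` on the second CSR above would report `explicit`, which is the case to regenerate the key without `-param_enc explicit` before submitting to LE.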