CSR does not specify same identifiers as Order, but I can't figure out why

I keep getting the following error from the server

{
  type: 'urn:ietf:params:acme:error:unauthorized',
  detail: 'Error finalizing order :: CSR does not specify same identifiers as Order',
  status: 403
}

I have verified that the CSR is valid with the decoder

My CSR: ASN1 Decoder my CSR

The Example One: ASN1 Decoder example CSR

My CSR matches the one I was given by @aarongable


The identifiers I provided during my order are

// When I place the order
{ "type": "dns", "value": "www.ssl.boats"}
{ "type": "dns", "value": "ssl.boats" }

// Common Name
commonName: "www.ssl.boats"

// Create SAN in CSR
["www.ssl.boats", "ssl.boats"] <-- both of these are in the SAN

This is the CSR I sent to the server:

MIIBCDCBsAIBADAYMRYwFAYDVQQDDA13d3cuc3NsLmJvYXRzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuXTsqYdGjBOAJnq5gQt2BK6n65Yt77clx0MtDuj_rQtcWExRhR8QRTZ2bKPOWkVPP9wZgMm0ys3BY6wzl9_3qaA2MDQGCSqGSIb3DQEJDjEnMCUwIwYDVR0RBBwwGqINd3d3LnNzbC5ib2F0c6IJc3NsLmJvYXRzMAoGCCqGSM49BAMCA0cAMEQCIAkzI88emVTHKe-OkcI63n_4Szdufux0glQysGxIQYWRAiA4R6hZdFtyTSr86PYoxMTZWwfoKqQ0-tUUVPkPSH_TIA

Seems like it should be working, any help is appreciated.

If you want to help, you can review these files.
You could also clone this repo and run start-windows.bat --letsEncrypt

function createSANExtension(sans) { //shortened for brevity
    const { dnsNames = [] } = sans;
    const generalNames = [];

    dnsNames.forEach(dns => { // Add DNS names (type 2)
        generalNames.push(encodeDERContextSpecific(2, Buffer.from(dns, 'utf8')));
    });

    return encodeDERSequence([
        encodeDERObjectIdentifier('2.5.29.17'),
        encodeDEROctetString(encodeDERSequence(generalNames))
    ]);
}

I'm wondering if there is something I need to do to the identifiers before I encode them into the SAN?

Currently I just encode them into the SAN without changing them (Buffer.from(dns, 'utf8')), and I'm wondering if that is wrong.

Decoding the ASN.1 from your CSR resulted in this: try loading a working example there to see the right structure?

https://lapo.it/asn1js/#MIIBCDCBsAIBADAYMRYwFAYDVQQDDA13d3cuc3NsLmJvYXRzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuXTsqYdGjBOAJnq5gQt2BK6n65Yt77clx0MtDuj_rQtcWExRhR8QRTZ2bKPOWkVPP9wZgMm0ys3BY6wzl9_3qaA2MDQGCSqGSIb3DQEJDjEnMCUwIwYDVR0RBBwwGqINd3d3LnNzbC5ib2F0c6IJc3NsLmJvYXRzMAoGCCqGSM49BAMCA0cAMEQCIAkzI88emVTHKe-OkcI63n_4Szdufux0glQysGxIQYWRAiA4R6hZdFtyTSr86PYoxMTZWwfoKqQ0-tUUVPkPSH_TIA


If you read the original post, you would see I have already compared my CSR to the example one.

My CSR: ASN1 Decoder my CSR

The Example One: ASN1 Decoder example CSR

Do you see any differences that would affect a Let's Encrypt certificate?

OCTET STRING (39 byte) 3025A023060A2B060104018237140203A0150C136164647265737340646F6D61696E2E…

    SEQUENCE (1 elem)
        [0] (2 elem)
            OBJECT IDENTIFIER 1.3.6.1.4.1.311.20.2.3 userPrincipalName (Microsoft UPN)
            [0] (1 elem)
                UTF8String address@domain.test

This internal structure doesn't show up on your CSR, just the outer OCTET STRING.


Yes, but your example should still have the SAN encoded in it: see this page's certificate decoded.

Extension SEQUENCE (2 elem)

    extnID OBJECT IDENTIFIER 2.5.29.17 subjectAltName (X.509 extension)
    extnValue OCTET STRING (29 byte) 301B8219636F6D6D756E6974792E6C657473656E63727970742E6F7267
        SEQUENCE (1 elem)
            [2] (25 byte) community.letsencrypt.org
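What the original question (encoding the identifiers with encodeDERContextSpecific(2, ...)) and the decoded SAN in the reply above are both pointing at is the tag byte of each GeneralName, not the hostname bytes. The following is an added example, not the thread author's code and not the server-ssl project's code: it DER-encodes a subjectAltName extension with the primitive [2] tag (0x82) that the accepted CSR in this thread carries, beside the constructed form (0xA2) that the rejected CSR carried, decodes both back, and applies the same-identifiers comparison that the ACME finalize step enforces. It assumes Node.js with only the built-in Buffer; the function names are mine, and the sample order identifiers are the two dns identifiers from the order above.

```javascript
// Added example (not from the thread or the server-ssl project): encode a
// subjectAltName extension in DER, decode it back, and compare the names with
// the ACME order identifiers. Assumes Node.js; uses only the built-in Buffer.

const TAG_SEQUENCE = 0x30, TAG_OID = 0x06, TAG_OCTET_STRING = 0x04, TAG_DNSNAME = 0x82;
const OID_SUBJECT_ALT_NAME = Buffer.from([0x55, 0x1d, 0x11]); // 2.5.29.17

// DER definite length: one byte below 128, otherwise 0x80|count followed by the bytes.
function derLength(n) {
  if (n < 0x80) return Buffer.from([n]);
  const bytes = [];
  for (let v = n; v > 0; v >>>= 8) bytes.unshift(v & 0xff);
  return Buffer.from([0x80 | bytes.length, ...bytes]);
}

function derTLV(tag, body) {
  return Buffer.concat([Buffer.from([tag]), derLength(body.length), body]);
}

// GeneralName dNSName is [2] IMPLICIT IA5String. IMPLICIT tagging replaces the
// IA5String tag with a primitive context-specific tag: 0x80 | 2 = 0x82. Setting
// the constructed bit (0x20) gives 0xA2, the tag the rejected CSR carried.
function dnsGeneralName(name, constructed = false) {
  const tag = 0x80 | (constructed ? 0x20 : 0x00) | 2;
  return derTLV(tag, Buffer.from(name, 'ascii')); // IA5String payload: ASCII only
}

// Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING { SEQUENCE OF GeneralName } }
function encodeSANExtension(dnsNames, constructed = false) {
  const names = Buffer.concat(dnsNames.map((n) => dnsGeneralName(n, constructed)));
  return derTLV(TAG_SEQUENCE, Buffer.concat([
    derTLV(TAG_OID, OID_SUBJECT_ALT_NAME),
    derTLV(TAG_OCTET_STRING, derTLV(TAG_SEQUENCE, names)),
  ]));
}

// Minimal DER reader: the TLV at `offset` as { tag, body, end }, bounds-checked.
function readTLV(buf, offset) {
  const tag = buf[offset];
  let len = buf[offset + 1];
  let pos = offset + 2;
  if (len & 0x80) {
    const count = len & 0x7f;
    len = 0;
    for (let i = 0; i < count; i++) len = (len << 8) | buf[pos++];
  }
  if (pos + len > buf.length) throw new Error('DER length runs past end of buffer');
  return { tag, body: buf.subarray(pos, pos + len), end: pos + len };
}

function expectTag(tlv, tag, what) {
  if (tlv.tag !== tag) throw new Error(`${what}: expected tag 0x${tag.toString(16)}, got 0x${tlv.tag.toString(16)}`);
  return tlv;
}

// Parse a subjectAltName extension back to its dNSName strings. Anything other
// than a primitive [2] GeneralName is rejected, as a strict CA-side parser would.
function parseSANDnsNames(ext) {
  const outer = expectTag(readTLV(ext, 0), TAG_SEQUENCE, 'Extension');
  const oid = expectTag(readTLV(outer.body, 0), TAG_OID, 'extnID');
  if (!oid.body.equals(OID_SUBJECT_ALT_NAME)) throw new Error('extnID is not subjectAltName');
  const value = expectTag(readTLV(outer.body, oid.end), TAG_OCTET_STRING, 'extnValue');
  const names = expectTag(readTLV(value.body, 0), TAG_SEQUENCE, 'GeneralNames');
  const out = [];
  for (let off = 0; off < names.body.length; ) {
    const gn = expectTag(readTLV(names.body, off), TAG_DNSNAME, 'GeneralName');
    out.push(gn.body.toString('ascii'));
    off = gn.end;
  }
  return out;
}

// "Same identifiers as Order" as a set comparison: order-independent, case-insensitive.
function sanMatchesOrder(dnsNames, identifiers) {
  const norm = (xs) => [...new Set(xs.map((x) => x.toLowerCase()))].sort();
  const fromCsr = norm(dnsNames);
  const fromOrder = norm(identifiers.filter((i) => i.type === 'dns').map((i) => i.value));
  return fromCsr.length === fromOrder.length && fromCsr.every((v, i) => v === fromOrder[i]);
}

// Parse and compare in one call; a SAN that does not parse matches nothing.
function csrSanMatchesOrder(ext, identifiers) {
  try { return sanMatchesOrder(parseSANDnsNames(ext), identifiers); } catch { return false; }
}

// Constructed sample input: the two dns identifiers from the order in the thread.
const ORDER_IDENTIFIERS = [
  { type: 'dns', value: 'www.ssl.boats' },
  { type: 'dns', value: 'ssl.boats' },
];
const DNS_NAMES = ORDER_IDENTIFIERS.map((i) => i.value);

const acceptedSAN = encodeSANExtension(DNS_NAMES);       // 0x82 tags
const rejectedSAN = encodeSANExtension(DNS_NAMES, true); // 0xA2 tags

console.log('primitive  ', acceptedSAN.toString('hex'), csrSanMatchesOrder(acceptedSAN, ORDER_IDENTIFIERS));
console.log('constructed', rejectedSAN.toString('hex'), csrSanMatchesOrder(rejectedSAN, ORDER_IDENTIFIERS));
```

The hostname bytes need no transformation before they go into the SAN; the two CSRs posted in this thread carry identical name bytes and differ only in the GeneralName tag, A2 0D ... A2 09 in the rejected request against 82 0D ... 82 09 in the accepted one. A decoder that honours the constructed bit tries to read the hostname's ASCII as nested TLVs instead of as a string, so the dNSName never decodes and the CA has nothing to compare with the order's identifiers.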

Oh I understand what you are saying now, that is very helpful thank you.

I had suspected I was still encoding it wrong.


New CSR, the server accepts it now!


Thanks for your help everyone, my project server-ssl can generate Let's Encrypt certificates automatically now.

J@BUD MINGW64 ~/Desktop/server-ssl (main)
$ ./start-windows.bat --letsEncrypt --domains=["www.ssl.boats","ssl.boats"] --generateAnyway --staging
Generating Keys for Local Development
........+...+....+........+.+++++++++++++++++++++++++++++++++++++++*.+..........+.....+..........+.....+...+...+++++++++++++++++++++++++++++++++++++++*.+...+....+......+...+.....+......+..........+...+..+......+....+...+..+.+...+...............+.........+..+...+.............+...+............+........+..........+..+.......+...+..+............+.+........+....+...+..+..........+.....+...+..................+.++++++
......+...+...+........+++++++++++++++++++++++++++++++++++++++*.....................+...+......+..+...+.+...+..........................+.........+...+++++++++++++++++++++++++++++++++++++++*.......+.....+..........+.....+......+...+...............+....+........+...+......+...+.......+.....+......+...................+.....+...+.+.....+......+.+........+.......+........+............+...+.......+.........+...+......+.........+...+.........+.....+....+...............+..+....+...+............+...+..+......+...+............+.........+......+.......+...+..+......+.+......+.........+.....++++++
-----
Successfully Generated Private Key
Successfully Generated Certificate
Node.js already exists
Starting SSL Web Server
USING THE STAGING SERVER
HTTPS Server is running on port 443
HTTP Server is redirecting requests to 443
ACME Keys saved to File
Signing Keys saved to File
------
Starting Lets Encrypt Daemon!
This does not currently generate certificates.
Next Nonce jDZhkUVkXbilwrLdlKRMLMe8zUsYhB2ieIVPgt_9BcpoegCeDRU
Next Nonce jDZhkUVkUGYniolyYph5PYoOfuUWVsDdy5YeMe9hT1L1kopRQrc
Next Nonce jDZhkUVkYru8LaUO6JD7owcltUu8i2O6qH8BOkTcts9LhEh3QUY
Next Nonce FW9SwLSLe9G1hdAt2UqPF8wM-HyWyj7r1Mf-356mPhU4f8l4-Lg {
  answer: {
    get: {
      type: 'http-01',
      url: 'https://acme-staging-v02.api.letsencrypt.org/acme/chall/172971744/15063525884/-ro1FA',
      status: 'pending',
      token: 'Zr5hOIDuJgfECeKOwGyg15aqIW8_tgw9OCq_rO-0q2c'
    },
    location: 'https://acme-staging-v02.api.letsencrypt.org/acme/chall/172971744/15063525884/-ro1FA'
  },
  nonce: 'FW9SwLSLe9G1hdAt2UqPF8wM-HyWyj7r1Mf-356mPhU4f8l4-Lg'
}
Next Nonce jDZhkUVkOwDcuxJVrlC8zIma1tMxLgEUW6ejHPQUvj-qRLtcebc {
  answer: {
    get: {
      type: 'http-01',
      url: 'https://acme-staging-v02.api.letsencrypt.org/acme/chall/172971744/15063525894/fG1TOw',
      status: 'pending',
      token: '4ZYAKkH-DoFZ_Qua71BH61H0Jt5LQwIVhCRULjG39XY'
    },
    location: 'https://acme-staging-v02.api.letsencrypt.org/acme/chall/172971744/15063525894/fG1TOw'
  },
  nonce: 'jDZhkUVkOwDcuxJVrlC8zIma1tMxLgEUW6ejHPQUvj-qRLtcebc'
}
HTTP-01 ACME Challenge
token Zr5hOIDuJgfECeKOwGyg15aqIW8_tgw9OCq_rO-0q2c
HTTP-01 ACME Challenge Answered Zr5hOIDuJgfECeKOwGyg15aqIW8_tgw9OCq_rO-0q2c.Ar2gQQ_9DPnGbH_Vd9GfO4Da46YH5F3ayKYIVJ9uYKo
HTTP-01 ACME Challenge
token 4ZYAKkH-DoFZ_Qua71BH61H0Jt5LQwIVhCRULjG39XY
HTTP-01 ACME Challenge Answered 4ZYAKkH-DoFZ_Qua71BH61H0Jt5LQwIVhCRULjG39XY.Ar2gQQ_9DPnGbH_Vd9GfO4Da46YH5F3ayKYIVJ9uYKo
HTTP-01 ACME Challenge
token Zr5hOIDuJgfECeKOwGyg15aqIW8_tgw9OCq_rO-0q2c
HTTP-01 ACME Challenge Answered Zr5hOIDuJgfECeKOwGyg15aqIW8_tgw9OCq_rO-0q2c.Ar2gQQ_9DPnGbH_Vd9GfO4Da46YH5F3ayKYIVJ9uYKo
HTTP-01 ACME Challenge
token 4ZYAKkH-DoFZ_Qua71BH61H0Jt5LQwIVhCRULjG39XY
HTTP-01 ACME Challenge Answered 4ZYAKkH-DoFZ_Qua71BH61H0Jt5LQwIVhCRULjG39XY.Ar2gQQ_9DPnGbH_Vd9GfO4Da46YH5F3ayKYIVJ9uYKo
HTTP-01 ACME Challenge
token Zr5hOIDuJgfECeKOwGyg15aqIW8_tgw9OCq_rO-0q2c
HTTP-01 ACME Challenge Answered Zr5hOIDuJgfECeKOwGyg15aqIW8_tgw9OCq_rO-0q2c.Ar2gQQ_9DPnGbH_Vd9GfO4Da46YH5F3ayKYIVJ9uYKo
HTTP-01 ACME Challenge
token 4ZYAKkH-DoFZ_Qua71BH61H0Jt5LQwIVhCRULjG39XY
HTTP-01 ACME Challenge Answered 4ZYAKkH-DoFZ_Qua71BH61H0Jt5LQwIVhCRULjG39XY.Ar2gQQ_9DPnGbH_Vd9GfO4Da46YH5F3ayKYIVJ9uYKo
HTTP-01 ACME Challenge
token Zr5hOIDuJgfECeKOwGyg15aqIW8_tgw9OCq_rO-0q2c
HTTP-01 ACME Challenge Answered Zr5hOIDuJgfECeKOwGyg15aqIW8_tgw9OCq_rO-0q2c.Ar2gQQ_9DPnGbH_Vd9GfO4Da46YH5F3ayKYIVJ9uYKo
HTTP-01 ACME Challenge
token Zr5hOIDuJgfECeKOwGyg15aqIW8_tgw9OCq_rO-0q2c
HTTP-01 ACME Challenge Answered Zr5hOIDuJgfECeKOwGyg15aqIW8_tgw9OCq_rO-0q2c.Ar2gQQ_9DPnGbH_Vd9GfO4Da46YH5F3ayKYIVJ9uYKo
HTTP-01 ACME Challenge
token 4ZYAKkH-DoFZ_Qua71BH61H0Jt5LQwIVhCRULjG39XY
HTTP-01 ACME Challenge Answered 4ZYAKkH-DoFZ_Qua71BH61H0Jt5LQwIVhCRULjG39XY.Ar2gQQ_9DPnGbH_Vd9GfO4Da46YH5F3ayKYIVJ9uYKo
HTTP-01 ACME Challenge
token 4ZYAKkH-DoFZ_Qua71BH61H0Jt5LQwIVhCRULjG39XY
HTTP-01 ACME Challenge Answered 4ZYAKkH-DoFZ_Qua71BH61H0Jt5LQwIVhCRULjG39XY.Ar2gQQ_9DPnGbH_Vd9GfO4Da46YH5F3ayKYIVJ9uYKo
{
  answer: {
    order: {
      status: 'ready',
      expires: '2024-12-01T12:19:35Z',
      identifiers: [Array],
      authorizations: [Array],
      finalize: 'https://acme-staging-v02.api.letsencrypt.org/acme/finalize/172971744/20752839194'
    },
    location: 'https://acme-staging-v02.api.letsencrypt.org/acme/order/172971744/20752839194'
  },
  nonce: 'FW9SwLSL-zEjbBVbU_eGCa0lo5FdDkpM8EqTPfuuOaEKawBZMGA'
}
Ready to Finalize [ 'www.ssl.boats', 'ssl.boats' ]
MIIBCjCBsAIBADAYMRYwFAYDVQQDDA13d3cuc3NsLmJvYXRzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAETs28bb8NKLVHgTV42ZHasXmJ_kQfZorlLVFror3bH3I6qJGjH24BZKq0-Czaq-3wBz2Wt0KteBjmn0lEaDehAaA2MDQGCSqGSIb3DQEJDjEnMCUwIwYDVR0RBBwwGoINd3d3LnNzbC5ib2F0c4IJc3NsLmJvYXRzMAoGCCqGSM49BAMCA0kAMEYCIQCm4GsDtn3yZO9qkm-8kH7vjg4Ekt3mJXo_vU6_amotIgIhAKuC1XfRURd9jNjvWxkqP5AxiyaFeLXMeWKLMPyqKLhd
Waiting for Certificate to be Ready for Download
Next Nonce FW9SwLSLM3Lqzxglc4sRN0vRfl5u2d64Rt6OytqmwHFJsJ8A-Iw
Certificate Ready for Download
Certificate URL: https://acme-staging-v02.api.letsencrypt.org/acme/cert/2bb2ca9735eb23ccf6e2c37620b07a9ea1db
Next Nonce jDZhkUVkCb_0GiSzMNMT5KdRJlGmjzRwNhENUrfrN5XwSkPWz8g
Saved Certificate to file (certificate.pem) - Restart the Server
Saved private key to file (private-key.pem) - Restart the Server

I also made a new project called csr.js that generates Certificate Signing Requests since that was so much fun.

