CSR is invalid. Make sure to disable all extensions but SAN on your CSR as any other extensions are not supported


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: http://exhibitoremanual.com/

I ran this command: I am generating SSL using CSR

It produced this output:
CSR is invalid. Make sure to disable all extensions but SAN on your CSR as any other extensions are not supported. Full error: { "type": "urn:ietf:params:acme:error:malformed", "detail": "Error parsing certificate request: asn1: syntax error: sequence truncated", "status": 400 }

My web server is (include version): Windows

The operating system my web server runs on is (include version): Windows Server 2008 R2

My hosting provider, if applicable, is: CTRLs

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


#2

CSR Is

-----BEGIN NEW CERTIFICATE REQUEST-----
[CSR body not preserved]
-----END NEW CERTIFICATE REQUEST-----


#3

Your CSR contains all kinds of information that a) Let’s Encrypt doesn’t use at all and b) could generate this kind of error:

Certificate Request:
Data:
    Version: 0 (0x0)
    Subject:
        commonName                = exhibitoremanual.com
        organizationalUnitName    = IT
        organizationName          = Luxxis
        localityName              = Delhi
        stateOrProvinceName       = Delhi
        countryName               = IN
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                00:d3:d6:a4:2e:99:25:ac:b9:f2:66:2d:d5:ab:e1:
                6e:93:18:7d:27:81:09:b3:1a:c4:7e:e5:c1:65:aa:
                63:29:56:96:3f:ad:5a:11:6b:0b:06:2c:53:89:50:
                4a:ca:f4:16:d4:ad:35:1d:38:66:91:ed:b6:ad:71:
                c2:f8:fc:0b:3f:5d:27:4b:82:b6:3c:d0:73:20:73:
                4c:68:1c:82:c4:5c:56:9b:eb:be:40:a5:43:70:f0:
                97:34:37:ca:d5:d9:b9:cd:fb:79:ce:cd:25:01:b2:
                37:12:66:41:de:cb:98:a9:59:85:cc:3b:92:62:28:
                7c:21:36:1e:3c:44:17:d2:0a:2f:78:11:27:fb:af:
                e1:74:b4:b0:48:d9:24:1f:96:18:79:9b:05:22:77:
                eb:51:db:4b:8e:d2:c2:cf:74:f8:15:ac:4a:f7:3b:
                5f:db:08:0a:1e:7b:8b:1e:c5:c9:36:50:1c:9a:d2:
                61:49:00:69:26:8c:3d:33:c7:8e:b9:ee:39:9c:0f:
                0c:a5:05:6d:46:26:eb:4e:13:42:d0:57:40:6b:c3:
                bb:e2:ec:a2:4d:76:6c:2b:7f:0e:f4:bd:d1:75:a3:
                67:a8:d2:70:4b:f6:3f:22:b3:72:be:2c:4c:8d:64:
                b7:87:b9:43:3a:0f:40:42:11:d8:2f:ab:ef:27:1a:
                ee:93
            Exponent: 65537 (0x10001)
    Attributes:
        1.3.6.1.4.1.311.13.2.3   :6.2.9200.2
        1.3.6.1.4.1.311.21.20    :unable to print attribute
        1.3.6.1.4.1.311.13.2.2   :unable to print attribute
    Requested Extensions:
        X509v3 Key Usage: critical
            Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
        X509v3 Extended Key Usage: 
            TLS Web Server Authentication
        S/MIME Capabilities: 
            0i0...*.H..
......0...*.H..
......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0
..*.H..
..
        X509v3 Subject Key Identifier: 
            C0:80:8C:3A:B3:6E:BD:0B:50:85:B0:49:F6:96:5B:3B:6D:AE:DA:C0
Signature Algorithm: sha1WithRSAEncryption
     55:bf:3d:37:25:ee:bc:f1:ca:0e:80:51:74:31:91:3a:5f:8a:
     40:26:c4:c1:05:5b:43:16:0c:e4:54:e5:17:86:8b:6a:b9:a5:
     2a:bb:e9:d7:b5:cc:a9:3a:e7:7c:d2:37:58:fa:fc:0b:89:46:
     60:8a:4e:f5:1a:21:10:01:d1:4b:75:bb:93:1c:ce:46:6b:d0:
     52:dd:44:7c:93:4b:f6:8b:e9:81:67:e8:d6:9c:f9:c2:93:78:
     7a:d5:5f:53:71:94:f9:e2:34:17:20:5e:dd:ae:8b:d6:0d:3b:
     93:0b:02:cc:d4:a8:d8:80:24:37:2b:65:45:67:88:56:03:a0:
     3e:b9:d3:d5:98:98:c8:3e:19:a2:5c:4b:39:5e:a9:b2:eb:7c:
     3f:02:f8:3a:d4:1b:4a:31:fd:5f:fd:1d:8c:f3:a5:9d:a8:06:
     22:74:35:c6:e5:2f:66:5f:71:e2:a0:75:96:ec:cc:4d:7a:40:
     ed:de:bc:c0:aa:cb:86:a4:28:95:73:e7:15:3b:49:ce:9e:08:
     76:b0:75:e7:9d:dc:c4:24:5b:79:f4:7e:5d:d3:ed:19:7f:14:
     c1:5f:99:08:20:c5:9b:2c:5f:a3:bf:85:bf:d8:b4:49:5d:ff:
     76:ad:e1:d5:2a:5d:89:30:66:d6:d5:82:be:ef:92:4d:88:05:
     f6:5c:a4:10
  • those “attributes” won’t be used and even confuse the OpenSSL parser. Pretty good chance the Let’s Encrypt parser would generate an error on them
  • the only used “key usage” is “Digital Signature”
  • the only used “extended key usage” are “TLS Web Server Authentication” and “TLS Web Client Authentication”
  • “S/MIME Capabilities” isn’t used at all and could very well result in an error.

Please fix the above by either deleting or changing the properties.


#4

Thanks, but I found the solution by removing “NEW” from the start and the end.
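An added example, not code from any poster in this thread: a pre-submission check that rewrites the `NEW CERTIFICATE REQUEST` PEM label to the RFC 7468 `CERTIFICATE REQUEST` label (the fix reported in #4) and verifies that the base64 body is exactly as long as its outer DER header declares, the condition a "sequence truncated" parse error describes. The function names and the sample bytes are assumptions made for illustration; the sample is a constructed DER blob, not a real CSR.

```python
import base64
import re

STANDARD = "CERTIFICATE REQUEST"        # RFC 7468 label for PKCS#10
LEGACY = "NEW CERTIFICATE REQUEST"      # label seen in this thread's CSR
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def to_pem(der, label=STANDARD):
    """Wrap DER bytes in a PEM envelope with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN %s-----" % label, *rows,
                      "-----END %s-----" % label]) + "\n"


def der_claimed_length(der):
    """Total size the outer DER SEQUENCE header says the object has."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer element is not a DER SEQUENCE")
    if der[1] < 0x80:                   # short form: length in one octet
        return 2 + der[1]
    n = der[1] & 0x7F                   # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_csr(text):
    """Return (normalized_pem_or_None, notes) for a pasted CSR."""
    m = PEM_RE.search(text)
    if not m:
        return None, ["no PEM block found"]
    label, body = m.group(1), m.group(2)
    notes = []
    if label == LEGACY:
        notes.append("label rewritten without NEW")
    elif label != STANDARD:
        return None, ["unexpected PEM label: " + label]
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
        claimed = der_claimed_length(der)
    except ValueError as exc:           # binascii.Error is a ValueError
        return None, notes + ["body is not base64 DER: %s" % exc]
    if claimed != len(der):
        return None, notes + ["length mismatch: header claims %d bytes, "
                              "got %d" % (claimed, len(der))]
    return to_pem(der), notes


# Constructed sample: a 260-byte DER SEQUENCE of zeros, not a real CSR.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
```

This only checks the envelope and the outer length; it does not inspect the attributes or requested extensions discussed in #3.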