"Enrollment failed" error during certificate generation

Hello

I used the following certbot command to generate the initial certificates using the ACME client:

~$ sudo certbot certonly --apache --server https://xxx.yyy.zz/ \
    --preferred-challenges http \
    --key-type rsa \
    --rsa-key-size 4096 \
    --csr ~/files/server.csr \
    --cert-path ~/certbot/certs/ssl.pem \
    --fullchain-path ~/certbot/certs/ssl_fullchain.pem \
    --chain-path ~/certbot/certs/ssl_chain.pem \
    -v

The command fails with an "enrollment failed" error. Below is the console log:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Requesting a certificate for <domain.name>
Performing the following challenges:
http-01 challenge for <domain.name>
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
enrollment failed
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

On checking the log file (logfile /var/log/letsencrypt/letsencrypt.log), I can see the following:

2025-08-28 11:22:48,690:DEBUG:urllib3.connectionpool:https://xxx.yyy.zz:443 "POST /acme/order/r8upOO20ywlo/finalize HTTP/1.1" 400 91
2025-08-28 11:22:48,690:DEBUG:acme.client:Received response:
HTTP 400
Date: Thu, 28 Aug 2025 11:22:48 GMT
Server: Apache
Content-Length: 91
Replay-Nonce: e0cfaf44470848af846cd6f7e1ef4e77
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Connection: close
Content-Type: application/problem+json

{"status": 400, "type": "urn:ietf:params:acme:error:badCSR", "detail": "enrollment failed"}
2025-08-28 11:22:48,690:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/4892/bin/certbot", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/snap/certbot/4892/lib/python3.12/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4892/lib/python3.12/site-packages/certbot/_internal/main.py", line 1877, in main
    return config.func(config, plugins)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4892/lib/python3.12/site-packages/certbot/_internal/main.py", line 1570, in certonly
    cert_path, chain_path, fullchain_path = _csr_get_and_save_cert(config, le_client)
                                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4892/lib/python3.12/site-packages/certbot/_internal/main.py", line 1501, in _csr_get_and_save_cert
    cert, chain = le_client.obtain_certificate_from_csr(csr)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4892/lib/python3.12/site-packages/certbot/_internal/client.py", line 343, in obtain_certificate_from_csr
    orderr = self.acme.finalize_order(
             ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4892/lib/python3.12/site-packages/acme/client.py", line 313, in finalize_order
    raise e
  File "/snap/certbot/4892/lib/python3.12/site-packages/acme/client.py", line 310, in finalize_order
    self.begin_finalization(orderr)
  File "/snap/certbot/4892/lib/python3.12/site-packages/acme/client.py", line 236, in begin_finalization
    res = self._post(orderr.body.finalize, wrapped_csr)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4892/lib/python3.12/site-packages/acme/client.py", line 470, in _post
    return self.net.post(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4892/lib/python3.12/site-packages/acme/client.py", line 821, in post
    return self._post_once(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4892/lib/python3.12/site-packages/acme/client.py", line 836, in _post_once
    response = self._check_response(response, content_type=content_type)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/snap/certbot/4892/lib/python3.12/site-packages/acme/client.py", line 708, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:badCSR :: The CSR is unacceptable (e.g., due to a short key) :: enrollment failed
2025-08-28 11:22:48,694:ERROR:certbot._internal.log:An unexpected error occurred:
2025-08-28 11:22:48,694:ERROR:certbot._internal.log:enrollment failed

The error says:

acme.messages.Error: urn:ietf:params:acme:error:badCSR :: The CSR is unacceptable (e.g., due to a short key) :: enrollment failed

I tried the following to get around the error:

  • Re-generated new CSR using "openssh"
  • Checked the CSR file contents in case of any inconsistencies, nothing found, all OK
  • Updated Apache version
  • Created a new, more secure private key of length 4096 (existing was 2048)

But nothing seems to have worked and I keep getting the enrollment failed error.

Below is some info about my env:

  • Ubuntu 22.04 OS
  • domain is hosted on AWS
  • certbot v4.2.0
  • Apache/2.4.52 (Ubuntu)

Please advise.

Thanks!

  1. Certbot can generate a suitable CSR itself (just remove the argument --csr ~/files/server.csr).
  2. If you want to use openssl (I presume that openssh was a typo) to generate the CSR, we need the command and options used to generate the CSR.
1 Like

If you're using that parameter, you're telling certbot to get the cert from somewhere other than Let's Encrypt. And in that case, notwithstanding the fact that certbot sends you here, you'd likely be better off heading to that other CA's support channels.

4 Likes

This combination of options gives me the idea you have no clue what you're doing, to be honest.

What is it exactly that you're attempting to do?

1 Like
  1. Certbot can generate a suitable CSR itself (just remove the argument --csr ~/files/server.csr).

Thanks, wasn't aware of that bit. Then, is there an option to specify the path where the CSR will be saved in the certbot command?

  1. If you want to use openssl (I presume that openssh was a typo) to generate the CSR, we need the command and options used to generate the CSR.

Yes openssh was a typo, I meant openssl. I used the below command to generate the csr and key files:

$ openssl req -new -newkey rsa:4096 -keyout priv.key -out server.csr

This combination of options gives me the idea you have no clue what you're doing, to be honest.

Sorry for the confusion, but I imagined the key type and key size was something I had to specify in the certbot command for the certificate generation.

What is it exactly that you're attempting to do?

I want to generate SSL certificates for a new website using the ACME client.

  • first, I generated the private key and csr files
  • then, using the generated csr file I tried to generate the certificates using the certbot command
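When a CA answers the finalize request with urn:ietf:params:acme:error:badCSR, the useful next step is to inspect the CSR locally, with the same openssl that produced it, before changing certbot flags: with --csr the public key is whatever the request already contains, so the size and type a CA sees are decided at the openssl step, not by certbot's key options. The following POSIX shell script is an added example, not code from this thread, from certbot, from openssl's documentation or from any CA. It verifies the CSR's self-signature, reports the key size, lists the names the request carries (CN and DNS SANs), and rejects the request against an assumed minimum key size (a policy value chosen here, not one any particular CA publishes). The sample CSR it generates for example.test is constructed test data; it uses the thread's openssl invocation plus -nodes, -subj and an -addext SAN so it runs unattended (the thread's command had no SAN).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks on a PEM CSR before
# passing it to "certbot certonly --csr". Requires the openssl CLI.

# csr_key_bits FILE: print the size in bits of the CSR's public key.
# Matches both "RSA Public-Key: (2048 bit)" (OpenSSL 1.1) and
# "Public-Key: (2048 bit)" (OpenSSL 3).
csr_key_bits() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null \
      | openssl pkey -pubin -noout -text 2>/dev/null \
      | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# csr_names FILE: print the subject CN and every DNS SAN, one per line.
csr_names() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
      | sed -n 's/^subject=.*CN *= *\([^,\/]*\).*/\1/p'
    openssl req -in "$1" -noout -text 2>/dev/null \
      | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# check_csr FILE MIN_BITS: return 0 if the CSR parses, its self-signature
# verifies, its key has at least MIN_BITS bits and it names at least one
# host; otherwise print the reason to stderr and return 1.
check_csr() {
    csr=$1; min=$2
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "REJECT: CSR does not parse or its self-signature fails" >&2
        return 1
    fi
    bits=$(csr_key_bits "$csr")
    if [ -z "$bits" ] || [ "$bits" -lt "$min" ]; then
        echo "REJECT: key is ${bits:-unknown} bits, assumed policy minimum is $min" >&2
        return 1
    fi
    if [ -z "$(csr_names "$csr")" ]; then
        echo "REJECT: CSR names no host (no CN and no DNS SAN)" >&2
        return 1
    fi
    echo "OK: $bits-bit key, names: $(csr_names "$csr" | tr '\n' ' ')"
    return 0
}

# make_sample_csr DIR BITS NAME: constructed test data. Same openssl command
# as the thread, plus -nodes/-subj (unattended) and a SAN via -addext.
# Prints the path of the CSR it wrote.
make_sample_csr() {
    openssl req -new -newkey "rsa:$2" -nodes -keyout "$1/priv.key" \
        -out "$1/server.csr" -subj "/CN=$3" -addext "subjectAltName=DNS:$3" \
        >/dev/null 2>&1
    echo "$1/server.csr"
}

# tamper_csr IN OUT: change one base64 character in the request body so the
# self-signature no longer covers what is there (constructed negative case).
tamper_csr() {
    c=$(sed -n '3p' "$1" | cut -c1)
    if [ "$c" = "A" ]; then r=B; else r=A; fi
    sed "3s/^./$r/" "$1" > "$2"
}

main() {
    dir=$(mktemp -d)
    csr=$(make_sample_csr "$dir" 2048 example.test)
    check_csr "$csr" 2048                 # accepted
    check_csr "$csr" 4096 || true         # rejected: below the assumed minimum
    tamper_csr "$csr" "$dir/bad.csr"
    check_csr "$dir/bad.csr" 2048 || true # rejected: signature no longer verifies
    rm -rf "$dir"
}

main "$@"
```

Run it against a real request with check_csr /path/to/server.csr 2048 after sourcing the file; a REJECT line tells you which property the request fails locally, which is the same set of properties (signature, key size, names) a CA examines before it agrees to issue.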

How would that work if you also have your own CSR, which was generated with its own private key?

Just let Certbot do all the CSR creation internally.

3 Likes

Incidentally I'm seeing this issue with a different client, without a custom CSR, when using Actalis as the CA.

I suspect (but haven't yet tested) it's because I'm trying to get a cert for a subdomain, but their ACME service only supports the apex domain (+www).

[edit: also tried with the apex domain and still failed; I think the issue is that my account predated their ACME service going live officially and that affects something on their side, don't know]

2 Likes

I updated my command to let Certbot do the CSR generation and the "enrollment error" was not seen again. Thank you for the suggestion.

But now it fails with a "timeout error", the reason for which is not related to this, I suppose.
