Error: CSR contains one or more email address fields

danielcugler · January 12, 2021, 9:24am

Hello everyone!

A third party company will host a web page in our behalf. This company created and sent to me a .CSR file. I want to create a SSL certificate manually to send to them (this is just a test by now, so no concerns about renewing the cert at this moment).

I ran the command below locally in my machine:

sudo certbot --csr /home/myuser/secure.pay.ovoenergy.csr certonly --manual --preferred-challenges dns

Then, I get this error:

An unexpected error occurred: The CSR is unacceptable (e.g., due to a short key) :: Error finalizing order :: CSR contains one or more email address fields

Checking the CSR, there is only one email provided, and it seems to be ok.

Any ideas about what am I getting this error?

Thanks.

My domain is:
secure.pay.ovoenergy.com

The operating system version:
Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I am using certbot 1.11.0

rg305 · January 12, 2021, 9:57am

Hi Daniel, and welcome to the LE community forum

CSRs can be considered "public" / "non-private" information; They contain no key(s).
If you care to share the CSR, we might be better able to assist/troubleshoot.

_az · January 12, 2021, 10:02am

Let's Encrypt won't sign a CSR that contains a Distinguished Name (DN) or Subject Alternative Name (SAN) of these types:

IP address
Email address

I think this is probably an idiosyncrasy of Let's Encrypt's server software, but the idea behind it appears to be that since Let's Encrypt is not willing to vouch for your email address, you shouldn't be including it on the CSR.

tl;dr; don't include any emails on the CSR.

rg305 · January 12, 2021, 10:07am

@_az, looking at it in that light:

I can now see how that may be the case.
Even one is too many!

danielcugler · January 12, 2021, 10:45am

Hi @rg305,

sure, I could share the CSR, but as @_az provided the solution for this problem, it is not needed anymore.

Thanks for your help!

danielcugler · January 12, 2021, 10:48am

Thank you so much for providing this insight, @_az!!

I'll ask the third party company to create another CSR without email information.

By the way, I thought that it was mandatory having an email address in the CSR.

Osiris · January 12, 2021, 11:30am

Why? I'm not familiar with such a rule.

system · February 11, 2021, 11:30am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.