Error: CSR contains one or more email address fields

Hello everyone!

A third party company will host a web page on our behalf. This company created and sent to me a .CSR file. I want to create an SSL certificate manually to send to them (this is just a test for now, so no concerns about renewing the cert at this moment).

I ran the command below locally on my machine:

sudo certbot --csr /home/myuser/secure.pay.ovoenergy.csr certonly --manual --preferred-challenges dns

Then, I get this error:

An unexpected error occurred: The CSR is unacceptable (e.g., due to a short key) :: Error finalizing order :: CSR contains one or more email address fields

Checking the CSR, there is only one email provided, and it seems to be ok.

Any ideas about why I am getting this error?

Thanks.

My domain is:
secure.pay.ovoenergy.com

The operating system version:
Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I am using certbot 1.11.0

Hi Daniel, and welcome to the LE community forum.

CSRs can be considered "public" / "non-private" information; they contain no key(s).
If you care to share the CSR, we might be better able to assist/troubleshoot.

Let's Encrypt won't sign a CSR that contains a Distinguished Name (DN) or Subject Alternative Name (SAN) of these types:

  • IP address
  • Email address

I think this is probably an idiosyncrasy of Let's Encrypt's server software, but the idea behind it appears to be that since Let's Encrypt is not willing to vouch for your email address, you shouldn't be including it on the CSR.

tl;dr; don't include any emails on the CSR.
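A pre-submission check for the condition described in the answer above, as an added example (not code from this thread or from Let's Encrypt): it parses a PEM CSR with Go's standard `crypto/x509` package and lists any email address found in the subject DN or in the SAN extension. The names `EmailFields` and `SampleCSR` and the example.com values are assumptions; the sample CSRs are constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
)

var oidEmail = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1} // PKCS#9 emailAddress (subject DN attribute)
// EmailFields returns every email address in a PEM CSR, labelled by where it was found.
func EmailFields(csrPEM []byte) ([]string, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	var found []string
	for _, atv := range csr.Subject.Names { // all subject attributes, including emailAddress
		if atv.Type.Equal(oidEmail) {
			found = append(found, fmt.Sprintf("subject:%v", atv.Value))
		}
	}
	for _, addr := range csr.EmailAddresses { // rfc822Name entries in the SAN extension
		found = append(found, "san:"+addr)
	}
	return found, nil
}

// SampleCSR builds a constructed CSR for example.com (hypothetical helper); an empty argument omits that field.
func SampleCSR(subjectEmail, sanEmail string) []byte {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "example.com"}, DNSNames: []string{"example.com"}}
	if subjectEmail != "" {
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidEmail, Value: subjectEmail}}
	}
	if sanEmail != "" {
		tmpl.EmailAddresses = []string{sanEmail}
	}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}
func main() { fmt.Println(EmailFields(SampleCSR("admin@example.com", ""))) }
```

The same fields can be inspected by hand with `openssl req -in <file>.csr -noout -text`: look for `emailAddress` in the Subject line and `email:` under X509v3 Subject Alternative Name.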

@_az, looking at it in that light:

I can now see how that may be the case.
Even one is too many!

Hi @rg305,

Sure, I could share the CSR, but as @_az provided the solution for this problem, it is not needed anymore.

Thanks for your help!

Thank you so much for providing this insight, @_az!!

I'll ask the third party company to create another CSR without email information.

By the way, I thought that it was mandatory to have an email address in the CSR.

Why? I'm not familiar with such a rule.