Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output:
{
u'detail': u'Error unmarshaling finalize order request',
u'status': 400,
u'type': u'urn:ietf:params:acme:error:malformed'
}
My web server is (include version): don't know, GoDaddy. I can find out
The operating system my web server runs on is (include version): Linux, I think
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): don't know
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes, cPanel
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I am writing code to access the staging server. Everything seems to work until I get to finalize and submit the CSR. I Base64UrlEncoder.Encode the below contents. I do not know if something is wrong with the csr line - I don't know if the CSR contents have to have something specific. I put up a dev public site to test against (the chibichu.com), but it is hosted by GoDaddy, if that is a problem. I would appreciate any help. Thank you in advance.
Hi, yes, I realize I didn't send the actual encoded value.
I can send more details if needed. Nothing here will be used for 'real'... keys and certs etc... and the site is just for this dev purpose, and I am not uploading the cert to the site once I get it.

So a lot of the problem (is me :P) is I don't know much about CSRs, keys, signing, etc. To create the CSR I just went into openssl and tried to create one with the CN of the website (identifier). I submitted the request as I did all the previous requests (new-order, get authorizations, challenges, etc.) using the account keypair. Was I supposed to do something different with the CSR request? I saw this in the How It Works page:

"To obtain a certificate for the domain, the agent constructs a PKCS#10 Certificate Signing Request that asks the Let’s Encrypt CA to issue a certificate for example.com with a specified public key. As usual, the CSR includes a signature by the private key corresponding to the public key in the CSR. The agent also signs the whole CSR with the authorized key for example.com so that the Let’s Encrypt CA knows it’s authorized."

I didn't know what was meant by the signature by the private key corresponding to the public key in the CSR... Is that done automatically, or is that a step I am missing? I didn't have a specific public key, I just assumed anything required was rolled up inside the CSR. Sorry I am being so dumb on this.

I tried your suggestion and it complained about the public key length being wrong, so I am still futzing with it.
When you generate a CSR, you either need to pass in a private key or have one generated for you. It cannot be the same private key as your ACME account. That private key will be the private key for the resulting certificate (meaning that the CSR and certificate use the same private key). The error is almost certainly that the private key was of an unacceptable length/strength (number of bits). For RSA, this is the length of the modulus, which is part of both the public and private keys. A typical modulus length is 2048 bits. A stronger, but less common and slower, modulus length is 4096 bits. Check your settings for OpenSSL regarding the private key generation.
THANK YOU! That did it. I did not realize I needed to 'cleanse' the CSR itself prior to the encoding of the whole payload... and then I didn't realize I had fat-fingered my CSR creation command in openssl and had said 3027 instead of 3072.... derrrrrrrrrrr... (the other kind of der). Everyone on this site has been so helpful, you made my weekend! Thanks again.
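The two fixes that resolved this thread, as an added example (not code from any poster or from Let's Encrypt): strip the PEM armor so the finalize payload's `csr` field is the unpadded base64url of the DER request, and check the RSA modulus length before sending. The function names, the allowed-size list (taken from the sizes mentioned above) and the constructed CSR-shaped sample are assumptions; the key is assumed to be RSA.

```python
import base64, json

ALLOWED_RSA_BITS = (2048, 3072, 4096)  # assumption: the sizes named in this thread

def children(body):
    """Split the content of a DER constructed value into (tag, content) pairs."""
    out, i = [], 0
    while i < len(body):
        tag, n, i = body[i], body[i + 1], i + 2
        if n & 0x80:                              # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(body[i:i + k], "big"), i + k
        if i + n > len(body):
            raise ValueError("truncated DER")
        out.append((tag, body[i:i + n]))
        i += n
    return out

def rsa_bits(der):
    """Modulus length of the RSA key in a PKCS#10 request (RSA assumed)."""
    info = children(children(der)[0][1])[0][1]    # CertificationRequestInfo
    spki = children(info)[2][1]                   # after version and subject
    bit_string = children(spki)[1][1]             # after the algorithm identifier
    rsa_key = children(bit_string[1:])[0][1]      # skip the unused-bits octet
    return int.from_bytes(children(rsa_key)[0][1], "big").bit_length()

def finalize_payload(pem):
    """PEM CSR -> JSON for the finalize request: base64url of the DER, no padding."""
    lines = [l.strip() for l in pem.splitlines()]
    der = base64.b64decode("".join(l for l in lines if not l.startswith("-----")))
    bits = rsa_bits(der)
    if bits not in ALLOWED_RSA_BITS:
        raise ValueError(f"RSA modulus is {bits} bits, expected one of {ALLOWED_RSA_BITS}")
    return json.dumps({"csr": base64.urlsafe_b64encode(der).rstrip(b"=").decode()})

def tlv(tag, body):
    """DER-encode one element; used only to build the constructed sample below."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def sample_pem(bits):
    """Constructed CSR-shaped DER (placeholder modulus, no real signature), as PEM."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    der = tlv(0x30, info + tlv(0x30, b"") + tlv(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE REQUEST-----\n"
```

`finalize_payload(sample_pem(3027))` raises `ValueError`, which is the mistyped key size from the thread; a real CSR produced by openssl can be passed in place of the sample.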