Error unmarshaling certificate request

Client dev
1

Hi.

We are developing a custom client for our CMS system, and got everything working up to new-cert. We are getting a “Error unmarshaling certificate request” error message.

My understanding of when boulder is returning this error that is because of:

  1. Unable to parse the JSON of the payload, or
  2. x509.ParseCertificateRequest fails to parse the certificate.

I have validated CSR from different online parsers, returning no errors and are currently at a loss for why it does not accept my request.

Payload:

{
“resource”:“new-cert”,
“csr”:“MIICszCCAZ0CAQAwcjELMAkGA1UEBhMCTk8xHjAcBgkqhkiG9w0BCQEWD2RhbmllbEBkZXN0aS5ubzETMBEGA1UECgwKRGVzdGlubyBBUzEQMA4GA1UEBwwHU2FuZG5lczEcMBoGA1UEAwwTd3d3LmRlc3RpbmV0ZGVtby5ubzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKQchKHvAEvsAuAkVnbqy2xDWjImt9URnq8JZDHtSZTSOZ1kbdfz9YaWWLQm041bN9wBYTZYvVKLPJsg00YJ3ktMXosT_E52rKsTqdF9vt2FMWZ6DQWHFg93qqkT-427ZHZAXtYrMm1Jtqz7dDk8R80d_407KGCuy6n6hifa2fz6_KesKe-Q6ZOR4RtAbRLt16PXwyXFOivWvKF9ZgVHoaxrkm06QOJUoh-K5x8TNqY1XXB7cVvzHspxUApmUYuLLc8CESf6rgH080eq6uw519iffhP2AFyJ6UhJbPL_sMHI2tFb9xZJ8ZP7cFNE54XiV8b5huXXXoXIK2aY7larX6kCAwEAATALBgkqhkiG9w0BAQsDggEBAG2QBxs8OxWMxyo_EAKjX6Hzg-YqLn1mjs2dexjS6JcfAeMhsOGbSYWjMxsXD_cQftbx3gUz8VewfSB0GIp6pmMzcYyc-8r3-6_EwnTBCBE00HTvPN4iLx_b2hl9f3SIiivWjiDC8MNzPQPn2snZy3-xPphoYHbFX_40TIyQkcdjrHe3aZjdxj0rdKB7O3kU7XDSzA2ldjaq4RReKeyzaW9opjfxLnFY6HBeT93l83Ys8QE8ggRmULnthhJPsm0GAj-fWLz6wDxv_m_KiWemrZnf8P-TFKZLYRGS8dsc_yMPZfuBuzHB2u2ukf5CJArDyri4KhusvQOzAB1f3l8iKVA”
}

Certificate Request in PEM format:

-----BEGIN CERTIFICATE REQUEST-----
MIICszCCAZ0CAQAwcjELMAkGA1UEBhMCTk8xHjAcBgkqhkiG9w0BCQEWD2Rhbmll
bEBkZXN0aS5ubzETMBEGA1UECgwKRGVzdGlubyBBUzEQMA4GA1UEBwwHU2FuZG5l
czEcMBoGA1UEAwwTd3d3LmRlc3RpbmV0ZGVtby5ubzCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAKQchKHvAEvsAuAkVnbqy2xDWjImt9URnq8JZDHtSZTS
OZ1kbdfz9YaWWLQm041bN9wBYTZYvVKLPJsg00YJ3ktMXosT/E52rKsTqdF9vt2F
MWZ6DQWHFg93qqkT+427ZHZAXtYrMm1Jtqz7dDk8R80d/407KGCuy6n6hifa2fz6
/KesKe+Q6ZOR4RtAbRLt16PXwyXFOivWvKF9ZgVHoaxrkm06QOJUoh+K5x8TNqY1
XXB7cVvzHspxUApmUYuLLc8CESf6rgH080eq6uw519iffhP2AFyJ6UhJbPL/sMHI
2tFb9xZJ8ZP7cFNE54XiV8b5huXXXoXIK2aY7larX6kCAwEAATALBgkqhkiG9w0B
AQsDggEBAG2QBxs8OxWMxyo/EAKjX6Hzg+YqLn1mjs2dexjS6JcfAeMhsOGbSYWj
MxsXD/cQftbx3gUz8VewfSB0GIp6pmMzcYyc+8r3+6/EwnTBCBE00HTvPN4iLx/b
2hl9f3SIiivWjiDC8MNzPQPn2snZy3+xPphoYHbFX/40TIyQkcdjrHe3aZjdxj0r
dKB7O3kU7XDSzA2ldjaq4RReKeyzaW9opjfxLnFY6HBeT93l83Ys8QE8ggRmULnt
hhJPsm0GAj+fWLz6wDxv/m/KiWemrZnf8P+TFKZLYRGS8dsc/yMPZfuBuzHB2u2u
kf5CJArDyri4KhusvQOzAB1f3l8iKVA=
-----END CERTIFICATE REQUEST-----

Thanks,

Daniel Storjordet
Destino AS

3

Should there be an = at the end there?

4

Hi gustavf.

No, the base64encoding used by Lets Encrypt uses a different algorithm. The PEM version is just included for testing purposes.

Thanks,

Daniel Storjordet
Destino AS

5

If I’m looking in the Boulder code, it seems to me it’s really the JSON part which is throwing this error. How do you generate the JSON?

6

Hi.

I found the problem.

It helps using the more updated documentation :slight_smile:
https://tools.ietf.org/html/draft-barnes-acme-02#section-5.6
grin:

It states that the “The CSR MUST contain at least one extensionRequest attribute”. My CSR did not have any, therefor causing this error.

It would be nice for the future that the error message actually telling this, instead of returning a general error message.

Thanks,

Daniel Storjordet