Error when attempting to finalize order

My domain is: quadient.com

I ran this command: Submit-OrderFinalize -debug -verbose

It produced this output:
VERBOSE: Using the provided certificate request.
DEBUG: ACME Header:
{
"url": "https://acme-v02.api.letsencrypt.org/acme/finalize/347508360/100142418026",
"alg": "ES256",
"nonce": "0002VCsuxONXmDPTZ2Dk7TFMqcrZ7iEa9DWHOFJrrtAO_vg",
"kid": "https://acme-v02.api.letsencrypt.org/acme/acct/347508360"
}
DEBUG: ACME Payload:
{"csr":"MIICbDCCAVQCAQAwKTELMAkGA1UEBhMCVVMxGjAYBgNVBAMMEW1haWwucXVhZGllbnQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAueBuMQEmoyHkUqo7WtFEqDOHYlSizqhpsyRpVe9gdkt4X2QonPcK93gJ7aHIZc9yVgGSucw86_BCCsKMjLB9QUJ2dXYmVGZ85av_pbIJKWM7ZHh10ZviYTvktlvvZ-pYrkzypLvUrRJvKUsnntj0kMzG1e_mORHB0NfXhtM5X9CLBT2923_7cszAIjcWIwNWY7repw6FeA6TYSB7Hs4kLQx7PUQeBnG4J4vK6zyEV7SNXPqbz3eB_BzoHUFUkOyleWq1mql7mRv0rAEURUiJ9mS_v4-X7o-d4CcEXceVp1dDC_D7MmGBf2osqNr4NIzK4Axui6qX8PSipOykF60QeQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCwnple-QXFF6P5YZSxh-k7ghJcSlL4vCX0Zq6nkH1MszItJ6-qcPXe-qpVa_LH10nCyKV_ZmOuQwWrXlaUtDhFUo7ZQpP4lmBGG-HOxblzCvN06zRktwhWA0UB2R477EyaxA3TH988SqlxCeuFz7kpBrkFVIuiWP0UybiFSDR2f7EVBNbVuDa-V7x8NOsirIDfKBJxKXeuC0h2AWx7OuZc1011yFBYU1tXD8G9o1Twcesr6VrcN0Doqid6baIiT3hYFZ3bEQP9rHkPWY4keyLDBIuF8Qo2QmmgvOfgTHGROp15-lnmLj4s_XbEs02CICNUgM-S8rml4vuax-KZwBC_"}
DEBUG: Signing message using EC with SHA256
DEBUG: POST https://acme-v02.api.letsencrypt.org/acme/finalize/347508360/100142418026
{"payload":"eyJjc3IiOiJNSUlDYkRDQ0FWUUNBUUF3S1RFTE1Ba0dBMVVFQmhNQ1ZWTXhHakFZQmdOVkJBTU1FVzFoYVd3dWNYVmhaR2xsYm5RdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXVlQnVNUUVtb3lIa1VxbzdXdEZFcURPSFlsU2l6cWhwc3lScFZlOWdka3Q0WDJRb25QY0s5M2dKN2FISVpjOXlWZ0dTdWN3ODZfQkNDc0tNakxCOVFVSjJkWFltVkdaODVhdl9wYklKS1dNN1pIaDEwWnZpWVR2a3RsdnZaLXBZcmt6eXBMdlVyUkp2S1Vzbm50ajBrTXpHMWVfbU9SSEIwTmZYaHRNNVg5Q0xCVDI5MjNfN2NzekFJamNXSXdOV1k3cmVwdzZGZUE2VFlTQjdIczRrTFF4N1BVUWVCbkc0SjR2SzZ6eUVWN1NOWFBxYnozZUJfQnpvSFVGVWtPeWxlV3ExbXFsN21SdjByQUVVUlVpSjltU192NC1YN28tZDRDY0VYY2VWcDFkRENfRDdNbUdCZjJvc3FOcjROSXpLNEF4dWk2cVg4UFNpcE95a0Y2MFFlUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ3ducGxlLVFYRkY2UDVZWlN4aC1rN2doSmNTbEw0dkNYMFpxNm5rSDFNc3pJdEo2LXFjUFhlLXFwVmFfTEgxMG5DeUtWX1ptT3VRd1dyWGxhVXREaEZVbzdaUXBQNGxtQkdHLUhPeGJsekN2TjA2elJrdHdoV0EwVUIyUjQ3N0V5YXhBM1RIOTg4U3FseENldUZ6N2twQnJrRlZJdWlXUDBVeWJpRlNEUjJmN0VWQk5iVnVEYS1WN3g4Tk9zaXJJRGZLQkp4S1hldUMwaDJBV3g3T3VaYzEwMTF5RkJZVTF0WEQ4RzlvMVR3Y2VzcjZWcmNOMERvcWlkNmJhSWlUM2hZRlozYkVRUDlySGtQV1k0a2V5TERCSXVGOFFvMlFtbWd2T2ZnVEhHUk9wMTUtbG5tTGo0c19YYkVzMDJDSUNOVWdNLVM4cm1sNHZ1YXgtS1p3QkNfIn0","protected":"eyJ1cmwiOiJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9maW5hbGl6ZS8zNDc1MDgzNjAvMTAwMTQyNDE4MDI2IiwiYWxnIjoiRVMyNTYiLCJub25jZSI6IjAwMDJWQ3N1eE9OWG1EUFRaMkRrN1RGTXFjclo3aUVhOURXSE9GSnJydEFPX3ZnIiwia2lkIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8zNDc1MDgzNjAifQ","signature":"U-4M6zWFF-IITRSUXQFeoPbeb6Lb7NRXbtRcr_5RWZcPOw3sdQRqXrjSDkoplIS_qZRG1P2BYKvH_7ZNxqRylA"}
DEBUG: Updated nonce from error response: 0102JZxhGA-d1A2mI37FwIc-ZH-8QOzLZsRkgA38KEXew6g
DEBUG: Response Code 400, Body:
{
"type": "urn:ietf:params:acme:error:badNonce",
"detail": "JWS has an invalid anti-replay nonce: \"0002VCsuxONXmDPTZ2Dk7TFMqcrZ7iEa9DWHOFJrrtAO_vg\"",
"status": 400
}
VERBOSE: Nonce rejected by ACME server. Retrying with updated nonce.
DEBUG: ACME Header:
{
"url": "https://acme-v02.api.letsencrypt.org/acme/finalize/347508360/100142418026",
"alg": "ES256",
"nonce": "0102JZxhGA-d1A2mI37FwIc-ZH-8QOzLZsRkgA38KEXew6g",
"kid": "https://acme-v02.api.letsencrypt.org/acme/acct/347508360"
}
DEBUG: ACME Payload:
{"csr":"MIICbDCCAVQCAQAwKTELMAkGA1UEBhMCVVMxGjAYBgNVBAMMEW1haWwucXVhZGllbnQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAueBuMQEmoyHkUqo7WtFEqDOHYlSizqhpsyRpVe9gdkt4X2QonPcK93gJ7aHIZc9yVgGSucw86_BCCsKMjLB9QUJ2dXYmVGZ85av_pbIJKWM7ZHh10ZviYTvktlvvZ-pYrkzypLvUrRJvKUsnntj0kMzG1e_mORHB0NfXhtM5X9CLBT2923_7cszAIjcWIwNWY7repw6FeA6TYSB7Hs4kLQx7PUQeBnG4J4vK6zyEV7SNXPqbz3eB_BzoHUFUkOyleWq1mql7mRv0rAEURUiJ9mS_v4-X7o-d4CcEXceVp1dDC_D7MmGBf2osqNr4NIzK4Axui6qX8PSipOykF60QeQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCwnple-QXFF6P5YZSxh-k7ghJcSlL4vCX0Zq6nkH1MszItJ6-qcPXe-qpVa_LH10nCyKV_ZmOuQwWrXlaUtDhFUo7ZQpP4lmBGG-HOxblzCvN06zRktwhWA0UB2R477EyaxA3TH988SqlxCeuFz7kpBrkFVIuiWP0UybiFSDR2f7EVBNbVuDa-V7x8NOsirIDfKBJxKXeuC0h2AWx7OuZc1011yFBYU1tXD8G9o1Twcesr6VrcN0Doqid6baIiT3hYFZ3bEQP9rHkPWY4keyLDBIuF8Qo2QmmgvOfgTHGROp15-lnmLj4s_XbEs02CICNUgM-S8rml4vuax-KZwBC_"}
DEBUG: Signing message using EC with SHA256
DEBUG: POST https://acme-v02.api.letsencrypt.org/acme/finalize/347508360/100142418026
{"payload":"eyJjc3IiOiJNSUlDYkRDQ0FWUUNBUUF3S1RFTE1Ba0dBMVVFQmhNQ1ZWTXhHakFZQmdOVkJBTU1FVzFoYVd3dWNYVmhaR2xsYm5RdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXVlQnVNUUVtb3lIa1VxbzdXdEZFcURPSFlsU2l6cWhwc3lScFZlOWdka3Q0WDJRb25QY0s5M2dKN2FISVpjOXlWZ0dTdWN3ODZfQkNDc0tNakxCOVFVSjJkWFltVkdaODVhdl9wYklKS1dNN1pIaDEwWnZpWVR2a3RsdnZaLXBZcmt6eXBMdlVyUkp2S1Vzbm50ajBrTXpHMWVfbU9SSEIwTmZYaHRNNVg5Q0xCVDI5MjNfN2NzekFJamNXSXdOV1k3cmVwdzZGZUE2VFlTQjdIczRrTFF4N1BVUWVCbkc0SjR2SzZ6eUVWN1NOWFBxYnozZUJfQnpvSFVGVWtPeWxlV3ExbXFsN21SdjByQUVVUlVpSjltU192NC1YN28tZDRDY0VYY2VWcDFkRENfRDdNbUdCZjJvc3FOcjROSXpLNEF4dWk2cVg4UFNpcE95a0Y2MFFlUUlEQVFBQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ3ducGxlLVFYRkY2UDVZWlN4aC1rN2doSmNTbEw0dkNYMFpxNm5rSDFNc3pJdEo2LXFjUFhlLXFwVmFfTEgxMG5DeUtWX1ptT3VRd1dyWGxhVXREaEZVbzdaUXBQNGxtQkdHLUhPeGJsekN2TjA2elJrdHdoV0EwVUIyUjQ3N0V5YXhBM1RIOTg4U3FseENldUZ6N2twQnJrRlZJdWlXUDBVeWJpRlNEUjJmN0VWQk5iVnVEYS1WN3g4Tk9zaXJJRGZLQkp4S1hldUMwaDJBV3g3T3VaYzEwMTF5RkJZVTF0WEQ4RzlvMVR3Y2VzcjZWcmNOMERvcWlkNmJhSWlUM2hZRlozYkVRUDlySGtQV1k0a2V5TERCSXVGOFFvMlFtbWd2T2ZnVEhHUk9wMTUtbG5tTGo0c19YYkVzMDJDSUNOVWdNLVM4cm1sNHZ1YXgtS1p3QkNfIn0","protected":"eyJ1cmwiOiJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9maW5hbGl6ZS8zNDc1MDgzNjAvMTAwMTQyNDE4MDI2IiwiYWxnIjoiRVMyNTYiLCJub25jZSI6IjAxMDJKWnhoR0EtZDFBMm1JMzdGd0ljLVpILThRT3pMWnNSa2dBMzhLRVhldzZnIiwia2lkIjoiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8zNDc1MDgzNjAifQ","signature":"6phtCENO1cYCBao6dejn1-JU_Ccex6IWSBLuGyMjO9KqZOn_WFy5cyC83n_72_KMpDWy0RgPpU6bKe-4CWFcbQ"}
DEBUG: Updated nonce from error response: 0001wDKUs9OVQbvVP4npv2PTnlnHg5kZW3NtcwNCl7JPq7w
DEBUG: Response Code 400, Body:
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Error parsing certificate request: asn1: syntax error: sequence truncated",
"status": 400
}
OperationStopped: C:..\PowerShell\Modules\Posh-ACME\4.14.0\Private\Invoke-ACME.ps1:174
Line |
174 | throw [AcmeException]::new($acmeError.detail,$acmeError)
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Error parsing certificate request: asn1: syntax error: sequence truncated

My web server is (include version): Eloqua Hosted Microsite (I am providing cert to internal user)

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: Eloqua/Oracle

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Posh-ACME 4.14.0

@rmbolger Any thoughts on this? Not sure if the error is Posh-ACME related or CSR related. I was able to submit the same CSR with ZeroSSL and it was accepted no problem, but we do not use ZeroSSL in my org, we only use LE or Paid certs from CSC when absolutely necessary and I would prefer not to do that in this situation.

Hi @Bob.Gunn. Thanks for including the debug output. It looks like LE's Boulder ACME server is rejecting the CSR for some reason. I manually converted it to Base64 from Base64URL, added the CSR header/footer, and sent it through openssl, which parses it as this:

>openssl req -in test.csr -noout -text
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, CN = <redacted>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:b9:e0:6e:31:01:26:a3:21:e4:52:aa:3b:5a:d1:
                    44:a8:33:87:62:54:a2:ce:a8:69:b3:24:69:55:ef:
                    60:76:4b:78:5f:64:28:9c:f7:0a:f7:78:09:ed:a1:
                    c8:65:cf:72:56:01:92:b9:cc:3c:eb:f0:42:0a:c2:
                    8c:8c:b0:7d:41:42:76:75:76:26:54:66:7c:e5:ab:
                    ff:a5:b2:09:29:63:3b:64:78:75:d1:9b:e2:61:3b:
                    e4:b6:5b:ef:67:ea:58:ae:4c:f2:a4:bb:d4:ad:12:
                    6f:29:4b:27:9e:d8:f4:90:cc:c6:d5:ef:e6:39:11:
                    c1:d0:d7:d7:86:d3:39:5f:d0:8b:05:3d:bd:db:7f:
                    fb:72:cc:c0:22:37:16:23:03:56:63:ba:de:a7:0e:
                    85:78:0e:93:61:20:7b:1e:ce:24:2d:0c:7b:3d:44:
                    1e:06:71:b8:27:8b:ca:eb:3c:84:57:b4:8d:5c:fa:
                    9b:cf:77:81:fc:1c:e8:1d:41:54:90:ec:a5:79:6a:
                    b5:9a:a9:7b:99:1b:f4:ac:01:14:45:48:89:f6:64:
                    bf:bf:8f:97:ee:8f:9d:e0:27:04:5d:c7:95:a7:57:
                    43:0b:f0:fb:32:61:81:7f:6a:2c:a8:da:f8:34:8c:
                    ca:e0:0c:6e:8b:aa:97:f0:f4:a2:a4:ec:a4:17:ad:
                    10:79
                Exponent: 65537 (0x10001)
        Attributes:
    Signature Algorithm: sha256WithRSAEncryption
         b0:9e:99:5e:f9:05:c5:17:a3:f9:61:94:b1:87:e9:3b:82:12:
         5c:4a:52:f8:bc:25:f4:66:ae:a7:90:7d:4c:b3:32:2d:27:af:
         aa:70:f5:de:fa:aa:55:6b:f2:c7:d7:49:c2:c8:a5:7f:66:63:
         ae:43:05:ab:5e:56:94:b4:38:45:52:8e:d9:42:93:f8:96:60:
         46:1b:e1:ce:c5:b9:73:0a:f3:74:eb:34:64:b7:08:56:03:45:
         01:d9:1e:3b:ec:4c:9a:c4:0d:d3:1f:df:3c:4a:a9:71:09:eb:
         85:cf:b9:29:06:b9:05:54:8b:a2:58:fd:14:c9:b8:85:48:34:
         76:7f:b1:15:04:d6:d5:b8:36:be:57:bc:7c:34:eb:22:ac:80:
         df:28:12:71:29:77:ae:0b:48:76:01:6c:7b:3a:e6:5c:d7:4d:
         75:c8:50:58:53:5b:57:0f:c1:bd:a3:54:f0:71:eb:2b:e9:5a:
         dc:37:40:e8:aa:27:7a:6d:a2:22:4f:78:58:15:9d:db:11:03:
         fd:ac:79:0f:59:8e:24:7b:22:c3:04:8b:85:f1:0a:36:42:69:
         a0:bc:e7:e0:4c:71:91:3a:9d:79:fa:59:e6:2e:3e:2c:fd:76:
         c4:b3:4d:82:20:23:54:80:cf:92:f2:b9:a5:e2:fb:9a:c7:e2:
         99:c0:10:bf

The only thing I notice that's atypical is that it doesn't have any SAN extension and the Attributes field is empty. Not sure why that would trigger an ASN parsing error on the LE side though.

Anyone else have ideas why this CSR might be getting rejected by Boulder?

Here's the converted version I tested against:

3 Likes

I don't think the Attributes field is empty. Rather it seems to be missing entirely from the CSR, looking at the raw ASN.1:

  0 620: SEQUENCE {
  4 340:   SEQUENCE {
  8   1:     INTEGER 0
 11  41:     SEQUENCE {
 13  11:       SET {
 15   9:         SEQUENCE {
 17   3:           OBJECT IDENTIFIER countryName (2 5 4 6)
 22   2:           PrintableString 'US'
       :           }
       :         }
 26  26:       SET {
 28  24:         SEQUENCE {
 30   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
 35  17:           UTF8String 'mail.quadient.com'
       :           }
       :         }
       :       }
 54 290:     SEQUENCE {
 58  13:       SEQUENCE {
 60   9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
 71   0:         NULL
       :         }
 73 271:       BIT STRING, encapsulates {
 78 266:         SEQUENCE {
 82 257:           INTEGER
       :             00 B9 E0 6E 31 01 26 A3 21 E4 52 AA 3B 5A D1 44
       :             A8 33 87 62 54 A2 CE A8 69 B3 24 69 55 EF 60 76
       :             4B 78 5F 64 28 9C F7 0A F7 78 09 ED A1 C8 65 CF
       :             72 56 01 92 B9 CC 3C EB F0 42 0A C2 8C 8C B0 7D
       :             41 42 76 75 76 26 54 66 7C E5 AB FF A5 B2 09 29
       :             63 3B 64 78 75 D1 9B E2 61 3B E4 B6 5B EF 67 EA
       :             58 AE 4C F2 A4 BB D4 AD 12 6F 29 4B 27 9E D8 F4
       :             90 CC C6 D5 EF E6 39 11 C1 D0 D7 D7 86 D3 39 5F
       :                     [ Another 129 bytes skipped ]
343   3:           INTEGER 65537
       :           }
       :         }
       :       }
       :     }
348  13:   SEQUENCE {
350   9:     OBJECT IDENTIFIER sha256WithRSAEncryption (1 2 840 113549 1 1 11)
361   0:     NULL
       :     }
363 257:   BIT STRING
       :     B0 9E 99 5E F9 05 C5 17 A3 F9 61 94 B1 87 E9 3B
       :     82 12 5C 4A 52 F8 BC 25 F4 66 AE A7 90 7D 4C B3
       :     32 2D 27 AF AA 70 F5 DE FA AA 55 6B F2 C7 D7 49
       :     C2 C8 A5 7F 66 63 AE 43 05 AB 5E 56 94 B4 38 45
       :     52 8E D9 42 93 F8 96 60 46 1B E1 CE C5 B9 73 0A
       :     F3 74 EB 34 64 B7 08 56 03 45 01 D9 1E 3B EC 4C
       :     9A C4 0D D3 1F DF 3C 4A A9 71 09 EB 85 CF B9 29
       :     06 B9 05 54 8B A2 58 FD 14 C9 B8 85 48 34 76 7F
       :             [ Another 128 bytes skipped ]
       :   }

Quickly glancing over RFC2986, I'm not sure if it's allowed to omit the attributes sequence completely, rather than providing something empty. That may be what the Go CSR parser is stumbling over, even though most other parsers seem to not complain.

6 Likes
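
An added example, not part of any post in this thread: a structural check for the condition discussed above, reporting whether a CSR's CertificationRequestInfo carries the `[0]` attributes element, carries it empty, or omits it, so a CSR from an appliance can be screened before it is sent to an ACME server. The function names are hypothetical, the sample CSRs are constructed (placeholder name, zero-filled key and signature), and nothing here validates the key or signature.

```python
# Added example: DER structure check for a PKCS#10 CSR (structure only).

def tlv(tag, content=b""):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def read_tlv(buf, pos):
    """Decode the element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def attributes_state(csr_der):
    """Return 'missing', 'empty' or 'present' for the [0] attributes field."""
    tag, body, _ = read_tlv(csr_der, 0)
    if tag != 0x30:
        raise ValueError("CSR must start with a SEQUENCE")
    info = children(children(body)[0][1])     # fields of CertificationRequestInfo
    if [t for t, _ in info[:3]] != [0x02, 0x30, 0x30]:
        raise ValueError("expected version, subject, subjectPKInfo")
    if len(info) == 3:
        return "missing"                      # the shape shown in the ASN.1 dump above
    if info[3][0] != 0xA0:                    # context tag [0], constructed
        raise ValueError("unexpected field after subjectPKInfo")
    return "present" if info[3][1] else "empty"

# Constructed sample parts: placeholder CN, zero-filled key and signature bits.
NAME = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, b"example.test"))))
SPKI = tlv(0x30, tlv(0x03, b"\x00" + bytes(140)))   # long enough to need long-form length
SIG = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(0x05)) + tlv(0x03, bytes(17))

def build_csr(attrs):                         # attrs: encoded [0] element, or b"" to omit it
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x00") + NAME + SPKI + attrs) + SIG)
```

To run it against a real request, pass the Base64-decoded body of the PEM file to `attributes_state`.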

Good catch. Out of curiosity, what software/device generated the CSR, @Bob.Gunn?

5 Likes

@rmbolger the CSR was generated in Oracle/Eloqua for hosting of a microsite. I believe this particular CSR was generated as an EV Request. We tried the same with a SAN request with the same result. I was curious if the absence of anything under attributes was the cause. As an aside, generating the PAOrder throws a warning that there are no attributes but we believed it to be a red herring.

Previously: ECDSA certificate letsencrypt from csr HSM Luna Client - #8 by _az

4 Likes
