Failed to parse CSR file

Hi there, unfortunately I'm receiving an error from Certbot, which I'm having issues resolving.

I'm trying to manually request a certificate using a CSR generated from Azure.

My domain is: yuzedata.com

I ran this command: certbot certonly --manual --csr .\test.csr

It produced this output: Failed to parse CSR file: test.csr

The operating system my web server runs on is (include version):
Windows

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.24.0

I received the following error in the log file.

2022-07-12 16:50:14,287:DEBUG:certbot._internal.main:certbot version: 1.24.0
2022-07-12 16:50:14,287:DEBUG:certbot._internal.main:Location of certbot entry point: C:\Program Files (x86)\Certbot\bin\certbot.exe
2022-07-12 16:50:14,287:DEBUG:certbot._internal.main:Arguments: ['-v', '--preferred-challenges', 'dns', '--manual', '--csr', './star-yuzecase-com.csr', '--preconfigured-renewal']
2022-07-12 16:50:14,287:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-07-12 16:50:14,316:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\crypto_util.py", line 256, in import_csr_file
    csr = load(crypto.FILETYPE_ASN1, data)
  File "C:\Program Files (x86)\Certbot\pkgs\OpenSSL\crypto.py", line 2984, in load_certificate_request
    _openssl_assert(req != _ffi.NULL)
  File "C:\Program Files (x86)\Certbot\pkgs\OpenSSL\_util.py", line 69, in openssl_assert
    exception_from_error_queue(error)
  File "C:\Program Files (x86)\Certbot\pkgs\OpenSSL\_util.py", line 55, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'asn1_check_tlen', 'wrong tag'), ('asn1 encoding routines', 'asn1_item_embed_d2i', 'nested asn1 error')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\crypto_util.py", line 259, in import_csr_file
    csr = load(PEM, data)
  File "C:\Program Files (x86)\Certbot\pkgs\OpenSSL\crypto.py", line 2984, in load_certificate_request
    _openssl_assert(req != _ffi.NULL)
  File "C:\Program Files (x86)\Certbot\pkgs\OpenSSL\_util.py", line 69, in openssl_assert
    exception_from_error_queue(error)
  File "C:\Program Files (x86)\Certbot\pkgs\OpenSSL\_util.py", line 55, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.crypto.Error: [('PEM routines', 'get_name', 'no start line')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "runpy.py", line 197, in _run_module_as_main
  File "runpy.py", line 87, in _run_code
  File "C:\Program Files (x86)\Certbot\bin\certbot.exe\__main__.py", line 29, in <module>
    sys.exit(main())
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\main.py", line 19, in main
    return internal_main.main(cli_args)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\main.py", line 1651, in main
    args = cli.prepare_and_parse_args(plugins, cli_args)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\cli\__init__.py", line 454, in prepare_and_parse_args
    return helpful.parse_args()
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\cli\helpful.py", line 213, in parse_args
    self.handle_csr(parsed_args)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\_internal\cli\helpful.py", line 276, in handle_csr
    typ, csr, domains = crypto_util.import_csr_file(csrfile, contents)
  File "C:\Program Files (x86)\Certbot\pkgs\certbot\crypto_util.py", line 261, in import_csr_file
    raise errors.Error("Failed to parse CSR file: {0}".format(csrfile))
certbot.errors.Error: Failed to parse CSR file: D:\yuzedata\Tesseract\scripts\certificates\star-yuzecase-com.csr
2022-07-12 16:50:14,316:ERROR:certbot._internal.log:Failed to parse CSR file: D:\yuzedata\Tesseract\scripts\certificates\star-yuzecase-com.csr

Really hope you can help. Thanks a lot in advance.
With kind regards,
Erwin

Hi @Erwinvandervalk and welcome to the LE community forum :slight_smile:

Might it be possible for you to share your CSR (.pem format would be nice but not required, as it is ASCII and pastes in and out of replies easily)?

Actually, thinking about it, it would be best to just attach the exact file .\test.csr in case the issue is a file format issue that certbot didn't like.

Also, you may or may not know that CSRs do not contain the private key, so they are safe to share from that perspective.

3 Likes

What generated that CSR in the first place? Is it really necessary to use a CSR? The Certbot --csr option is reaaaaally not that sophisticated and lacks many regular Certbot features. E.g., when using --csr, the issued certificate is not stored in the Certbot certificate repository, it's only outputted to the current working directory with some incremental file names which are quite hard to predict. In essence, it's a manual process and manual processes are not recommended to begin with.

So my first advice would be: can you forgo the CSR and use a regular method where Certbot generates the CSR for you?

7 Likes

Curious as to why the CSR is generated from Azure.

2 Likes

Ah, sorry, missed that. Although I'm not familiar with Azure, so no clue what that means exactly and if it's absolutely necessary.

5 Likes

Does the CSR start with one of these two lines?

  -----BEGIN CERTIFICATE REQUEST-----
  -----BEGIN NEW CERTIFICATE REQUEST-----

I've seen some Microsoft tools in particular use "NEW" in there, which is "in widespread use" according to RFC 7468: Textual Encodings of PKIX, PKCS, and CMS Structures but isn't the standard version.

I'm guessing this is a possible issue based on the traceback, though I haven't gone in to read the relevant certbot code yet.

7 Likes

A quick test makes it seem that Certbot does support both formats of CSRs, so that's actually not likely the scenario.

Can you say which Azure feature you used to produce the CSR? I can make my own to test in that situation.

6 Likes

Hi bruce, thanks so much for your reply. Here are the CSR contents. I've opened it with a tool and it seems OK. Do you see anything weird?

-----BEGIN CERTIFICATE REQUEST-----
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
-----END CERTIFICATE REQUEST-----

4 Likes

Hi mcpherrinm, Thanks so much for your reply.

It might be that I'm going at things the wrong way. I'm trying to create certificates to be used in Azure (cloud-based) services. Azure can generate regular certificates for me, but I need a wildcard cert, hence I'm trying to use Let's Encrypt.

Certbot really seems to want to run on a webserver, but that's not really an option for me unfortunately.

Here's the process. I have a request file:

{
  "issuerParameters": {
    "name": "Unknown"
  },
  "x509CertificateProperties": {
    "ekus": [
      "1.3.6.1.5.5.7.3.1"
    ],
    "subject": "C=US, ST=WA, L=Redmond, O=YuzeData, OU=YuzeData, CN=#url#",
    "subjectAlternativeNames": {
      "dnsNames": [
        "#url#",
        "*.#url#"
      ],
      "emails": [
        "me@me.com"
      ]
    }
  }
}

I replace '#url#' with the actual URL and save it as 'csr.json'. Then I use the following (PowerShell) script:

az keyvault certificate create --vault-name $keyvault -n $certname --policy `@csr.json

with this script, I retrieve the CSR

# `--query csr` prints the CSR as a JSON string, i.e. wrapped in double quotes,
# so the quotes are stripped before the value is written out.
$cert = az keyvault certificate pending show `
        --vault-name $keyvault `
        --name $certname `
        --query csr
# Windows PowerShell 5.1's Out-File defaults to UTF-16LE with a BOM; OpenSSL only
# reads DER or ASCII PEM, so write the file as ASCII explicitly.
$cert -replace "`"", "" | out-file "$certname.csr" -Encoding ascii
get-content "$certname.csr" | write-host

and then I request the cert.

certbot certonly -v `
    --preferred-challenges dns `
    --manual `
    --csr "./$certname.csr"

Hope this makes sense.

4 Likes

Weird, if I put that CSR in a file and feed it to Certbot, it does not complain about it?

5 Likes

Are you using the same version of certbot, also on Windows?

4 Likes

No, I'm running Linux, which certainly could make the difference. E.g., that entire file OpenSSL_util.py which seems to be generating the error is nowhere to be found on my system.

5 Likes