Failed to sign csr ERROR

Hello @radap,

To check if the created CSR is using the SHA1 or SHA256 algorithm, check your CSR file node01.csr (sorry, but I don’t know how to perform this task using keytool, so I’ll use openssl):

openssl req -in node01.csr -text -noout

And you’ll see the details of your cert; pay attention to Signature Algorithm, which should look something like this:

Signature Algorithm: sha256WithRSAEncryption

Well, if you are able to see the details of your csr using the above openssl command, then your csr was created in PEM format, and that won’t work with Let’s Encrypt; the CSR should be in DER format.

To convert your CSR to DER format using openssl:

openssl req -outform der -in node01.csr -out node01.der

Now if you use the first openssl command to check your new converted CSR you should get this error:

openssl req -in node01.der -text -noout
unable to load X509 request
3332:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:701:Expecting: CERTIFICATE REQUEST

So, now that your csr is in DER format, you should check it using this command:

openssl req -inform der -in node01.der -text -noout

Now you should try again to issue your certificate with letsencrypt-auto, but pointing to the node01.der file instead of node01.csr.

Note: Just a comment, you are creating your csr using -ext san=dns:sample.com,ip:11.11.11.11 but Let’s Encrypt only accepts DNS: not IP:, so I don’t know if Let’s Encrypt will remove the IP: option from the CERT, will ignore it or will fail to accept your signing request; keep this in mind.

Cheers,
sahsanu
