Failed to sign csr ERROR

I'm trying to sign a csr file and use it with Elasticsearch Shield.

Creating the csr file:

cd CONFIG_DIR/shield
keytool -importcert -keystore node01.jks -file letsencrypt_public.pem -alias letsencrypt
keytool -genkey -alias node01 -keystore node01.jks -keyalg RSA -keysize 2048 -validity 712 -ext san=dns:mydomain.com,ip:11.11.11.11
keytool -certreq -alias node01 -keystore node01.jks -file node01.csr -keyalg rsa -ext san=dns:mydomain.com,ip:11.11.11.11

Using letsencrypt official client:

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
sudo ./letsencrypt-auto auth --csr /etc/elasticsearch/shield/node01.csr

The output:

 etc/elasticsearch/shield/node01.csr
 Checking for new version...
 Requesting root privileges to run letsencrypt...
 /home/usera/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade auth --csr /etc/elasticsearch/shield/node01.csr
 No handlers could be found for logger "letsencrypt.crypto_util"
 An unexpected error occurred:
 The server experienced an internal error :: Error creating new cert
 Please see the logfiles in /var/log/letsencrypt for more details.

The error log:

usera@ip-11-11-11-11:~$ sudo cat /var/log/letsencrypt/letsencrypt.log | grep error
raise errors.NoInstallationError
2016-02-21 12:24:30,042:DEBUG:letsencrypt.plugins.disco:Other error:   (PluginEntryPoint#webroot): Missing parts of webroot configuration; please   set either --webroot-path and --domains, or --webroot-map. Run with  -- help webroot for examples.
2016-02-21 12:24:34,354:DEBUG:root:Received <Response [500]>. Headers: {'Content-Length': '88', 'Expires': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 21 Feb 2016       12:24:33 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'ldZn123451Bb5D1234godjteu1VLjZ5o7esrty49olv'}. Content: '{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}'
2016-02-21 12:24:34,354:DEBUG:acme.client:Received response <Response [500]> (headers: {'Content-Length': '88', 'Expires': 'Sun, 21 Feb 2016   12:24:33 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 21   Feb 2016 12:24:33 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'ldZn123451Bb5D1234godjteu1VLjZ5o7esrty49olv'}):  '{"type":"urn:acme:error:serverInternal","detail":"Error creating new  cert","status":500}'
Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Error creating new cert

I suppose I will shut down nginx once I get Shield to work, so what is the problem here? Why can't I sign the csr file?

Does the CSR use SHA1 or SHA256? Let’s Encrypt needs the latter.

I don't understand you…
How do I check if the csr uses sha1 or sha256?
What letter?

Hello @radap,

To check whether the created CSR is using the SHA1 or SHA256 algorithm, check your CSR file node01.csr (sorry, but I don't know how to perform this task using keytool, so I'll use openssl):

openssl req -in node01.csr -text -noout

And you'll see the details of your cert; pay attention to Signature Algorithm, which should be something like this:

Signature Algorithm: sha256WithRSAEncryption

Well, if you are able to see the details of your csr using the above openssl command, then your csr was created in PEM format and that won't work with Let's Encrypt; the CSR should be in DER format.

To convert your CSR to DER format using openssl:

openssl req -outform der -in node01.csr -out node01.der

Now if you use the first openssl command to check your new converted CSR you should get this error:

openssl req -in node01.der -text -noout
unable to load X509 request
3332:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:701:Expecting: CERTIFICATE REQUEST

So, now that your csr is in DER format, you should check it using this command:

openssl req -inform der -in node01.der -text -noout

Now you should try again to issue your certificate with letsencrypt-auto, but pointing to the node01.der file instead of node01.csr.

Note: Just a comment, you are creating your csr using -ext san=dns:sample.com,ip:11.11.11.11, but Let's Encrypt only accepts DNS:, not IP:, so I don't know if Let's Encrypt will remove the IP: option from the CERT, will ignore it, or will fail to accept your signing request; keep this in mind.

Cheers,
sahsanu

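Added example, not code from the thread or from the Let's Encrypt client: a stdlib-only Python check for the two points above. It takes either the PEM that keytool -certreq writes or DER, converts PEM to DER (the same conversion as the openssl -outform der step), and reads the outer signatureAlgorithm OID of the PKCS#10 structure to tell sha1WithRSAEncryption from sha256WithRSAEncryption. The sample CSR is a constructed skeleton with no real key or signature; the same functions work on a real node01.csr.

```python
import base64

SIG_ALG_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def to_der(csr: bytes) -> bytes:
    """Accept PEM (what keytool -certreq writes) or DER; return DER bytes."""
    if csr.lstrip().startswith(b"-----BEGIN"):
        body = [l for l in csr.splitlines() if not l.startswith(b"-----")]
        return base64.b64decode(b"".join(body))
    return csr

def _read_tlv(buf: bytes, pos: int):
    """Minimal DER reader: (tag, value_start, value_end) of the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw: bytes) -> str:
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                                  # base-128 sub-identifiers
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(csr: bytes) -> str:
    """Name of the outer signatureAlgorithm of a PKCS#10 CSR (PEM or DER)."""
    der = to_der(csr)
    _, start, _ = _read_tlv(der, 0)             # CertificationRequest SEQUENCE
    _, _, info_end = _read_tlv(der, start)      # skip certificationRequestInfo
    _, alg_start, _ = _read_tlv(der, info_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_ALG_NAMES.get(oid, oid)

# Constructed sample: PKCS#10-shaped skeleton (empty info, dummy BIT STRING), not a real CSR.
def _skeleton(oid_tlv: bytes) -> bytes:
    alg = b"\x30" + bytes([len(oid_tlv) + 2]) + oid_tlv + b"\x05\x00"  # OID + NULL
    body = b"\x30\x00" + alg + b"\x03\x02\x00\xff"
    return b"\x30" + bytes([len(body)]) + body

SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
SHA1_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"
SAMPLE_PEM = (b"-----BEGIN NEW CERTIFICATE REQUEST-----\n" + base64.encodebytes(
    _skeleton(SHA256_RSA)) + b"-----END NEW CERTIFICATE REQUEST-----\n")
```

On a real request, `signature_algorithm(open("node01.csr", "rb").read())` gives the name openssl prints, and `to_der()` returns the bytes to write out as node01.der.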

Hello @sahsanu,

I did everything you said: created a new csr, made sure it is in DER format and also didn't add the IP to the request:

`./letsencrypt-auto auth --csr /etc/elasticsearch/shield/node01.der`

the output is:

Checking for new version...
Requesting root privileges to run letsencrypt...
/home/ubuntu/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade auth --csr /etc/elasticsearch/shield/node01.der
An unexpected error occurred:
The client lacks sufficient authorization :: Error creating new cert :: Authorizations for these names not found or     expired: mydomain.com
Please see the logfiles in /var/log/letsencrypt for more details.

and the log:

raise messages.Error.from_json(jobj)
Error: urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error creating new cert :: Authorizations for these names not found or expired: mydomain.com

Why can't I get it right?

You forgot to specify an authentication method; the command should include -w /path/to/webroot

Yes, it worked!
The problem was everything @sahsanu said, and also the csr creation:
In the first try I didn't pay attention to the CN and OU fields, and after I put the whole DNS address there it worked.

./letsencrypt-auto auth --csr /etc/elasticsearch/shield/node01.der
Checking for new version...
Requesting root privileges to run letsencrypt...
   sudo /home/ubuntu/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade auth --csr /etc/elasticsearch/shield/node01.der

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /home/ubuntu/letsencrypt/0001_chain.pem. Your cert will expire on
   2016-05-22. To obtain a new version of the certificate in the
   future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Thank you! :deciduous_tree:
