Gethttpsforfree - WildCard Domain in CSR SAN Causes Errors


#1

Please fill out the fields below so we can help you better.

My domain is: www.liorun.com

I ran this command:*

It produced this output:*

My operating system is (include version): Linux version 2.6.32-673.26.1.lve1.4.25.el6.x86_64 (mockbuild@build.cloudlinux.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) ) #1 SMP Wed Apr 5 16:33:01 EDT 2017

My web server is (include version): Linux sg2plcpnl0065.prod.sin2.secureserver.net 2.6.32-673.26.1.lve1.4.25.el6.x86_64 #1 SMP Wed Apr 5 16:33:01 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cpanel 11.62.0.20


#2

Hi @496988685,

The actual error appears to be “Invalid character in DNS name”. Which name or names are you trying to get a certificate for here?

If you have an internationalized domain name (IDN), the certificate authority currently requires that you submit the request using the A-label (“xn--”) form rather than Unicode form—for example xn--lt0a.com instead of 美.com. I think the gethttpsforfree service may not have implemented any warnings about this issue.


#3

Thank you for so much concern. I want to give “liorun.com” a certificate.
Well… :), I understand what the xn form is, and… what could I do? Please give me some suggestions.
^-^ ^-^ ^-^


#4

Hi @496988685,

If you do have root shell access on your server, why did you choose to use gethttpsforfree.com instead of installing a Let’s Encrypt client application on the server?

Can you show exactly how you gave gethttpsforfree.com the list of domains for which you wanted to request a certificate?


#5

I use PuTTY to control my GoDaddy Linux OS, :frowning: maybe… I’m not root…


#6

Hmmm, I’m not sure why you got the error about the domain name. You can feel free to paste the CSR here too and we can take a look at it.

If you’re not able to install client software as root on your machine, I might suggest using https://zerossl.com/ instead of https://gethttpsforfree.com/. ZeroSSL does more of the tasks for you automatically inside of your browser, although it is otherwise similar in concept.


#7

This CSR was made in my GoDaddy account.


#8

yes.yes .i get her…


but hmmmmmmmm. https No display.:joy:


#9

@496988685

Please paste (as in paste the text, not an image) your CSR so we can use tools to verify it is in fact correct.

As we do not have the private key there is very little we can do with the CSR.

My suspicion is that GoDaddy is adding extra bits that Let’s Encrypt doesn’t like.

Andrei


#10

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----


#11

This is displayed as HTTPS because I have added some code to .htaccess.



#12

Hi @496988685,

If you run your CSR through a checker: https://www.sslshopper.com/csr-decoder.html

The issue is with the fact you are trying to get a Wildcard Certificate, which Let’s Encrypt doesn’t allow.

If you remove the *.liorun.com from your CSR you will be able to get certificates issued.

Andrei


#13

@diafygi

I don’t believe HTTPSforFree currently excludes wildcards during ASN1 parsing.

Might be something to think about.

Not teaching you how to suck eggs - just spent a lot of time learning from your code base.

Andrei
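
A pre-submission check for the three name problems raised in this thread (a wildcard entry, a Unicode IDN not in A-label form, and a character that is not valid in a DNS name), added here as an example that is not part of any post and is not gethttpsforfree's code. `checkName`, `checkSanNames` and the sample list are hypothetical; the function takes names already extracted from a CSR and does not parse ASN.1.

```javascript
// Added example (hypothetical helper names): validate the DNS names requested
// in a CSR before sending them to the CA.
// One LDH label: letters, digits, hyphen; no leading/trailing hyphen; max 63 chars.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
const NON_ASCII = /[^\x00-\x7f]/;

function checkName(raw) {
  const name = raw.trim().toLowerCase().replace(/\.$/, "");
  const problems = [];
  if (name.length === 0 || name.length > 253) problems.push("bad-length");
  // Unicode IDNs must be submitted in A-label (xn--) form, as post #2 explains.
  if (NON_ASCII.test(name)) problems.push("unicode-needs-a-label");
  const labels = name.split(".");
  // Wildcard entries are flagged because the thread reports the CA rejecting them.
  if (labels[0] === "*") {
    problems.push("wildcard");
    labels.shift();
  }
  if (labels.length < 2) problems.push("not-fully-qualified");
  for (const label of labels) {
    if (NON_ASCII.test(label)) continue; // already reported for the whole name
    if (!LABEL.test(label)) problems.push(`invalid-label:${label}`);
  }
  return { name, problems };
}

function checkSanNames(names) {
  const results = names.map(checkName);
  return {
    ok: results.filter((r) => r.problems.length === 0).map((r) => r.name),
    rejected: results.filter((r) => r.problems.length > 0),
  };
}

// Constructed sample list; the real CSR contents are not reproduced here.
const sample = [
  "liorun.com", "www.liorun.com", "*.liorun.com",
  "美.com", "xn--lt0a.com", "bad_name.example.com",
];
const report = checkSanNames(sample);
console.log("acceptable:", report.ok.join(", "));
for (const r of report.rejected) {
  console.log("rejected:", r.name, "->", r.problems.join(", "));
}
```
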


#14

:grin::grin:
This is a very pertinent suggestion, I am willing to accept it and do it. Actually, I am learning JavaScript now, and this issue is a part of my learning programme. Thanks again.


#15

GoDaddy maybe ready refuse Let’s Encrypt SSL?


#16

How did you manage to solve this?

Can you share so that others may learn, please?

Andrei


#17

I think the Certificate Authority Bundle mentioned will be the chain provided by Let’s Encrypt. The Certbot tool provides this in a file named chain.pem; other software may name it differently.

The purpose of this data is to create a chain of trust showing the Let’s Encrypt Authority X3 which signed the certificate has in turn another certificate signed by a CA; for some certificates there can be three or four steps, but it’s the same idea.

