Getssl error after update from 2.28 to 2.29 - Getssl-bug Spaces in SANS causes failure to generate CSR

My domain is: fullbore.co.uk

I ran this command: /usr/local/bin/getssl -u -a -w /etc/getssl

It produced this output:
Check all certificates
creating domain csr - /etc/getssl/holtain.net/holtain.net.csr
Error Loading request extension section SAN
24181:error:2206D06D:X509 V3 routines:X509V3_parse_list:invalid null value:v3_utl.c:299:
24181:error:22097069:X509 V3 routines:DO_EXT_NCONF:invalid extension string:v3_conf.c:139:name=subjectAltName,section=DNS:holtain.net,DNS:www.holtain.net,DNS:update.holtain.net,DNS:nitrogen.huntingdon.holtain.net,DNS:nitrogen2.huntingdon.holtain.net,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:fullbore.co.uk,DNS:www.fullbore.co.uk,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:test.holtain.co.uk,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:photos.niamh.org.uk,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:photos.fullbore.com
24181:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:93:name=subjectAltName, value=DNS:holtain.net,DNS:www.holtain.net,DNS:update.holtain.net,DNS:nitrogen.huntingdon.holtain.net,DNS:nitrogen2.huntingdon.holtain.net,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:fullbore.co.uk,DNS:www.fullbore.co.uk,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:test.holtain.co.uk,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:photos.niamh.org.uk,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:,DNS:photos.fullbore.com
Registering account
Verify each domain
Verifying holtain.net
holtain.net is already validated
Verifying www.holtain.net
www.holtain.net is already validated
Verifying update.holtain.net
update.holtain.net is already validated
Verifying nitrogen.huntingdon.holtain.net
nitrogen.huntingdon.holtain.net is already validated
Verifying nitrogen2.huntingdon.holtain.net
nitrogen2.huntingdon.holtain.net is already validated
Verifying fullbore.co.uk
fullbore.co.uk is already validated
Verifying www.fullbore.co.uk
www.fullbore.co.uk is already validated
Verifying test.holtain.co.uk
test.holtain.co.uk is already validated
Verifying photos.niamh.org.uk
photos.niamh.org.uk is already validated
Verifying photos.fullbore.com
photos.fullbore.com is already validated
Verification completed, obtaining certificate.
unable to load X509 request
25283:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: CERTIFICATE REQUEST
Requesting Finalize Link
getssl: ACME server returned error: 400: "detail": "Error parsing certificate request: asn1: syntax error: sequence truncated",

My web server is (include version):Apache/2.2.3

The operating system my web server runs on is (include version):CentOS 5 (yes I know it’s being retired)

My hosting provider, if applicable, is: wizards.co.uk

I can login to a root shell on my machine (yes or no, or I don’t know):Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): getssl 2.29

Hi @Niamh

I’ve never used Getssl.

But that

looks buggy, like a wrongly created Certificate Signing Request with a lot of empty domain names.

Please share that CSR.

Or check if GetSSL has an update.

PS: Checking the Issues, there is your bug:

And there is a fix.


Thanks, Google failed to find that on github.

Annoying thing is getssl.cfg hasn’t changed for years

Hi @Niamh

Sorry for the delay in responding, I’ve been on holiday without internet access for the last two weeks.

Apologies for the problem you’ve had with getssl. It was caused by a recent change to allow space-separated SANS entries in getssl.cfg, which then breaks if anyone used spaces and commas to separate entries!

I’m just about to push the fix to master and will release a new version with the fix in a day or two.
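The failure discussed in this thread (a SANS value mixing commas and whitespace that ends up as empty `DNS:` entries in the CSR extension) can be caught before openssl is invoked. The following is an added example, not getssl's code and not the fix mentioned above; the function names and the example.com hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example (not getssl's own code). Hostnames are constructed samples.

# Collapse any mix of commas, spaces, tabs and newlines into single commas,
# then drop a leading or trailing comma.
normalise_sans() {
    printf '%s' "$1" | tr ' \t\n' ',,,' | tr -s ',' | sed -e 's/^,//' -e 's/,$//'
}

# Build a subjectAltName value from the primary domain ($1) and SANS list ($2).
build_san_ext() {
    list=$(normalise_sans "$1,$2")
    printf 'DNS:%s\n' "$(printf '%s' "$list" | sed 's/,/,DNS:/g')"
}

# Exit status 0 if the value contains an empty "DNS:" entry, the condition
# openssl rejects with "invalid null value" in the output quoted above.
has_empty_entry() {
    printf '%s\n' "$1" | grep -Eq 'DNS:[[:space:]]*(,|$)'
}

# Constructed SANS value using both commas and whitespace as separators.
SAMPLE_SANS='www.example.com, api.example.com,
      mail.example.com'

san=$(build_san_ext example.com "$SAMPLE_SANS")
if has_empty_entry "$san"; then
    echo "refusing to build CSR, empty SAN entry in: $san" >&2
else
    echo "subjectAltName=$san"
fi
```

Running `has_empty_entry` on the `subjectAltName` value a client is about to pass to openssl turns the later "sequence truncated" rejection from the ACME server into an early local error.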
