Help with getting a CSR to work


#1

I get this if I run ./letsencrypt-auto --csr CSR.der

If I select my domain that is in the CSR, it gets a cert, but the client generates a new CSR and key, not using my CSR that I gave it.
Here is my CSR in PEM and the DER format that I had to convert from the PEM CSR:
-----BEGIN CERTIFICATE REQUEST-----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=
-----END CERTIFICATE REQUEST-----
I converted it over to der using this command:
openssl req -outform der -in CSR.csr -out CSR.der
and here is current config file for the client to use for a cron job
http://pastebin.com/kBN6Yx43 (uploaded as a paste due to some formatting oddities when posted here)
Also, I get the same issue if I use a CSR that was generated by the LE client.
I noticed it is in the PEM format, not DER, so I had to convert it via the same command.
Also, if I try the PEM unconverted, it does the same.
Am I doing something wrong?


#3

See https://github.com/letsencrypt/letsencrypt/issues/2206

If you just pass the --csr switch, the client will run in automated mode, for example with the Apache plugin. Because of that, it ignores the --csr (according to the issue above).

You should use a plugin like --webroot for --csr to work.

Is there a reason you want to use your own CSR? Is it because of the attributes you put in there? B/c those ‘custom’ attributes are probably ignored anyway by Boulder.


#4

My reason for using a CSR is TLSA records, more so to keep me from changing the record every month or so.


#5

Ah ok, makes sense I guess… I don’t know very much about DANE/TLS, but if you want to make sure the public/private keypair is always the same, it makes sense indeed. I actually don’t know if the official LE client re-uses the CSR (and keypair) for renewal, but --csr is always an option. Just use the --webroot plugin for that… Unfortunately, you won’t get all the automated Apache stuff.
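The point made in the last two posts (keep the keypair fixed so the DANE record does not change) can be checked directly with openssl. The script below is an added example, not code from the thread or from the Let's Encrypt client: it generates a key and a CSR once, converts the CSR to DER the same way the original poster did, and computes the TLSA "3 1 1" value (SHA-256 of the DER SubjectPublicKeyInfo) from the key, from the CSR, and, once you have it, from the issued certificate. All three hashes are identical as long as the same key is reused, which is exactly why a stable CSR keeps the TLSA record stable. The domain, working directory and webroot path are placeholders, and the client command at the end is printed rather than run.

```shell
#!/bin/sh
# Added example (not part of the thread): a fixed key + CSR for use with
# `letsencrypt-auto --csr`, plus the TLSA 3 1 1 value that stays constant
# across renewals as long as the same key is reused.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"       # assumption: scratch dir for key/CSR
DOMAIN="${DOMAIN:-example.com}"          # assumption: placeholder domain
WEBROOT="${WEBROOT:-/var/www/html}"      # assumption: placeholder webroot

# Generate the key and CSR once. A minimal inline req config avoids any
# dependency on the system openssl.cnf and adds a SAN for the domain.
make_key_and_csr() {
  openssl genrsa -out "$WORKDIR/$DOMAIN.key" 2048 2>/dev/null
  cat > "$WORKDIR/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $DOMAIN
[v3_req]
subjectAltName = DNS:$DOMAIN
EOF
  openssl req -new -key "$WORKDIR/$DOMAIN.key" -config "$WORKDIR/req.cnf" \
      -out "$WORKDIR/$DOMAIN.csr"
  # Same PEM -> DER conversion the original poster used.
  openssl req -outform der -in "$WORKDIR/$DOMAIN.csr" -out "$WORKDIR/$DOMAIN.der"
}

# Sanity check that the DER file is a well-formed, self-signed CSR.
verify_der_csr() {
  openssl req -inform der -in "$1" -noout -verify >/dev/null 2>&1
}

# SHA-256 over the DER SubjectPublicKeyInfo, i.e. the TLSA 3 1 1 payload.
spki_sha256() {
  openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}
tlsa_from_key()  { openssl pkey -in "$1" -pubout | spki_sha256; }
tlsa_from_csr()  { openssl req  -in "$1" -pubkey -noout | spki_sha256; }
tlsa_from_cert() { openssl x509 -in "$1" -pubkey -noout | spki_sha256; }   # after issuance

# The DNS record to publish; it only changes if the key changes.
tlsa_record() {
  printf '_443._tcp.%s. IN TLSA 3 1 1 %s\n' "$DOMAIN" "$(tlsa_from_key "$WORKDIR/$DOMAIN.key")"
}

# The client invocation that reuses this CSR (printed, not executed here).
# --webroot is the plugin the thread recommends for --csr; certbot accepts the
# CSR in PEM or DER (assumption about current client versions).
show_client_command() {
  printf './letsencrypt-auto certonly --webroot -w %s -d %s --csr %s\n' \
      "$WEBROOT" "$DOMAIN" "$WORKDIR/$DOMAIN.der"
}

make_key_and_csr
verify_der_csr "$WORKDIR/$DOMAIN.der"
tlsa_record
show_client_command
```

Run it once to create the key and CSR, publish the TLSA line it prints, and keep pointing the client at the same CSR on every renewal; the renewed certificate's `tlsa_from_cert` value will match the record already in DNS. If you ever regenerate the key, publish the new record alongside the old one before switching certificates, since DANE validators cache the old hash for the record TTL.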


#6

Enh, it allows me to code some scripts.