Invalid signature on CSR?


#1

Hi, I am trying to get SAN requests running, but on the final step, when requesting the certificate, I am stuck.
Can someone help me find where the error in this request is?

Request:
{“header”: {“alg”: “RS256”, “jwk”: {“e”: “AQAB”, “kty”: “RSA”, “n”: “ryk8jl3yUqu3nAZtuVBDIPVV2Lg5PZIJ9OngkfjAasuPomNWimSNviRpF0zdC9hG8LbJHoaEV4bJWObEsQv83H_9UoG-ubgfRZvvdFPWAcgm0IieSY-RUAEqbq8EdwV4MuA7iwMqD_5QpMzxzJWnDlME0-zrC8w6P7EOHTkKKwNWQ8E_735zLf9pgSVDjSDY7abSCQq7LkDbEfAQoNu8FXeaywhWturWCXi_TGFHVRVRg4admxuAKKDaubByKUBd3NvFdivfeMAEtQWESZ08hl6Rmjo7-sUccweSFsTUcCq-Guq-Nhy1w6MzU0CH4mQpIbQn9_KiXAHPf2pmtXX5BQ”}}, “protected”: “eyJub25jZSI6ICJnMk5SYmRHS0VJS2hYUEdCVG9BWnFMbGpsYmptQ1FxN21pS1Rwd2lNb0Z3In0”, “payload”: “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”, “signature”: “T5jTFWkN0gQzSMR0kgfY3juEraFHwlHnMsckfGfaiXUYqPYg55TbsllhFqDJxHYuU1nAzsqtC4vXb16apVAWhKF4tCOhZfhHfmYUioNRHBOpHBt0ag_oMzMLP6Z0QEupmlK3PG390fkm67VbCGUmO6K5126Y3PlcTonD66DOYxcQJEc-KqpJqd65xkalJjtIkvMQo-Waw4F4dSVolNx-gJ4uTDWWahB7bU7MjrXN7sKWr_RLKwjw0eM6FJPzTXN_LKiVcuzT8upBelDWhFdRaHZM44_F_k6_OlCF4zbD1gvY5pzc68w3cVV0i1VW6KdVnqGjcj7OP8EyYk8mef80EQ”}

Response: {“type”:“urn:acme:error:unauthorized”,“detail”:“Error creating new cert :: Invalid signature on CSR”}


#2

Your CSR is indeed invalid - it contains an RSA-2048 public key and the RSA signature length is 512 bytes (it should be 256 bytes).

Most likely you used the wrong private key to sign the CSR, and it was an RSA-4096 private key.

Here is the output of “openssl req -text -verify”:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=suche.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c1:8e:eb:35:58:85:92:20:95:76:b8:09:20:33:
                    56:aa:a8:a9:a2:d2:57:7d:96:5c:f5:69:81:ed:a7:
                    58:5c:1f:52:79:62:1e:ff:1a:22:ed:09:23:ca:74:
                    a8:b0:d9:30:60:b2:e4:c4:9b:bc:15:7a:a7:fc:54:
                    32:b9:55:7f:63:e9:83:22:9a:74:22:ba:45:c1:eb:
                    28:52:92:35:48:20:bc:bf:ac:cf:92:55:c6:b0:82:
                    58:20:1c:54:c5:a5:89:a2:e8:02:95:5a:fb:82:13:
                    3c:f7:f4:52:6e:e1:d0:b6:2c:3b:72:43:93:f7:6d:
                    46:e9:29:da:56:8e:e9:7c:f8:ab:66:52:d4:67:0f:
                    b1:39:f7:6c:9a:21:9f:d5:50:31:a3:02:33:1a:16:
                    57:21:e9:92:96:1b:63:af:fa:51:a1:d1:ba:e2:a9:
                    4b:2b:6d:67:88:65:6e:13:59:c8:e4:1e:ea:25:4d:
                    bb:46:55:f0:13:e8:6d:2f:d0:f4:bc:db:4a:d5:b7:
                    7f:a3:2a:fb:3a:d2:51:0f:63:76:fd:c9:20:44:ca:
                    8d:ef:07:59:76:91:77:b0:a8:00:ee:fa:f8:62:03:
                    db:c9:10:06:f3:85:4c:4e:72:8c:5f:bb:63:9f:95:
                    54:36:5b:91:da:89:b4:ee:9d:ca:e5:52:3e:5e:56:
                    7d:09
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:suche.org, DNS:www.suche.org
    Signature Algorithm: sha256WithRSAEncryption
         0d:3d:ff:a9:ac:97:99:d5:ca:40:5f:4e:e5:b2:73:49:f5:47:
         d3:eb:95:c2:44:40:3e:a5:06:75:59:bd:87:1d:cf:fe:86:20:
         6c:33:8a:a0:ae:ff:20:c3:03:1d:ec:af:29:0e:3b:b8:32:73:
         fa:68:50:8a:6d:28:3b:5a:1b:6e:a0:36:8a:da:f1:5d:7c:a5:
         0d:b7:87:44:b1:56:31:f5:70:a1:fe:84:67:9f:a8:8e:e8:37:
         88:e7:34:49:4a:b3:1e:ba:dd:af:98:63:b5:ad:5f:32:c4:81:
         52:c4:9c:bd:9d:58:7a:ed:39:45:59:09:45:d6:28:11:7a:a9:
         eb:e4:65:d0:77:40:be:7a:7a:68:40:35:32:9b:c4:bb:af:85:
         4c:8d:f3:b0:ad:e6:77:af:af:09:43:4e:6c:5c:0d:36:23:89:
         b9:ee:2e:5d:3a:39:fd:e3:9c:02:8e:e0:ec:b0:b5:22:33:30:
         ff:eb:d3:6f:a2:72:58:61:ca:24:7d:fa:02:3e:a5:9b:e5:02:
         14:06:54:cc:62:1e:a8:74:18:03:8e:f9:d9:1d:da:96:1b:3a:
         51:15:f8:17:75:79:00:77:a0:c8:ba:a0:d0:b2:ec:e4:59:b3:
         12:1e:6b:33:d1:79:c6:60:87:30:21:dd:ac:9f:47:83:fe:10:
         54:27:5f:f9:96:dd:29:56:78:b8:6b:da:26:55:e4:1b:2e:ba:
         9c:cd:48:05:09:71:12:b2:ff:33:b3:4c:38:b2:62:d4:9e:7e:
         df:ed:ff:34:34:61:11:d3:5f:7b:16:35:4b:cc:0d:57:da:64:
         4b:ea:17:a2:7a:32:f0:80:53:09:a5:39:a8:ac:37:b6:b3:d8:
         7b:7b:09:31:44:8c:a6:90:9e:28:7a:1e:82:2c:37:78:20:23:
         f0:0b:0d:ba:3a:18:2d:fc:0c:e9:fb:46:1e:e2:4b:69:97:02:
         d4:57:4f:74:49:96:cf:ed:0f:25:21:10:08:29:8e:d0:d0:c1:
         d6:48:39:17:34:4f:e7:a9:c1:c6:87:84:f3:26:9d:08:07:1c:
         f0:bd:ed:75:81:0d:73:09:b2:22:e6:59:9c:b4:c8:92:29:db:
         f3:3e:3f:21:bc:84:70:5b:2e:fa:02:1f:8c:7a:09:91:13:b9:
         55:ec:d8:44:f8:00:b5:86:cd:2a:db:23:4d:df:ce:e8:64:8c:
         71:94:de:19:58:41:d1:40:b1:d5:5b:35:b3:1b:aa:37:a9:26:
         0a:80:24:97:76:0e:04:43:af:b0:56:2a:4e:d7:ce:a5:55:1a:
         91:4f:57:1f:7c:85:60:78:48:34:4a:b8:86:97:2f:b9:69:14:
         55:75:ea:7e:32:42:a2:ac
verify failure
8480:error:04091077:rsa routines:INT_RSA_VERIFY:wrong signature length:.\crypto\rsa\rsa_sign.c:186:
8480:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:.\crypto\asn1\a_verify.c:218:
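
The length comparison made in post #2 can be run as a pre-flight check before a CSR is submitted. The following is an added example, not code from the thread or from any ACME client: it walks the DER of a PKCS#10 request and returns the RSA modulus length and the signature length in bytes. All function names are illustrative, and the sample CSR is a constructed skeleton with dummy key and signature bytes, so it shows only the length mismatch, not signature verification.

```python
# Added example (standard library only): compare a CSR's RSA modulus length
# with its signature length. All function names are illustrative.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def csr_lengths(der):
    """Return (modulus_bytes, signature_bytes) of a DER PKCS#10 CSR (RSA only)."""
    info, _sig_alg, sig = children(read_tlv(der, 0)[1])
    _version, _subject, spki, *_attrs = children(info[1])
    _alg, key_bits = children(spki[1])
    rsa_key = read_tlv(key_bits[1][1:], 0)[1]  # skip the BIT STRING unused-bits octet
    modulus = children(rsa_key)[0][1].lstrip(b"\x00")  # drop DER sign padding
    return len(modulus), len(sig[1]) - 1

def tlv(tag, value):
    """DER-encode one element; used only to build the constructed sample."""
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + value

def sample_csr(key_bytes, sig_bytes):
    """Constructed CSR skeleton: dummy modulus and signature, nothing is signed."""
    oid = lambda hexstr: tlv(0x30, tlv(0x06, bytes.fromhex(hexstr)) + tlv(0x05, b""))
    rsa_key = tlv(0x30, tlv(0x02, b"\x00" + b"\xc1" * key_bytes) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, oid("2a864886f70d010101") + tlv(0x03, b"\x00" + rsa_key))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    return tlv(0x30, info + oid("2a864886f70d01010b") + tlv(0x03, b"\x00" + b"\x0d" * sig_bytes))

if __name__ == "__main__":
    for sig_len in (256, 512):  # matching key, then the 4096-bit-key case from post #2
        key, sig = csr_lengths(sample_csr(256, sig_len))
        print(f"modulus {key} bytes, signature {sig} bytes:", "ok" if key == sig else "MISMATCH")
```

For a real request, base64-decode the PEM body to DER before calling `csr_lengths`; equal lengths do not prove the signature is valid, which still needs a full verification.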

#3

Thanks, that was the cause. I had an issue with my keystore in the directory where I run the tests :frowning: