Monthly auto renew failed, CSR no longer accepted - resolved


#1

Good afternoon, I have a request that was originally signed 2016-06-24 and renewed ~every 30 days since then. It was last successfully submitted and re-signed 2017-02-02 18:00:03. The keys and content of CSR have not changed since the original signing.
As of today the CSR is no longer being accepted and I am trying to understand why. I have a copy of the CSR below:

Parsing the CSR in OpenSSL, I do not see any critical attributes:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=secureobscure.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a0:48:71:43:fe:62:8c:d5:b5:12:ee:74:7d:64:
                    23:d9:9e:2a:a1:5c:7d:bb:02:40:bf:a6:df:22:5b:
                    86:d0:15:a2:87:45:20:65:11:12:65:b9:a5:a5:26:
                    a5:ce:26:b4:46:31:90:7a:b3:88:83:19:02:67:8f:
                    7a:c9:b5:8d:6e:ef:fe:ec:8d:60:33:38:a4:8a:2f:
                    b5:3d:f9:03:37:33:02:33:1f:bf:ac:93:08:9d:5f:
                    b6:b7:09:c1:cd:4c:96:0d:cb:09:03:03:57:3b:26:
                    8c:3c:9d:77:ab:05:c8:c8:3f:d9:0d:19:c5:7f:64:
                    a8:c2:06:af:71:9d:c8:34:8c:b9:01:44:4d:35:a0:
                    37:fa:35:87:f7:f3:8e:61:a9:41:0e:de:e3:cd:90:
                    8d:ad:99:c3:a7:71:37:6f:3d:64:af:21:a9:57:fb:
                    2d:8d:f4:42:0e:67:9a:77:81:fe:55:ff:18:8c:b4:
                    5f:4e:9a:98:bb:cd:f7:78:27:ff:c8:45:5d:ab:b5:
                    df:2b:49:bb:4e:17:63:19:3c:95:0f:ce:e8:0c:40:
                    0a:e6:77:21:97:9c:75:d2:c9:13:35:dd:5a:16:aa:
                    e4:36:7f:ca:4f:c9:90:c4:5a:b9:ac:b2:a3:ea:d2:
                    14:d3:33:6e:5e:0f:8e:26:f1:91:44:05:5c:c7:3f:
                    44:19
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:secureobscure.com, DNS:www.secureobscure.com, DNS:ipv4.secureobscure.com, DNS:ipv6.secureobscure.com
    Signature Algorithm: sha256WithRSAEncryption
         4e:79:09:99:b9:e3:b6:f1:cb:e9:af:80:3d:a4:9d:4d:39:0c:
         0d:6a:31:e6:84:64:4d:00:f1:5f:57:6d:fc:4b:64:1d:04:99:
         d1:ee:2b:49:97:4b:f1:d0:e2:b0:fe:93:32:b5:e4:ab:e4:11:
         53:ef:81:96:57:c3:dd:08:d2:76:5d:61:92:fa:c3:65:8e:ef:
         7b:8a:45:3e:a2:7f:90:8f:44:09:4f:a2:e2:c5:24:b6:5c:af:
         84:4a:f9:94:f9:46:f4:c4:70:39:7b:20:6f:63:73:8a:98:41:
         a1:0e:ff:be:d6:41:e9:a9:b4:91:c6:8c:42:d3:8d:1e:54:1a:
         6d:8e:c3:2b:98:cf:42:3f:fc:c5:da:08:56:c7:f0:4b:91:f1:
         9e:2b:ed:a6:67:8d:4c:71:bd:4b:70:bb:94:51:7c:c3:4a:5b:
         3b:1f:bf:7f:43:ba:a1:fe:4f:27:ce:22:74:7d:ec:21:5e:89:
         86:93:17:8b:58:d8:fc:b6:74:92:cf:ef:7c:47:7e:b8:ba:54:
         73:fb:c6:33:06:4f:9f:f5:59:93:cb:bd:8d:98:d6:3d:05:b2:
         27:7f:83:c6:4f:9e:7e:f0:f2:8f:94:62:09:89:ce:56:8f:d9:
         c1:97:04:3d:18:d7:99:66:7a:c6:13:80:98:a0:e7:fa:ea:b7:
         d2:21:4c:d3

In the most recent transactions with Boulder, I am now getting an error directing me to this issue thread:

    [method] => POST
    [url] => /acme/new-cert
    [headers] => Array
        (
            [0] => Accept: application/json
            [1] => Content-Type: application/json
        )

    [response] => HTTP/1.1 100 Continue
    Expires: Sat, 04 Mar 2017 18:49:56 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache

    HTTP/1.1 400 Bad Request
    Server: nginx
    Content-Type: application/problem+json
    Content-Length: 217
    Boulder-Request-Id: 0qFnZzceftJjbBA8Xb5T839tk0IGMSCs_r7Wy1vF0rY
    Boulder-Requester: 2267141
    Replay-Nonce: DFq-POrQ8bU2PAYOFGwrHmxk7B6p1YgFbRnwLzzpc9I
    Expires: Sat, 04 Mar 2017 18:49:56 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Sat, 04 Mar 2017 18:49:56 GMT
    Connection: close

    {
      "type": "urn:acme:error:malformed",
      "detail": "Error parsing certificate request. Extensions in the CSR marked critical can cause this error: https://github.com/letsencrypt/boulder/issues/565",
      "status": 400
    }

In parsing the payload sent to the CA, it appears the CSR is correctly included and identical to prior renew requests.

Is there some change in encoding that needs to take place? Currently I am stripping off the -----BEGIN----- and -----END----- blocks, base64-decoding the CSR, doing a URL-safe base64 encode and performing the ACME JWS dance.

I created a parallel post on GitHub at https://github.com/letsencrypt/boulder/issues/2593 referencing the original closed issue, trying to understand where the issue is coming from. Going through the code changes in Boulder, they do not appear to be the cause; rather, the underlying Go language crypto/x509 is chucking the error back up to the CA.

Does anybody have access to the log file and can see what specific exception Go's x509 implementation is having with this cert?


#2

Per the GitHub issue, there was a bug in an earlier version of phpseclib 2.x that omitted the mandatory optional null after RSA key. The reason this popped up now is that the version of Go used now forces mandatory null-after-rsa-key.

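To see the encoding difference post #2 describes, here is an added Go check (not code from this thread, from Boulder or from phpseclib) that decodes a PKCS#10 CSR just far enough to test whether the rsaEncryption AlgorithmIdentifier carries its NULL parameters, and re-encodes a good CSR without the NULL to reproduce the form Go rejects. The type and function names and the example subject are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

type csr struct { // PKCS#10 CertificationRequest, decoded only as far as this check needs
	Info struct {
		Version int
		Subject asn1.RawValue
		SPKI    struct {
			Algorithm pkix.AlgorithmIdentifier // rsaEncryption OID plus its Parameters
			PublicKey asn1.BitString
		}
		Attributes asn1.RawValue `asn1:"tag:0"`
	}
	SigAlg    pkix.AlgorithmIdentifier
	Signature asn1.BitString
}
// HasRSANullParams reports whether the key's AlgorithmIdentifier carries the NULL that Go now requires.
func HasRSANullParams(der []byte) (bool, error) {
	var c csr
	if _, err := asn1.Unmarshal(der, &c); err != nil {
		return false, err
	}
	return string(c.Info.SPKI.Algorithm.Parameters.FullBytes) == string(asn1.NullBytes), nil
}
// StripRSANullParams re-encodes a CSR without the NULL, reproducing the old phpseclib output.
func StripRSANullParams(der []byte) ([]byte, error) {
	var c csr
	if _, err := asn1.Unmarshal(der, &c); err != nil {
		return nil, err
	}
	c.Info.SPKI.Algorithm.Parameters = asn1.RawValue{} // zero value: asn1 omits the optional field
	return asn1.Marshal(c)
}
func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key and names, not the poster's
	good, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "example.test"}, DNSNames: []string{"example.test"}}, key)
	bad, _ := StripRSANullParams(good)
	for _, der := range [][]byte{good, bad} {
		ok, _ := HasRSANullParams(der)
		_, err := x509.ParseCertificateRequest(der) // fails on the key before any signature check
		fmt.Println("NULL parameters present:", ok, "| Go parse error:", err)
	}
}
```

Running `HasRSANullParams` over the DER of a rejected CSR confirms whether this encoding is the cause; a CSR missing the NULL has to be regenerated with a fixed library, since inserting the two bytes afterwards would invalidate its signature.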

#3

Thanks for following up with the solution for folks that don’t see the Github issue!

Glad you’re all sorted :trophy:!


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.