No data available in policyQualifiers

I was able to “successfully” generate certs, but I haven’t been able to get a dropwizard instance to start up with it. When I inspect my cert.pem (or fullchain.pem) using java keytool, I see the following in extension #8, which looks suspicious to me:

#8: ObjectId: 2.5.29.32 Criticality=false Unparseable CertificatePolicies extension due to java.io.IOException: No data available in policyQualifiers

Has anyone run into this? This was in the cert given to me after running the client in standalone mode, without any exceptions being thrown.

1 Like

That’s an interesting exception. I believe Java is in error here, and no policyQualifiers are required in a CertificatePolicy. However, I could be wrong.

LE contains under 2.5.29.32 their policy “http://cps.letsencrypt.org” and "This Certificate may only be relied upon by…"
So it is not empty, and I use Java too and have no problem with the cert for https://suche.org

FWIW, there’s a hex block that follows the error, and it does contain the url provided above, as well as a bit of non-ascii hex and the following statement:

“This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/”

This is different from what I see for 2.5.29.32 when I print out chain.pem:

CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier:
0000: 16 22 68 74 74 70 3A 2F 2F 63 70 73 2E 72 6F 6F ."http://cps.roo
0010: 74 2D 78 31 2E 6C 65 74 73 65 6E 63 72 79 70 74 t-x1.letsencrypt
0020: 2E 6F 72 67 .org

]] ]
]

This tells me that I’m able to parse a 2.5.29.32 object in at least some form.

Since this implies that there was something different (and maybe malformed) about my cert, I went ahead and regenerated it (just in case I had somehow corrupted it), but the new certs show exactly the same thing.

At this point I have no idea how to continue troubleshooting this issue. What are other steps I can take?

Hi, first you can start by telling us what Java version you are using.
And maybe post the stack trace if you get any. Maybe you can
tell us the serial number of the certificate, then I can check what I see.

I’m running Java 1.8. Serial number: 1990e790ad354af18d9cdda5c3bcc1208ec

There was no stacktrace beyond the error I pasted, although here is the hex block that followed the exception:

#8: ObjectId: 2.5.29.32 Criticality=false
Unparseable CertificatePolicies extension due to
java.io.IOException: No data available in policyQualifiers

0000: 30 81 F5 30 0A 06 06 67 81 0C 01 02 01 30 00 30 0…0…g…0.0
0010: 81 E6 06 0B 2B 06 01 04 01 82 DF 13 01 01 01 30 …+…0
0020: 81 D6 30 26 06 08 2B 06 01 05 05 07 02 01 16 1A …0&…+…
0030: 68 74 74 70 3A 2F 2F 63 70 73 2E 6C 65 74 73 65 http://cps.letse
0040: 6E 63 72 79 70 74 2E 6F 72 67 30 81 AB 06 08 2B ncrypt.org0…+
0050: 06 01 05 05 07 02 02 30 81 9E 0C 81 9B 54 68 69 …0…Thi
0060: 73 20 43 65 72 74 69 66 69 63 61 74 65 20 6D 61 s Certificate ma
0070: 79 20 6F 6E 6C 79 20 62 65 20 72 65 6C 69 65 64 y only be relied
0080: 20 75 70 6F 6E 20 62 79 20 52 65 6C 79 69 6E 67 upon by Relying
0090: 20 50 61 72 74 69 65 73 20 61 6E 64 20 6F 6E 6C Parties and onl
00A0: 79 20 69 6E 20 61 63 63 6F 72 64 61 6E 63 65 20 y in accordance
00B0: 77 69 74 68 20 74 68 65 20 43 65 72 74 69 66 69 with the Certifi
00C0: 63 61 74 65 20 50 6F 6C 69 63 79 20 66 6F 75 6E cate Policy foun
00D0: 64 20 61 74 20 68 74 74 70 73 3A 2F 2F 6C 65 74 d at https://let
00E0: 73 65 6E 63 72 79 70 74 2E 6F 72 67 2F 72 65 70 sencrypt.org/rep
00F0: 6F 73 69 74 6F 72 79 2F ository/

So this is not a Java error. This is a custom error from the application. Maybe you should contact their support.

When you say “the application” and “their support”, I assume you are talking about LE? I thought this forum WAS the way I get LE support?

No, you have some Java-based software into which you try to import the certificate.
This software has a problem with a valid certificate, so their support can help you.

Can you provide the exact Java command you are running? Or if it’s part of a larger application you are building, can you provide a minimal case to reproduce?

It’s possible Java doesn’t understand the UserNotice PolicyQualifier described at https://tools.ietf.org/html/rfc5280#page-34, which might explain why it gets as far as the CPS URL but fails on the next chunk.

tlussnig, I’m not trying to import the cert at all (at least, in the scenario I’m describing), I’m just using java keytool to inspect it. https://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html

jsha, it’s a pretty simple command I’m running:
keytool -v -printcert -file cert.pem

I see the same error at the end of the chain when I do:
keytool -v -printcert -file fullchain.pem

1 Like

Thanks. I was able to track this down: It looks like we insert an empty SEQUENCE after the 2.23.140.1.2.1 CertificatePolicy. I’ll work on fixing it. Thanks for reporting!

1 Like
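The keytool hex dump posted earlier in the thread and jsha's diagnosis ("we insert an empty SEQUENCE after the 2.23.140.1.2.1 CertificatePolicy") can be checked against each other with a small DER walk. RFC 5280 section 4.2.1.4 defines `policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL`, so the qualifier list may be absent but, if present, may not be empty; the `30 00` right after the `2.23.140.1.2.1` OID in the dump is exactly such an empty SEQUENCE, which is what the Java parser refuses. The following is an added example and not code from the thread, Boulder, or the JDK: a minimal DER/OID parser, a CertificatePolicies checker that reports the violation, and a re-encoder that drops the empty SEQUENCE. The hex constant is copied from the dump in the thread with the ASCII column removed; the re-encoder shows the shape of fix the issue needed, not how Boulder actually fixed it (the page does not show that), and all function names are this example's own.

```python
"""Parse the CertificatePolicies extension from the thread's keytool dump and
flag the empty policyQualifiers SEQUENCE that keytool could not parse."""

# Hex bytes copied from the keytool dump posted in the thread (ASCII column dropped).
BROKEN_HEX = """
30 81 F5 30 0A 06 06 67 81 0C 01 02 01 30 00 30
81 E6 06 0B 2B 06 01 04 01 82 DF 13 01 01 01 30
81 D6 30 26 06 08 2B 06 01 05 05 07 02 01 16 1A
68 74 74 70 3A 2F 2F 63 70 73 2E 6C 65 74 73 65
6E 63 72 79 70 74 2E 6F 72 67 30 81 AB 06 08 2B
06 01 05 05 07 02 02 30 81 9E 0C 81 9B 54 68 69
73 20 43 65 72 74 69 66 69 63 61 74 65 20 6D 61
79 20 6F 6E 6C 79 20 62 65 20 72 65 6C 69 65 64
20 75 70 6F 6E 20 62 79 20 52 65 6C 79 69 6E 67
20 50 61 72 74 69 65 73 20 61 6E 64 20 6F 6E 6C
79 20 69 6E 20 61 63 63 6F 72 64 61 6E 63 65 20
77 69 74 68 20 74 68 65 20 43 65 72 74 69 66 69
63 61 74 65 20 50 6F 6C 69 63 79 20 66 6F 75 6E
64 20 61 74 20 68 74 74 70 73 3A 2F 2F 6C 65 74
73 65 6E 63 72 79 70 74 2E 6F 72 67 2F 72 65 70
6F 73 69 74 6F 72 79 2F
"""
BROKEN_DER = bytes.fromhex("".join(BROKEN_HEX.split()))

ID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # CPS pointer qualifier (IA5String URI)
ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # UserNotice qualifier


def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value_bytes, next_pos).
    One-byte tags and short/long-form lengths are enough for X.509 extensions."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def read_sequence(body):
    """Split the body of a SEQUENCE into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(b):
    """Decode a DER OBJECT IDENTIFIER value into dotted-decimal form."""
    arcs = [2, b[0] - 80] if b[0] >= 80 else [b[0] // 40, b[0] % 40]
    acc = 0
    for byte in b[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_certificate_policies(der):
    """Parse a CertificatePolicies value (RFC 5280 s4.2.1.4).

    Returns (policies, problems): each policy is {'oid', 'qualifiers'} with
    qualifiers as (qualifier_oid, text) pairs; problems lists encoding
    violations. policyQualifiers is SEQUENCE SIZE (1..MAX) ... OPTIONAL, so
    it may be absent but must not be present and empty."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("CertificatePolicies must be a single SEQUENCE")
    policies, problems = [], []
    for i, (ptag, pbody) in enumerate(read_sequence(body)):
        if ptag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        children = read_sequence(pbody)
        oid = decode_oid(children[0][1])
        quals = []
        if len(children) > 1:
            qtag, qbody = children[1]
            if qtag != 0x30:
                raise ValueError("policyQualifiers must be a SEQUENCE")
            if len(qbody) == 0:  # the '30 00' keytool reports as "No data available"
                problems.append(f"policy #{i} ({oid}): empty policyQualifiers SEQUENCE violates SIZE (1..MAX)")
            for _, qinfo in read_sequence(qbody):
                (_, qoid_b), (vtag, vbody) = read_sequence(qinfo)[:2]
                qoid = decode_oid(qoid_b)
                if qoid == ID_QT_CPS:
                    quals.append((qoid, vbody.decode("ascii")))
                elif qoid == ID_QT_UNOTICE:
                    # UserNotice ::= SEQUENCE { noticeRef OPTIONAL, explicitText DisplayText OPTIONAL }
                    text = None
                    for t, v in read_sequence(vbody):
                        if t in (0x0C, 0x16, 0x1A):   # UTF8String / IA5String / VisibleString
                            text = v.decode("utf-8")
                        elif t == 0x1E:               # BMPString
                            text = v.decode("utf-16-be")
                    quals.append((qoid, text))
                else:
                    quals.append((qoid, vbody.hex()))
        policies.append({"oid": oid, "qualifiers": quals})
    return policies, problems


def encode_tlv(tag, body):
    """DER-encode one TLV with a minimal length encoding."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def strip_empty_qualifiers(der):
    """Re-encode CertificatePolicies with any empty policyQualifiers SEQUENCE
    omitted (assumed fix shape for this example; outer lengths are recomputed)."""
    _, body, _ = read_tlv(der, 0)
    out = b""
    for _, pbody in read_sequence(body):
        kept = b"".join(encode_tlv(t, v) for t, v in read_sequence(pbody)
                        if not (t == 0x30 and len(v) == 0))
        out += encode_tlv(0x30, kept)
    return encode_tlv(0x30, out)


if __name__ == "__main__":
    pols, probs = parse_certificate_policies(BROKEN_DER)
    for p in probs:
        print("PROBLEM:", p)
    for p in pols:
        print(p["oid"], p["qualifiers"])
    fixed = strip_empty_qualifiers(BROKEN_DER)
    print("fixed length", len(fixed), "problems:", parse_certificate_policies(fixed)[1])
```

Running it on the thread's bytes reports one problem on policy #0 (2.23.140.1.2.1) and parses policy #1 cleanly, including the CPS URI and the UserNotice text that keytool showed in its ASCII column; the re-encoded value is two bytes shorter (the `30 00` is gone and the outer length drops from 0xF5 to 0xF3) and parses with no problems, which is the behaviour the "fix is now live" post at the end of the thread describes.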

Thanks, jsha. Are there mitigation steps I can take in the meantime?

I’m afraid not, sorry. We’ve merged the fix, however, so the next release should work for you. That will probably come in the next week or two.

1 Like

Is there any place with a list of what changes will come with each release?

Visit https://letsencrypt.status.io/ and go to the history page (linked at the bottom): https://letsencrypt.status.io/

1 Like

Hi, if you use pastebin for “documentation” then please select “forever”, since many links to the changelogs are broken
and contain an empty pastebin :(

2 Likes

Good point, thanks for pointing this out. I’ve raised it with our ops team, and we’ll try to come up with a better plan for changelogs.

1 Like

What about committing the changelog under https://github.com/letsencrypt/boulder?
Two options:

  1. An always-growing changelog that tells when and what went to production.
  2. A changelog that is always replaced with the last deployment info, with earlier entries accessible via the commit history.

The fix for this issue is now live. Thanks very much for reporting it!

1 Like