Not able to create a certificate using my own CSR


#1

Certificate signature failed. If you supplied your own CSR make sure the domains on it match what you put on SSLForFree. If there is a rate limiting error at the end of this paragraph, certificates per domain is currently 5 per 7 days. Try asking Let's Encrypt to increase the limit or wait 7 days. Rate limits should increase in the near future. { “type”: “urn:ietf:params:acme:error:malformed”, “detail”: “Error finalizing order :: policy forbids issuing for: “vpxsslqualys.citrix.com;mpxsslqualys.citrix.com””, “status”: 400 }


#2

That’s weird, at least one of those names has been issued fairly recently on Let’s Encrypt.

You can mail security@letsencrypt.org about this.


#3

I’m not positive whether you can get multiple domains in an error like this. It may actually be a flaw in the original CSR, which might literally contain the semicolon. Could you post the CSR here so we could examine it? (A CSR doesn’t contain any more sensitive information than the resulting certificate will, so it doesn’t have to be kept secret the way a private key does.)


#4

It also struck me as odd, but turns out it’s there:


I'm told I need an exception


#5

That’s "," rather than ";" as the delimiter, though, which confirms that the CSR was literally asking for the single invalid name vpxsslqualys.citrix.com;mpxsslqualys.citrix.com rather than for a certificate covering both SANs.


#6

Well noticed! Perhaps the problem is then that Boulder gives a confusing error message (usually it would be "Invalid character in DNS name")! :smiley:


#7

The CSR will be encoded properly; otherwise the creation of the CSR would have failed initially.


#8

It's not about encoding, it's about the content of the CN/SubjAltName. You cannot get a certificate for a malformed DNS name.
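The failure discussed in this thread is a CSR whose single SAN literally contains a semicolon. The following is an added pre-flight check, not code from the thread or from Boulder: it applies the usual hostname rules (LDH labels, label and total length, leftmost-only wildcard, non-numeric TLD) to each requested name before a CSR is built, and flags a name that looks like several valid names joined by the wrong delimiter. The sample names are the ones from the error message; the function names are my own.

```python
import re
from typing import Dict, List, Optional

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def check_dns_name(name: str) -> Optional[str]:
    """Return None if `name` is an acceptable SAN dNSName, else a short reason."""
    if not name:
        return "empty name"
    if len(name) > 253:
        return "name longer than 253 characters"
    labels = name.lower().split(".")
    if len(labels) < 2:
        return "name has no TLD"
    for i, label in enumerate(labels):
        if label == "*" and i == 0:
            continue  # a wildcard is only allowed as the leftmost label
        if not label:
            return "empty label"  # e.g. "a..b" or a trailing dot
        if not re.fullmatch(r"[a-z0-9-]+", label):
            bad = sorted({c for c in label if not re.fullmatch(r"[a-z0-9-]", c)})
            return f"invalid character in DNS name: {''.join(bad)!r}"
        if not _LABEL_RE.match(label):
            return f"label {label!r} too long or starts/ends with a hyphen"
    if labels[-1].isdigit():
        return "TLD is all numeric"
    return None


def check_san_list(names: List[str]) -> Dict[str, Optional[str]]:
    """Map each requested name to its problem (or None if fine).

    When a rejected name splits on ';', ',' or whitespace into several valid
    names, note that it was probably meant to be a list, as in this thread.
    """
    report: Dict[str, Optional[str]] = {}
    for name in names:
        problem = check_dns_name(name)
        if problem and re.search(r"[;,\s]", name):
            parts = [p for p in re.split(r"[;,\s]+", name) if p]
            if len(parts) > 1 and all(check_dns_name(p) is None for p in parts):
                problem += f"; looks like {len(parts)} names joined into one: {parts}"
        report[name] = problem
    return report


# Constructed input: the single bad SAN from the error message next to the two
# names the poster presumably intended.
SAMPLE_SANS = ["vpxsslqualys.citrix.com;mpxsslqualys.citrix.com",
               "vpxsslqualys.citrix.com", "mpxsslqualys.citrix.com"]
```

Running `check_san_list(SAMPLE_SANS)` before submitting a CSR turns Boulder's generic "policy forbids issuing for" rejection into a message that names the stray semicolon and the two names it joins.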


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.