Occasional corrupt cert: asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:147:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
math.ubc.ca

I ran this command:
openssl x509 -in bad-wdp.crt -noout -text

It produced this output:
4277976124:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:asn1_lib.c:147:

4277976124:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1185:

4277976124:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:374:Type=X509

4277976124:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

My web server is (include version):
N/A

The operating system my web server runs on is (include version):
N/A

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
dehydrated-0.7.1

More details:

Occasionally, a renewal of a cert causes a corrupt (at least by my version of openssl) cert to be issued. I've tested this with other versions of OpenSSL with the same results. I re-run the certbot and this usually produces a valid cert. Scanning the help section shows some people included \r\n in the CSR or other things, but this doesn't explain why it only fails some of the time. I ran

openssl asn1parse -inform pem -in bad-wdp.crt

and assuming this utility parses bytes in order and the first error halts at the point of corruption, the tail end of the output is

763:d=4 hl=2 l= 76 cons: SEQUENCE
765:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Certificate Policies
770:d=5 hl=2 l= 69 prim: OCTET STRING [HEX DUMP]:30433008060667810C0102013037060B2B0601040182DF130101013028302606082B06010505070201161A687474703A2F2F6370732E6C657473656E63727970742E6F7267
841:d=4 hl=4 l= 260 cons: SEQUENCE
845:d=5 hl=2 l= 10 prim: OBJECT :CT Precertificate SCTs
857:d=5 hl=3 l= 245 prim: OCTET STRING [HEX DUMP]:0481F200F000760041C8CAB1DF22464A10C6A13A0942875E4E318B1B03EBEB4BC768F090629606F600000181046FB414000004030047304502210096F88840725369E0ABCE99531F023D7B61EF6F43C485658A19EF72F53E97D81D0220615819743D1C5FBEFD49B885ABF2FC70FE6D4700000181046FB412000004030047304502210095B06A22FA85A026380B33287A665D629C05CDE79531EE0EE91015A98CB67AB802201DFD21816FE3F2CCBBB0B2DD4D783D8F58989155CE1C014EED3AC1853F5DFD21300D06092A864886F70D01010B05000382010100ABFD59117EBABBC28A15043DD65318C2561ABC99D9F48C65436F967F
Error in encoding
4277976124:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:157:

If you could post the PEM of an entire problematic certificate, that may be helpful in understanding what’s going on


And the version of OpenSSL.


I looked up your certificate by its Nimbus 2022 SCT timestamp, and here's the same output from your certificate on OpenSSL 1.1.1n:

765:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Certificate Policies
770:d=5 hl=2 l= 69 prim: OCTET STRING [HEX DUMP]:30433008060667810C0102013037060B2B0601040182DF130101013028302606082B06010505070201161A687474703A2F2F6370732E6C657473656E63727970742E6F7267
841:d=4 hl=4 l= 260 cons: SEQUENCE
845:d=5 hl=2 l= 10 prim: OBJECT :CT Precertificate SCTs
857:d=5 hl=3 l= 245 prim: OCTET STRING [HEX DUMP]:0481F200F000760041C8CAB1DF22464A10C6A13A0942875E4E318B1B03EBEB4BC768F090629606F600000181046FB414000004030047304502210096F88840725369E0ABCE99531F023D7B61EF6F43C485658A19EF72F53E97D81D0220615819743D1C5FFB9B8BE7E5DE77ACE0C5C13864E8627083C3029F915D8FDAAF00760046A555EB75FA912030B5A28969F4F37D112C4174BEFD49B885ABF2FC70FE6D4700000181046FB412000004030047304502210095B06A22FA85A026380B33287A665D629C05CDE79531EE0EE91015A98CB67AB802201DFD21816FE3F2CCBBB0B2DD4D783D8F58989155CE1C014EED3AC1853F5DFD21
1105:d=1 hl=2 l= 13 cons: SEQUENCE
1107:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
1118:d=2 hl=2 l= 0 prim: NULL
1120:d=1 hl=4 l= 257 prim: BIT STRING
(END)

I think ... you maybe have corruption of the file when you download it?

This whole sequence:

is the beginning of the next part of the file:

1105:d=1  hl=2 l=  13 cons: SEQUENCE

not part of the SCTs OCTET STRING.

It's like some of the bytes in your certificate file got jumbled around ...


This is the section that goes wrong:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Tested against OpenSSL v1.0.2h and v1.1.1k with the same results

openssl x509 -in bad.crt -noout -text

unable to load certificate

140333967902528:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:crypto/asn1/asn1_lib.c:91:

140333967902528:error:0D068066:asn1 encoding routines:asn1_check_tlen:bad object header:crypto/asn1/tasn_dec.c:1137:

140333967902528:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=X509

140333967902528:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:crypto/pem/pem_oth.c:33:

Where does bad.crt actually originate from?


OK, that's what I suspected. However, I do no post-processing of this cert -- this file is straight from the certbot (dehydrated). I'm not sure where the error crept in -- is there some sort of transparency log out there I can compare/check the cert I got vs what LE issued, so I can tell which side of the fence to look at?

... However, I do no post-processing of this cert

Egad, that's not true. I grep out /^($|#/+)/ from the cert. Why the hell did I kill lines with a valid base64 '+'? No doubt this caused it. Slinking away in embarrassment.

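Added example (not code from the thread, from dehydrated or from OpenSSL): the script below reproduces the failure mode the last post identifies and shows the check that catches it. It builds a constructed DER blob (a SEQUENCE wrapping an OCTET STRING, not a real certificate), wraps it in 64-column PEM, then applies a reconstruction of the post's line filter that drops any line beginning with '+'. Because a PEM line is 64 base64 characters, dropping one removes exactly 48 bytes and the remaining base64 still decodes cleanly, so the damage only shows when the DER lengths are checked: the outer SEQUENCE header still claims the original size, which is what OpenSSL reports as "too long". The first character of a line encodes the top six bits of the byte at offset 48*k, so a line starts with '+' only when that byte is 0xF8..0xFB (and with '/' for 0xFC..0xFF), which is why the corruption only appeared on some renewals. The regex, the helper names and the sample bytes are assumptions made for this example.

```python
import base64
import re

# --- constructed sample input (not the poster's certificate) ------------------

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def build_sample_der() -> bytes:
    """SEQUENCE { OCTET STRING <256 bytes> } = 264 bytes of DER in total.
    The two headers occupy offsets 0-7, so payload[40] sits at DER offset 48,
    i.e. the first byte of the second 64-column base64 line. 0xF8 has top
    six bits 111110 = 62, which base64 encodes as '+'. (Assumed data.)"""
    payload = bytearray(range(256))
    payload[40] = 0xF8
    return der_tlv(0x30, der_tlv(0x04, bytes(payload)))

def to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def from_pem(pem: str) -> bytes:
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)

# --- the two filters ----------------------------------------------------------

def faulty_filter(text: str) -> str:
    """Reconstruction of the bug in the thread: meant to drop blank and '#'
    comment lines, but the alternation also drops lines beginning with '+'."""
    return "\n".join(ln for ln in text.splitlines()
                     if not re.match(r"^($|#|\+)", ln)) + "\n"

def safe_filter(text: str) -> str:
    """Drop only blank and '#' lines; '+' and '/' are base64 alphabet."""
    return "\n".join(ln for ln in text.splitlines()
                     if not re.match(r"^($|#)", ln)) + "\n"

def risky_lines(pem: str) -> int:
    """Number of body lines that start with '+' or '/' (the ones at risk)."""
    return sum(1 for ln in pem.splitlines()
               if ln[:1] in "+/" and not ln.startswith("-----"))

# --- the check: walk the DER and refuse any length that overruns --------------

def walk(der: bytes, pos: int = 0, end=None) -> int:
    """Walk DER TLVs in [pos, end); return the number of TLVs visited.
    Raises ValueError when a header or length runs past the available data,
    which is what `openssl asn1parse` reports as 'too long'/'header too long'."""
    end = len(der) if end is None else end
    count = 0
    while pos < end:
        if pos + 2 > end:
            raise ValueError(f"truncated header at offset {pos}")
        tag, first = der[pos], der[pos + 1]
        hl = 2
        if first & 0x80:                      # long-form length
            nb = first & 0x7F
            if nb == 0 or pos + 2 + nb > end:
                raise ValueError(f"header too long at offset {pos}")
            length = int.from_bytes(der[pos + 2:pos + 2 + nb], "big")
            hl += nb
        else:
            length = first
        if pos + hl + length > end:
            raise ValueError(f"too long at offset {pos}: length {length}, "
                             f"only {end - pos - hl} bytes available")
        count += 1
        if tag & 0x20:                        # constructed: recurse into contents
            count += walk(der, pos + hl, pos + hl + length)
        pos += hl + length
    return count

def declared_length(der: bytes) -> int:
    """Total size (header + content) the outermost TLV header claims."""
    first = der[1]
    if first & 0x80:
        nb = first & 0x7F
        return 2 + nb + int.from_bytes(der[2:2 + nb], "big")
    return 2 + first

def check_der(der: bytes) -> bool:
    try:
        walk(der)
        return True
    except ValueError:
        return False

def demo() -> dict:
    der = build_sample_der()
    pem = to_pem(der)
    good = from_pem(safe_filter(pem))
    bad = from_pem(faulty_filter(pem))
    return {
        "orig_len": len(der), "risky_lines": risky_lines(pem),
        "good_ok": check_der(good),
        "bad_len": len(bad), "bad_declared": declared_length(bad),
        "bad_ok": check_der(bad),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13} {v}")
```

Running it shows the filtered file still base64-decodes (288 characters, a multiple of four) but is 48 bytes shorter than the 264 bytes its own outer header declares, so the walk fails at offset 0 the same way OpenSSL did; the safe filter leaves the structure intact. On a real certificate the same `declared_length` versus `len(der)` comparison is a cheap post-renewal sanity check before the file is installed.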