Problem CSR certificate

Dmytri · December 1, 2020, 9:10pm

Hi. While developing the client (python) acme v.2 protocol faced certificate signing problem. Domain ownership check for http-01 succeeded. Subsequent request for signature - undefined error (400). I ask for help. Exchange information below.

https://acme-staging-v02.api.letsencrypt.org/acme/order/16848143/193537084 {"signature": "gj0Bd-aD40l6tolDfVoynOmk8vhHt3wwZNc121__V8TivpINkjT71PqPEwXisMHxSR9DTYAaX7r-vkwyNY5k8-G1435WL8bkBRBvIgjFW36Lk1S7SHD1MjwqEZeqGkre", "payload": "", "protected": "eyJhbGciOiAiRVMzODQiLCAibm9uY2UiOiAiMDAwM3NBRkdpVTlCRG1FZHdDUWdUcmFqZnFuR01lb1BfSEYxYVFHcFpRTDVyd2MiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNjg0ODE0MyIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9vcmRlci8xNjg0ODE0My8xOTM1MzcwODQifQ"}
200 {'expires': '2020-12-05T23:55:40Z', 'status': 'ready', 'identifiers': [{'type': 'dns', 'value': 'dimon49.ml'}, {'type': 'dns', 'value': 'www.dimon49.ml'}], 'finalize': 'https://acme-staging-v02.api.letsencrypt.org/acme/finalize/16848143/193537084', 'authorizations': ['https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/163922494', 'https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/163922495']} Server: nginx
Date: Sun, 29 Nov 2020 16:56:59 GMT
Content-Type: application/json
Content-Length: 484
Connection: close
Cache-Control: public, max-age=0, no-cache
Link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0004uDV47T3HxH-Os4USGKCSFPCP0xkwKTdppJkav1OO2as
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{'csr': 'MIIEkjCCAnoCAQAwFTETMBEGA1UEAwwKZGltb240OS5tbDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALwPAWwyZKO1Qy1GDQt5kjHqzwyGtaHYhddmwWTljuQZa4WOLYdJf_bU6jQoWwNsf1A3SPXoWgO-cIW07k6XfDH2l7eVkd95RqWxxNUSwWRE7bss2sShhHMgt4Upy5sR41e-kEXqYKkyc5BAXT6QzH7LqI55a95SdrUEUR_7pXqFdPFriIpa5sLIQHC9aIEP2CotgMp31sn9z1-U5jIKh1u40oX-yUFDiBJ4N1uAzgKF3rD1kmVSCkkL89-g0mx1-_kyQWgwh6il3qxt9UgHVETFKqUDIYkZWBhpFxSup1pTOxU9JLeoEjgn1y--yOyCzC2vOi554lomSbHdg7wzZI5cLkWdI3lzZoofj0krIFyOTT4tAIixn6Gg05OwC_3YWNfgSC19zH7F6kR_K8AvQEqEFjDT1OFR0KDcc_34JqZrWmSivuVacuDDJeg4OZWul9yf9rGsbKLbmbsBIVbRBllUZ2zo08AiAC8R85c0rKZRBGzA5VqUhOGyB9Zd2fc2WNOqvBozKkfyx68VZitRfdYTet1B2sZuzDPbuOT4bDL1b1M-2YoeHW3xEPV8f2jJqz5v-JtQ2lUDXkFjHcKFc7cXsS7lWCEM4cqcbRy6nNLO-Wta0gXQHdllDlFKKMEmGpM7VFcRuKzHKJpd1ycJqrllI8hrhxTcfc4ZaB4oOKHRAgMBAAGgODA2BgkqhkiG9w0BCQ4xKTAnMCUGA1UdEQQeMByCCmRpbW9uNDkubWyCDnd3dy5kaW1vbjQ5Lm1sMA0GCSqGSIb3DQEBCwUAA4ICAQBz30MNz_kz1DLb4IKT-Nci4de69mgE312Uvepmqm6nb43BOJJfC09LkzHeROBo_J37AA5P3ryoIuqCBSyoGyLhpVhCN3SgIWF06m8ifvCmJ1oUAAdv2H1JXQWNwvAC6QcS2c0NJ82MSB_g07Kb0_s-4rr_FN_uxv57SENQITPi4eUZ96aArB6PvSjvhPnOWbklX2lb66bQDphstgg5U7e8K8H1mfzHGXZSbf5iEGlVp06Nc8xDGAjYwKwFmlXy6cY0swT5bKGBoXGucBs0UmYyVbQqGDwhXuAxjiDWa71cMhbexeGwqwzTXxTjmAdGNgQ8m4Fsu8ZgtUQ10PJgdAPIpqI48F6sXZvspwjTMR5FKbxURe7ebvC-EcDLGxYr63PWPGy_nzpjVWn-3nUKRwLxr7ekV0doO1RDAb6Dar76tFApWSwBSZJ5DBSKXtJbWa67rBZKV9rNEoHUA7DQQMtQw6tTDFpbWWo4chw7qoJCwAwzAKNN5qus-SWLhF3bhFBC0DgT5P7-s1FBf4U9D9mpLlvZx3Qx0rY5ULkLelbUu9zizpBFDx7AWFN6L4n33zt-A8x-0QXHbQcZ3fWQnt7c5qf_sxWVwk4vmvnp87SHZg1ldA5xSRU_BY5p8FszR6CroXgICliCQropvUZs44ePtOQeG0yBjdxc7wRng-ouaA'}
signature I_8myZwDBZ_fo1cEZB-Fi3j4499Tr0Uk89YqrfrbLN_3MmASaMTT2Qol0deILTS-kgb_OzE0_B6jf6f7RoJQky6Ln69c6YoG7UIxbY5EVicLqoEiIpNSIATK2uQJ1aNw
https://acme-staging-v02.api.letsencrypt.org/acme/order/16848143/193537084 {"payload": "eyJjc3IiOiAiTUlJRWtqQ0NBbm9DQVFBd0ZURVRNQkVHQTFVRUF3d0taR2x0YjI0ME9TNXRiRENDQWlJd0RRWUpLb1pJaHZjTkFRRUJCUUFEZ2dJUEFEQ0NBZ29DZ2dJQkFMd1BBV3d5WktPMVF5MUdEUXQ1a2pIcXp3eUd0YUhZaGRkbXdXVGxqdVFaYTRXT0xZZEpmX2JVNmpRb1d3TnNmMUEzU1BYb1dnTy1jSVcwN2s2WGZESDJsN2VWa2Q5NVJxV3h4TlVTd1dSRTdic3Myc1NoaEhNZ3Q0VXB5NXNSNDFlLWtFWHFZS2t5YzVCQVhUNlF6SDdMcUk1NWE5NVNkclVFVVJfN3BYcUZkUEZyaUlwYTVzTElRSEM5YUlFUDJDb3RnTXAzMXNuOXoxLVU1aklLaDF1NDBvWC15VUZEaUJKNE4xdUF6Z0tGM3JEMWttVlNDa2tMODktZzBteDEtX2t5UVdnd2g2aWwzcXh0OVVnSFZFVEZLcVVESVlrWldCaHBGeFN1cDFwVE94VTlKTGVvRWpnbjF5LS15T3lDekMydk9pNTU0bG9tU2JIZGc3d3paSTVjTGtXZEkzbHpab29majBrcklGeU9UVDR0QUlpeG42R2cwNU93Q18zWVdOZmdTQzE5ekg3RjZrUl9LOEF2UUVxRUZqRFQxT0ZSMEtEY2NfMzRKcVpyV21TaXZ1VmFjdURESmVnNE9aV3VsOXlmOXJHc2JLTGJtYnNCSVZiUkJsbFVaMnpvMDhBaUFDOFI4NWMwcktaUkJHekE1VnFVaE9HeUI5WmQyZmMyV05PcXZCb3pLa2Z5eDY4VlppdFJmZFlUZXQxQjJzWnV6RFBidU9UNGJETDFiMU0tMllvZUhXM3hFUFY4ZjJqSnF6NXYtSnRRMmxVRFhrRmpIY0tGYzdjWHNTN2xXQ0VNNGNxY2JSeTZuTkxPLVd0YTBnWFFIZGxsRGxGS0tNRW1HcE03VkZjUnVLekhLSnBkMXljSnFybGxJOGhyaHhUY2ZjNFphQjRvT0tIUkFnTUJBQUdnT0RBMkJna3Foa2lHOXcwQkNRNHhLVEFuTUNVR0ExVWRFUVFlTUJ5Q0NtUnBiVzl1TkRrdWJXeUNEbmQzZHk1a2FXMXZialE1TG0xc01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQnozME1Oel9rejFETGI0SUtULU5jaTRkZTY5bWdFMzEyVXZlcG1xbTZuYjQzQk9KSmZDMDlMa3pIZVJPQm9fSjM3QUE1UDNyeW9JdXFDQlN5b0d5TGhwVmhDTjNTZ0lXRjA2bThpZnZDbUoxb1VBQWR2MkgxSlhRV053dkFDNlFjUzJjME5KODJNU0JfZzA3S2IwX3MtNHJyX0ZOX3V4djU3U0VOUUlUUGk0ZVVaOTZhQXJCNlB2U2p2aFBuT1dia2xYMmxiNjZiUURwaHN0Z2c1VTdlOEs4SDFtZnpIR1haU2JmNWlFR2xWcDA2TmM4eERHQWpZd0t3Rm1sWHk2Y1kwc3dUNWJLR0JvWEd1Y0JzMFVtWXlWYlFxR0R3aFh1QXhqaURXYTcxY01oYmV4ZUd3cXd6VFh4VGptQWRHTmdROG00RnN1OFpndFVRMTBQSmdkQVBJcHFJNDhGNnNYWnZzcHdqVE1SNUZLYnhVUmU3ZWJ2Qy1FY0RMR3hZcjYzUFdQR3lfbnpwalZXbi0zblVLUndMeHI3ZWtWMGRvTzFSREFiNkRhcjc2dEZBcFdTd0JTWko1REJTS1h0SmJXYTY3ckJaS1Y5ck5Fb0hVQTdEUVFNdFF3NnRUREZwYldXbzRjaHc3cW9KQ3dBd3pBS05ONXF1cy1TV0xoRjNiaEZCQzBEZ1Q1UDctczFGQmY0VTlEOW1wTGx2WngzUXgwclk1VUxrTGVsYlV1OXppenBCRkR4N0FXRk42TDRuMzN6dC1BOHgtMFFYSGJRY1ozZldRbnQ3YzVxZl9zeFdWd2s0dm12bnA4N1NIWmcxbGRBNXhTUlVfQlk1cDhGc3pSNkNyb1hnSUNsaUNRcm9wdlVaczQ0ZVB0T1FlRzB5QmpkeGM3d1JuZy1vdWFBIn0", "protected": "eyJub25jZSI6ICIwMDAzMThoTjg5MFFkc0tlVHNaalJodmk2S25KWFB2Qm9sbWwyUlRvWmtxdTlMWSIsICJ1cmwiOiAiaHR0cHM6Ly9hY21lLXN0YWdpbmctdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9vcmRlci8xNjg0ODE0My8xOTM1MzcwODQiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNjg0ODE0MyIsICJhbGciOiAiRVMzODQifQ", "signature": "I_8myZwDBZ_fo1cEZB-Fi3j4499Tr0Uk89YqrfrbLN_3MmASaMTT2Qol0deILTS-kgb_OzE0_B6jf6f7RoJQky6Ln69c6YoG7UIxbY5EVicLqoEiIpNSIATK2uQJ1aNw"}
400 b'{\n "type": "urn:ietf:params:acme:error:malformed",\n "detail": "POST-as-GET requests must have an empty payload",\n "status": 400\n}' {}

_az · December 1, 2020, 9:17pm

You need to send the POST to the finalize URL rather than to the order URL.

The may discover the finalize URL (https://acme-staging-v02.api.letsencrypt.org/acme/finalize/16848143/193537084) by looking at the finalize field of the order URL.

This is described in RFC 8555 - Automatic Certificate Management Environment (ACME)

finalize (required, string): A URL that a CSR must be POSTed to once
all of the order's authorizations are satisfied to finalize the
order. The result of a successful finalization will be the
population of the certificate URL for the order.

Dmytri · December 1, 2020, 9:28pm

Thank you!

My not attentiveness!!!

system · December 31, 2020, 9:35pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.