Jason
February 1, 2016, 8:34pm
1
I receive the following error now that I try to get an EC certificate using staging:
Error: urn:acme:error:malformed :: The request message was malformed :: Error unmarshaling certificate request
My CSR is the following:
I do not understand: where is the problem?
Osiris
February 1, 2016, 9:22pm
2
I don’t know for sure that’s the problem, but your CSR uses SHA512 as its hash function… Try SHA256 perhaps?
Jason
February 1, 2016, 9:23pm
3
OK, I figured out the problem. I had specified some critical extensions that LE wasn’t going to issue, so I fixed that. However, I am now getting:
The request message was malformed :: Invalid key in certificate request :: ECDSA curve P-384 not allowed
@jsha Doesn’t the production server support EC-384 yet?
riking
February 1, 2016, 9:43pm
4
No, the 384 curve is not currently enabled.
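The rejections discussed above (a CSR that fails to parse, a curve the CA has not enabled, critical extensions in the request) can be checked locally before submitting. This is an added example, not part of the original posts and not Let's Encrypt's code: `Preflight`, `SampleCSR` and the allowed-curve map are hypothetical names, the P-256-only policy is an assumption, and the CSR is constructed in the code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
)

// Preflight lists CSR properties a CA may refuse; allowed is an assumed curve policy.
func Preflight(csrPEM []byte, allowed map[string]bool) (problems []string, sigAlg string, err error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, "", fmt.Errorf("no CERTIFICATE REQUEST PEM block")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err == nil {
		err = csr.CheckSignature() // the CSR must be correctly self-signed
	}
	if err != nil {
		return nil, "", fmt.Errorf("CSR is malformed: %w", err)
	}
	if key, ok := csr.PublicKey.(*ecdsa.PublicKey); ok && !allowed[key.Curve.Params().Name] {
		problems = append(problems, "curve not allowed: "+key.Curve.Params().Name)
	}
	for _, ext := range csr.Extensions {
		if ext.Critical {
			problems = append(problems, "critical extension requested: "+ext.Id.String())
		}
	}
	return problems, csr.SignatureAlgorithm.String(), nil
}

// SampleCSR returns a constructed CSR: P-384 key, SHA-512 signature, critical keyUsage.
func SampleCSR() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		SignatureAlgorithm: x509.ECDSAWithSHA512,
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 15}, Critical: true, Value: []byte{3, 2, 7, 0x80}}},
	}, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	fmt.Println(Preflight(SampleCSR(), map[string]bool{"P-256": true}))
}
```

The returned signature algorithm is reported rather than judged, since the thread does not establish which hash functions the CA accepts.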
Jason
February 1, 2016, 9:45pm
5
May I ask why? And also why staging doesn’t support P-521?
jsha
February 1, 2016, 9:52pm
6
We haven’t yet made the necessary config changes following last week’s deploy. We will get to it, but we have a lot of higher priorities this week.
1 Like
Jason
February 1, 2016, 9:54pm
7
May I also ask exactly what KeyUsages are allowed by LE?
jsha
February 1, 2016, 10:10pm
8
Details are on the other thread: ECDSA testing on staging. We will support Digital Signature. Part of the delay was the requisite code change to support different KeyUsages for different types of EE certs.
1 Like
Hi, is there an issue for the KeyUsages changes?
I cannot find it and it is not related to the EC Milestone.
Osiris
February 2, 2016, 6:27pm
10
1 Like
I think yes, I did not know that it is called CFSSL and found no link from the EC thread.
Thanks for the reply.