Hello there,
I’ve never attempted to generate SSL from Let’s Encrypt before… Please help, I was using this tool “https://gethttpsforfree.com/” to attempt to generate SSL for “hieuken.com”, “www.hieuken.com” and got this error every time.
Error: Account registration failed. Please start back at Step 1. { "type": "urn:acme:error:malformed", "detail": "JWS verification error", "status": 400 }
Certificate signature failed. Certificates per Domain is currently 5 per 7 days. If there is a rate limiting error at the end of this paragraph. Try asking Lets Encrypt to increase the limit or wait 7 days. Rate limits should increase in the near future. { "type": "urn:acme:error:malformed", "detail": "Error unmarshaling certificate request", "status": 400 }
The actual error reported by Let’s Encrypt is this part: { "type": "urn:acme:error:malformed", "detail": "Error unmarshaling certificate request", "status": 400 }
The text prior to that is something www.sslforfree.com came up with, and mentions this only applies if there’s a rate-limit-related error message at the end, which is not the case here.
The error seems to indicate there’s a problem with your CSR - did you provide your own CSR, or did you use the one www.sslforfree.com generated for you? If it’s the former, there’s probably something in your CSR that Let’s Encrypt doesn’t like - you can share it if you’d like for us to take a look. If you used the CSR www.sslforfree.com generated for you, it might be a bug with the site.
Thank you. I am not sure what was up with the CSR generated within my server. I tried the CSR from SSLForFree and it worked. It just required a few more tricks to merge the key & cert using OpenSSL.
We’ve seen a problem recently that there are different versions of the CSR format and Let’s Encrypt does not support, I believe, older versions. I don’t know the details, but I’m sure someone can supply them if this comes up again. But for reference, if you get a malformed CSR error and you’re sure that what you’re sending is really a CSR, you can try generating a fresh CSR with openssl.
Hopefully in the future Boulder will send a more detailed and meaningful error from the CA side.
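As an added example (not part of the original posts): one way to generate a fresh CSR with openssl for the two names in this thread and check locally that it parses, that its self-signature verifies, and that both names are present before submitting it. The file names and the `make_csr`/`check_csr` helpers are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Helper and file names are assumptions.
# Usage: make_csr . hieuken.com www.hieuken.com &&
#        check_csr ./domain.csr hieuken.com www.hieuken.com

make_csr() {
    # $1 = output directory, remaining args = DNS names (first becomes the CN)
    dir=$1; shift
    cn=$1
    san=""
    for name in "$@"; do
        san="${san:+$san,}DNS:$name"
    done
    # A config file is used so the SAN list works on older openssl builds too.
    cat > "$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/domain.key" -out "$dir/domain.csr" \
        -config "$dir/csr.cnf" 2>/dev/null
    chmod 600 "$dir/domain.key"   # the private key never leaves this machine
}

check_csr() {
    # $1 = CSR file, remaining args = names that must appear as SANs
    csr=$1; shift
    # Must parse as a PKCS#10 request and its self-signature must verify.
    # The exit status of -verify differs between openssl versions, so the
    # message is checked instead.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || return 1
    for name in "$@"; do
        printf '%s\n' "$text" | grep -Eq "DNS:$name(,|[[:space:]]*\$)" || return 1
    done
    return 0
}
```

A CSR that fails `check_csr` locally will not be accepted by the CA either, so this narrows a "malformed" response down to the request itself rather than the submitting tool.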