The certificate public key returned by the API is not the same as the CSR public key I submitted

The client I use is: python acme==1.11.0
My account address is: https://acme-v02.api.letsencrypt.org/acme/acct/106396927
The order with the error is: https://acme-v02.api.letsencrypt.org/acme/order/106396927/8235322825

My order details are:

 {
 	"body": {
 		"identifiers": [{
 			"type": "dns",
 			"value": "mn1-replay.leihuo.netease.com"
 		}],
 		"status": "pending",
 		"authorizations": ["https://acme-v02.api.letsencrypt.org/acme/authz-v3/11287227725"],
 		"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/106396927/8235322825",
 		"expires": "2021-03-10T18:09:45Z"
 	},
 	"uri": "https://acme-v02.api.letsencrypt.org/acme/order/106396927/8235322825",
 	"csr_pem": "-----BEGIN CERTIFICATE REQUEST-----\nMIIDTzCCAjcCAQAwgc4xJjAkBgNVBAMMHW1uMS1yZXBsYXkubGVpaHVvLm5ldGVh\nc2UuY29tMQswCQYDVQQGEwJDTjERMA8GA1UECAwIWmhlamlhbmcxETAPBgNVBAcM\nCEhhbmd6aG91MSwwKgYDVQQKDCNOZXRFYXNlIChIYW5nemhvdSkgTmV0d29yayBD\nby4sIEx0ZDESMBAGA1UECwwJR2FtZSBEZXAuMS8wLQYJKoZIhvcNAQkBFiBncnAu\nbmllc2VjdXJpdHlAY29ycC5uZXRlYXNlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD\nggEPADCCAQoCggEBANpeHhihA0I+T5EZBVRBBJGt+iqTxHpSVNce4K6FHfknm1wm\n5VV2RVCgAM5LmjGbmSVaAa2kj/PWNXkb0I4cCliO0A6+/UPCS6YZjUX9Mve3HDIy\n7iAUsWA25X4hxd9aZ5aFMX057iCJpw467tStDRcsTs/5YOOKzjIaDUFpi1ujvotz\nYI9YImgGs51P2DVLjfmtebtG34UbR2tdq1nt6zhKPzbSd6b+6yk6YGqtn8OfmlZt\n7xb4/FMNJRIsQ9/O5k7pcxNlEPzs5J/dvdLZb+FdJjrvY4MkzdRhEulAQco3CyNq\ni2LjeYaxxj2Ismnpx8bDUQERLC8E8fi3e4AWGq8CAwEAAaA7MDkGCSqGSIb3DQEJ\nDjEsMCowKAYDVR0RBCEwH4IdbW4xLXJlcGxheS5sZWlodW8ubmV0ZWFzZS5jb20w\nDQYJKoZIhvcNAQELBQADggEBADL+fKRvPx8ZKE00/cRMQgUaYG3JvKmpbdggLG1i\n4Mesm/aKNDv7iPgFH7eI43xvzPdVtJj/TV9CF01nIBT72lcRyBB+hz1feOvJRewn\nVEE0IKxjlguEm10MyWB7wvDayk0nM2gFjHIpPLISAwtfryCV+qTBuDQS8CCNkeee\nxKsei+3Y9c/ATmLs/PpoO+E9aXv/cUoBYKFTmnvYnm3Yd1J55KphPDZWn75VQybX\n4DtLg6Kg1/7QZa13YM/AbQJwo6SQXX/z4SeTuV39zqbjHJ6dUVSiFEJTZNFdd3nL\nrqE2P2C86DRKWg8DPULsuFf9Dh0YCYovPwVQSz+sf/DKkds=\n-----END CERTIFICATE REQUEST-----\n",
 	"authorizations": [{
 		"body": {
 			"identifier": {
 				"type": "dns",
 				"value": "mn1-replay.leihuo.netease.com"
 			},
 			"challenges": [{
 				"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11287227725/gTU9yg",
 				"status": "pending",
 				"token": "-GkjatymgftCjmqCWa4d9rlx3WAm22P__GVv2XyMexg",
 				"type": "http-01"
 			}, {
 				"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11287227725/B5NpIw",
 				"status": "pending",
 				"token": "-GkjatymgftCjmqCWa4d9rlx3WAm22P__GVv2XyMexg",
 				"type": "dns-01"
 			}, {
 				"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/11287227725/OMcLyw",
 				"status": "pending",
 				"token": "-GkjatymgftCjmqCWa4d9rlx3WAm22P__GVv2XyMexg",
 				"type": "tls-alpn-01"
 			}],
 			"status": "pending",
 			"expires": "2021-03-10T18:09:45Z"
 		},
 		"uri": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/11287227725"
 	}]
 }

The certificate I got is:


When I use it with Nginx, I get the following error:

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/b.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

If you care to share the CSR, maybe someone can figure out what is going on.

@rg305 it looks like it's in the csr_pem variable—let me extract it. :slight_smile:


The (supposed) CSR is included in the first code snippet.

I would guess that there is some kind of bug in the finalization code of the ACME client. There aren't any certificates issued with the SPKI from the CSR.

Anything's possible, but I find it exceptionally unlikely for Boulder to accidentally sign a CSR with the same subject but different subject key :man_shrugging:.


Ah yes, I do see it now!

yeah


Are there any Let's Encrypt developers here? I need your help.
I checked the database and found no CSR with the same public key as the certificate.
I'm sure the CSR I submitted is that one.

I seem to have found the reason.
I have two certificates with the same common_name and SAN.DNS. They both performed the acme_order operation within 10s. As a result, the API returned the same order number, which resulted in a certificate public key mismatch.

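The failure mode described in the last post (two processes order the same name within seconds, both are handed the same pending order, and the certificate carries the key of whichever CSR was finalized first) is reproduced below, together with the client-side check that would have caught it before the certificate reached nginx. This is an added example, not code from the thread or from the python acme client; it assumes the `cryptography` package, stands in for the CA with a locally generated signing key, and uses a placeholder hostname.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa

NAME = "mn1-replay.example.invalid"  # constructed placeholder, not the thread's real host

def spki_der(public_key) -> bytes:
    # The SubjectPublicKeyInfo is what the CSR carries and what the CA copies into
    # the certificate, so comparing it is exactly the check nginx failed on.
    return public_key.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)

def make_csr(key, name: str) -> x509.CertificateSigningRequest:
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)]))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(name)]), critical=False)
            .sign(key, hashes.SHA256()))

def issue(csr: x509.CertificateSigningRequest, ca_key) -> x509.Certificate:
    # Stand-in for the CA's finalize step (assumption: a local CA key, not Boulder):
    # the certificate gets the public key of the CSR that was finalized for the order.
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(csr.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=90))
            .sign(ca_key, hashes.SHA256()))

def cert_matches_key(cert: x509.Certificate, private_key) -> bool:
    # Run this before writing the certificate next to its key; on a mismatch,
    # discard the certificate and place a fresh order instead of installing it.
    return spki_der(cert.public_key()) == spki_der(private_key.public_key())

def demo() -> tuple:
    ca, key_a, key_b = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    csr_a, csr_b = make_csr(key_a, NAME), make_csr(key_b, NAME)
    # Two processes ordered the same name seconds apart and shared one pending order;
    # A's finalize won, so the downloaded cert carries A's key even though process B
    # submitted csr_b and holds key_b.
    cert = issue(csr_a, ca)
    return (cert_matches_key(cert, key_a),
            cert_matches_key(cert, key_b),
            spki_der(csr_b.public_key()) == spki_der(cert.public_key()))
```

For files already on disk, `x509.load_pem_x509_certificate()` and `serialization.load_pem_private_key()` produce the same objects, so `cert_matches_key` can be run against the `ssl_certificate` / `ssl_certificate_key` pair before reloading nginx.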
