The request message was malformed :: Error creating new order :: DNS name does not have enough labels


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
dev.retex.global

I ran this command:
[root@ip-172-31-13-103 ec2-user]# sudo keytool -genkey -alias tomcat -keyalg RSA -keystore /usr/share/tomcat/.keystore -keysize 2048
Enter keystore password:
What is your first and last name?
[Unknown]:
What is the name of your organizational unit?
[Unknown]:
What is the name of your organization?
[Unknown]:
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
Enter key password for <tomcat>
(RETURN if same as keystore password):

[root@ip-172-31-13-103 ec2-user]# sudo keytool -certreq -alias tomcat -file request.csr -keystore /usr/share/tomcat/.keystore
Enter keystore password:

[root@ip-172-31-13-103 ec2-user]# sudo certbot certonly --csr request.csr
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
The request message was malformed :: Error creating new order :: DNS name does not have enough labels
Please see the logfiles in /var/log/letsencrypt for more details.

It produced this output:

An unexpected error occurred:
The request message was malformed :: Error creating new order :: DNS name does not have enough labels

My web server is (include version):

[root@ip-172-31-13-103 ec2-user]# tomcat version
Server version: Apache Tomcat/7.0.76
Server built: Oct 1 2018 16:39:09 UTC
Server number: 7.0.76.0
OS Name: Linux
OS Version: 3.10.0-514.16.1.el7.x86_64
Architecture: amd64
JVM Version: 1.8.0_131-b11
JVM Vendor: Oracle Corporation

The operating system my web server runs on is (include version):

[root@ip-172-31-13-103 ec2-user]# cat /etc/*release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.6 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.6"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.6 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.6:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.6
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.6"
Red Hat Enterprise Linux Server release 7.6 (Maipo)
Red Hat Enterprise Linux Server release 7.6 (Maipo)

My hosting provider, if applicable, is:

AWS

I can login to a root shell on my machine (yes or no, or I don't know):

YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

NO


#2

Hi,

Do you mind sharing the content of your CSR with us?

Thank you


#3

Hi @Masber

this

is wrong. As CN (CommonName), you must use your domain name. With this information you would request a certificate with the domain name "unknown", which is too short -> not enough labels.

Your domain name dev.retex.global is ok, .global is on the public suffix list. This domain name has three labels.
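The following script is an added example, not code from this thread or from Certbot: it runs keytool non-interactively with the CN and a SAN both set to the real FQDN, and it checks the name before any key is generated, refusing a single-label name like keytool's "Unknown" placeholder, which is exactly what triggered the "DNS name does not have enough labels" rejection above. The keytool flags (-dname, -ext SAN, -storepass:file) and `openssl req` are real; the alias "tomcat", the keystore path and the use of a password file are assumptions carried over from the commands in post #1.

```shell
#!/bin/sh
# Added example (not from the thread): make a Tomcat key pair and CSR whose
# CN and SAN carry the real FQDN, after a pre-flight check of that name.

# Count DNS labels: "Unknown" -> 1, "dev.retex.global" -> 3.
label_count() {
  rest=${1%.}          # ignore a trailing dot
  n=1
  while [ "${rest#*.}" != "$rest" ]; do
    rest=${rest#*.}
    n=$((n + 1))
  done
  printf '%s\n' "$n"
}

# Pre-flight check of the name that will end up in CN and SAN. A single
# label (keytool's default "Unknown") is what the ACME CA rejects with
# "DNS name does not have enough labels"; a public-suffix name such as
# dev.retex.global has three labels and passes.
check_fqdn() {
  name=${1%.}
  case $name in
    ''|*[!A-Za-z0-9.-]*|.*|*..*|-*)
      echo "check_fqdn: '$1' is not a valid hostname" >&2; return 1 ;;
  esac
  if [ "$(label_count "$name")" -lt 2 ]; then
    echo "check_fqdn: '$1' has only one label; the CA will reject it" >&2
    return 1
  fi
  return 0
}

# Generate key pair and CSR non-interactively. The keystore password is
# read from a 0600 file (assumed path given by the caller) rather than typed
# on the command line, so it does not end up in `ps` output or history.
make_csr() {
  fqdn=$1; keystore=$2; passfile=$3
  check_fqdn "$fqdn" || return 1
  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
    -dname "CN=$fqdn" -ext "SAN=dns:$fqdn" \
    -keystore "$keystore" -storepass:file "$passfile" -keypass:file "$passfile"
  keytool -certreq -alias tomcat -file request.csr -ext "SAN=dns:$fqdn" \
    -keystore "$keystore" -storepass:file "$passfile"
  # Inspect what the CSR really says before handing it to certbot.
  openssl req -in request.csr -noout -subject
  openssl req -in request.csr -noout -text | grep -A1 'Subject Alternative Name'
}

# Constructed demonstration of the check alone (no keytool needed):
check_fqdn Unknown || echo "refused: Unknown"
check_fqdn dev.retex.global && echo "accepted: dev.retex.global"
```

On the host you would run `make_csr dev.retex.global /usr/share/tomcat/.keystore /root/keystore.pass` and then `sudo certbot certonly --standalone --csr request.csr` as in post #1; certbot takes the names from the CSR, so the `subject=` line printed by `openssl req` should show the FQDN, not `CN=Unknown`, before you submit it.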


#5

I’d suggest finding a way to avoid generating your own CSR. When you use Certbot’s --csr option, it disables most of its certificate management features, including automatic renewal.

It’s possible to have Certbot generate its own keys and use a --deploy-hook to create the files Tomcat needs and reload/restart Tomcat, all automatically.

I don’t personally know exactly how, though.

There are a number of past threads on Tomcat on this forum, e.g.:

See also the Certbot documentation:
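As an added example of the --deploy-hook approach suggested above (this is not code from the thread, from Certbot or from Tomcat), the script below lets Certbot own the key and renewal and, after each successful issuance, bundles the renewed lineage into a PKCS12 keystore for Tomcat and restarts it. RENEWED_LINEAGE and RENEWED_DOMAINS are the environment variables Certbot really exports to deploy hooks; the keystore path, the password file, the `tomcat` group and the systemd unit name are assumptions and should be adjusted to the host.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot --deploy-hook that rebuilds
# Tomcat's PKCS12 keystore from the renewed Let's Encrypt lineage.
# Assumed paths/names: $KEYSTORE, $PASSFILE (0600, root-owned, holds the
# keystore password), group "tomcat", systemd unit "tomcat".
set -eu

KEYSTORE=${KEYSTORE:-/usr/share/tomcat/.keystore}   # assumed, from post #1
PASSFILE=${PASSFILE:-/etc/tomcat/keystore.pass}       # assumed
TOMCAT_UNIT=${TOMCAT_UNIT:-tomcat}                     # assumed
WANTED=${WANTED:-dev.retex.global}

# Was the domain we serve among the names certbot just renewed?
# $1 = space-separated list (certbot exports it as RENEWED_DOMAINS), $2 = name
domain_renewed() {
  for d in $1; do
    [ "$d" = "$2" ] && return 0
  done
  return 1
}

# Certbot exports RENEWED_LINEAGE=/etc/letsencrypt/live/<name>; refuse to
# touch the keystore if the expected PEM files are not both readable.
lineage_files_ok() {
  [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Bundle key + full chain into a PKCS12 with alias "tomcat" (Tomcat's
# connector then uses keystoreType="PKCS12" keyAlias="tomcat"). The file is
# written to a temp name and moved into place atomically so Tomcat never
# opens a half-written keystore.
build_keystore() {
  lineage=$1
  tmp=$(mktemp "$KEYSTORE.XXXXXX")
  openssl pkcs12 -export \
    -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
    -name tomcat -passout "file:$PASSFILE" -out "$tmp"
  chown root:tomcat "$tmp"   # assumed group; match your Tomcat service user
  chmod 0640 "$tmp"
  mv "$tmp" "$KEYSTORE"
}

main() {
  lineage=${RENEWED_LINEAGE:?not running under certbot --deploy-hook}
  domains=${RENEWED_DOMAINS:-}
  if ! domain_renewed "$domains" "$WANTED"; then
    echo "deploy-hook: $WANTED not in renewed set '$domains', nothing to do" >&2
    return 0
  fi
  if ! lineage_files_ok "$lineage"; then
    echo "deploy-hook: $lineage lacks fullchain.pem or privkey.pem" >&2
    return 1
  fi
  build_keystore "$lineage"
  systemctl restart "$TOMCAT_UNIT"
}

# Only act when certbot invoked us; sourcing the file just defines functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Install it as, for example, /etc/letsencrypt/renewal-hooks/deploy/tomcat.sh (mode 0750) and obtain the certificate with `certbot certonly --standalone -d dev.retex.global`; Certbot then runs the hook on the initial issuance and on every renewal, which is the automatic renewal that the --csr route gives up.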


#6

Hi @JuergenAuer

thank you, I got it fixed after changing CN to my FQDN.