Please fill out the fields below so we can help you better.
My domain is:remote.aurorafa.com
I ran this command:n/a
It produced this output: Certificate signature failed. If you supplied your own CSR make sure the domains on it match what you put on SSLForFree. If there is a rate limiting error at the end of this paragraph certificates per Domain is currently 5 per 7 days. Try asking Lets Encrypt to increase the limit or wait 7 days. Rate limits should increase in the near future. { "type": "urn:acme:error:malformed", "detail": "Error parsing certificate request: asn1: syntax error: sequence truncated", "status": 400 }
My operating system is (include version):Windows SBS 2008
My web server is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no
I’m trying to create a certificate using a certificate request generated by the Win 2008 Certificate Wizard.
go to sslforfree
verify I control domain by adding a TXT record
in Windows Cert Wizard, generate a certificate request for remote.aurorafa.com, creates .txt file.
at sslforfree, check box “I have my own CSR”
paste in contents of .txt file with request (note: not converting to Win std CR+LF at end of each line)
get above error
Any thoughts? Anyone else generate a cert from a windows-generated CSR? Should I just trim all LFs, so the CSR is a single line?
Thanks!
Hi @ashaw021
On first perusal of that article, I converted my CSR (CRLFs to LFs, removed 'NEW' from header and footer)
I am wading through that article now - but am unclear as to how I might use openssl to clean it out.
On the off chance it might move the conversation forward, here is the CSR I am submitting
I am taking notes, and, assuming I get this working, would be glad to write up a how-to for other poor Windows sods running into the same issue.
Thanks!
I ran the CSR through OpenSSL (openssl req) and it was unchanged, so that approach won’t help in this case, though it was worth a try!
I’m not sure of the specific reason that Let’s Encrypt doesn’t like that CSR, but it definitely has several things that Let’s Encrypt wouldn’t be willing to include in a certificate, and probably at least one that would cause the CSR to be rejected.
The CSR mentions a city, state, location, organization, and organizational unit, but Let’s Encrypt can’t verify any of this information, so it won’t include it in a certificate
There are 3 Authenticode-related attributes included in the CSR, but Let's Encrypt never issues code-signing certs (I think it's about 70% likely that it's the presence of these attributes which is causing the parsing failure)
One of the requested subject names is DNS:SERVER.afa.local, but no publicly-trusted CA is permitted to issue for .local names anymore
The CSR was signed with sha1WithRSAEncryption (an obsolete algorithm), though I’m not sure Let’s Encrypt rejects CSRs that use this algorithm
You can usually re-use a CSR from another CA with Let's Encrypt, and most extraneous information will be ignored; in this case I would say that trying to re-use a CSR that was used to request code-signing certs is probably causing trouble, and it would be best to generate a completely new CSR instead, especially omitting both the Authenticode attributes and the request for the .local name. You should be able to keep using the same public and private keys, if you want.
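The checks in the reply above, as an added example that is not code from the thread or from Let's Encrypt: a small Python linter that decodes a PEM CSR with a minimal DER walker and reports what a submission trips over. It flags an outer SEQUENCE whose declared length exceeds the bytes actually present (the "sequence truncated" condition in the original error), the signature algorithm OID (sha1WithRSAEncryption here), request attributes other than the PKCS#9 extensionRequest, and SAN dNSName entries ending in .local. The sample CSR is constructed inline with a dummy key and signature; the example.com/example.local names and the three Microsoft enrollment attribute OIDs used as stand-ins for non-standard attributes are assumptions, not the poster's CSR.

```python
"""Lint a PEM PKCS#10 CSR for the problems discussed above (added example, no third-party libraries)."""
import base64
import re

OID_RSA, OID_SHA1_RSA = "1.2.840.113549.1.1.1", "1.2.840.113549.1.1.5"
OID_EXTENSION_REQUEST, OID_SAN = "1.2.840.113549.1.9.14", "2.5.29.17"
# Assumed stand-ins for non-standard request attributes (Microsoft enrollment OIDs), not the poster's.
MS_ATTRS = ("1.3.6.1.4.1.311.13.2.3", "1.3.6.1.4.1.311.13.2.2", "1.3.6.1.4.1.311.21.20")


def der_read(buf, off=0):
    """Decode one TLV at buf[off:]; return (tag, content, next_offset), raising on short input."""
    if off + 2 > len(buf):
        raise ValueError("header truncated")
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                                 # long-form length
        hdr = 2 + (length & 0x7F)
        if off + hdr > len(buf):
            raise ValueError("length field truncated")
        length = int.from_bytes(buf[off + 2:off + hdr], "big")
    start, end = off + hdr, off + hdr + length
    if end > len(buf):                                # the 'sequence truncated' case
        raise ValueError("sequence truncated: declares %d bytes, %d available" % (length, len(buf) - start))
    return tag, buf[start:end], end


def der_children(content):
    """Split a constructed element's content into (tag, body) pairs."""
    out, off = [], 0
    while off < len(content):
        tag, body, off = der_read(content, off)
        out.append((tag, body))
    return out


def oid_to_str(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))


def lint_csr(pem):
    """Return findings; only 'error' is set when the base64 or DER is damaged."""
    f = {"error": None, "signature_algorithm": None, "attributes": [], "dns_names": [], "local_names": []}
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", pem)
    try:                                              # join() also drops CR/LF line ends
        _, csr, _ = der_read(base64.b64decode("".join(body.split())))
    except ValueError as e:
        f["error"] = str(e)
        return f
    (_, info), (_, sig_alg), _ = der_children(csr)
    f["signature_algorithm"] = oid_to_str(der_children(sig_alg)[0][1])
    *_, (atag, attrs) = der_children(info)            # version, Name, SPKI, [0] attributes
    for _, attr in (der_children(attrs) if atag == 0xA0 else []):
        (_, typ), (_, vals) = der_children(attr)
        oid = oid_to_str(typ)
        if oid != OID_EXTENSION_REQUEST:
            f["attributes"].append(oid)
            continue
        for _, ext in der_children(der_children(vals)[0][1]):   # SET { SEQUENCE OF Extension }
            parts = der_children(ext)                            # extnID [, critical], extnValue
            if oid_to_str(parts[0][1]) == OID_SAN:
                for gtag, name in der_children(der_read(parts[-1][1])[1]):
                    if gtag == 0x82:                            # [2] IMPLICIT dNSName
                        f["dns_names"].append(name.decode("ascii"))
    f["local_names"] = [n for n in f["dns_names"] if n.lower().endswith(".local")]
    return f


def der(tag, content):
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content


def der_oid(dotted):
    a = [int(p) for p in dotted.split(".")]
    out = bytes([40 * a[0] + a[1]])
    for p in a[2:]:
        chunk = bytes([p & 0x7F])
        while p > 0x7F:
            p >>= 7
            chunk = bytes([0x80 | (p & 0x7F)]) + chunk
        out += chunk
    return der(0x06, out)


def build_csr(dns_names, sig_oid, extra_attrs=()):
    """Construct a structurally valid CSR with a dummy RSA key and dummy signature (test data)."""
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x0C, dns_names[0].encode()))))
    spki = der(0x30, der(0x30, der_oid(OID_RSA) + b"\x05\x00") + der(0x03, b"\x00\x30\x03\x02\x01\x03"))
    san = der(0x30, b"".join(der(0x82, n.encode("ascii")) for n in dns_names))
    ext = der(0x30, der_oid(OID_SAN) + der(0x04, san))
    attrs = der(0x30, der_oid(OID_EXTENSION_REQUEST) + der(0x31, der(0x30, ext)))
    attrs += b"".join(der(0x30, der_oid(o) + der(0x31, der(0x0C, b"x"))) for o in extra_attrs)
    info = der(0x30, der(0x02, b"\x00") + name + spki + der(0xA0, attrs))
    return der(0x30, info + der(0x30, der_oid(sig_oid) + b"\x05\x00") + der(0x03, b"\x00\xde\xad\xbe\xef"))


def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE REQUEST-----\n%s\n-----END CERTIFICATE REQUEST-----\n" % lines


# Constructed samples: SHA-1 signature, a .local SAN, three non-standard attributes; and a paste cut 20 bytes short.
SAMPLE_PEM = to_pem(build_csr(["remote.example.com", "SERVER.example.local"], OID_SHA1_RSA, MS_ATTRS))
TRUNCATED_PEM = to_pem(build_csr(["remote.example.com"], OID_SHA1_RSA)[:-20])
```

Run `lint_csr()` on the exact text you are about to paste into the form: a non-empty `error` means the CSR was cut or mangled on its way in (the base64 still decodes after a short paste, so the failure only shows once the outer length is checked), while the signature algorithm, extra attributes and .local names point at the CSR itself and call for a fresh request.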
The contents which work the best for certreq_config.txt are below
[NewRequest]
Subject = "CN="
Exportable = TRUE
KeyLength = 4096
KeySpec = 1
MachineKeySet = TRUE
SuppressDefaults = True
SMIME = false
RequestType= PKCS10
Some explanation of the configuration:
Exportable = TRUE. Allows the private key (stored in the Microsoft certificate store) to be exported. You need this to be able to export the certificate and key in PFX format.
SuppressDefaults = True - stops certreq from adding certain Microsoft extensions to the CSR (e.g. the name of the requesting machine) which can break the process
SMIME = false - stops certreq from adding certain extensions to the CSR which can break the process
RequestType = PKCS10 - forces certreq to format the CSR in PKCS10 format.
If everything works well, we can use MMC with the Certificates snap-in to confirm a pending certificate request.