Trying to get a cert for Win SBS 2008 using sslforfree


#1

Please fill out the fields below so we can help you better.

My domain is:remote.aurorafa.com

I ran this command:n/a

It produced this output:Certificate signature failed. If you supplied your own CSR make sure the domains on it match what you put on SSLForFree. If there is a rate limiting error at the end of this paragraph certificates per Domain is currently 5 per 7 days. Try asking Lets Encrypt to increase the limit or wait 7 days. Rate limits should increase in the near future. { "type": "urn:acme:error:malformed", "detail": "Error parsing certificate request: asn1: syntax error: sequence truncated", "status": 400 }

My operating system is (include version):Windows SBS 2008

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

I’m trying to create a certificate using a certificate request generated by the Win 2008 Certificate Wizard.

  1. go to sslforfree
  2. verify I control domain by adding a TXT record
  3. in Windows Cert Wizard, generate a certificate request for remote.aurorafa.com, creates .txt file.
  4. at sslforfree, check box “I have my own CSR”
  5. paste in contents of .txt file with request (note not converting to win std CR+LF at end of each line)
  6. get above error

Any thoughts? Anyone else generate a cert from a windows-generated CSR? Should I just trim all LFs, so the CSR is a single line?
Thanks!


#2

Hi @bobkoure,

Maybe you could trim CRs but not LFs, because Unix text files use LF as a line separator where Windows uses CRLF.

If you’d like to post the CSR here, maybe we can figure out what’s the trouble with it.


#3

hi @schoen

you are absolutely on the right track

@bobkoure

Review this article: https://www.linkedin.com/pulse/lets-encrypt-part-2-3-repurposing-clients-making-things-andrei-hawke

I came across a similar issue when trying to use CSRs from windows.

I usually run them through Openssl to clean them out.

The article also outlines some differences I spotted and has some recommendations on how to create effective CSRs in windows.

Windows adds some funny ASN.1 extensions which letsencrypt clients don’t like

Andrei


#4

Hi @ashaw021
On first perusal of that article, I converted my CSR (CRLFs to LFs, removed ‘NEW’ from header and footer)
I am wading through that article now - but am unclear as to how I might use openssl to clean it out.
On the off chance it might move the conversation forward, here is the CSR I am submitting


I am taking notes, and, assuming I get this working, would be glad to write up a how-to for other poor Windows sods running into the same issue.
Thanks!


#5

Hi @bobkoure,

I ran the CSR through OpenSSL (openssl req) and it was unchanged, so that approach won’t help in this case, though it was worth a try!

I’m not sure of the specific reason that Let’s Encrypt doesn’t like that CSR, but it definitely has several things that Let’s Encrypt wouldn’t be willing to include in a certificate, and probably at least one that would cause the CSR to be rejected.

  • The CSR mentions a city, state, location, organization, and organizational unit, but Let’s Encrypt can’t verify any of this information, so it won’t include it in a certificate
  • There are 3 AuthentiCode-related attributes included in the cert, but Let’s Encrypt never issues code-signing certs (I think it’s about 70% likely that it’s the presence of these attributes which is causing the parsing failure)
  • One of the requested subject names is DNS:SERVER.afa.local, but no publicly-trusted CA is permitted to issue for .local names anymore
  • The CSR was signed with sha1WithRSAEncryption (an obsolete algorithm), though I’m not sure Let’s Encrypt rejects CSRs that use this algorithm

You can usually re-use a CSR from another CA with Let’s Encrypt, and most extraneous information will be ignored; in this case I would say that trying to re-use a CSR that was used to request code-signing certs is probably causing trouble, and it would be best to generate a completely new CSR instead, especially omitting both the AuthentiCode attributes and the request for the .local name. You should be able to keep using the same public and private keys, if you want.
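The checks in the reply above can be automated against the human-readable dump that `openssl req -in request.csr -noout -text` produces. The following script is an added example, not code from the thread or from Let's Encrypt; the sample dump, its domain names and attribute values are constructed, and the attribute check simply flags anything under Microsoft's private OID arc rather than identifying specific AuthentiCode attributes.

```python
import re

# Constructed sample (not from the thread): roughly what
# `openssl req -in request.csr -noout -text` prints for a Windows-wizard CSR.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Subject: C = US, ST = Example State, L = Example City, O = Example Org, OU = IT, CN = remote.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        Attributes:
            1.3.6.1.4.1.311.13.2.3   :6.0.6002.2
            1.3.6.1.4.1.311.21.20    :9:SERVER.example.local
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:remote.example.test, DNS:SERVER.example.local
    Signature Algorithm: sha1WithRSAEncryption
"""

MICROSOFT_ARC = "1.3.6.1.4.1.311."  # Microsoft's private enterprise OID arc
WEAK_SIG = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}

def triage_csr(text):
    """Return (severity, message) findings for the text form of a CSR."""
    findings = []
    # 1. Subject RDNs other than CN: harmless, but the CA will drop them.
    m = re.search(r"^\s*Subject:\s*(.*)$", text, re.M)
    if m:
        rdns = [part.split("=")[0].strip() for part in m.group(1).split(",")]
        extra = sorted({r for r in rdns if r != "CN"})
        if extra:
            findings.append(("info", f"subject fields {extra} will not appear in the certificate"))
    # 2. Vendor-specific PKCS#10 attributes (Windows enrollment / code-signing metadata).
    for m in re.finditer(r"^\s*(\d+(?:\.\d+)+)\s*:", text, re.M):
        if m.group(1).startswith(MICROSOFT_ARC):
            findings.append(("error", f"vendor attribute {m.group(1)} present; regenerate the CSR without it"))
    # 3. SAN entries under .local can never be issued by a public CA.
    m = re.search(r"Subject Alternative Name:[ \t]*\n\s*(.*)$", text, re.M)
    if m:
        for name in (n.strip() for n in m.group(1).split(",")):
            if name.lower().endswith(".local"):
                findings.append(("error", f"{name} is an internal name; no public CA may issue it"))
    # 4. Obsolete signature hash on the request itself.
    m = re.search(r"^\s*Signature Algorithm:\s*(\S+)", text, re.M)
    if m and m.group(1) in WEAK_SIG:
        findings.append(("warn", f"CSR signed with {m.group(1)}; regenerate with SHA-256"))
    return findings
```

Run `triage_csr()` over your own dump; a CSR that comes back with no "error" findings is the kind Let's Encrypt will normally accept, extraneous subject fields included.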


#6

hi @bobkoure

have a look at the ZeroSSL client https://www.linkedin.com/pulse/lets-encrypt-part-1-issuing-installing-certificates-andrei-hawke

This client is usually the easiest way to start with as you can paste your domain name in and it will generate the CSR for you

when you are more confident there are other ways of generating the CSR

I use certreq utility personally for several reasons

Creating a CSR with Certreq

Reviewing the documentation here: https://technet.microsoft.com/en-us/library/dn296456(v=ws.11).aspx we can see that to use certreq we need to specify a configuration file and use the following syntax.

certreq -New .\certreq_config.txt

The contents which work the best for certreq_config.txt are below

[NewRequest]
Subject = "CN="
Exportable = TRUE
KeyLength = 4096
KeySpec = 1
MachineKeySet = TRUE
SuppressDefaults = True
SMIME = false
RequestType= PKCS10

Some explanation for configuration:

Exportable=TRUE. Allows the private key (stored in Microsoft Store) to be exported. You need this to be able to export the certificate and key in PFX format.

SuppressDefaults = True - stops certreq adding certain Microsoft Extension to CSR (e.g. name of request machine) which can break the process

SMIME = false - Stops certreq adding certain extensions to the CSR which can break the process

RequestType= PKCS10 - forces certreq to format the CSR in a PKCS10 format.

If everything works well, we can use MMC and the Certificate Snap-In to confirm a pending certificate request.

You can also use openssl to generate your CSRs

out of interest are you a video guy or an article guy?

I am thinking of doing a youtube series on windows and letsencrypt

Andrei


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.