Urn:acme:error:malformed - Error unmarshaling certificate request


#1

Hello,

I am writing my own client in PHP, and I have stuck on sending CSR because I’m getting

 ["type"]=> string(24) "urn:acme:error:malformed" ["detail"]=> string(38) "Error unmarshaling certificate request" ["status"]=> int(400) 

I believe there is some problem in CSR generation algorithm or something like that.

Here is code example:

$result = $this->signedRequest(
 '/acme/new-cert',
[
'resource' => 'new-cert',
'csr' => $csr,
]);

I have performed domain verification with success with similar code, so I assume it’s sending good requests to endpoint.

value of $csr is:

-----BEGIN CERTIFICATE REQUEST-----
MIIEqDCCApACAQAwHDEaMBgGA1UEAxMRdGVzdC5qb3VuY2UuY28udWswggIiMA0G
CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC4fv59DEuslUbA1xae0UDpS5ISmWYI
v8UeI//Ktk0SFqnpLmyKbx6sbu5TOBJ38/3kvBoalaDRsIW/J/CK8dfpdlmwGA5X
ip4FxWABKCShoPPN47b8h7taPn1QqZGygaHzoyfvtrVJbdIxvDdlWI2fdGrPETKA
iYktrXor4snsWj8JVM/NUkVx1xIPXw6nEWCSDfkgFyFIlO20CZjhX5WqwY3wtMU+
LAcC6dRbLgR5pDB40wrhta6tSG2fEUBppxxQF4TBpWICkCtenaFZTWF+zENPu2yD
GMtxw6rm4EdalRpPexxgyyY0LX4r54bw160ExGfQNHzg7vdT03c0JNHqnzJUvjgj
xuVhgDhkYzwDnHEt3weEx36sNEhAh6dpU6dCCJH1953911+00Dn5hctECw1ypsP4
oz/zU7T8VBIZ6POGSA0PuyKQ8dQ7IlKIWH1zM47cg87kitLdFR67laK67thkEJ4c
m+1KiawKLgG4Em0HWS25B6C7dnmOaqEVuiI7hvIy265adlFOMh4dd09yWg0mIz5M
JN/+wiP/8CyeTOtuR3zVLdE8rWuPqKpdVsen7rZGhHUtdwsDu9qd9sE0gC53L8fe
q9ju1ZYLWguxrMPtUtSY1Gh4OKfgi65Exxw+fbpAxzgxuJcRsXcPzq7tbKDfXZhC
32VXutvkckAavQIDAQABoEcwRQYJKoZIhvcNAQkOMTgwNjAJBgNVHRMEAjAAMBwG
A1UdEQQVMBOCEXRlc3Quam91bmNlLmNvLnVrMAsGA1UdDwQEAwIF4DANBgkqhkiG
9w0BAQsFAAOCAgEAJMZiWGLt8B4TYOwk58qCeIg/QTorJARrWywt+5SRgRROECla
BnfieEELxBKVCldM27W2aZ5LJcooY9D72QeSHpqtrMvDma4pyOYGofgma1a8Qvl5
nIHUiAYA6/xzGV/QB8MF/rN7TMCtgS4+dEP49FHwXF7sRCE8VUBlSV8xD7gZviRW
IDpzyfFkoSVToTqsUfP3zgxZ/mskvb9W3evMnknA+AImZaugvCKZUThqUdCjngrn
KDKISoq2oEYEqJsANwTbpRqp1qG5EMsF481kJDJKTjkHpwWc4ElSIN8AX5kKqA3Z
aDj+uGxF6SUKNeaOKiLAFPBsgGORoY85Eei4rd82wACKoFsUjraEJ1x5/A6m5Np3
98+ZT3BGjmVOAL+oJ4fn30iE5Vb5O6M57p4pCXvAJ6p6Gqhk3804iBd9Xlnt7KCv
4pyDVuQ+gpuKRuFJYjdUwW0/Jx/9y0k6wzcyhVqTnt8kl6P1IG1bn+diHQpD1btu
2yCAG/j3D24vd40OPC6eTtOQztjIn8snIwQk+bPD01CDqjMO3ihh+U5mMJIDlfNH
TFi38hZa8hKfU1fmu8NfTKjl2kKKL1rzwZMaqGRmdoGrqae3jg1g1yAzeQfkvor4
+qlbxUZyrKSO2pGiZcn14LkSlqniKaI1jQCw7y99ZPfo08HJWV9A1N13m80=
-----END CERTIFICATE REQUEST-----

Generated by PHP, but all online parsers are OK with this CSR, but when I send it I only got in return the said error.

This error message is not very verbose so I have stuck on this one.


#2

Are you using the right encoding for the csr parameter? Here’s what the spec says:

   csr (required, string):  A CSR encoding the parameters for the
      certificate being requested.  The CSR is sent in the
      Base64-encoded version of the DER format.  (Note: This field uses
      the same modified Base64-encoding rules used elsewhere in this
      document, so it is different from PEM.)

Here’s some relevant code from another PHP client, might be worth comparing with your implementation:

You might even be able to reuse code from that project. :smile:

There are some less-obvious issues with Go (which boulder, the CA server behind Let’s Encrypt, uses) choking on some CSRs, though I’m not sure if that would trigger this particular error message. I think one of the issues was related to the X509 version field being set to zero, or something like that.


#3

I have re-implemented my code based on this fragment and it seems like malformed problem went away :slight_smile:. Problem was with base64 encoding of cert.

Thank you!


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.