Using already issued CSR

Hi! I'm getting ready to LE release in november, so started to play arround with the client.

The FAQ states:

Can I use an existing private key or Certificate Signing Request (CSR) with the Let's Encrypt client?
Yes, you can obtain a certificate for an existing private key (if the
key is an appropriate type and size), and, if you want, you can use an
existing CSR.

How should I tell LE client to use my old good CSR from my server?

Thanks!

1 Like

Hi @razor7! Currently, to use a preexisting CSR, the CSR has to be in DER format and have subject alternative names for every domain you wish to receive a cert for. If you have this, include the --csr option on the command line with the path to the CSR you’d like to use and run the auth command like so:

letsencrypt --csr /path/to/csr auth

You can include any other additional flags that you wish, such as --cert-path which specifies where to save the resulting certificate (if it’s not included, it’s saved in your working directory).

The auth command obtains a certificate from the ACME server but does not install it to your webserver. You can install it afterwards using the install command.

Hope this helps!

4 Likes

There’s no “letsencrypt” command in the letsencrypt repo as of 2015-12-04. Running “letsencrypt-auto --csr ~/mydomain.csr auth” gives this error:

Error: [(‘asn1 encoding routines’, ‘ASN1_CHECK_TLEN’, ‘wrong tag’), (‘asn1 encoding routines’, ‘ASN1_ITEM_EX_D2I’, ‘nested asn1 error’)]

Detailed error from the logs is here: http://pastebin.com/vaFs4s9Y

(FYI: My CSR is the one given by wpengine.com to me as my website is based on WordPress, hosted on WPEngine)

1 Like

I have the same issue - this is completely broken.

[(‘asn1 encoding routines’, ‘ASN1_CHECK_TLEN’, ‘wrong tag’), (‘asn1 │
│ encoding routines’, ‘ASN1_ITEM_EX_D2I’, ‘nested asn1 error’)] │
│ Traceback (most recent call last): │
│ File │
│ “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/le │
│ tsencrypt/crypto_util.py”, line 225, in _get_sans_from_cert_or_req │
│ cert_or_req = load_func(typ, cert_or_req_str) │
│ File │
│ “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/Op │
│ enSSL/crypto.py”, line 2380, in load_certificate_request │
│ _raise_current_error() │
│ File │
│ “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/Op │
│ enSSL/_util.py”, line 48, in exception_from_error_queue │
│ raise exception_type(errors) │
│ Error: [(‘asn1 encoding routines’, ‘ASN1_CHECK_TLEN’, ‘wrong tag’), │
│ (‘asn1 encoding routines’, ‘ASN1_ITEM_EX_D2I’, ‘nested asn1 error’)]

@skunkwerk and @nilesh, perhaps you have a CSR in DER format instead of PEM format?

If you run openssl req -in ~/mydomain.csr -text -noout, do you see data from the CSR? If not, do you see data by running openssl req -inform der -in ~/mydomain.csr -text -noout?

In this case, you need to convert the CSR to PEM format via

openssl req -inform der -outform pem -in ~/mydomain.csr -out ~/mydomain.pem

or something similar. The Let’s Encrypt client is expecting the CSR to be in PEM format, not DER format.

1 Like

Actually, it's the other way around :wink:

1 Like

@Osiris, sure enough, I misremembered that. Perhaps the PEM/DER issue is still the problem here, though!

worked for me the other way around, thanks