What format of csr parameter in ACME protocol

test_mail_new · December 21, 2020, 8:11am

invoke /acme/order/xxxx/finalize API

request is


protected: {
  "alg": "ES256", 
  "kid": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/...", 
  "nonce": "0003dDiXOmkQnGE6QwzQqaxzZIauoqN7WmfKdrUllakbOsI", 
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/finalize/.../..."
}
payload: {
  "csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIICvzCCAacCAQAwejELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUJKIFN0cmVldDEQ\nMA4GA1UEBwwHQmVpamluZzESMBAGA1UECgwJUWluZ0Nsb3VkMRcwFQYDVQQLDA5E\nZXYgRGVwYXJ0bWVudDEYMBYGA1UEAwwPbGV0c2VuY3J5cHQudG9wMIIBIjANBgkq\nhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt6snycLptLaARz3Dwq6jtToUd3jIa6wu\nEkg8b4kP62vba50qDvBDbvrOAZU8+4WZka3HFmyMNHANklFugJIC6FhSKpu23JLs\n9jO2tDJ2a8szpBrpFH355mSGr+Rw59HVQDJbyiq5LbjvuARWU9SMnXllFIvLZShU\nAXWjWCshvKWqJZ4M0l06SvCxxWXaDSqc7FLW2BjB8Y4FgehkH5g+yE9sawz6QqpL\n26TFYP4DfOsd91mtJjLJojEJ4lTfHRO/YVqLzgNdCNYil3/ib+uogci5CE6sVf2C\nAy/Y1zf1Gh1QAYd/KxH96L5XyrBWKkaGUjMH2dBr8M0eSIk6qCIgxwIDAQABoAAw\nDQYJKoZIhvcNAQELBQADggEBAD6G17rOy5qDM4W5hy1PDLmKEg/OQDrF9X0MclrN\ntDw1ecvI4qd/ZYdvWna4bQx0B+KLjsIEffQdr8K+fff6ARxf9SBpt3gzpYWsrNe3\n+TWAXkAfv4zu3lcGWWu4VmG/6/kn/Rf6rlweACnKRhpSB7ZmeDfHTlPJ6kdu5ets\n7KtVEkCD7fZjADVxMYeOMAuClF2bmsL7GCH6nz2ELqPKS8N3BNJW+HDQe3rBgeQs\nvnV8daG1KQ7N4XZ7+2ug3AAqcMKADBeAZq3Tneq7ZQCQNAxkXgqTaFauqNaYTUJg\nugbgMmvNNvCeKCOTB50szgd1JYtk47W6knf9awRyMh1pKLg=\n-----END CERTIFICATE REQUEST-----"
}
  signature: 'xxxxx'

and get this response

======= header =========
{
  'Content-Length': '126', 
  'Cache-Control': 'public, max-age=0, no-cache', 
  'Server': 'nginx', 
  'Connection': 'keep-alive', 
  'Link': '<https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"', 
  'Boulder-Requester': '17092284', 
  'Date': 'Mon, 21 Dec 2020 08:06:29 GMT', 
  'Content-Type': 'application/problem+json', 
  'Replay-Nonce': '00047wzsrbO10bJC-6BnN_Wm3TdUUUumNWeNH5Fl06reoAk'
}

======== body =========
{
  u'detail': u'Error unmarshaling finalize order request',
  u'status': 400,
  u'type': u'urn:ietf:params:acme:error:malformed'
}

Question is what format or encoding type of csr string parameter in the payload?

I have tried the DER format, but got same error response.

rg305 · December 21, 2020, 8:14am

Try it without the header, footer, and newlines:

  "csr": "MIICvzCCAacCAQAwejELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUJKIFN0cmVldDEQ\nMA4GA1UEBwwHQmVpamluZzESMBAGA1UECgwJUWluZ0Nsb3VkMRcwFQYDVQQLDA5E\nZXYgRGVwYXJ0bWVudDEYMBYGA1UEAwwPbGV0c2VuY3J5cHQudG9wMIIBIjANBgkq\nhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt6snycLptLaARz3Dwq6jtToUd3jIa6wu\nEkg8b4kP62vba50qDvBDbvrOAZU8+4WZka3HFmyMNHANklFugJIC6FhSKpu23JLs\n9jO2tDJ2a8szpBrpFH355mSGr+Rw59HVQDJbyiq5LbjvuARWU9SMnXllFIvLZShU\nAXWjWCshvKWqJZ4M0l06SvCxxWXaDSqc7FLW2BjB8Y4FgehkH5g+yE9sawz6QqpL\n26TFYP4DfOsd91mtJjLJojEJ4lTfHRO/YVqLzgNdCNYil3/ib+uogci5CE6sVf2C\nAy/Y1zf1Gh1QAYd/KxH96L5XyrBWKkaGUjMH2dBr8M0eSIk6qCIgxwIDAQABoAAw\nDQYJKoZIhvcNAQELBQADggEBAD6G17rOy5qDM4W5hy1PDLmKEg/OQDrF9X0MclrN\ntDw1ecvI4qd/ZYdvWna4bQx0B+KLjsIEffQdr8K+fff6ARxf9SBpt3gzpYWsrNe3\n+TWAXkAfv4zu3lcGWWu4VmG/6/kn/Rf6rlweACnKRhpSB7ZmeDfHTlPJ6kdu5ets\n7KtVEkCD7fZjADVxMYeOMAuClF2bmsL7GCH6nz2ELqPKS8N3BNJW+HDQe3rBgeQs\nvnV8daG1KQ7N4XZ7+2ug3AAqcMKADBeAZq3Tneq7ZQCQNAxkXgqTaFauqNaYTUJg\nugbgMmvNNvCeKCOTB50szgd1JYtk47W6knf9awRyMh1pKLg="}

test_mail_new · December 21, 2020, 8:16am

But I saw the '\n' in your csr parameter

rg305 · December 21, 2020, 8:18am

Where?
After the end quote?

test_mail_new · December 21, 2020, 8:18am

Oh , it does not work.

test_mail_new · December 21, 2020, 8:21am

rg305:

"csr": "MIICvzCCAacCAQAwejELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUJKIFN0cmVldDEQ\nMA4GA1UEBwwHQmVpamluZzESMBAGA1UECgwJUWluZ0Nsb3VkMRcwFQYDVQQLDA5E\nZXYgRGVwYXJ0bWVudDEYMBYGA1UEAwwPbGV0c2VuY3J5cHQudG9wMIIBIjANBgkq\nhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt6snycLptLaARz3Dwq6jtToUd3jIa6wu\nEkg8b4kP62vba50qDvBDbvrOAZU8+4WZka3HFmyMNHANklFugJIC6FhSKpu23JLs\n9jO2tDJ2a8szpBrpFH355mSGr+Rw59HVQDJbyiq5LbjvuARWU9SMnXllFIvLZShU\nAXWjWCshvKWqJZ4M0l06SvCxxWXaDSqc7FLW2BjB8Y4FgehkH5g+yE9sawz6QqpL\n26TFYP4DfOsd91mtJjLJojEJ4lTfHRO/YVqLzgNdCNYil3/ib+uogci5CE6sVf2C\nAy/Y1zf1Gh1QAYd/KxH96L5XyrBWKkaGUjMH2dBr8M0eSIk6qCIgxwIDAQABoAAw\nDQYJKoZIhvcNAQELBQADggEBAD6G17rOy5qDM4W5hy1PDLmKEg/OQDrF9X0MclrN\ntDw1ecvI4qd/ZYdvWna4bQx0B+KLjsIEffQdr8K+fff6ARxf9SBpt3gzpYWsrNe3\n+TWAXkAfv4zu3lcGWWu4VmG/6/kn/Rf6rlweACnKRhpSB7ZmeDfHTlPJ6kdu5ets\n7KtVEkCD7fZjADVxMYeOMAuClF2bmsL7GCH6nz2ELqPKS8N3BNJW+HDQe3rBgeQs\nvnV8daG1KQ7N4XZ7+2ug3AAqcMKADBeAZq3Tneq7ZQCQNAxkXgqTaFauqNaYTUJg\nugbgMmvNNvCeKCOTB50szgd1JYtk47W6knf9awRyMh1pKLg="}

em.... you can find it . '\n'

"csr": "MIICvzCCAacCAQAwejELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUJKIFN0cmVl
dDEQ\nMA4
GA1UEBwwHQmVpamluZzESMBAGA1UECgwJUWluZ0Nsb3VkMRcwFQYDVQQLDA
5E\nZXY
gRGVwYXJ0bWVudDEYMBYGA1UEAwwPbGV0c2VuY3J5cHQudG9wMIIBIjANB
gkq\nhkiG9w
0BAQEFAAOCAQ8AMIIBCgKCAQEAt6snycLptLaARz3Dwq6jtToUd3jIa
6wu\nEkg8b4kP
62vba50qDvBDbvrOAZU8+4WZka3HFmyMNHANklFugJIC6FhSKpu23
JLs\n9jO2tDJ2a8s
zpBrpFH355mSGr+Rw59HVQDJbyiq5LbjvuARWU9SMnXllFIv
LZShU\nAXWjW
CshvKWqJZ4M0l06SvCxxWXaDSqc7FLW2BjB8Y4FgehkH5g+yE9saw
z6QqpL\n26TFYP4
DfOsd91mtJjLJojEJ4lTfHRO/YVqLzgNdCNYil3/ib+uogci5CE6sVf2C\nAy/Y1zf1Gh1QAYd/KxH96L5XyrBWKkaGUjMH2dBr8M0eSIk6qCIgxwIDAQABoAAw\nDQYJKoZIhvcNAQELBQADggEBAD6G17rOy5qDM4W5hy1PDLmKEg/OQDrF9X0MclrN\ntDw1ecvI4qd/ZYdvWna4bQx0B+KLjsIEffQdr8K+fff6ARxf9SBpt3gzpYWsrNe3\n+TWAXkAfv4zu3lcGWWu4VmG/6/kn/Rf6rlweACnKRhpSB7ZmeDfHTlPJ6kdu5ets\n7KtVEkCD7fZjADVxMYeOMAuClF2bmsL7GCH6nz2ELqPKS8N3BNJW+HDQe3rBgeQs\nvnV8daG1KQ7N4XZ7+2ug3AAqcMKADBeAZq3Tneq7ZQCQNAxkXgqTaFauqNaYTUJg\nugbgMmvNNvCeKCOTB50szgd1JYtk47W6knf9awRyMh1pKLg="}

Did you see it ?

webprofusion · December 21, 2020, 8:21am

The CSR field is the base64url(der) encoding without padding of the DER version (bytes) of your CSR, so the content is base64 encoded without any newlines or padding characters.

rg305 · December 21, 2020, 8:22am

See: How do I debug this? - Client dev - Let's Encrypt Community Support

test_mail_new · December 21, 2020, 8:23am

As far as I know,

DER file is encoded into a binary content.

How to remove the newline character in it ?

test_mail_new · December 21, 2020, 8:26am


    csr_file = open('./CSR.csr.der', 'r')
    csr_str = csr_file.read()
    print csr_str

    req_url = 'https://acme-staging-v02.api.letsencrypt.org/acme/finalize/xxx/xxx'
    kid = 'https://acme-staging-v02.api.letsencrypt.org/acme/acct/xxx'
    resp_headers, resp_body = send_to_letsencrypt(
        url=req_url,
        protected_header=protected_header_,
        payload={
            'csr': csr_str
        },
        account_key_dict=key_dict,
        account_url=kid
    )
    pp(resp_headers)
    pp(resp_body)

rg305 · December 21, 2020, 8:26am

What you post here is altered.
Unless you use three backticsks above and below your post.

```
your post
```

As shown, yes, there are spaces and returns:

test_mail_new · December 21, 2020, 8:27am

Oh, did you see the '\n' before the yellow area?

rg305 · December 21, 2020, 8:28am

Unless you show that function/procedure, there is no way to know.

webprofusion · December 21, 2020, 8:28am

DER is a binary (bytes) format and doesn't look like text. If your file looks like MIICvzCCAacCAQAwejELMAkGA1UEBhMCQ04xEjAQBgNVBAgMCUJKIFN0cmVl
dDEQ etc then it's actually a PEM file (base64 encoded with padding characters). You need the same thing converted to bytes and then base64url encoded.

test_mail_new · December 21, 2020, 8:29am

here is the raw DER file

I just use the origin python way to open the DER file.

rg305 · December 21, 2020, 8:29am

It can't have spaces - so that is just incorrect (or this site is altering your posted text).

rg305 · December 21, 2020, 8:30am

Where are you going with that?
A. it needs to be PEM encoded
B. What does the procedre csr_file.read() do?

rg305 · December 21, 2020, 8:31am

All of which should be happening in this one line:

test_mail_new · December 21, 2020, 8:36am

em...

Base64url on payload will be done in the function send_to_letsencrypt()

rg305 · December 21, 2020, 8:36am

Let's begin at the begining...
Your initial post shows:

followed by:

don't you see how those two are different?