Yes, I have remove the
'-----BEGIN CERTIFICATE REQUEST-----'
and
'-----END CERTIFICATE REQUEST-----'
and
the newline in this big string.
But get the same error response.
Did you mean transform the newline into '\n' character ?
Yes, I have remove the
'-----BEGIN CERTIFICATE REQUEST-----'
and
'-----END CERTIFICATE REQUEST-----'
and
the newline in this big string.
But get the same error response.
Did you mean transform the newline into '\n' character ?
So you don't want to follow the instructions.
It will be encoded later so no need to encode it now - bad logic.
Can you show this fail, I mean file?
ok that is already in the wrong format, no way to fix it within your code.
eh..... 
I can get it.
em....
Actually, I used this logic to invoke the
/newAccount
/newOrder
/auth
all succeed.
SO, I think there is something wired in
/finalize API.
Then , I get this response:
{u'detail': u"Error parsing certificate request: asn1: structure error: tags don't match (16 vs {class:0 tag:13 length:45 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} certificateRequest @2",
u'status': 400,
u'type': u'urn:ietf:params:acme:error:malformed'}
@rg305
@webprofusion
What does that mean?
Does that mean my csr file is wrong ?

I wonder know why this question can get liking but no Solution.
@griffin
I'll give you the answer in a bit. Busy now. 
Oh, It's Grateful !!!!!!
I also new a post on: Does ACME have CSR standard?
{u'detail': u"Error parsing certificate request: asn1: structure error: tags don't match (16 vs {class:0 tag:13 length:45 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} certificateRequest @2",
u'status': 400,
u'type': u'urn:ietf:params:acme:error:malformed'}
It seems that my csr contents have problem.
Such as these field:
/ST
/L
/O
/OU
/CN
We all know LetsEncrypt only issue the DV certificate .
Does LetsEncrypt care about these fields above ?
Or does LetsEncrypt only validate the CN field in the csr file?
OK, I'm sorry.
Because one problem is found when fixing another problem.
I would take care of this. @JuergenAuer
Here is CSR text format
openssl req -in CSR.csr -text
Data:
Version: 0 (0x0)
Subject: C=xxx, ST=xxx Street, L=xxx, O=xxx, OU=xxx, CN=xx.xx
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
I choose RSA 2048 bit.
And where can I get the certificate sign algorithm list supported by the LetsEncrypt ?
Yep, 4 question totally.

Given that $CSR is the certificate signing request in PEM format including the header and footer lines...
The finalize payload is an object with an index of "csr" and the result of the steps above.
To answer the questions in your closed topic...
Let's Encrypt doesn't really care much about any of the identity fields in the CSR, including the CN, which has been obsolete for quite a long time. What Let's Encrypt does really care about are the subject alternative names (SANs) in the CSR.
LE does honer CN in CSR, actually if CSR didn't have any CN for it, it will hoist a name to it (see normalizeCSR function )
if features.Enabled(features.NonCFSSLSigner) {
ca.log.AuditInfof("Signing: serial=[%s] names=[%s] csr=[%s]",
serialHex, strings.Join(csr.DNSNames, ", "), hex.EncodeToString(csr.Raw))
certDER, err = issuer.boulderIssuer.Issue(&issuance.IssuanceRequest{
PublicKey: csr.PublicKey,
Serial: serialBigInt.Bytes(),
CommonName: csr.Subject.CommonName,
DNSNames: csr.DNSNames,
IncludeCTPoison: true,
IncludeMustStaple: issuance.ContainsMustStaple(csr.Extensions),
NotBefore: validity.NotBefore,
NotAfter: validity.NotAfter,
})
ca.noteSignError(err)
if err != nil {
adding to what @webprofusion said...
In python, if you have a DER
import base64
import textwrap
b64_encoded = base64.b64encode(der_data).decode("utf8")
pem_encoded = """-----BEGIN CERTIFICATE REQUEST-----\n{0}\n-----END CERTIFICATE REQUEST-----\n""".format(
"\n".join(textwrap.wrap(b64_encoded, 64))
)
and to roundtrip back to DER:
def convert_pem_to_der(pem_data=None):
lines = [l.strip() for l in pem_data.strip().split("\n")]
if (
("BEGIN CERTIFICATE" in lines[0])
or ("BEGIN RSA PRIVATE KEY" in lines[0])
or ("BEGIN PRIVATE KEY" in lines[0])
or ("BEGIN CERTIFICATE REQUEST" in lines[0])
):
lines = lines[1:]
if (
("END CERTIFICATE" in lines[-1])
or ("END RSA PRIVATE KEY" in lines[-1])
or ("END PRIVATE KEY" in lines[-1])
or ("END CERTIFICATE REQUEST" in lines[-1])
):
lines = lines[:-1]
lines = "".join(lines)
result = base64.b64decode(lines)
return result