What format of csr parameter in ACME protocol

Yes, I have remove the

'-----BEGIN CERTIFICATE REQUEST-----'

and

'-----END CERTIFICATE REQUEST-----'

and

the newline in this big string.

But get the same error response.

Did you mean transform the newline into '\n' character ?

So you don't want to follow the instructions.
It will be encoded later so no need to encode it now - bad logic.

Can you show this fail, I mean file?

Here is.

ok that is already in the wrong format, no way to fix it within your code.

eh..... :sweat_smile:

I can get it.

em....

Actually, I used this logic to invoke the

/newAccount

/newOrder

/auth

all succeed.

SO, I think there is something wired in
/finalize API.

Then , I get this response:


{u'detail': u"Error parsing certificate request: asn1: structure error: tags don't match (16 vs {class:0 tag:13 length:45 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} certificateRequest @2",
 u'status': 400,
 u'type': u'urn:ietf:params:acme:error:malformed'}

@rg305
@webprofusion
What does that mean?

Does that mean my csr file is wrong ?

:rofl: :rofl: :rofl: :rofl:

I wonder know why this question can get liking but no Solution.
@griffin

I'll give you the answer in a bit. Busy now. :slightly_smiling_face:

Oh, It's Grateful !!!!!!

I also new a post on: Does ACME have CSR standard?

{u'detail': u"Error parsing certificate request: asn1: structure error: tags don't match (16 vs {class:0 tag:13 length:45 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} certificateRequest @2",
 u'status': 400,
 u'type': u'urn:ietf:params:acme:error:malformed'}

It seems that my csr contents have problem.
Such as these field:

/ST
/L
/O
/OU
/CN

We all know LetsEncrypt only issue the DV certificate .

Does LetsEncrypt care about these fields above ?

Or does LetsEncrypt only validate the CN field in the csr file?

@Osiris told you already

This is your single topic.

Thanks!

OK, I'm sorry.

Because one problem is found when fixing another problem.

I would take care of this. @JuergenAuer

Here is CSR text format

openssl req -in CSR.csr -text
    Data:
        Version: 0 (0x0)
        Subject: C=xxx, ST=xxx Street, L=xxx, O=xxx, OU=xxx, CN=xx.xx
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)

I choose RSA 2048 bit.

And where can I get the certificate sign algorithm list supported by the LetsEncrypt ?

Yep, 4 question totally.

:rofl: :rofl: :rofl: :rofl: :rofl:

Given that $CSR is the certificate signing request in PEM format including the header and footer lines...

  1. Remove the header and footer lines.
  2. Remove any newlines (\n), spaces ( ), and equals signs (=).
  3. Replace any plus signs (+) with minus signs (-) and any forward slashes (/) with underscores (_).

The finalize payload is an object with an index of "csr" and the result of the steps above.


To answer the questions in your closed topic...

Let's Encrypt doesn't really care much about any of the identity fields in the CSR, including the CN, which has been obsolete for quite a long time. What Let's Encrypt does really care about are the subject alternative names (SANs) in the CSR.

LE does honer CN in CSR, actually if CSR didn't have any CN for it, it will hoist a name to it (see normalizeCSR function )

if features.Enabled(features.NonCFSSLSigner) {
	ca.log.AuditInfof("Signing: serial=[%s] names=[%s] csr=[%s]",
		serialHex, strings.Join(csr.DNSNames, ", "), hex.EncodeToString(csr.Raw))
	certDER, err = issuer.boulderIssuer.Issue(&issuance.IssuanceRequest{
		PublicKey:         csr.PublicKey,
		Serial:            serialBigInt.Bytes(),
		CommonName:        csr.Subject.CommonName,
		DNSNames:          csr.DNSNames,
		IncludeCTPoison:   true,
		IncludeMustStaple: issuance.ContainsMustStaple(csr.Extensions),
		NotBefore:         validity.NotBefore,
		NotAfter:          validity.NotAfter,
	})
	ca.noteSignError(err)
	if err != nil {

adding to what @webprofusion said...

  • DER is a binary format
  • ACME expects a base64 encoded DER
  • PEM is a base64 encoded DER with header/footers ("---Begin certificate---", etc) and newlines for wrapping.

In python, if you have a DER

import base64
import textwrap
b64_encoded = base64.b64encode(der_data).decode("utf8")
pem_encoded = """-----BEGIN CERTIFICATE REQUEST-----\n{0}\n-----END CERTIFICATE REQUEST-----\n""".format(
    "\n".join(textwrap.wrap(b64_encoded, 64))
)

and to roundtrip back to DER:

def convert_pem_to_der(pem_data=None):
    lines = [l.strip() for l in pem_data.strip().split("\n")]
    if (
        ("BEGIN CERTIFICATE" in lines[0])
        or ("BEGIN RSA PRIVATE KEY" in lines[0])
        or ("BEGIN PRIVATE KEY" in lines[0])
        or ("BEGIN CERTIFICATE REQUEST" in lines[0])
    ):
        lines = lines[1:]
    if (
        ("END CERTIFICATE" in lines[-1])
        or ("END RSA PRIVATE KEY" in lines[-1])
        or ("END PRIVATE KEY" in lines[-1])
        or ("END CERTIFICATE REQUEST" in lines[-1])
    ):
        lines = lines[:-1]
    lines = "".join(lines)
    result = base64.b64decode(lines)
    return result