
2 is not a valid CSR version

Open rogermartensson opened this issue 1 year ago • 10 comments

I'm trying to set up a local ACME server with the mswcce ca_handler and I'm getting an error that I do not know how to debug.

The message is: ca_server.get_cert() failed with error: 2 is not a valid CSR version

I get this error with both master and with version 0.22.

The CSR is created from using certbot. When looking at the created CSR from certbot it says version 3 (0x2) .

rogermartensson avatar Sep 23 '22 11:09 rogermartensson

Just for information. I created a version 1 CSR and used the --csr switch in certbot. This resulted in another type of error: ca_server.get_cert() failed with error: RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid.

rogermartensson avatar Sep 23 '22 13:09 rogermartensson

Can you enable debugging in acme2certifier (option debug: True in acme_srv.cfg) and share the logs? The certbot version as well as the command line for enrollment you did use would also be helpful.

grindsa avatar Sep 23 '22 13:09 grindsa

Another thought coming into my mind: Certbot is not populating the CN field in the CSR. Could it be that your CA is mandating this and the above error message is just misleading? Can you try another acme-client (acme.sh or lego)?

grindsa avatar Sep 26 '22 05:09 grindsa

We'll look at our PKI and see if there is any rules stopping us. Our PKI admin couldn't see any failed requests in the log. We'll dig deeper.

The certbot command used is below. We first tested without the --csr switch and as you said it created a CSR without a CommonName. We tried to create our own CSR with a CN and got another error.

certbot certonly --server http://ouracmeserver.example.org:22280  --standalone --preferred-challenges http -d ourtestwebaddress.example.org --cert-name ourtestwebaddress.exampleorg --csr ourcsr.csr

I'll do some more testing and return with debug logs.

rogermartensson avatar Sep 26 '22 06:09 rogermartensson

I have now tried with acme.sh and I get the same error as when using certbot with --csr switch.

acme-srv_1  | [Mon Sep 26 14:27:53.089148 2022] [wsgi:error] [pid 22:tid 139899023406656] Requesting certificate
acme-srv_1  | [Mon Sep 26 14:27:53.097891 2022] [wsgi:error] [pid 22:tid 139899023406656] ca_server.get_cert() failed with error: RequestSessionError: code: 0x80070057 - E_INVALIDARG - One or more arguments are invalid.
acme-srv_1  | [Mon Sep 26 14:27:53.098184 2022] [wsgi:error] [pid 22:tid 139899023406656] cert bundling failed
acme-srv_1  | [Mon Sep 26 14:27:53.098352 2022] [wsgi:error] [pid 22:tid 139899023406656] Certificate.enroll() ended
acme-srv_1  | [Mon Sep 26 14:27:53.098521 2022] [wsgi:error] [pid 22:tid 139899023406656] acme2certifier enrollment error: cert bundling failed

Certbot version: 0.40.0

I did try to issue a certificate manually with a certbot created CSR using the certsrv web interface and I didn't get any errors. (not the certsrv ca_handler.)

I tried to use certipy against our CA and it looks like it works.

/usr/local/bin/certipy req -username [email protected] -password WIko1010 -ca "Mid Sweden University CA v2" -target ca.miun.se -template WebServer -debug
Certipy v4.0.0 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'ca.example.org' at '127.0.0.53'
[+] Trying to resolve 'ADDOMAIN.EXAMPLE.ORG' at '127.0.0.53'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:a.b.c.d[\pipe\cert]
[+] Connected to endpoint: ncacn_np:a.b.c.d[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 47174
[*] Got certificate without identification
[*] Certificate has no object SID
[*] Saved certificate and private key to 'username.pfx'

This is a somewhat cleaned up log. Hope this is enough for you to get an idea.

acme-srv_1  | [Mon Sep 26 09:31:37.249291 2022] [wsgi:error] [pid 14:tid 140647092713024] CAhandler._config_load()
acme-srv_1  | [Mon Sep 26 09:31:37.249340 2022] [wsgi:error] [pid 14:tid 140647092713024] load_config(/var/www/acme2certifier/acme_srv/acme_srv.cfg:CAhandler)
acme-srv_1  | [Mon Sep 26 09:31:37.249951 2022] [wsgi:error] [pid 14:tid 140647092713024] CAhandler._config_load() ended
acme-srv_1  | [Mon Sep 26 09:31:37.249997 2022] [wsgi:error] [pid 14:tid 140647092713024] Certificate._enroll_and_store(): trigger enrollment
acme-srv_1  | [Mon Sep 26 09:31:37.250033 2022] [wsgi:error] [pid 14:tid 140647092713024] CAhandler.enroll(WebServer)
acme-srv_1  | [Mon Sep 26 09:31:37.250064 2022] [wsgi:error] [pid 14:tid 140647092713024] CAhandler.request_create()
acme-srv_1  | [Mon Sep 26 09:31:37.250352 2022] [wsgi:error] [pid 14:tid 140647092713024] Trying to resolve 'ca.example.org' at '127.0.0.11'
acme-srv_1  | [Mon Sep 26 09:31:37.252429 2022] [wsgi:error] [pid 14:tid 140647092713024] Trying to connect to endpoint: ncacn_np: a.b.c.d[\\pipe\\cert]
acme-srv_1  | [Mon Sep 26 09:31:37.290874 2022] [wsgi:error] [pid 14:tid 140647092713024] Connected to endpoint: ncacn_np:a.b.c.d[\\pipe\\cert]
acme-srv_1  | [Mon Sep 26 09:31:37.303609 2022] [wsgi:error] [pid 14:tid 140647092713024] CAhandler.request_create() ended
acme-srv_1  | [Mon Sep 26 09:31:37.303780 2022] [wsgi:error] [pid 14:tid 140647092713024] build_pem_file()
acme-srv_1  | [Mon Sep 26 09:31:37.304230 2022] [wsgi:error] [pid 14:tid 140647092713024] Requesting start
acme-srv_1  | [Mon Sep 26 09:31:37.304444 2022] [wsgi:error] [pid 14:tid 140647092713024] ca_server.get_cert() failed with error: 2 is not a valid CSR version
acme-srv_1  | [Mon Sep 26 09:31:37.304485 2022] [wsgi:error] [pid 14:tid 140647092713024] cert bundling failed
acme-srv_1  | [Mon Sep 26 09:31:37.304545 2022] [wsgi:error] [pid 14:tid 140647092713024] Certificate.enroll() ended
acme-srv_1  | [Mon Sep 26 09:31:37.304641 2022] [wsgi:error] [pid 14:tid 140647092713024] acme2certifier enrollment error: cert bundling failed
acme-srv_1  | [Mon Sep 26 09:31:37.304747 2022] [wsgi:error] [pid 14:tid 140647092713024] Certificate._enroll_and_store(): invalidating order as there is no certificate and no poll_identifier: cert bundling failed/6XJSW7yhnxNa

As a last comment I can say that I've tried to use the certsrv ca_handler. I don't get any errors but still no certs. I can see in the log that it is issuing the same request multiple times after it has made a successful http-01 validation. Some output from certbot:

Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
acme.errors.TimeoutError

I see no errors in the server log and have no idea if it is a problem with my configuration or if there is any problem connecting to our certsrv CA web address.

If I use acme.sh-agent I do get a python error.

acme-srv_1  | [Mon Sep 26 16:01:32.532897 2022] [wsgi:error] [pid 17:tid 140041083807296] Certificate._enroll_and_store(*redacted*)
acme-srv_1  | [Mon Sep 26 16:01:32.533086 2022] [wsgi:error] [pid 17:tid 140041083807296] Exception in thread Thread-4 (_enroll_and_store):
acme-srv_1  | [Mon Sep 26 16:01:32.533111 2022] [wsgi:error] [pid 17:tid 140041083807296] Traceback (most recent call last):
acme-srv_1  | [Mon Sep 26 16:01:32.533121 2022] [wsgi:error] [pid 17:tid 140041083807296]   File "/usr/lib/python3.10/threading.py", line 1016, in _bootstrap_inner
acme-srv_1  | [Mon Sep 26 16:01:32.533415 2022] [wsgi:error] [pid 17:tid 140041083807296]     self.run()
acme-srv_1  | [Mon Sep 26 16:01:32.533428 2022] [wsgi:error] [pid 17:tid 140041083807296]   File "/var/www/acme2certifier/acme_srv/threadwithreturnvalue.py", line 17, in run
acme-srv_1  | [Mon Sep 26 16:01:32.533486 2022] [wsgi:error] [pid 17:tid 140041083807296]     self._return = self._target(*self._args, **self._kwargs)
acme-srv_1  | [Mon Sep 26 16:01:32.533496 2022] [wsgi:error] [pid 17:tid 140041083807296]   File "/var/www/acme2certifier/acme_srv/certificate.py", line 254, in _enroll_and_store
acme-srv_1  | [Mon Sep 26 16:01:32.533590 2022] [wsgi:error] [pid 17:tid 140041083807296]     with self.cahandler(self.debug, self.logger) as ca_handler:
acme-srv_1  | [Mon Sep 26 16:01:32.533604 2022] [wsgi:error] [pid 17:tid 140041083807296] TypeError: 'NoneType' object is not callable
acme-srv_1  | [Mon Sep 26 16:01:32.533778 2022] [wsgi:error] [pid 17:tid 140041284220480] [remote a.b.c.d:33256] Certificate.enroll_and_store() ended with: None:timeout
acme-srv_1  | [Mon Sep 26 16:01:32.534249 2022] [wsgi:error] [pid 17:tid 140041284220480] [remote a.b.c.d:33256] Order._csr_process() ended with order:6Vxi1FqcgbVk 400:timeout:timeout

rogermartensson avatar Sep 26 '22 09:09 rogermartensson

And now it works! And the reason was, of course, annoyingly very simple.

We have spaces in our CA name. And being the scripter and command line person I am I added "" to the ca_name: setting.

To get it to work I only needed to remove the "". The error messages didn't help in hunting down this error. So if "" should never be used in ca_name:, you could add an extra check for that.

One error is still with me and that is when I use certbot to create the CSR. Somehow I still get the error about the CSR version. I would like to believe this error happens before the MS PKI is contacted and that it is due to the way certbot creates the CSR.

If I supply a CSR (created with openssl) using the --csr switch or use acme.sh-agent then it works.

rogermartensson avatar Sep 27 '22 09:09 rogermartensson

One last entry. I found where certbot creates the CSR and it is hardcoded to version 2 CSRs. I changed it so certbot issues version 0 CSRs and I'm now able to issue new certificates.

If you want to try it yourself you can change version in make_csr in this file. https://github.com/certbot/certbot/blob/master/acme/acme/crypto_util.py

rogermartensson avatar Sep 27 '22 11:09 rogermartensson

Thanks for troubleshooting yourself and for finding the root-cause. The remark to have an additional check for config-options starting or ending with " makes sense. I will implement this in the next release.

As for the CSR version issue. I need to look into this. We have a test between certbot and the wcce handler as part of our regression and the combination works without issues. Will keep you updated on this...

grindsa avatar Sep 27 '22 15:09 grindsa
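The quoted ca_name that cost the reporter a day is a general INI trap, so here is the check grindsa agreed to add, written as an added example (not acme2certifier's own code). The config text is constructed, the option names other than ca_name are assumed, and the example assumes acme_srv.cfg is read with Python's configparser, which keeps quote characters as part of the value.

```python
"""Added example (not acme2certifier's own code) for the quoted ca_name trap.

acme_srv.cfg is INI style. When read with Python's configparser (assumed here),
quote characters stay part of the value: the line  ca_name: "Example CA v2"
yields the string '"Example CA v2"' (quotes included), which the CA does not
know. INI values may contain spaces without any quoting. The two config texts
below are constructed for this example; host and template are assumed option
names, ca_name is the one from the issue.
"""
import configparser

QUOTED_CFG = """\
[CAhandler]
host: ca.example.org
ca_name: "Example Org CA v2"
template: WebServer
"""

FIXED_CFG = """\
[CAhandler]
host: ca.example.org
ca_name: Example Org CA v2
template: WebServer
"""


def load_cahandler(text: str) -> dict:
    """Parse the [CAhandler] section exactly as configparser returns it."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return dict(cfg["CAhandler"])


def quoted_options(section: dict) -> list:
    """Option names whose value starts or ends with a double or single quote."""
    return [key for key, val in section.items()
            if val and (val[0] in "\"'" or val[-1] in "\"'")]


def validate_cahandler(text: str) -> dict:
    """Refuse a config with quoted values instead of sending them to the CA."""
    section = load_cahandler(text)
    bad = quoted_options(section)
    if bad:
        raise ValueError(
            f"[CAhandler] option(s) {', '.join(bad)} are wrapped in quotes; "
            "INI values take spaces as-is, remove the quotes")
    return section


if __name__ == "__main__":
    print("quoted config ca_name ->", repr(load_cahandler(QUOTED_CFG)["ca_name"]))
    print("fixed  config ca_name ->", repr(validate_cahandler(FIXED_CFG)["ca_name"]))
```

Running the block prints the literal quotes in the first value, which is exactly the string that reached the CA and produced the unhelpful E_INVALIDARG; validate_cahandler turns that into a config error at startup instead.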

OK, I think I got the full picture now. The error message 2 is not a valid CSR version comes from the cryptography library used by acme2certifier. It was introduced in May this year but made it into the 38.0.0 release in September. Certbot already fixed the issue in version 1.29 released on July 29th.

  • Our regression did not spot the issue as the fix from certbot came in earlier than the fix in the cryptography module and we do always use the latest versions
  • You did observe the problem as you were using an old certbot version with the latest cryptography module.
  • I did not see the issue as I did use both old and new certbot versions with an older cryptography (37.x) module.

Learning from all this: we should always use the latest software packages :-)

I will leave the issue open until I have implemented the above mentioned config check.

grindsa avatar Sep 27 '22 19:09 grindsa
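To see which side of the certbot 1.29 / cryptography 38.0.0 line a given CSR falls on, the version field can be read straight out of the DER without any third-party library. The following is an added example for this thread, not certbot or acme2certifier code: a standard-library PKCS#10 version reader that applies the same rule cryptography 38 applies (RFC 2986 only defines version v1, encoded as INTEGER 0, which openssl prints as "Version: 1 (0x0)"; the hardcoded 2 that old certbot wrote is what openssl showed the reporter as "Version: 3 (0x2)"). build_unsigned_csr() fabricates a structurally valid but unsigned CSR with placeholder key and signature bytes purely so the check can be exercised offline; the file name in the usage line is an assumption.

```python
#!/usr/bin/env python3
"""Read the version field of a PKCS#10 CSR with the standard library only.

Added example for this thread; it is neither certbot nor acme2certifier code.
RFC 2986: CertificationRequestInfo ::= SEQUENCE { version INTEGER { v1(0) }, ... }
so the only valid encoding of the version is 0. cryptography >= 38.0.0 rejects
anything else with "<n> is not a valid CSR version". build_unsigned_csr() is a
constructed sample (placeholder key and signature); never use it for anything
but exercising the check.
"""
import base64
import re
import sys


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next bytes hold length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length


def pem_to_der(data: bytes) -> bytes:
    """Accept PEM (what certbot --csr and openssl req write) or raw DER."""
    m = re.search(rb"-----BEGIN [^-]*-----(.*?)-----END ", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def to_pem(der: bytes) -> bytes:
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE REQUEST-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE REQUEST-----\n")


def csr_version(csr: bytes) -> int:
    """CertificationRequest -> certificationRequestInfo -> version."""
    der = pem_to_der(csr)
    tag, info_start, _ = _read_tlv(der, 0)           # CertificationRequest
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, ver_pos, _ = _read_tlv(der, info_start)     # CertificationRequestInfo
    if tag != 0x30:
        raise ValueError("missing CertificationRequestInfo")
    tag, v_start, v_end = _read_tlv(der, ver_pos)    # version INTEGER
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[v_start:v_end], "big", signed=True)


def check_csr(csr: bytes) -> int:
    """Same rule cryptography >= 38.0.0 applies when loading a CSR."""
    version = csr_version(csr)
    if version != 0:
        raise ValueError(f"{version} is not a valid CSR version")
    return version


def build_unsigned_csr(version: int) -> bytes:
    """Constructed sample CSR: real structure, placeholder key and signature."""
    rsa_enc = _tlv(0x06, bytes.fromhex("2a864886f70d010101"))     # rsaEncryption
    sha256_rsa = _tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSA
    spki = _tlv(0x30, _tlv(0x30, rsa_enc + b"\x05\x00")
                + _tlv(0x03, b"\x00" + b"\x00" * 8))              # placeholder key
    info = _tlv(0x30, _tlv(0x02, bytes([version]))                # version
                + _tlv(0x30, b"")                                 # empty subject
                + spki
                + _tlv(0xA0, b""))                                # no attributes
    return _tlv(0x30, info + _tlv(0x30, sha256_rsa + b"\x05\x00")
                + _tlv(0x03, b"\x00" + b"\x00" * 16))             # placeholder sig


if __name__ == "__main__":
    # usage: python3 csr_version.py ourcsr.csr   (file name is an assumption)
    with open(sys.argv[1], "rb") as fh:
        print("CSR version:", check_csr(fh.read()))
```

Point it at the CSR an ACME client produced (certbot keeps the last one under its work directory, or use --csr with your own file) and it prints 0 for a compliant request or raises the same message the mswcce handler logged; that separates a client-side CSR problem from a CA-side one before any RPC to the Windows CA is attempted.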

Great work. I'm looking forward to the new version. I'll do my job and use a newer version of certbot. :)

rogermartensson avatar Sep 28 '22 05:09 rogermartensson

The config check feature finally made it into v.23. Closing the issue...

grindsa avatar Oct 23 '22 06:10 grindsa