Error when creating fullchain #279

Closed
wibimaster opened this issue Sep 17, 2016 · 4 comments

@wibimaster

Hi,

I'm trying to create a certificate with DNS validation, but it always fails on fullchain creation:

 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
unable to load certificate
140288499504896:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:crypto/asn1/asn1_lib.c:100:

I took a look at the code, and after some debugging I see that the certificate that fails comes from:
http://cert.int-x3.letsencrypt.org/

Note: I'm working with "OpenSSL 1.1.0 25 Aug 2016"

I tried:

wget -4 http://cert.int-x3.letsencrypt.org/ && \
mv index.html test.pem && \
openssl x509 -in "test.pem" -inform DER -out "test.pem" -outform PEM

=> fail

wget -4 http://cert.int-x3.letsencrypt.org/ && \
mv index.html test.pem && \
openssl x509 -in "test.pem" -inform DER -out "test2.pem" -outform PEM

=> success

The only difference is the name of the output file which is different from the input file.

In your bash script you do the same thing:

openssl x509 -in "${CERTDIR}/${domain}/chain-${timestamp}.pem" -inform DER -out "${CERTDIR}/${domain}/chain-${timestamp}.pem" -outform PEM

I tried a rename first:

mv "${CERTDIR}/${domain}/chain-${timestamp}.pem" "${CERTDIR}/${domain}/tmp-chain-${timestamp}.pem"
openssl x509 -in "${CERTDIR}/${domain}/tmp-chain-${timestamp}.pem" -inform DER -out "${CERTDIR}/${domain}/chain-${timestamp}.pem" -outform PEM

and it works.

Can you fix it?

Thanks!
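
The workaround described in the post above, generalized into a helper, as an added example that is not part of the original issue and not dehydrated's own code: it converts DER to PEM under the same file name by writing to a temporary file, re-parsing the result, and only then replacing the original. The function name `der_to_pem_inplace` is hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not dehydrated's code. der_to_pem_inplace is a hypothetical helper.
# Converts a DER certificate to PEM under the same file name without ever
# giving openssl the same path for -in and -out.

der_to_pem_inplace() {
  local cert="$1" tmp

  [ -s "$cert" ] || { echo "missing or empty file: $cert" >&2; return 1; }

  # Already PEM (e.g. the function ran before): nothing to convert.
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
    return 0
  fi

  # Temp file next to the target, so the final mv is a rename on one filesystem.
  tmp="$(mktemp "${cert}.XXXXXX")" || return 1

  # Convert into the temp file, then re-parse the result as PEM before
  # it is allowed to replace the original.
  if openssl x509 -in "$cert" -inform DER -out "$tmp" -outform PEM &&
     openssl x509 -in "$tmp" -inform PEM -noout; then
    mv -f "$tmp" "$cert"
  else
    rm -f "$tmp"
    echo "DER to PEM conversion failed, original left untouched: $cert" >&2
    return 1
  fi
}

# Usage with the path from the issue (variables as in the script line quoted above):
#   der_to_pem_inplace "${CERTDIR}/${domain}/chain-${timestamp}.pem"
```

Because the original is replaced only after the PEM output parses, a failed download or conversion cannot leave an empty or truncated chain file for fullchain.pem to be built from.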

@lukas2511
Member

@wibimaster can you check if that fixed your problem?

@wibimaster
Author

wibimaster commented Sep 17, 2016

I get a failure now; I don't know if it's a consequence of the fix:

Processing xxx.xxx with alternative names: www.xxx.xxx
 + Signing domains...
 + Creating new directory /home/xxx/dehydrated/certs/xxx.xxx ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for xxx.xxx...
  + ERROR: An error occurred while sending post-request to https://acme-staging.api.letsencrypt.org/acme/new-authz (Status 403)

Details:
{
  "type": "urn:acme:error:unauthorized",
  "detail": "No registration exists matching provided key",
  "status": 403
}

EDIT

Sorry, just saw #92

All seems good but DNS validation is very slow, I could validate as soon as it's finished

@wibimaster
Author

That's OK, I temporarily got a failure:

  + ERROR: An error occurred while sending post-request to https://acme-staging.api.letsencrypt.org/acme/challenge/5J3S4KbKiWRmhBISoUyOdhQMxFQT3F1yY9TLdTPz03U/14433918 (Status 400)

Details:
{
  "type": "urn:acme:error:malformed",
  "detail": "JWS verification error",
  "status": 400
}

 + OVH hook executing: clean_challenge
 + http_request() error in letsencrypt.sh?

But after a retry all seems good :)

Thanks!

@lukas2511
Member

@wibimaster Since you are doing dns validation the temporary error was probably because the dns entry didn't propagate fast enough.
