asn1: syntax error: sequence truncated (urn:ietf:params:acme:error:malformed)
dhuv opened this issue
I am using the latest ACMECert.php file and testing my script against Let's Encrypt Staging.
My account info is fine but when I use the getCertificateChain method to get a signed cert for my wildcard cert for my domain, I get the following in the console.
I created the CSR myself and am passing that into getCertificateChain via file://
Getting account info
Initializing ACME v2 staging environment
Using cURL
https://acme-staging-v02.api.letsencrypt.org/directory [200] (0.26s)
Initialized
https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce [200] (0.06s)
https://acme-staging-v02.api.letsencrypt.org/acme/new-acct [200] (0.12s)
AccountID: https://acme-staging-v02.api.letsencrypt.org/acme/acct/********
Account info retrieved
Using provided CSR
Creating Order
https://acme-staging-v02.api.letsencrypt.org/acme/new-order [201] (0.14s)
Order created: https://acme-staging-v02.api.letsencrypt.org/acme/order/********/66862812
All authorizations already valid, skipping validation altogether
Finalizing Order
https://acme-staging-v02.api.letsencrypt.org/acme/finalize/********/66862812 [400] (0.12s)
PHP Fatal error: Uncaught ACME_Exception: Error parsing certificate request: asn1: syntax error: sequence truncated (urn:ietf:params:acme:error:malformed) in /home/dhuv/git/ACMECert/ACMECert.php:718
Stack trace:
#0 /home/dhuv/git/ACMECert/ACMECert.php(561): ACMEv2->http_request('https://acme-st...', '{"protected":"e...')
#1 /home/dhuv/git/ACMECert/ACMECert.php(234): ACMEv2->request('_tmp', Array)
#2 /home/dhuv/lets-encrypt/acme-test(29): ACMECert->getCertificateChain('file:///home/dh...', Array, Object(Closure))
#3 {main}
thrown in /home/dhuv/git/ACMECert/ACMECert.php on line 718
I went to line 718 and the $headers variable was the following:
Array
(
[server] => nginx
[date] => Mon, 23 Dec 2019 02:32:05 GMT
[content-type] => application/problem+json
[content-length] => 158
[connection] => keep-alive
[boulder-requester] => ********
[cache-control] => public, max-age=0, no-cache
[link] => https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"
[replay-nonce] => 0002i5_LDNIh8N_0PrIb8p7r6DO5Q1MwPXjL_2qGk9ahO5g
)
FYI, I used the same CSR with https://gethttpsforfree.com and was able to get a signed cert from Let's Encrypt so it rules out a CSR problem.
Does it work if you run your CSR through openssl first, like this:
openssl req -in your.csr -out test.csr
and then use test.csr?
The problem turns out to be how I specified the CSR to getCertificateChain (via file://). After some debugging last night I realized that the contents of the file were not being sent through. When I passed in the contents of the CSR as a string it worked fine.
I was following the example but perhaps I did something wrong? I will check it out tonight and let you know if I was using the file:// parameter wrong.
Unintentionally the getCertificateChain function did indeed not accept a CSR from file using the file:// prefix :(
I've just released v2.5 which addresses this issue.
Thank you very much for spotting and reporting this bug!
The fix looks good. Closing the bug.
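A pre-flight check for the failure mode in this thread, where the contents of the CSR file never reached the finalize request and the CA answered with an ASN.1 parse error. This is an added example, not ACMECert code: `csr_to_finalize_payload()` is a hypothetical helper that resolves a `file://` reference, confirms the result is a complete DER SEQUENCE, and only then builds the unsigned finalize payload (the `csr` field defined in RFC 8555).

```php
<?php
// Added example, not part of ACMECert. csr_to_finalize_payload() is a hypothetical helper.
function csr_to_finalize_payload(string $csr): string
{
    // Resolve a file:// reference to the file's contents, so the path string
    // itself can never be sent in place of the CSR.
    if (strpos($csr, 'file://') === 0) {
        $path = substr($csr, strlen('file://'));
        $csr = @file_get_contents($path);
        if ($csr === false) {
            throw new RuntimeException("Cannot read CSR file: $path");
        }
    }

    // Extract the base64 body between the PEM markers.
    $pem = '~-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.+?)'
         . '-----END (?:NEW )?CERTIFICATE REQUEST-----~s';
    if (!preg_match($pem, $csr, $m)) {
        throw new InvalidArgumentException('Input is not a PEM-encoded CSR');
    }
    $der = base64_decode(preg_replace('~\s+~', '', $m[1]), true);
    if ($der === false || strlen($der) < 2) {
        throw new InvalidArgumentException('CSR body is not valid base64');
    }

    // A CSR is one DER SEQUENCE (tag 0x30); its declared length must match the data.
    if (ord($der[0]) !== 0x30) {
        throw new InvalidArgumentException('CSR does not start with a DER SEQUENCE');
    }
    $len = ord($der[1]);
    $hdr = 2;
    if ($len & 0x80) {                 // long form: low 7 bits = count of length bytes
        $n = $len & 0x7f;
        if ($n === 0 || $n > 4 || strlen($der) < 2 + $n) {
            throw new InvalidArgumentException('CSR has an invalid DER length field');
        }
        $len = 0;
        for ($i = 0; $i < $n; $i++) {
            $len = ($len << 8) | ord($der[2 + $i]);
        }
        $hdr = 2 + $n;
    }
    if ($hdr + $len !== strlen($der)) {
        throw new InvalidArgumentException('CSR DER is truncated or has trailing data');
    }

    // RFC 8555 finalize payload: DER CSR, base64url-encoded without padding.
    return json_encode(['csr' => rtrim(strtr(base64_encode($der), '+/', '-_'), '=')]);
}
```

Calling it with a bare path string or an unreadable `file://` reference throws locally, before any request is signed and sent to the CA.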