"The CSR is unacceptable (e.g., due to a short key)"

[tmontney]

Using XCA, handler has been copied per https://github.com/grindsa/acme2certifier/blob/master/docs/xca.md#configuration.

Running this command on the server requesting the cert: REQUESTS_CA_BUNDLE=/path/to/ca.pem certbot certonly --server https://ca.foo.bar --preferred-challenges http -d myhost.foo.bar --cert-name myhost_cert --webroot -w /var/www/letsencrypt

Even tried appending --rsa-key-size 4096.

(Names used are the internal names.)
acme_srv.cfg

[CAhandler]
# CA specific options
xdb_file: /opt/xca/db/MyCA.xdb
issuing_ca_name: "My Sub CA"
issuing_ca_key: "My Sub CA"
passphrase_variable: XCA_PASSPHRASE
ca_cert_chain_list: ["My Root CA"]
template_name: TLS_server

(Apache)
acme2certifier_ssl.conf

SetEnv XCA_PASSPHRASE "MyPassPhraseHere"

[grindsa]

Please enable debugging in by setting debug=True flag in acme_srv.cfg. Replicate the issue and attach the logs? a2c needs write access to your /opt/xca/db/MyCA.xdb Is your webserver configured accordingly and are the permissions set correctly?

Attaching logs/console output from certbot would also be helpful.

Thx G.

[tmontney]

It's probably relevant to note I'm using OpenSSL 1.1.1h and Certbot 1.3.0. Of course, both are a number of years old. I'd update them, but that'd require an OS upgrade. acme.sh is an option, but if this turns out to be an OpenSSL issue (or some other system package) then I guess I'll have to tackle the OS first.

For certbot, it's really just {"status": 400, "type": "urn:ietf:params:acme:error:badCSR", "detail": "enrollment failed"}. DNS and HTTP seems to be OK.

Looking at the certifier logs, I noticed it complained about not finding the handler. My mistake, I merely copied the file without renaming it. Corrected that; however, same error from certbot.

What stands out to me is error: 2 is not a valid CSR version

(Contents below somewhat redacted.)

[Mon Feb 03 23:24:00.241375 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] ca_handler: <module 'acme_srv.ca_handler' from '/var/www/acme2certifier/acme_srv/ca_handler.py'>
[Mon Feb 03 23:24:00.241397 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Certificate._config_load() ended.
[Mon Feb 03 23:24:00.241419 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Certificate.store_csr(<REMOVED>)
[Mon Feb 03 23:24:00.241438 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Helper.generate_random_string()
[Mon Feb 03 23:24:00.241482 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBStore.certificate_add(jfZeaQzI0HoW)
[Mon Feb 03 23:24:00.241502 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBStore._certificate_search(column:name, pattern:jfZeaQzI0HoW)
[Mon Feb 03 23:24:00.241662 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] modified column to certificate.name
[Mon Feb 03 23:24:00.242312 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBStore._certificate_search() ended with: False
[Mon Feb 03 23:24:00.242344 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] _certificate_insert() for jfZeaQzI0HoW
[Mon Feb 03 23:24:00.242365 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBStore._order_search(column:name, pattern:<REMOVED>)
[Mon Feb 03 23:24:00.242942 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBStore._order_search() ended
[Mon Feb 03 23:24:00.251776 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] insert new entry for jfZeaQzI0HoW
[Mon Feb 03 23:24:00.251816 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] _certificate_insert() ended with: 9
[Mon Feb 03 23:24:00.251838 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBStore.certificate_add() ended with: 9
[Mon Feb 03 23:24:00.251858 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Certificate.store_csr() ended
[Mon Feb 03 23:24:00.251891 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Certificate.enroll_and_store(jfZeaQzI0HoW, <REMOVED>)
[Mon Feb 03 23:24:00.251913 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Certificate._csr_check()
[Mon Feb 03 23:24:00.251932 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Certificate._info(jfZeaQzI0HoW)
[Mon Feb 03 23:24:00.251952 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBstore.certificate_lookup(name:jfZeaQzI0HoW)
[Mon Feb 03 23:24:00.251970 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBStore._certificate_search(column:name, pattern:jfZeaQzI0HoW)
[Mon Feb 03 23:24:00.252076 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] modified column to certificate.name
[Mon Feb 03 23:24:00.252584 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBStore._certificate_search() ended with: True
[Mon Feb 03 23:24:00.252649 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBStore.certificate_lookup() ended with: {'name': 'jfZeaQzI0HoW', 'csr': '<REMOVED>', 'cert': None, 'order__name': '<REMOVED>', 'order': '<REMOVED>'}
[Mon Feb 03 23:24:00.252683 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Certificate._info() ended with:{'name': 'jfZeaQzI0HoW', 'csr': '<REMOVED>', 'cert': None, 'order__name': '<REMOVED>', 'order': '<REMOVED>'}
[Mon Feb 03 23:24:00.252708 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] order_lookup(name:<REMOVED>)
[Mon Feb 03 23:24:00.252726 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBStore._order_search(column:name, pattern:<REMOVED>)
[Mon Feb 03 23:24:00.253203 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBStore._order_search() ended
[Mon Feb 03 23:24:00.253243 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBStore.order_lookup() ended with: {'identifiers': '[{"type": "dns", "value": "myhost.foo.bar"}]'}
[Mon Feb 03 23:24:00.253265 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Certificate._identifiers_load()
[Mon Feb 03 23:24:00.253313 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Certificate._tnauth_identifier_check()
[Mon Feb 03 23:24:00.253334 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Certificate._tnauth_identifier_check() ended with: False
[Mon Feb 03 23:24:00.253354 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Helper.cert_san_get()
[Mon Feb 03 23:24:00.253371 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Helper.cert_load()
[Mon Feb 03 23:24:00.253388 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Helper.b64_url_recode()
[Mon Feb 03 23:24:00.253428 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Helper.build_pem_file()
[Mon Feb 03 23:24:00.253833 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Certificate._csr_check() error while checking csr.
[Mon Feb 03 23:24:00.253838 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] error: 2 is not a valid CSR version
[Mon Feb 03 23:24:00.253863 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Certificate._identifiers_load() ended with []
[Mon Feb 03 23:24:00.253889 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Certificate._csr_check() ended with False
[Mon Feb 03 23:24:00.253911 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Certificate.enroll_and_store() ended with: None:urn:ietf:params:acme:error:badCSR
[Mon Feb 03 23:24:00.253936 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Order._csr_process() ended with order:<REMOVED> 400:{urn:ietf:params:acme:error:badCSR:CSR validation failed
[Mon Feb 03 23:24:00.253963 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Order._finalize() ended
[Mon Feb 03 23:24:00.253984 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Order._process() ended with order:<REMOVED> 400:urn:ietf:params:acme:error:badCSR:enrollment failed
[Mon Feb 03 23:24:00.254005 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Order._parse() ended with code: 400
[Mon Feb 03 23:24:00.254027 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Message.prepare_response()
[Mon Feb 03 23:24:00.254051 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Error.enrich_error()
[Mon Feb 03 23:24:00.254071 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Error.acme_errormessage(urn:ietf:params:acme:error:badCSR)
[Mon Feb 03 23:24:00.254093 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Nonce.nonce_generate_and_add()
[Mon Feb 03 23:24:00.254110 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Nonce.nonce__new()
[Mon Feb 03 23:24:00.254151 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] got nonce: <REMOVED>
[Mon Feb 03 23:24:00.254170 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBStore.nonce_add(<REMOVED>)
[Mon Feb 03 23:24:00.262767 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] DBStore.nonce_add() ended
[Mon Feb 03 23:24:00.262800 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Nonce.generate_and_add() ended with:<REMOVED>
[Mon Feb 03 23:24:00.262853 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] Order.parse() returns: {"code": 400, "header": {"Replay-Nonce": "<REMOVED>"}, "data": {"status": 400, "type": "urn:ietf:params:acme:error:badCSR", "detail": "enrollment failed"}}
[Mon Feb 03 23:24:00.262933 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] 192.168.1.100 /acme/order/<REMOVED>/finalize {'code': 400, 'header': {'Replay-Nonce': '- modified -'}, 'data': {'status': 400, 'type': 'urn:ietf:params:acme:error:badCSR', 'detail': 'enrollment failed'}}

[tmontney]

I realized the upgrade wouldn't be so bad, so I went ahead and did it (since it needed to be done anyway). Now I'm getting a "ContextualVersionConflict" error from certbot. I'll have to address that separately before I can go any farther.

[grindsa]

Hi,

thank you for sharing the logs.

Your original problem is not related to the key-lengh.

[Mon Feb 03 23:24:00.253838 2025] [wsgi:error] [pid 2161:tid 2172] [remote 192.168.1.100:16691] error: 2 is not a valid CSR version

You rather got trapped in a kind of Certbot dependency hell. See here and here for further information.

So when updating certbot please make sure that pyOpenSSL and cryptography modules get updated accordingly.

Another option would be to use an alternate acme-client like lego for testing.

HTH
G.

[tmontney]

I decided to go with acme.sh as that's pure bash, and installing/updating packages on this "appliance" is difficult.

acme.sh --server https://ca.foo.bar --ca-bundle /path/to/ca.pem --register-account --accountemail [email protected] runs successfully.

acme.sh --issue -w /var/www/letsencrypt -d myhost.foo.bar \
    --server https://ca.foo.bar \
    --ca-bundle /path/to/ca.pem \
    --fullchain-file myhost.crt \
    --key-file myhost.key

Returns "Order status is 'processing', let's sleep and retry.", waits 600 seconds and repeats.

[grindsa]

Hi,

the processing loop indicates an issue with the handler configuration. Can you please share the logs again?

Thanks...

[tmontney]

I believe I found the culprit: [Thu Feb 06 22:52:06.828816 2025] [wsgi:error] [pid 822:tid 1198] CAhandler._config_load() could not load passphrase_variable:'XCA_PASSPHRASE'

acme2certifier/examples/ca_handler/xca_ca_handler.py

Line 333 in 82d539d

self.passphrase = os.environ[config_dic['CAhandler']['passphrase_variable']]

Looks like it's pulling a traditional system environment variable. root is currently the user running Apache (something I'll change later), so I exported the variable through .bashrc. Restarted Apache, still getting the error. Running python as root (after a shell restart) returns the correct value: os.environ['XCA_PASSPHRASE']

How do you recommend the variable be set?

[tmontney]

So I decided to skip environment variables until I can get this working. Set passphrase instead, eliminated special characters (because I was unsure how to escape them). DB path is owned, recursively, by root, and 640 set on the DB itself. The path is correct and can be enumerated by root.

[Sat Feb 08 01:26:01.174567 2025] [wsgi:error] [pid 825:tid 2717] Helper.csr_san_get() ended with: ['DNS:myhost.foo.bar']
[Sat Feb 08 01:26:01.174615 2025] [wsgi:error] [pid 825:tid 2717] CAhandler._requestname_get() ended with: myhost.foo.bar
[Sat Feb 08 01:26:01.174646 2025] [wsgi:error] [pid 825:tid 2717] CAhandler._csr_import()
[Sat Feb 08 01:26:01.174674 2025] [wsgi:error] [pid 825:tid 2717] CAhandler._csr_search()
[Sat Feb 08 01:26:01.174760 2025] [wsgi:error] [pid 825:tid 2717] Exception in thread Thread-8 (_enroll_and_store):
[Sat Feb 08 01:26:01.174772 2025] [wsgi:error] [pid 825:tid 2717] Traceback (most recent call last):
[Sat Feb 08 01:26:01.174783 2025] [wsgi:error] [pid 825:tid 2717]   File "/usr/lib/python3.11/threading.py", line 1038, in _bootstrap_inner
[Sat Feb 08 01:26:01.175145 2025] [wsgi:error] [pid 825:tid 2717]     self.run()
[Sat Feb 08 01:26:01.175204 2025] [wsgi:error] [pid 825:tid 2717]   File "/var/www/acme2certifier/acme_srv/threadwithreturnvalue.py", line 16, in run
[Sat Feb 08 01:26:01.175272 2025] [wsgi:error] [pid 825:tid 2717]     self._return = self._target(*self._args, **self._kwargs)
[Sat Feb 08 01:26:01.175351 2025] [wsgi:error] [pid 825:tid 2717]                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Sat Feb 08 01:26:01.175360 2025] [wsgi:error] [pid 825:tid 2717]   File "/var/www/acme2certifier/acme_srv/certificate.py", line 405, in _enroll_and_store
[Sat Feb 08 01:26:01.175531 2025] [wsgi:error] [pid 825:tid 2717]     (error, certificate, certificate_raw, poll_identifier) = self._enroll(csr)
[Sat Feb 08 01:26:01.175612 2025] [wsgi:error] [pid 825:tid 2717]                                                              ^^^^^^^^^^^^^^^^^
[Sat Feb 08 01:26:01.175620 2025] [wsgi:error] [pid 825:tid 2717]   File "/var/www/acme2certifier/acme_srv/certificate.py", line 294, in _enroll
[Sat Feb 08 01:26:01.175750 2025] [wsgi:error] [pid 825:tid 2717]     (error, certificate, certificate_raw, poll_identifier) = ca_handler.enroll(csr)
[Sat Feb 08 01:26:01.175832 2025] [wsgi:error] [pid 825:tid 2717]                                                              ^^^^^^^^^^^^^^^^^^^^^^
[Sat Feb 08 01:26:01.175840 2025] [wsgi:error] [pid 825:tid 2717]   File "/var/www/acme2certifier/acme_srv/ca_handler.py", line 934, in enroll
[Sat Feb 08 01:26:01.176159 2025] [wsgi:error] [pid 825:tid 2717]     _csr_info = self._csr_import(csr, request_name)  # lgtm [py/unused-local-variable]
[Sat Feb 08 01:26:01.176235 2025] [wsgi:error] [pid 825:tid 2717]                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Sat Feb 08 01:26:01.176244 2025] [wsgi:error] [pid 825:tid 2717]   File "/var/www/acme2certifier/acme_srv/ca_handler.py", line 367, in _csr_import
[Sat Feb 08 01:26:01.176391 2025] [wsgi:error] [pid 825:tid 2717]     csr_info = self._csr_search('request', csr)
[Sat Feb 08 01:26:01.176454 2025] [wsgi:error] [pid 825:tid 2717]                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Sat Feb 08 01:26:01.176462 2025] [wsgi:error] [pid 825:tid 2717]   File "/var/www/acme2certifier/acme_srv/ca_handler.py", line 410, in _csr_search
[Sat Feb 08 01:26:01.176622 2025] [wsgi:error] [pid 825:tid 2717]     self._db_open()
[Sat Feb 08 01:26:01.176650 2025] [wsgi:error] [pid 825:tid 2717]   File "/var/www/acme2certifier/acme_srv/ca_handler.py", line 425, in _db_open
[Sat Feb 08 01:26:01.176812 2025] [wsgi:error] [pid 825:tid 2717]     self.dbs = sqlite3.connect(self.xdb_file)
[Sat Feb 08 01:26:01.176872 2025] [wsgi:error] [pid 825:tid 2717]                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[Sat Feb 08 01:26:01.176885 2025] [wsgi:error] [pid 825:tid 2717] sqlite3.OperationalError: unable to open database file

Debug is still on yet that's all it gives, "unable to open database file".

Using the following as a reference:

acme2certifier/examples/ca_handler/xca_ca_handler.py

Line 410 in 82d539d

self._db_open()

Running interactively as root works fine.

import sqlite3
con = sqlite3.connect("/path/to/db.xdb")
cur = con.cursor()
cur.execute("SELECT * FROM view_requests")

Which lead me to wonder if the handler was running as root. I'm not familiar at all with Apache web applications, a quick Google of "apache wsgi user account" made me realize it's running as www-data. Changing ownership to that user/group got me farther. Now I'm facing Certificate._enrollerror_handler(ca lookup failed). Figure it's just a matter of picking the right name? My over-cautious use of quotes, because my CA name had spaces in it, was the problem. certbot's dry run was successful.

[grindsa]

I am using the feature to pass env variables in containerized environments as it allows me to pass configuration parameters during instantiation process. Not sure if there is a similar mechanism on a legacy bm or VM installation. Let me check...

[tmontney]

@grindsa

Some feedback on my experience...

1. When acme2certifier (A2C) can't find the passphrase, it caused a 10 minute re-try period for acme.sh. For certbot, it was not more than 30 seconds. I can't recall what the retry-after header was set to, so perhaps this is an acme.sh issue. In any case, I would expect A2C to fail instantly without the passphrase. Unless the passphrase is optional for XCA?
2. Similarly, certbot hung when A2C couldn't open the database. This certainly is a hard-fail, as A2C must read the database to do anything meaningful. A2C should immediately return a HTTP 500.
3. I don't see anything in the docs about ownership and permissions. It should be updated to indicate www-data:www-data needs ownership and appropriate permissions (660?). Docs should point out if the log reports unable to open database file that this is an indication of bad permissions.
4. In addition to 3, it'd be nice if A2C was "grouchy" about insecure filesystem permissions (like I believe SSH can be). If, for example, xdb is world-readable A2C will refuse to handle unless some kind of flag is passed (perhaps in the config). Perhaps there are scenarios where this wouldn't make sense. The DB should be encrypted anyway, so this may not be that big of a deal.

[grindsa]

thank you for your feedback. Your proposals make absolute sense. Let me work on it.

[grindsa]

Quick question as for your item #2. Are you referring to the XCA database or to the a2c database?

as for item #1. This is rather an acme-sh issue, but I have an idea how to improve it. Improvements for #3, #4 are included in my local development branch. If you want to test let me know.

[tmontney]

Yes, sorry, # 2 I was referring to the XCA database.

Sweet, I'll test those out soon.

[grindsa]

All changes have been included in the devel branch.

For item 2, the implementation has been updated: a2c now checks the CA-handler configuration when querying the directory resource. If it encounters a problem, it will throw a 403 error instead of allowing the client to continue further.

changes are included in examples/ca_handler/xca_handler.py and acme_srv/directory.py only. It should be sufficient to replace the existing versions with the ones from the devel branch.

Please let me know if this works for you. Feedback is always welcome.