crtsh / certwatch_db

Database schema
https://crt.sh/
GNU General Public License v3.0

https://crt.sh/gen-add-chain not working #90

Closed RufusJWB closed 2 years ago

RufusJWB commented 2 years ago

If I execute https://crt.sh/gen-add-chain with the following PEM file, I receive the error message [image]

Executing the SQL statement "SELECT public.generate_add_chain_body(@cert_data,@only_one_chain)" with the certificate as a byte array directly on the database returns an empty result.

The PEM file belongs to https://crt.sh/?id=5815024778

robstradling commented 2 years ago

@RufusJWB I expect you're running into the issue described at the bottom of the https://crt.sh/gen-add-chain page... "Please note: This tool currently finds chains that are trusted by the Mozilla and/or Microsoft and/or Apple root programs. FIXME: Look at each log's /ct/v1/get-roots instead"

RufusJWB commented 2 years ago

That's true. Any clever idea how to fix this?

RufusJWB commented 2 years ago

I'll craft the submission chain by hand.

RufusJWB commented 2 years ago

Just in case someone else runs into this problem: I created a simple (very Siemens-specific) gist showing how to do this effectively: https://gist.github.com/RufusJWB/ed37330e5d023ac7f3bed3c240d34578
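
The FIXME quoted above points at each log's /ct/v1/get-roots as the right source of accepted roots. The following is an added example, not part of this thread, the linked gist, or the crt.sh code base: it builds an RFC 6962 add-chain body by hand from a PEM bundle and cuts the chain at the first certificate the target log accepts as a root. The function names are hypothetical, the bundle is assumed to be ordered leaf first with the root included, and the sample bytes and get-roots responses are constructed stand-ins rather than real certificates.

```python
import base64
import json
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def b64(data):
    return base64.b64encode(data).decode()

def pem_bundle_to_der(pem_text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]

def build_add_chain_body(pem_text, get_roots_json):
    """JSON body for POST <log>/ct/v1/add-chain (RFC 6962, section 4.1).

    Assumption: the bundle is ordered leaf first, each later certificate
    certifying the one before it, and it contains the root itself. The chain
    is cut at the first certificate byte-identical to one of the log's
    accepted roots (the get-roots response, section 4.7).
    """
    accepted = {base64.b64decode(c) for c in json.loads(get_roots_json)["certificates"]}
    chain = []
    for der in pem_bundle_to_der(pem_text):
        chain.append(der)
        if der in accepted:
            break
    else:  # bundle exhausted without reaching a root this log accepts
        raise ValueError("no certificate in the bundle is an accepted root of this log")
    return json.dumps({"chain": [b64(d) for d in chain]})

# Constructed stand-in bytes, not real certificates: nothing here parses X.509.
LEAF, INTERMEDIATE, ROOT, EXTRA = (b"constructed-leaf", b"constructed-intermediate",
                                   b"constructed-private-root", b"constructed-extra")
SAMPLE_BUNDLE = "".join(
    "-----BEGIN CERTIFICATE-----\n" + b64(c) + "\n-----END CERTIFICATE-----\n"
    for c in (LEAF, INTERMEDIATE, ROOT, EXTRA))
# Constructed get-roots responses: log A accepts the private root, log B does not.
LOG_A_ROOTS = json.dumps({"certificates": [b64(ROOT)]})
LOG_B_ROOTS = json.dumps({"certificates": [b64(b"constructed-other-root")]})

if __name__ == "__main__":
    print(build_add_chain_body(SAMPLE_BUNDLE, LOG_A_ROOTS))
    try:
        build_add_chain_body(SAMPLE_BUNDLE, LOG_B_ROOTS)
    except ValueError as exc:
        print("log B:", exc)
```

Checking the bundle against the log's own get-roots response before submitting shows up front which logs will accept a chain that ends in a root outside the Mozilla, Microsoft and Apple programs.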