glatzert / ACME-Server-ADCS

ACME (RFC 8555) Server compatible implementation, connecting to Active Directory Certificate Services (ADCS)

Validation of CSR failed with exception #20

Closed petermdevries closed 8 months ago

petermdevries commented 11 months ago

Hi,

I'm running ACME-Server-ADCS v1.3beta for a couple of months now. However, since a couple of days I get the following error when renewing a certificate via the win-acme client. This certificate has been renewed 3-4 times successfully before, but now it comes with this error. Not sure yet where to look for a solution.

The eventlog shows the following:

Category: TGIT.ACME.Protocol.IssuanceServices.ADCS.CsrValidator
EventId: 0
SpanId: 4f8c2da89a5bfffa
TraceId: 970b2936470d66ba5139c64cf68e11df
ParentId: 0000000000000000
RequestId: 80000034-0000-f300-b63f-84710c7967bb
RequestPath: /order/Kd6P3KmC70mDSzUvx-wW_Q/finalize
ActionId: 9b73504d-7647-4590-8172-5af40a4e0ebc
ActionName: TGIT.ACME.Server.Controllers.OrderController.FinalizeOrder (TGIT.ACME.Server.Core)

Validation of CSR failed with exception.

Exception: 
System.Runtime.InteropServices.COMException (0x80093102): CertEnroll::CX509CertificateRequestPkcs10::InitializeDecode: ASN1 unexpected end of data. 0x80093102 (ASN: 258 CRYPT_E_ASN1_EOD)
   at CERTENROLLLib.CX509CertificateRequestPkcs10Class.InitializeDecode(String strEncodedData, EncodingType Encoding)
   at TGIT.ACME.Protocol.IssuanceServices.ADCS.CsrValidator.ValidateCsrAsync(Order order, String csr, CancellationToken cancellationToken) in E:\Dev\ACME-Server-ADCS\src\ACME.CertProvider.ADCS\CsrValidator.cs:line 30

And the log for the most recent renewal: 20231026.json

Any suggestions what could be the cause? Between the last successful renewal and now the server has been rebooted and patched to the latest Windows service packs. These are the only "relevant" changes I can think of right now.

Peter

glatzert commented 9 months ago

Uh.. I just saw, I never commented on your problem. Has it resolved itself or did you give up?

petermdevries commented 9 months ago

Yesterday I was just running through my GitHub tasks etc. and indeed I saw this open issue and I assumed it resolved itself. But unfortunately exactly this morning I got this error again. Of course not very strange, as I have a win-acme task which tries a renewal every 2 months and now it's exactly 2 months since the last time.

But 2 months ago, after a couple of days the certificate renewal was successful. Not sure why yet.

So if you have any suggestion where to look? Otherwise I'll wait a couple of days to see what will happen.

glatzert commented 9 months ago

If you have time for it, please take a look into the CA's log to see whether the request has even been submitted. It should log when it's refused.

glatzert commented 8 months ago

So I had the time to take a proper look into CSR validation and I f** it up somewhere between the versions. I've rewritten it now, constructed proper tests and re-consulted RFC 8555. This part should now work properly again. Sorry for any inconvenience.
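
Worked example, added here and not code from ACME-Server-ADCS (which is C#) or from RFC 8555 itself: how an ACME server should take the `csr` field of a finalize request and check it under RFC 8555 section 7.4, which requires the CSR to be base64url without padding and to name exactly the same set of identifiers as the order (in the subject CN, in a subjectAltName extensionRequest, or both). Python standard library only; the CSR is constructed test data with a dummy key and dummy signature (no signature verification), and all function names are my own. The block also shows two general ways a CSR check ends in an "unexpected end of data" style failure: a truncated DER blob, and an ACME base64url value handed to a decoder that expects standard base64 with padding. The thread does not say what the regression was; these are the general pitfalls a CSR validator has to handle.

```python
"""Added example (not ACME-Server-ADCS code): RFC 8555 s.7.4 CSR decoding and
identifier checking with a minimal DER walker. Test CSR is constructed data."""
import base64
import binascii

OID_CN = bytes.fromhex("550403")                  # id-at-commonName 2.5.4.3
OID_EXT_REQ = bytes.fromhex("2a864886f70d01090e")  # pkcs-9 extensionRequest
OID_SAN = bytes.fromhex("551d11")                 # id-ce-subjectAltName 2.5.29.17
OID_RSA = bytes.fromhex("2a864886f70d010101")      # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption


def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV with definite-length encoding."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(buf: bytes, pos: int):
    """Parse one TLV at pos -> (tag, content, next_pos). Raises ValueError on
    truncation, the condition CertEnroll reports as CRYPT_E_ASN1_EOD."""
    if pos + 2 > len(buf):
        raise ValueError("ASN.1 unexpected end of data")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("ASN.1 unexpected end of data")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("ASN.1 unexpected end of data")
    return tag, buf[pos:pos + length], pos + length


def children(content: bytes):
    """All TLVs directly inside a constructed value, as (tag, content) pairs."""
    pos, out = 0, []
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out


def build_csr(cn: str, san_dns: list) -> bytes:
    """Constructed PKCS#10 CSR with a dummy key and signature: realistic shape
    for the parser, but test data only, never a real request."""
    atv = der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))
    subject = der(0x30, der(0x31, atv))
    alg = der(0x30, der(0x06, OID_RSA) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" * 17))
    gen_names = der(0x30, b"".join(der(0x82, d.encode()) for d in san_dns))
    san_ext = der(0x30, der(0x06, OID_SAN) + der(0x04, gen_names))
    attr = der(0x30, der(0x06, OID_EXT_REQ) + der(0x31, der(0x30, san_ext)))
    cri = der(0x30, der(0x02, b"\x00") + subject + spki + der(0xA0, attr))
    sig_alg = der(0x30, der(0x06, OID_SHA256_RSA) + der(0x05, b""))
    return der(0x30, cri + sig_alg + der(0x03, b"\x00" * 17))


def acme_b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def acme_b64url_decode(s: str) -> bytes:
    """RFC 8555: csr is base64url WITHOUT padding, so restore the padding and
    use the URL-safe alphabet before handing the bytes to a DER parser."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def naive_standard_b64_decode_fails(s: str) -> bool:
    """A decoder expecting plain padded base64 rejects '-', '_' and the missing
    padding; a lenient one silently drops characters and yields truncated DER."""
    try:
        base64.b64decode(s, validate=True)
        return False
    except binascii.Error:
        return True


def csr_names(der_csr: bytes):
    """Return (common_names, san_dns_names) from a PKCS#10 CSR."""
    tag, body, end = read_tlv(der_csr, 0)
    if tag != 0x30 or end != len(der_csr):
        raise ValueError("CSR is not a single DER SEQUENCE")
    _version, subject, _spki, *rest = children(children(body)[0][1])
    cns = [value.decode("utf-8")
           for _, rdn in children(subject[1]) for _, atv in children(rdn)
           for (oid, value) in [tuple(c[1] for c in children(atv))] if oid == OID_CN]
    sans = []
    for atag, attrs in rest:
        if atag != 0xA0:            # [0] IMPLICIT Attributes
            continue
        for _, attr in children(attrs):
            oid, values = children(attr)
            if oid[1] != OID_EXT_REQ:
                continue
            for _, exts in children(values[1]):
                for _, ext in children(exts):
                    parts = children(ext)
                    if parts[0][1] == OID_SAN:   # last part is the OCTET STRING
                        _, names, _ = read_tlv(parts[-1][1], 0)
                        sans += [n.decode("ascii") for t, n in children(names) if t == 0x82]
    return cns, sans


def decode_error(der_csr: bytes):
    """Error message a truncated CSR produces, or None if it parses."""
    try:
        csr_names(der_csr)
        return None
    except ValueError as e:
        return str(e)


def validate_csr(csr_b64url: str, order_dns_identifiers: set) -> bool:
    """RFC 8555 s.7.4: CN plus SAN dNSNames must equal the order's identifiers
    exactly, no extra names and none missing."""
    cns, sans = csr_names(acme_b64url_decode(csr_b64url))
    return {n.lower() for n in cns + sans} == {n.lower() for n in order_dns_identifiers}
```

The check is deliberately a set equality, not a subset test: a client that sneaks an extra dNSName into the CSR must be refused even if every identifier from the order is present.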

petermdevries commented 8 months ago

Thanks. Just installed it and time will tell if it solves the issue :)