r509 / r509-ca-http

An HTTP service representing an API to a Certificate Authority, using r509

Help with API and curl #38

Closed rjes closed 8 years ago

rjes commented 8 years ago

Hello! I'm trying to issue a certificate with curl:

$ openssl req -nodes -newkey rsa:2048 -keyout test-cert.key -out test-cert.csr -subj "/C=SE/ST=Stockholm/L=Stockholm/O=Netnerdz/OU=CA-App/CN=test-cert"
Generating a 2048 bit RSA private key
....+++
.........................................................................+++
writing new private key to 'test-cert.key'
-----
$ curl -XPOST -v -d "subject[C]=SE&subject[ST]=Stockholm&subject[L]=Stockholm&subject[O]=Netnerdz&subject[OU]=CA-App&subject[CN]=test-cert&ca=ca-app.netnerdz.se&profile=server&validityPeriod=31536000&csr=$(cat test-cert.csr | grep -v -- '----')" 172.20.202.20:9292/1/certificate/issue
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 10081 (#0)
> POST /1/certificate/issue HTTP/1.1
> Host: 172.20.202.20:9292
> User-Agent: curl/7.50.3
> Accept: */*
> Content-Length: 1125
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
> 
* Done waiting for 100-continue
* We are completely uploaded and fine
< HTTP/1.1 500 Internal Server Error 
< Content-Type: text/plain;charset=utf-8
< Content-Length: 49
< Server: WEBrick/1.3.1 (Ruby/2.3.1/2016-04-26)
< Date: Sun, 16 Oct 2016 12:04:49 GMT
< Connection: Keep-Alive
< 
* Curl_http_done: called premature == 0
* Connection #0 to host 172.20.202.20 left intact
#<OpenSSL::X509::RequestError: nested asn1 error>
$ 

Any clue how to fix this? //Robert

reaperhulk commented 8 years ago

Does issuance work if you make the request through the web form (/test/certificate/issue)?

rjes commented 8 years ago

Hi! Yes, it does, and that's so strange. Here's the server output when I use the test form:

I, [2016-10-16T16:53:02.134753 #174]  INFO -- : Issue Certificate
I, [2016-10-16T16:53:02.135260 #174]  INFO -- : ca=ca-app.netnerdz.se&profile=server&validityPeriod=31536000&subject%5BC%5D=Sweden&subject%5BST%5D=Stockholm&subject%5BL%5D=Stockholm&subject%5BO%5D=Netnerdz&subject%5BOU%5D=CA-App&subject%5BCN%5D=test-cert&subject%5BemailAddress%5D=&extensions%5BsubjectAlternativeName%5D%5B%5D=&extensions%5BsubjectAlternativeName%5D%5B%5D=&extensions%5BsubjectAlternativeName%5D%5B%5D=&extensions%5BsubjectAlternativeName%5D%5B%5D=&extensions%5BsubjectAlternativeName%5D%5B%5D=&csr=-----BEGIN+CERTIFICATE+REQUEST-----%0D%0AMIICiTCCAXECAQAwRDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTEh%0D%0AMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0B%0D%0AAQEFAAOCAQ8AMIIBCgKCAQEAypf%2B0Tlf5fPo5kgsBYdetr6mFLXwDGDlbkhWK9OR%0D%0ApZZSGMHrSH1aHQvJjCcYO1YD78Gte1W8z5erYVIaRSfoKfYvzVWW9%2BjihI7W1fsV%0D%0Axs8Uk48a6lnvULZVrSi3rcW%2F0eaXGBKrFYAaPtfnhM9snJwJ6fZWSj34jNENjFA%2B%0D%0ACYUslwW%2FAsqFhG8mD3DNEyFpF6mBK6%2FAzmQnyAw%2BRTQWTjI4riw1BoD0PNVDAnvT%0D%0AM%2FVijIglC202if027ZDDRJM1pFbUIx0XNEgLTojDuEF97Q5q2%2BarNHiTR%2FLW9%2BB9%0D%0AUMvCk%2F5znI2p2o7kBUCJtJFgNZnNK%2FigFUcXI4Lb7oXMeQIDAQABoAAwDQYJKoZI%0D%0AhvcNAQELBQADggEBAMcmfs%2FUQL%2BjvPxa7drFa%2BhdEBJu140OF%2B6sZUMSuCBhi1M2%0D%0Adek0nD0HIuEWmMRN8KiH9gNl7axuo1F1U1VK9AGm9H59EnSHInUMabgotnnPPf8n%0D%0A62jHhzH7sesgOCLPpRqVbrjNtbeu5HqK6jQZ7RXf%2Ft3zF688NABwidKTP4oJgjmV%0D%0AFWAC%2F60MeveQtcbsPhaC%2BLmgdVNqqXD9C22eBVwvjZg2VVWRSYaI596sAhOVWusJ%0D%0AJZI%2Fnc2ySp3bHkcvA37CP4yRPu3TCqNmfyJoGwZdRg0OZoYRD%2FTweE8BWZecxR93%0D%0AWkNFihGStMOX0c0LQ7fKpJT6%2Bzf%2F8GnIkaLr268%3D%0D%0A-----END+CERTIFICATE+REQUEST-----%0D%0A
I, [2016-10-16T16:53:02.135400 #174]  INFO -- : {"ca"=>"ca-app.netnerdz.se", "profile"=>"server", "validityPeriod"=>"31536000", "subject"=>{"C"=>"Sweden", "ST"=>"Stockholm", "L"=>"Stockholm", "O"=>"Netnerdz", "OU"=>"CA-App", "CN"=>"test-cert", "emailAddress"=>""}, "extensions"=>{"subjectAlternativeName"=>["", "", "", "", ""]}, "csr"=>"-----BEGIN CERTIFICATE REQUEST-----\r\nMIICiTCCAXECAQAwRDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTEh\r\nMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0B\r\nAQEFAAOCAQ8AMIIBCgKCAQEAypf+0Tlf5fPo5kgsBYdetr6mFLXwDGDlbkhWK9OR\r\npZZSGMHrSH1aHQvJjCcYO1YD78Gte1W8z5erYVIaRSfoKfYvzVWW9+jihI7W1fsV\r\nxs8Uk48a6lnvULZVrSi3rcW/0eaXGBKrFYAaPtfnhM9snJwJ6fZWSj34jNENjFA+\r\nCYUslwW/AsqFhG8mD3DNEyFpF6mBK6/AzmQnyAw+RTQWTjI4riw1BoD0PNVDAnvT\r\nM/VijIglC202if027ZDDRJM1pFbUIx0XNEgLTojDuEF97Q5q2+arNHiTR/LW9+B9\r\nUMvCk/5znI2p2o7kBUCJtJFgNZnNK/igFUcXI4Lb7oXMeQIDAQABoAAwDQYJKoZI\r\nhvcNAQELBQADggEBAMcmfs/UQL+jvPxa7drFa+hdEBJu140OF+6sZUMSuCBhi1M2\r\ndek0nD0HIuEWmMRN8KiH9gNl7axuo1F1U1VK9AGm9H59EnSHInUMabgotnnPPf8n\r\n62jHhzH7sesgOCLPpRqVbrjNtbeu5HqK6jQZ7RXf/t3zF688NABwidKTP4oJgjmV\r\nFWAC/60MeveQtcbsPhaC+LmgdVNqqXD9C22eBVwvjZg2VVWRSYaI596sAhOVWusJ\r\nJZI/nc2ySp3bHkcvA37CP4yRPu3TCqNmfyJoGwZdRg0OZoYRD/TweE8BWZecxR93\r\nWkNFihGStMOX0c0LQ7fKpJT6+zf/8GnIkaLr268=\r\n-----END CERTIFICATE REQUEST-----\r\n"}
I, [2016-10-16T16:53:02.137106 #174]  INFO -- : #<R509::Subject:0x007f8c369acff8 @array=[["C", "Sweden"], ["ST", "Stockholm"], ["L", "Stockholm"], ["O", "Netnerdz"], ["OU", "CA-App"], ["CN", "test-cert"]]>
I, [2016-10-16T16:53:02.137194 #174]  INFO -- : /C=Sweden/ST=Stockholm/L=Stockholm/O=Netnerdz/OU=CA-App/CN=test-cert
I, [2016-10-16T16:53:02.156809 #174]  INFO -- : -----BEGIN CERTIFICATE-----[certificate body omitted]-----END CERTIFICATE-----

I, [2016-10-16T16:53:02.158052 #174]  INFO -- : Writing: /app/certwriter/test-cert_ca-app.netnerdz.se_069F188C8509ED289B9849648E9CDBF98F76F0.pem
I, [2016-10-16T16:53:02.159743 #174]  INFO -- : Writing serial: 147663678213835943990956705914426027989235440, Issuer: /CN=Netnerdz APP CA/O=Netnerdz/L=Stockholm/ST=Stockholm/C=Sweden
10.192.10.20 - - [16/Oct/2016:16:53:02 +0000] "POST /1/certificate/issue/ HTTP/1.1" 200 1899 0.0272
178:M 16 Oct 16:53:02.190 * 1 changes in 3600 seconds. Saving...
178:M 16 Oct 16:53:02.190 * Background saving started by pid 243
243:C 16 Oct 16:53:02.406 * DB saved on disk
243:C 16 Oct 16:53:02.406 * RDB: 0 MB of memory used by copy-on-write
178:M 16 Oct 16:53:02.491 * Background saving terminated with success

And when I use the API:

I, [2016-10-16T16:54:19.499394 #174]  INFO -- : Issue Certificate
I, [2016-10-16T16:54:19.499517 #174]  INFO -- : subject[C]=SE&subject[ST]=Stockholm&subject[L]=Stockholm&subject[O]=Netnerdz&subject[OU]=CA-App&subject[CN]=test-cert&ca=ca-app.netnerdz.se&profile=server&validityPeriod=31536000s&csr=MIICsjCCAZoCAQAwbTELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTES[remainder of the raw CSR omitted]
I, [2016-10-16T16:54:19.499660 #174]  INFO -- : {"subject"=>{"C"=>"SE", "ST"=>"Stockholm", "L"=>"Stockholm", "O"=>"Netnerdz", "OU"=>"CA-App", "CN"=>"test-cert"}, "ca"=>"ca-app.netnerdz.se", "profile"=>"server", "validityPeriod"=>"31536000s", "csr"=>"MIICsjCCAZoCAQAwbTELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTES\nMBAGA1UEBwwJU3RvY2tob2xtMREwDwYDVQQKDAhOZXRuZXJkejEPMA0GA1UECwwG\nQ0EtQXBwMRIwEAYDVQQDDAl0ZXN0LWNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQCuZuRqvVDsyqn5DHUcb/6db9cLzOBHe80HWJ6mV40IOq7db1dj\nm2ZshCOvLu1B0UnfObMTmA1Q27x8G5ynT843rg2jth pfEC4hcn8WOYjZxSnsiTr\nYSNJadwHjRstp1luqzdpIPQP54X1JRWT98T0rAPtuelgylGl6C/7QMDmWBSP0KeW\nMIvWigCdWgootkTKih77knqpGhokGrFgLvkOrZ7ybz7VM1yGlO3s0WViGQfdCHQ0\n6cNLg6p0GA20HDPKtVvMtiBX8qGUaOt7ovtuM7NC4zxNOkm8Z5p3CIL2Hde4HFn1\nEaGS65LfHgXCRkjsNoDXCNo23zk72ihMvUkVAgMBAAGgADANBgkqhkiG9w0BAQsF\nAAOCAQEAL0sjquP eh1gTusQYXkNBvdy3RCf8zYEJVpCdeeZ3IV/fapoMHjGgoR7\nfQ6MMga6nXgSgmPIANuF9MyZdf2X6YIomhuvLctlcoemJcTHk4lZ0qcm1adJFTmi\nOM3N/ZGOHfqaw66N6xLu5sbykNiF3bG7Ru yMwIyt2qpUihBzg87gCEtsmQqucqD\nUNTb38ibFG o0HDQaDgAu3ths9cwmkaKkqL/Ca971G8su1mDt1xTzYgG7FKeCtHE\nL3HofhgBwY3T6gIYPBR5CXxz7UPNwBM04V3rfiybQ/yT1IciHUQfrGTNmj9k3qta\nGzldPzABfRit3/M674NTacIUM3M75A=="}
I, [2016-10-16T16:54:19.500694 #174]  INFO -- : #<R509::Subject:0x007f8c36949458 @array=[["C", "SE"], ["ST", "Stockholm"], ["L", "Stockholm"], ["O", "Netnerdz"], ["OU", "CA-App"], ["CN", "test-cert"]]>
I, [2016-10-16T16:54:19.500820 #174]  INFO -- : /C=SE/ST=Stockholm/L=Stockholm/O=Netnerdz/OU=CA-App/CN=test-cert
2016-10-16 16:54:19 - OpenSSL::X509::RequestError - nested asn1 error:
        /usr/lib/ruby/gems/2.3.0/gems/r509-0.10.0/lib/r509/csr.rb:178:in `initialize'
        /usr/lib/ruby/gems/2.3.0/gems/r509-0.10.0/lib/r509/csr.rb:178:in `new'
        /usr/lib/ruby/gems/2.3.0/gems/r509-0.10.0/lib/r509/csr.rb:178:in `rescue in parse_csr'
        /usr/lib/ruby/gems/2.3.0/gems/r509-0.10.0/lib/r509/csr.rb:158:in `parse_csr'
        /usr/lib/ruby/gems/2.3.0/gems/r509-0.10.0/lib/r509/csr.rb:70:in `initialize'
        /usr/lib/ruby/gems/2.3.0/gems/r509-ca-http-0.3.2/lib/r509/certificateauthority/http/factory.rb:5:in `new'
        /usr/lib/ruby/gems/2.3.0/gems/r509-ca-http-0.3.2/lib/r509/certificateauthority/http/factory.rb:5:in `build'
        /usr/lib/ruby/gems/2.3.0/gems/r509-ca-http-0.3.2/lib/r509/certificateauthority/http/server.rb:153:in `block in <class:Server>'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1611:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1611:in `block in compile!'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:975:in `block (3 levels) in route!'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:994:in `route_eval'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:975:in `block (2 levels) in route!'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1015:in `block in process_route'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1013:in `catch'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1013:in `process_route'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:973:in `block in route!'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:972:in `each'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:972:in `route!'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1085:in `block in dispatch!'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `block in invoke'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `catch'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `invoke'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1082:in `dispatch!'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:907:in `block in call!'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `block in invoke'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `catch'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `invoke'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:907:in `call!'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:895:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/nulllogger.rb:9:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/head.rb:13:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:182:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:2013:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1487:in `block in call'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1787:in `synchronize'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1487:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/r509-middleware-certwriter-0.2.1/lib/r509/middleware/certwriter.rb:20:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/r509-middleware-validity-0.2.1/lib/r509/middleware/validity.rb:20:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/tempfile_reaper.rb:15:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/lint.rb:49:in `_call'
        /usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/lint.rb:37:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/showexceptions.rb:24:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/commonlogger.rb:33:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:219:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/chunked.rb:54:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/content_length.rb:15:in `call'
        /usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/handler/webrick.rb:88:in `service'
        /usr/lib/ruby/2.3.0/webrick/httpserver.rb:140:in `service'
        /usr/lib/ruby/2.3.0/webrick/httpserver.rb:96:in `run'
        /usr/lib/ruby/2.3.0/webrick/server.rb:296:in `block in start_thread'
E, [2016-10-16T16:54:19.503516 #174] ERROR -- : #<OpenSSL::X509::RequestError: nested asn1 error>
E, [2016-10-16T16:54:19.503604 #174] ERROR -- : /usr/lib/ruby/gems/2.3.0/gems/r509-0.10.0/lib/r509/csr.rb:178:in `initialize'
/usr/lib/ruby/gems/2.3.0/gems/r509-0.10.0/lib/r509/csr.rb:178:in `new'
/usr/lib/ruby/gems/2.3.0/gems/r509-0.10.0/lib/r509/csr.rb:178:in `rescue in parse_csr'
/usr/lib/ruby/gems/2.3.0/gems/r509-0.10.0/lib/r509/csr.rb:158:in `parse_csr'
/usr/lib/ruby/gems/2.3.0/gems/r509-0.10.0/lib/r509/csr.rb:70:in `initialize'
/usr/lib/ruby/gems/2.3.0/gems/r509-ca-http-0.3.2/lib/r509/certificateauthority/http/factory.rb:5:in `new'
/usr/lib/ruby/gems/2.3.0/gems/r509-ca-http-0.3.2/lib/r509/certificateauthority/http/factory.rb:5:in `build'
/usr/lib/ruby/gems/2.3.0/gems/r509-ca-http-0.3.2/lib/r509/certificateauthority/http/server.rb:153:in `block in <class:Server>'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1611:in `call'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1611:in `block in compile!'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:975:in `block (3 levels) in route!'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:994:in `route_eval'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:975:in `block (2 levels) in route!'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1015:in `block in process_route'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1013:in `catch'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1013:in `process_route'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:973:in `block in route!'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:972:in `each'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:972:in `route!'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1085:in `block in dispatch!'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `block in invoke'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `catch'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `invoke'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1082:in `dispatch!'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:907:in `block in call!'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `block in invoke'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `catch'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1067:in `invoke'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:907:in `call!'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:895:in `call'
/usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/nulllogger.rb:9:in `call'
/usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/head.rb:13:in `call'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:182:in `call'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:2013:in `call'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1487:in `block in call'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1787:in `synchronize'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:1487:in `call'
/usr/lib/ruby/gems/2.3.0/gems/r509-middleware-certwriter-0.2.1/lib/r509/middleware/certwriter.rb:20:in `call'
/usr/lib/ruby/gems/2.3.0/gems/r509-middleware-validity-0.2.1/lib/r509/middleware/validity.rb:20:in `call'
/usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/tempfile_reaper.rb:15:in `call'
/usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/lint.rb:49:in `_call'
/usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/lint.rb:37:in `call'
/usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/showexceptions.rb:24:in `call'
/usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/commonlogger.rb:33:in `call'
/usr/lib/ruby/gems/2.3.0/gems/sinatra-1.4.7/lib/sinatra/base.rb:219:in `call'
/usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/chunked.rb:54:in `call'
/usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/content_length.rb:15:in `call'
/usr/lib/ruby/gems/2.3.0/gems/rack-1.6.4/lib/rack/handler/webrick.rb:88:in `service'
/usr/lib/ruby/2.3.0/webrick/httpserver.rb:140:in `service'
/usr/lib/ruby/2.3.0/webrick/httpserver.rb:96:in `run'
/usr/lib/ruby/2.3.0/webrick/server.rb:296:in `block in start_thread'
10.192.10.20 - - [16/Oct/2016:16:54:19 +0000] "POST /1/certificate/issue HTTP/1.1" 500 49 0.0064

reaperhulk commented 8 years ago

The test page just POSTs to the API endpoint. It's likely you're improperly encoding the CSR when you are using curl.

rjes commented 8 years ago

Thank you for your input. I think I managed to get one step forward:

$ cat curl_args 
ca=ca-app.netnerdz.se&profile=server&validityPeriod=31536000&subject%5BC%5D=Sweden&subject%5BST%5D=Stockholm&subject%5BL%5D=Stockholm&subject%5BO%5D=Netnerdz&subject%5BOU%5D=CA-App&subject%5BCN%5D=test-cert&subject%5BemailAddress%5D=&extensions%5BsubjectAlternativeName%5D%5B%5D=&extensions%5BsubjectAlternativeName%5D%5B%5D=&extensions%5BsubjectAlternativeName%5D%5B%5D=&extensions%5BsubjectAlternativeName%5D%5B%5D=&extensions%5BsubjectAlternativeName%5D%5B%5D=&csr=-----BEGIN+CERTIFICATE+REQUEST-----%0D%0AMIICiTCCAXECAQAwRDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTEh%0D%0AMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0B%0D%0AAQEFAAOCAQ8AMIIBCgKCAQEAypf%2B0Tlf5fPo5kgsBYdetr6mFLXwDGDlbkhWK9OR%0D%0ApZZSGMHrSH1aHQvJjCcYO1YD78Gte1W8z5erYVIaRSfoKfYvzVWW9%2BjihI7W1fsV%0D%0Axs8Uk48a6lnvULZVrSi3rcW%2F0eaXGBKrFYAaPtfnhM9snJwJ6fZWSj34jNENjFA%2B%0D%0ACYUslwW%2FAsqFhG8mD3DNEyFpF6mBK6%2FAzmQnyAw%2BRTQWTjI4riw1BoD0PNVDAnvT%0D%0AM%2FVijIglC202if027ZDDRJM1pFbUIx0XNEgLTojDuEF97Q5q2%2BarNHiTR%2FLW9%2BB9%0D%0AUMvCk%2F5znI2p2o7kBUCJtJFgNZnNK%2FigFUcXI4Lb7oXMeQIDAQABoAAwDQYJKoZI%0D%0AhvcNAQELBQADggEBAMcmfs%2FUQL%2BjvPxa7drFa%2BhdEBJu140OF%2B6sZUMSuCBhi1M2%0D%0Adek0nD0HIuEWmMRN8KiH9gNl7axuo1F1U1VK9AGm9H59EnSHInUMabgotnnPPf8n%0D%0A62jHhzH7sesgOCLPpRqVbrjNtbeu5HqK6jQZ7RXf%2Ft3zF688NABwidKTP4oJgjmV%0D%0AFWAC%2F60MeveQtcbsPhaC%2BLmgdVNqqXD9C22eBVwvjZg2VVWRSYaI596sAhOVWusJ%0D%0AJZI%2Fnc2ySp3bHkcvA37CP4yRPu3TCqNmfyJoGwZdRg0OZoYRD%2FTweE8BWZecxR93%0D%0AWkNFihGStMOX0c0LQ7fKpJT6%2Bzf%2F8GnIkaLr268%3D%0D%0A-----END+CERTIFICATE+REQUEST-----%0D%0A

Then the response is:

$ curl -d@curl_args -vvv --socks5 127.0.0.1:10081 172.20.202.20:9292/1/certificate/issue
*   Trying 127.0.0.1...
* TCP_NODELAY set
* SOCKS5 communication to 172.20.202.20:9292
* SOCKS5 connect to IPv4 172.20.202.20 (locally resolved)
* SOCKS5 request granted.
* Connected to 127.0.0.1 (127.0.0.1) port 10081 (#0)
> POST /1/certificate/issue HTTP/1.1
> Host: 172.20.202.20:9292
> User-Agent: curl/7.50.3
> Accept: */*
> Content-Length: 1554
> Content-Type: application/x-www-form-urlencoded
> Expect: 100-continue
> 
* Done waiting for 100-continue
* We are completely uploaded and fine
< HTTP/1.1 200 OK 
< Content-Type: text/plain;charset=utf-8
< Content-Length: 1899
< Server: WEBrick/1.3.1 (Ruby/2.3.1/2016-04-26)
< Date: Sun, 16 Oct 2016 17:35:30 GMT
< Connection: Keep-Alive
< 
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
* Curl_http_done: called premature == 0
* Connection #0 to host 172.20.202.20 left intact

So it seems like r509-ca-http doesn't handle it when the request contains '[' or ']', only the encoded form of the characters. I think I'm happy with my workaround, but it is maybe worth mentioning it in the r509-ca-howto, since testing API calls with curl is pretty common.

rjes commented 8 years ago

After some more debugging, my previous comment is wrong. I'll update with some new data soon.

rjes commented 8 years ago

I think I found something now: the data parameter to curl needs to urlencode the CSR:

-d "subject[C]=SE&subject[ST]=Stockholm&subject[L]=Stockholm&subject[O]=Netnerdz&subject[OU]=CA-App&subject[CN]=test-cert&ca=ca-app.netnerdz.se&profile=server&validityPeriod=31536000&csr=-----BEGIN+CERTIFICATE+REQUEST-----%0D%0AMIICiTCCAXECAQAwRDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTEh%0D%0AMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0B%0D%0AAQEFAAOCAQ8AMIIBCgKCAQEAypf%2B0Tlf5fPo5kgsBYdetr6mFLXwDGDlbkhWK9OR%0D%0ApZZSGMHrSH1aHQvJjCcYO1YD78Gte1W8z5erYVIaRSfoKfYvzVWW9%2BjihI7W1fsV%0D%0Axs8Uk48a6lnvULZVrSi3rcW%2F0eaXGBKrFYAaPtfnhM9snJwJ6fZWSj34jNENjFA%2B%0D%0ACYUslwW%2FAsqFhG8mD3DNEyFpF6mBK6%2FAzmQnyAw%2BRTQWTjI4riw1BoD0PNVDAnvT%0D%0AM%2FVijIglC202if027ZDDRJM1pFbUIx0XNEgLTojDuEF97Q5q2%2BarNHiTR%2FLW9%2BB9%0D%0AUMvCk%2F5znI2p2o7kBUCJtJFgNZnNK%2FigFUcXI4Lb7oXMeQIDAQABoAAwDQYJKoZI%0D%0AhvcNAQELBQADggEBAMcmfs%2FUQL%2BjvPxa7drFa%2BhdEBJu140OF%2B6sZUMSuCBhi1M2%0D%0Adek0nD0HIuEWmMRN8KiH9gNl7axuo1F1U1VK9AGm9H59EnSHInUMabgotnnPPf8n%0D%0A62jHhzH7sesgOCLPpRqVbrjNtbeu5HqK6jQZ7RXf%2Ft3zF688NABwidKTP4oJgjmV%0D%0AFWAC%2F60MeveQtcbsPhaC%2BLmgdVNqqXD9C22eBVwvjZg2VVWRSYaI596sAhOVWusJ%0D%0AJZI%2Fnc2ySp3bHkcvA37CP4yRPu3TCqNmfyJoGwZdRg0OZoYRD%2FTweE8BWZecxR93%0D%0AWkNFihGStMOX0c0LQ7fKpJT6%2Bzf%2F8GnIkaLr268%3D%0D%0A-----END+CERTIFICATE+REQUEST-----"

The endpoint doesn't accept the file as-is:

-d "subject[C]=SE&subject[ST]=Stockholm&subject[L]=Stockholm&subject[O]=Netnerdz&subject[OU]=CA-App&subject[CN]=test-cert&ca=ca-app.netnerdz.se&profile=server&validityPeriod=31536000&csr=$(cat test-cert.csr)"

or as a long string:

-d "subject[C]=SE&subject[ST]=Stockholm&subject[L]=Stockholm&subject[O]=Netnerdz&subject[OU]=CA-App&subject[CN]=test-cert&ca=ca-app.netnerdz.se&profile=server&validityPeriod=31536000&csr=$(cat test-cert.csr | tr -d '\n')"

Here's a one-liner that works:

-d "subject[C]=SE&subject[ST]=Stockholm&subject[L]=Stockholm&subject[O]=Netnerdz&subject[OU]=CA-App&subject[CN]=test-cert&ca=ca-app.netnerdz.se&profile=server&validityPeriod=31536000&csr=$(cat test-cert.csr| python2 -c "import sys, urllib as ul; [sys.stdout.write(ul.quote_plus(l)) for l in sys.stdin]")" 172.20.202.20:9292/1/certificate/issue

I think it would be nice to have r509-ca-http handle the CSR as-is, to simplify integrations (and have consistent handling of parameters). But I don't mind if this issue is closed with "wontfix" since I know how to handle the request.

reaperhulk commented 8 years ago

This is a function of how HTTP itself works -- supporting unencoded newlines would break POST data parsing. Thanks for going through the whole thing though!
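As an added illustration of the encoding problem rjes hit and of the maintainer's point about POST data parsing (example code written for this thread, not part of r509-ca-http): a Ruby script that builds a locally generated CSR, puts it into a form body the naive way and the percent-encoded way, then form-decodes both the way a Rack-style server would and checks whether OpenSSL can still parse the result. The field names mirror the curl command in the thread; the CSR and key are constructed on the fly and the CA endpoint is never contacted.

```ruby
require "openssl"
require "uri"

# Constructed CSR for this demonstration (not the CSR from the issue).
# A 2048-bit key gives a CSR the same size as the one in the thread; the loop
# guarantees its base64 body contains '+', the character that form decoding corrupts.
def build_test_csr
  loop do
    key = OpenSSL::PKey::RSA.new(2048)
    req = OpenSSL::X509::Request.new
    req.version = 0
    req.subject = OpenSSL::X509::Name.parse(
      "/C=SE/ST=Stockholm/L=Stockholm/O=Netnerdz/OU=CA-App/CN=test-cert"
    )
    req.public_key = key.public_key
    req.sign(key, OpenSSL::Digest.new("SHA256"))
    pem = req.to_pem
    return pem if pem.include?("+")
  end
end

# The non-CSR form fields from the curl command in the issue.
FIELDS = {
  "subject[C]" => "SE", "subject[ST]" => "Stockholm", "subject[L]" => "Stockholm",
  "subject[O]" => "Netnerdz", "subject[OU]" => "CA-App", "subject[CN]" => "test-cert",
  "ca" => "ca-app.netnerdz.se", "profile" => "server", "validityPeriod" => "31536000",
}.freeze

# What `curl -d "...&csr=$(cat test-cert.csr)"` sends: the PEM pasted in verbatim,
# with its newlines and '+' signs unencoded.
def naive_body(csr_pem)
  FIELDS.map { |k, v| "#{k}=#{v}" }.join("&") + "&csr=#{csr_pem}"
end

# What the working one-liner sends: every value percent-encoded, so '[' becomes %5B,
# '+' becomes %2B and each newline becomes %0A.
def encoded_body(csr_pem)
  URI.encode_www_form(FIELDS.merge("csr" => csr_pem))
end

# application/x-www-form-urlencoded decoding as a Rack-style server applies it:
# '+' turns into a space and %XX turns back into the original byte.
def server_side_csr(body)
  URI.decode_www_form(body).to_h["csr"]
end

# True when OpenSSL can parse what the server received. OpenSSL::OpenSSLError is the
# parent of the OpenSSL::X509::RequestError ("nested asn1 error") in the issue's trace.
def parses?(csr_text)
  OpenSSL::X509::Request.new(csr_text)
  true
rescue OpenSSL::OpenSSLError
  false
end

# Runs one CSR through both paths and reports what survived form decoding.
def compare(csr_pem)
  naive = server_side_csr(naive_body(csr_pem))
  encoded = server_side_csr(encoded_body(csr_pem))
  {
    plus_signs_in_pem: csr_pem.count("+"),
    naive_intact: naive == csr_pem,       # false: '+' became ' ' in the base64
    naive_parses: parses?(naive),         # false: the corrupted PEM is not valid ASN.1
    encoded_intact: encoded == csr_pem,   # true: decoding restores the PEM byte for byte
    encoded_parses: parses?(encoded),     # true
  }
end

if __FILE__ == $PROGRAM_NAME
  compare(build_test_csr).each { |k, v| puts "#{k}: #{v}" }
end
```

The spaces in the `csr` value of the server log above ("rg2jth pfEC4", "L0sjquP eh1g") are exactly the naive path: each '+' in the base64 was decoded as a space before r509 ever saw the CSR.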