The request message was malformed :: CSR generated using a pre-1.0.2 OpenSSL with a client that doesn't properly specify the CSR version

Hi and our first issue report in 2017.

Requesting Let's Encrypt certificate on a CentOS 6.x Virtualmin system is giving:

An unexpected error occurred:
The request message was malformed :: CSR generated using a pre-1.0.2 OpenSSL with a client that doesn't properly specify the CSR version. See https://community.letsencrypt.org/t/openssl-bug-information/19591
Please see the logfiles in /var/log/letsencrypt for more details.

Searching Virtualmin.com gives this relevant discussion https://www.virtualmin.com/node/44321 where Jamie skeptically suggests:

You may have to upgrade OpenSSL manually, by downloading and compiling it from the source. If Let's Encrypt doesn't accept certs from older versions, there isn't much Virtualmin can do :-(

However, unlike Ivan2 in that case, we never installed any letsencrypt-related software other than what comes from Virtualmin itself, because we always comply with *min official repositories and because that's what Eric recommends in another discussion on https://www.virtualmin.com/node/41607:

You probably want to use our built-in letsencrypt client (which is a minimal client written in Python; I think Jamie settled on using ACME Tiny, but it might be another one), rather than the one provided by Debian or something downloaded. Every client has different command line options and usage, so Virtualmin wouldn't know about any clients other than its own built-in one or the official ACME client distributed by the Let's Encrypt folks.

The problem is that what Eric said contradicts what Jamie suggests, so I wonder what the optimal solution is here. Should we follow Jamie's recommendation and upgrade OpenSSL by compiling manually? Or is there another way that would be "officially" proposed by the *min team to address this issue principally?

Status: Active

Comments

Surprisingly enough, deleting the /etc/letsencrypt directory helped and now Let's Encrypt is generated successfully. As I said, we never installed any custom solutions, so the /etc/letsencrypt directory comes from Virtualmin. Anyway, I hope this will be processed by your team to make up your mind and offer the official solution.

Howdy -- glad to hear you got it working!

That same solution is also what got it working for Ivan in the first post you linked to. That causes it to generate a new Let's Encrypt account key. It's possible something somehow got corrupted, and that starting over with a new key or other metadata fixed it.

We do recommend using the CentOS provided tools where possible.

None of us, including Jamie, would recommend manually compiling packages when another option is available... Jamie was just working with the error message being provided at the time. The error seemed to be indicating that there was a compatibility problem with the openssl library.

Thankfully, that doesn't appear to be the case, and we're glad to hear it's working for you again.

We're not sure what might have triggered the problem in your case, but we'll certainly keep an eye out for others seeing that same issue.

And of course, if it happens again, please let us know.