Error creating certificate from Entrust Certificate Services #2570
Comments
I have made one small change that solves the crash but I kind of doubt that this leads to a usable solution. Leaving out the finalization step from the order payload means that the server is not compliant with the ACME standard as defined in RFC8555. That field missing means that no CSR can/will be submitted to the service, which means that we don't have access to the certificate's private key (because it's not using the one we've generated). Presumably that means the key is generated by Entrust (bad for security, that means they have access and can leak it) and sent with the certificate download or something, but that is not how things are supposed to work. I cannot test this because I'm not going to pay 220 dollars for their yearly subscription just to be able to test/support their non-standard solution. How these people expect to compete against free is beyond me 😄. Anyway you can try the build here: https://ci.appveyor.com/project/WouterTinus/win-acme-s8t9q/builds/49746660/artifacts
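An added example (my own, not win-acme or ACMESharp code) that parses an ACME order object as RFC 8555 section 7.1.3 defines it and shows why a response without a finalize member fails strict deserialization yet can be accepted leniently; ENTRUST_LIKE_ORDER and COMPLIANT_ORDER are constructed samples with PLACEHOLDER path segments.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Members RFC 8555 section 7.1.3 marks as required on an order object.
REQUIRED_ORDER_MEMBERS = ("status", "identifiers", "authorizations", "finalize")

# Constructed sample modelled on the Entrust response in the issue log (opaque
# path segments replaced by PLACEHOLDER). Note the absent "finalize" member.
ENTRUST_LIKE_ORDER = (
    '{"status":"valid","expires":"2024-05-09T14:53:16Z",'
    '"identifiers":[{"type":"dns","value":"domain.example"}],'
    '"authorizations":["https://acme.entrust.net/acme2/authz/PLACEHOLDER"],'
    '"certificate":"https://acme.entrust.net/acme2/cert/PLACEHOLDER"}'
)
# Constructed sample of an order carrying every required member.
COMPLIANT_ORDER = (
    '{"status":"ready","identifiers":[{"type":"dns","value":"domain.example"}],'
    '"authorizations":["https://ca.example/acme/authz/PLACEHOLDER"],'
    '"finalize":"https://ca.example/acme/order/PLACEHOLDER/finalize"}'
)

@dataclass
class AcmeOrder:
    status: str
    identifiers: list
    authorizations: list
    finalize: Optional[str]  # None only when parsed leniently

def missing_required(body: str) -> list:
    """Names of required order members absent from a JSON response body."""
    data = json.loads(body)
    return [m for m in REQUIRED_ORDER_MEMBERS if m not in data]

def parse_order(body: str, strict: bool = True) -> AcmeOrder:
    """strict=True mirrors the ACMESharp behaviour in the issue (hard error);
    strict=False keeps the object but leaves finalize=None for the caller."""
    missing = missing_required(body)
    if strict and missing:
        raise ValueError(f"order object missing required properties: {missing}")
    data = json.loads(body)
    return AcmeOrder(status=data["status"],
                     identifiers=data.get("identifiers", []),
                     authorizations=data.get("authorizations", []),
                     finalize=data.get("finalize"))

def csr_submission_possible(order: AcmeOrder) -> bool:
    """No finalize URL means nowhere to POST a CSR, so any certificate the server
    later offers was not issued for a key this client generated (see comment above)."""
    return order.finalize is not None
```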
Thank you Wouter :) I will try it. It could perhaps be that we are using OV certificates, which means that you cannot input anything you like into the CSR; could that perhaps generate this error? Considering that if I press retry when I get the error it actually works? As for the CSR being saved by Entrust, I'm quite uncertain, I will look into this, thank you! :D
Did you manage to try build 1667?
It works like a charm! Thank you very much Wouter! :)
This has been released in 2.2.9
Describe the bug
Error when creating a certificate from Entrust Certificate Services using ACMEv2; this is done using a manual request. The console errors with the information "Error requesting certificate [Manual] domain.example" directly after "Expecting challenge type http-01 not available". The log error that I get in the file states the following:
"System.Text.Json.JsonException: JSON deserialization for type 'ACMESharp.Protocol.Resources.AcmeOrder' was missing required properties, including the following: finalize"
When running the same command again I will get the certificate and it will install fine using the cache.
To Reproduce
wacs.exe
N, 2, input value, 3
Expected behavior
Get a certificate that is imported to the local machine store
Log
2024-05-02 16:53:27.129 +02:00 [VRB] [HTTP] Request completed with status "OK"
2024-05-02 16:53:27.130 +02:00 [VRB] [HTTP] Response content: {"status":"valid","expires":"2024-05-09T14:53:16Z","identififiers":[{"type":"dns","value":"domain.example"}],"authorizations":["https://acme.entrust.net/acme2/authz/********"],"certificate":"https://acme.entrust.net/acme2/cert/********"}
2024-05-02 16:53:27.160 +02:00 [ERR] Error requesting certificate [Manual] domain.example
System.Text.Json.JsonException: JSON deserialization for type 'ACMESharp.Protocol.Resources.AcmeOrder' was missing required properties, including the following: finalize
at System.Text.Json.ThrowHelper.ThrowJsonException_JsonRequiredPropertyMissing(JsonTypeInfo parent, BitArray requiredPropertiesSet)
at System.Text.Json.Serialization.Converters.ObjectDefaultConverter`1.OnTryRead(Utf8JsonReader& reader, Type typeToConvert, JsonSerializerOptions options, ReadStack& state, T& value)
at System.Text.Json.Serialization.Converters.JsonMetadataServicesConverter`1.OnTryRead(Utf8JsonReader& reader, Type typeToConvert, JsonSerializerOptions options, ReadStack& state, T& value)
at System.Text.Json.Serialization.JsonConverter`1.TryRead(Utf8JsonReader& reader, Type typeToConvert, JsonSerializerOptions options, ReadStack& state, T& value, Boolean& isPopulatedValue)
at System.Text.Json.Serialization.JsonConverter`1.ReadCore(Utf8JsonReader& reader, JsonSerializerOptions options, ReadStack& state)
at System.Text.Json.Serialization.Metadata.JsonTypeInfo`1.Deserialize(Utf8JsonReader& reader, ReadStack& state)
at System.Text.Json.JsonSerializer.ReadFromSpan[TValue](ReadOnlySpan`1 utf8Json, JsonTypeInfo`1 jsonTypeInfo, Nullable`1 actualByteCount)
at System.Text.Json.JsonSerializer.ReadFromSpan[TValue](ReadOnlySpan`1 json, JsonTypeInfo`1 jsonTypeInfo)
at System.Text.Json.JsonSerializer.Deserialize[TValue](String json, JsonTypeInfo`1 jsonTypeInfo)
at ACMESharp.Protocol.AcmeProtocolClient.Deserialize[T](HttpResponseMessage resp, JsonTypeInfo`1 typeInfo)
at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync[TResponse,TRequest](String uri, JsonTypeInfo`1 requestType, JsonTypeInfo`1 responseType, HttpMethod method, TRequest message, HttpStatusCode[] expectedStatuses, Boolean includePublicKey, String opName)
at ACMESharp.Protocol.AcmeProtocolClient.FinalizeOrderAsync(AcmeOrderDetails details, Byte[] derEncodedCsr)
at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.<>c__DisplayClass1_0`1.<<Retry>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Backoff[T](AcmeProtocolClient client, Func`1 executor, ILogService log, Int32 attempt)
at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Retry[T](AcmeProtocolClient client, Func`1 executor, ILogService log, Int32 attempt)
at PKISharp.WACS.Clients.Acme.AcmeClient.SubmitCsr(AcmeOrderDetails details, Byte[] csr)
at PKISharp.WACS.Services.CertificateService.RequestCertificate(ICsrPlugin csrPlugin, Order order)
at PKISharp.WACS.OrderProcessor.GetFromServer(OrderContext context)
Platform:
Additional context
It's just weird that it works the second time with the cache and not directly. Could it perhaps be a timing problem? Entrust is not done creating the certificate when we request it again?