f.haeder.net

New SSL CSR doesn't want to validate with local CA file

I have created a new certificate for another subdomain. But now it got stuck with a typical error message:
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'DE'
stateOrProvinceName :ASN.1 12:'Northrhine-Westphalia'
organizationName :ASN.1 12:'Roland Haeder'
organizationalUnitName:ASN.1 12:'private'
commonName :ASN.1 12:'some.bla.domain'
emailAddress :IA5STRING:'webmaster@shipsimu.de'
The stateOrProvinceName field needed to be the same in the
CA certificate (Northrhine-Westphalia) and the request (Northrhine-Westphalia)

Well, it looks the same, right? But it is not. Use openssl asn1parse </etc/ssl/your/certs/ca.pem to examine your CA file. Then do the same with the CSR file, and you might see the difference: UTF8STRING versus PRINTABLESTRING was the case here.

Well, here you have it. Now go to your openssl-ca.cnf file (or whichever configuration file your certificate uses) and set string_mask to utf8only. I'm currently testing UTF-8 in SSL certificates with my server.
#bug-fix certificate csr openssl ssl
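
The comparison described in the post above, as an added example that is not part of the original post: a small DER walker that lists each subject attribute with its ASN.1 string type and reports attributes whose text is identical but whose type differs (tag 12 is the "ASN.1 12" shown in the error output). The two names are constructed samples; that the CA side used PRINTABLESTRING is an assumption.

```python
# Added example: find DN attributes whose text matches but whose ASN.1 string type differs.
TAGS = {0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x16: "IA5STRING"}
NAMES = {bytes.fromhex("550406"): "countryName",
         bytes.fromhex("550408"): "stateOrProvinceName"}

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length: low 7 bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for every TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def dn_attributes(name_der):
    """Name = SEQUENCE of SET of SEQUENCE { OID, string } -> [(name, type, text)]."""
    tag, rdns, _ = tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER Name")
    out = []
    for _, rdn in children(rdns):
        for _, atv in children(rdn):
            (_, oid), (vtag, val) = children(atv)
            out.append((NAMES.get(oid, oid.hex()), TAGS.get(vtag, f"tag {vtag}"),
                        val.decode("utf-8", "replace")))
    return out

def encoding_mismatches(ca_name, csr_name):
    """Attributes with equal text in both names but a different string type."""
    ca = {name: (typ, text) for name, typ, text in dn_attributes(ca_name)}
    return [(name, ca[name][0], typ) for name, typ, text in dn_attributes(csr_name)
            if name in ca and ca[name][1] == text and ca[name][0] != typ]

def enc(tag, value):                         # short-form DER encoder for the samples
    return bytes([tag, len(value)]) + value

def make_name(attrs):                        # builds a constructed sample Name
    return enc(0x30, b"".join(enc(0x31, enc(0x30, enc(0x06, oid) + enc(tag, text.encode())))
                              for oid, tag, text in attrs))

C, ST = bytes.fromhex("550406"), bytes.fromhex("550408")
CA_NAME = make_name([(C, 0x13, "DE"), (ST, 0x13, "Northrhine-Westphalia")])   # constructed
CSR_NAME = make_name([(C, 0x13, "DE"), (ST, 0x0C, "Northrhine-Westphalia")])  # constructed
```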

Let's Encrypt!

I have now installed a better #SSL certificate issued by #LetsEncrypt and with the help of this #python script: https://github.com/diafygi/acme-tiny

Plus I have used a largely expanded #shell script:
https://social.mxchange.org/renew-certs.sh

But now my SSL sites got rated with B by #SSLLabs because of an incomplete chain. I think I need to download the CA certificate and attach it to mine?

I have also added (not yet reloaded) DH parameters (DH = Diffie-Hellman?) to my certificate parameters, I have read it will improve some security.
#SSL #LetsEncrypt #python #shell #SSLLabs letsencrypt security ssl
Yes, that was the case. I needed to include the certificate in my file.