NullReferenceException when trying to request a certificate for a single domain

I am evaluating CTW with a custom CA.

When making a certificate request without providing a CSR but only specifying a domain name in
the tab Certificate (see screenshot), I end up with an NullReferenceException.

image1531×549 33.4 KB

Logs

2023-08-22 16:47:40.803 +02:00 [ERR] Certificate request process failed: System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.

   bei Certify.ACME.Anvil.IOrderContextExtensions.<CreateCsr>d__1.MoveNext()

--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---

   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   bei Certify.ACME.Anvil.IOrderContextExtensions.<Finalize>d__0.MoveNext()

--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---

   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   bei Certify.Providers.ACME.Anvil.AnvilACMEProvider.<CompleteCertificateRequest>d__51.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Providers\ACME\Anvil\AnvilACMEProvider.cs:Zeile 1451.

--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---

   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   bei System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()

   bei Certify.Management.CertifyManager.<CompleteCertificateRequest>d__27.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:Zeile 808.

--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---

   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   bei Certify.Management.CertifyManager.<PerformCoreCertificateRequest>d__25.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:Zeile 555.

--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---

   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   bei Certify.Management.CertifyManager.<PerformCertificateRequest>d__23.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:Zeile 213.

System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.

I am using CTW 6.0.10.0 for which I unfortunately was not able to find a GitHub tag.
I think GitHub - webprofusion/certify at 31fedb3405ab3a11a9e78a9204560645b5883d3a is the corresponding code. From the code and the logs I derive, that the NullReferenceException probably origins in the anvil CreateCsr function, where the key is dereferenced https://github.com/webprofusion/anvil/blob/main/src/Certify.ACME.Anvil/Extensions/IOrderContextExtensions.cs#L50.

However, I only read the code and did not debugged it!

Is this a bug? What I am missing?

Interesting! Thanks for raising this issue. Was this an entirely new managed certificate or had you previously set this one use a custom CSR?

I requested a certificate for the same domain where I requested a certificate with a CSR first. But I deleted the CSR task and created an entirely new task for it.

I also just tested it with a domain for which I never requested a certificate before. The error stays the same.

May also note, that I do use the authorization method “(Use Custom Script)”.

Thanks, we’ve not see that error before and while there’s a chance it’s a new issue I’m not seeing it in my tests. One thing that happens in the CreateCSR step is a call to the ACME server for the order resource.

Which ACME server product are you using?

Also double check you are using the latest 6.0.11 version, that may help us for debugging specific line numbers.

The authorization type shouldn’t matter though, the error appears to be related to the identifiers (domains) or the key.

So you’re not using any other non-default options, just the following?

• New Certificate > (Adding your domain)
• Authorization > (Custom Script)
• Request Certificate

My remark “I am evaluating CTW with a custom CA.” was imprecise, respectively wrong.
I built my own ACME Server which uses a commerical CA. It works well with Certbot.

I updated CTW to 6.0.11. The logs stay the same but the line number of the NullReferenceException changed.

2023-08-23 12:42:33.800 +02:00 [ERR] Certificate request process failed: System.NullReferenceException: Der Objektverweis wurde nicht auf eine Objektinstanz festgelegt.

   bei Certify.ACME.Anvil.IOrderContextExtensions.<CreateCsr>d__1.MoveNext()

--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---

   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   bei Certify.ACME.Anvil.IOrderContextExtensions.<Finalize>d__0.MoveNext()

--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---

   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   bei Certify.Providers.ACME.Anvil.AnvilACMEProvider.<CompleteCertificateRequest>d__51.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Providers\ACME\Anvil\AnvilACMEProvider.cs:Zeile 1446.

--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---

   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   bei System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()

   bei Certify.Management.CertifyManager.<CompleteCertificateRequest>d__27.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:Zeile 808.

--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---

   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   bei Certify.Management.CertifyManager.<PerformCoreCertificateRequest>d__25.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:Zeile 555.

--- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---

   bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

   bei System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

   bei Certify.Management.CertifyManager.<PerformCertificateRequest>d__23.MoveNext() in D:\a\certify-internal\certify-internal\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:Zeile 213.

I used the options your described and set Deployment Mode to “No Deployment”.

Anyway, if your tests did not found any issue, the problem does probably originate on my side.
Sorry for bothering you with this!

Just found the problem. There was a spelling error in my order resource answer
Again - sorry for bothering you. And thanks for the fast replies!

Thanks, we’re always keen to make sure our app works with different ACME servers. I would suggest setting debug mode logging - edit C:\ProgramData\certify\serviceconfig,json and set “LogLevel” to “debug” then restart the Certify background service. You will then find that all ACME api calls are logged to C:\ProgramData\certify\logs\session.log - I would expect a failed API call to produce a more obvious error in our certificate request process though.

To help with debugging you could also extract the following PDB file into C:\Prorgam Files\CertifyTheWeb
https://certifytheweb.s3.amazonaws.com/downloads/test/Certify.ACME.Anvil.pdb.zip which should provide more detail on line numbers within the Anvil library. The actual CSR creation is within the BouncyCastle library but this error seems to be happening within the Anvil library.