Import of SSL Certificate Fails with an Error

Errors: "Bad signature length: got 512 but was expecting 256" and "Signature does not match."

Written by Petr Pech
Updated today

Error: "Bad signature length: got 512 but was expecting 256"

When a Let's Encrypt certificate is imported, a command such as the following:

curl -X PUT -u $flexibee_name:$flexibee_pass -k -L -T le-flexibee.pem https://localhost:5434/certificate.json


ends with the following error:

{"winstrom":{"@version":"1.0","success":"false","message":"Bad signature length: got 512 but was expecting 256"}}

The likely cause is that the uploaded chain was not End-entity certificate ← R3 ← ISRG Root X1, but the longer chain End-entity certificate ← R3 ← ISRG Root X1 ← DST Root CA X3.

If the chain is changed to End-entity certificate ← R3 ← ISRG Root X1, the certificate should be valid and the import should complete successfully. After importing, restart the application.


Error: "Signature does not match."

When a Let's Encrypt certificate is imported, a command such as the following:

curl -s -X PUT -u $flexibee_name:$flexibee_pass -k -L -T le-flexibee.pem https://localhost:5434/certificate.json

ends with the following error:

{"winstrom":{"success":"false","@version":"1.0","message@messageCode":"","message":"Signature does not match."}}

The cause may be an incomplete SSL chain.

Flexi requires the ROOT certificate of the Certificate Authority to be included in the chain. Once it is added to the chain, the certificate import itself will also proceed correctly.


Sample complete procedure:

# set this to the name of your certificate; it is used as part of the path to your Let's Encrypt certificate
certificate_name="example.com"

# Flexi credentials for automatic certificate upload to the server
flexibee_name="xxx"
flexibee_pass="yyy"

if [ -f "/etc/letsencrypt/live/$certificate_name/privkey.pem" ] ; then

cd "/etc/letsencrypt/live/$certificate_name" || exit 1

# convert key to PKCS#1 format
# (OpenSSL 3.x writes PKCS#8 here unless -traditional is added)
openssl rsa -in "/etc/letsencrypt/live/$certificate_name/privkey.pem" -out le-rsaprivkey.pem 2> /dev/null

# combine the certificate chain, the root certificate and the key into the final le-flexibee.pem
cat "/etc/letsencrypt/live/$certificate_name/fullchain.pem" /etc/ssl/certs/ISRG_Root_X1.pem le-rsaprivkey.pem > le-flexibee.pem

# now we have a Let's Encrypt certificate suitable for Flexi; upload it to the server
curl -s -X PUT -u "$flexibee_name:$flexibee_pass" -k -L -T le-flexibee.pem https://localhost:5434/certificate.json

# restart Flexi
service flexibee restart

fi
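
Both errors above come from the shape of the chain inside le-flexibee.pem, so the bundle can be checked before it is uploaded. The following is an added example, not part of the original article or of Flexi itself; the function names chain_pairs, check_pairs and check_bundle are hypothetical, and it assumes the openssl command-line tool is installed.

```sh
#!/bin/sh
# Added example (not vendor code). Pre-flight check for the bundle uploaded to
# /certificate.json: every certificate must be issued by the one that follows
# it, and the last certificate must be a self-signed root.

# chain_pairs FILE: print "subject|issuer" for each certificate, in file order.
# Non-certificate PEM blocks (the private key) are ignored.
chain_pairs() {
    d=$(mktemp -d) || return 2
    awk -v d="$d" '/-BEGIN CERTIFICATE-/ { n++; on = 1 }
                   on { print > (d "/" n ".pem") }
                   /-END CERTIFICATE-/ { on = 0; close(d "/" n ".pem") }' "$1"
    i=1
    while [ -f "$d/$i.pem" ]; do
        openssl x509 -in "$d/$i.pem" -noout -subject -issuer |
            sed 's/^[a-z]*= *//' | paste -s -d '|' -
        i=$((i + 1))
    done
    rm -rf "$d"
}

# check_pairs: read "subject|issuer" lines on stdin. Returns 0 for a complete,
# correctly ordered chain, 1 for a broken or incomplete one, 2 for no input.
check_pairs() {
    awk -F'|' '
        NR > 1 && issuer != $1 {
            printf "cert %d: issuer \"%s\" is not the next cert \"%s\"\n", NR - 1, issuer, $1
            bad = 1
        }
        { subject = $1; issuer = $2 }
        END {
            if (NR == 0) { print "no certificates found"; exit 2 }
            if (issuer != subject) {
                printf "chain stops at \"%s\"; root \"%s\" is missing\n", subject, issuer
                bad = 1
            }
            exit bad + 0
        }'
}

# check_bundle FILE: run both steps on a PEM bundle such as le-flexibee.pem.
check_bundle() { chain_pairs "$1" | check_pairs; }
```

Source the file and run check_bundle le-flexibee.pem before the curl upload; a non-zero exit status means the chain is out of order or does not end in a self-signed root.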