Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: we are a hosting provider, but one example of a failing domain is: visitpearlofafrica.com
I ran this command: we are using various Perl modules (LE, ACME, etc.) to send customer domain SSL requests via the API: https://acme-v02.api.letsencrypt.org/acme/
It produced this output:
[Sun Jul 9 13:47:37 2023] [error] Param: domain => visitpearlofafrica.com
[Sun Jul 9 13:47:37 2023] [error] Param: hostname => visitpearlofafrica.com
[Sun Jul 9 13:47:37 2023] [error] [can_get_cert] info hash for visitpearlofafrica.com: {
'domain' => 'visitpearlofafrica.com',
'full_domain' => 'visitpearlofafrica.com',
'root_domain' => 'visitpearlofafrica.com',
[Sun Jul 9 13:47:37 2023] [debug] Need a cert for: /wildcard.visitpearlofafrica.com.crtc
[Sun Jul 9 13:47:37 2023] [error] Call get_acme_order with: , visitpearlofafrica.com, visitpearlofafrica.com, /,31306, 0
Sun Jul 9 13:47:37 2023: [get_acme_order] Domains: *.visitpearlofafrica.com, visitpearlofafrica.com
'value' => 'visitpearlofafrica.com'
'value' => 'visitpearlofafrica.com'
Sun Jul 9 13:47:38 2023: [redis_set_pending_authz] Adding pending status for visitpearlofafrica.com::https://acme-v02.api.letsencrypt.org/acme/authz-v3/244110561827
Sun Jul 9 13:47:38 2023: [redis_set_pending_authz] Adding pending status for visitpearlofafrica.com::https://acme-v02.api.letsencrypt.org/acme/authz-v3/244110561837
Sun Jul 9 13:47:38 2023: [_authz_handler] Started with zone: visitpearlofafrica.com, with challenges: bless( {
Sun Jul 9 13:47:38 2023: [_authz_handler] Challenge for: visitpearlofafrica.com => bless( {
Sun Jul 9 13:47:38 2023: [_authz_handler] [visitpearlofafrica.com] Need a DNS record at _acme-challenge.visitpearlofafrica.com with content: 0xB_l4IefvzNv44NvWwKQl7BZg5K5cSBy4Jf4U-t2_Y
Sun Jul 9 13:47:38 2023: [handle_dns] Started with base_domain==visitpearlofafrica.com, hostname_from_challenge==visitpearlofafrica.com, content==0xB_l4IefvzNv44NvWwKQl7BZg5K5cSBy4Jf4U-t2_Y
Sun Jul 9 13:47:38 2023: [add_cname_record] Args: visitpearlofafrica.com, _acme-challenge.visitpearlofafrica.com, visitpearlofafrica.com.letsencrypt.vdeck.eigdyn.com
Sun Jul 9 13:47:38 2023: [add_cname_record] CNAME record for _acme-challenge.visitpearlofafrica.com already exists (domain: visitpearlofafrica.com, id: 60604353)
Sun Jul 9 13:47:38 2023: [add_or_replace_txt_record] Inserting record for visitpearlofafrica.com.letsencrypt.vdeck.eigdyn.com (87732662): 0xB_l4IefvzNv44NvWwKQl7BZg5K5cSBy4Jf4U-t2_Y
Sun Jul 9 13:47:38 2023: [redis_add_txt] Add TXT to redis: visitpearlofafrica.com.letsencrypt.vdeck.eigdyn.com, 0xB_l4IefvzNv44NvWwKQl7BZg5K5cSBy4Jf4U-t2_Y
Sun Jul 9 13:47:38 2023: [_authz_handler] Started with zone: visitpearlofafrica.com, with challenges: bless( {
Sun Jul 9 13:47:38 2023: [_authz_handler] Challenge for: visitpearlofafrica.com => bless( {
Sun Jul 9 13:47:38 2023: [_authz_handler] [visitpearlofafrica.com] Need a DNS record at _acme-challenge.visitpearlofafrica.com with content: XhGkFtSuXahFB7UOv5cIgmfU0ZtO7UaOScVRaPuZnNY
Sun Jul 9 13:47:38 2023: [handle_dns] Started with base_domain==visitpearlofafrica.com, hostname_from_challenge==visitpearlofafrica.com, content==XhGkFtSuXahFB7UOv5cIgmfU0ZtO7UaOScVRaPuZnNY
Sun Jul 9 13:47:38 2023: [add_cname_record] Args: visitpearlofafrica.com, _acme-challenge.visitpearlofafrica.com, visitpearlofafrica.com.letsencrypt.vdeck.eigdyn.com
Sun Jul 9 13:47:38 2023: [add_cname_record] CNAME record for _acme-challenge.visitpearlofafrica.com already exists (domain: visitpearlofafrica.com, id: 60604353)
Sun Jul 9 13:47:38 2023: [add_or_replace_txt_record] Inserting record for visitpearlofafrica.com.letsencrypt.vdeck.eigdyn.com (87732662): XhGkFtSuXahFB7UOv5cIgmfU0ZtO7UaOScVRaPuZnNY
Sun Jul 9 13:47:38 2023: [redis_add_txt] Add TXT to redis: visitpearlofafrica.com.letsencrypt.vdeck.eigdyn.com, XhGkFtSuXahFB7UOv5cIgmfU0ZtO7UaOScVRaPuZnNY
Sun Jul 9 13:47:39 2023: [handle_authorizations] Accepting challenges for *.visitpearlofafrica.com
Sun Jul 9 13:47:39 2023: [handle_authorizations] Dump of challenge for *.visitpearlofafrica.com: bless( {
Sun Jul 9 13:47:39 2023: [handle_authorizations] Dump of challenge for *.visitpearlofafrica.com: bless( {
Sun Jul 9 13:47:40 2023: [handle_authorizations] Done accepting challenges for *.visitpearlofafrica.com
Sun Jul 9 13:47:40 2023: [redis_clear_pending_authz] Deleting pending status for visitpearlofafrica.com::https://acme-v02.api.letsencrypt.org/acme/authz-v3/244110561827 (0/1)
Sun Jul 9 13:47:40 2023: [redis_clear_pending_authz] Deleting pending status for visitpearlofafrica.com::https://acme-v02.api.letsencrypt.org/acme/authz-v3/244110561837 (0/1)
Sun Jul 9 13:47:40 2023: [_make_key_for_domains] Looking for existing key for *.visitpearlofafrica.com at: /wildcard.visitpearlofafrica.com.key
Sun Jul 9 13:47:40 2023: [_make_key_for_domains] Use existing key for *.visitpearlofafrica.com
Sun Jul 9 13:47:40 2023: [handle_authorizations] Creating CSR for *.visitpearlofafrica.com
Sun Jul 9 13:47:40 2023: [_make_key_for_domains] Generating CSR for *.visitpearlofafrica.com
Sun Jul 9 13:47:40 2023: [_make_key_for_domains] CSR req for .visitpearlofafrica.com: openssl req -new -sha384 -key /wildcard.visitpearlofafrica.com.key -subj '/CN=.visitpearlofafrica.com' -reqexts SAN -extensions SAN -config /wildcard.visitpearlofafrica.com.cnf
Sun Jul 9 13:47:40 2023: [handle_authorizations] Calling finalize_order for .visitpearlofafrica.com
[Sun Jul 9 13:47:43 2023] [error] [call_acme] [visitpearlofafrica.com/.visitpearlofafrica.com] Exception in handle_authorizations: Net::ACME2::ACME: “https://acme-v02.api.letsencrypt.org/acme/finalize/36261705/193867515727” indicated an ACME error: 403 Forbidden (403 urn:ietf:params:acme:error:orderNotReady (Order's status ("invalid") is not acceptable for finalization)).SCALAR(0x1e5ad364c7b0) ==> Net::ACME2::Generic::new('Net::ACME2::ACME', '“https://acme-v02.api.letsencrypt.org/acme/finalize/36261705/193867515727” indicated an ACME error: 403 Forbidden (403 urn:ietf:params:acme:error:orderNotReady (Order's status ("invalid") is not acceptable for finalization)).
It seems to be dying here, when the CSR/order is sent to ACME:
# Paths
my $cert_path = $cert_dir . "/" . $output_name . ".crtc";
my $key_path = $cert_dir . "/" . $output_name . ".key";
my $cert_path_final = $final_dir . "/" . $output_name . ".crtc";
my $key_path_final = $final_dir . "/" . $output_name . ".key";
# Load existing key or make a new one
my $key = _make_key_for_domains( $domains[0], $key_path );
# If we couldn't make a key, fail it
unless ( $key ) {
    _log( 1, "[handle_authorizations] Unable to create key for $domains[0]" );
    return;
} # end unless
# Debug
_log( 128, "[handle_authorizations] Creating CSR for $domains[0]" );
# Generate CSR
my $csr = _make_csr_for_domains( $key, $key_path, @domains );
# my $csr = _make_csr_for_domains( $key, @domains );
# Debug
_log( 128, "[handle_authorizations] Calling finalize_order for $domains[0]" );
# Sleep for a sec to let things settle
sleep 3;
# Send CSR to LE
$acme->finalize_order( $order, $csr ); # <---- doesn't make it past here, as we don't see the "begin order wait loop" in the line below this
# Debug
_log( 128, "[handle_authorizations] Begin order wait loop for $domains[0]" );
I can see that the TXT/CNAME records are generated properly, but for some reason the status is "invalid".
[cmauldin@C02XK26TJG5L-M ~]
[Sun Jul 09 11:42:25]$ dig TXT _acme-challenge.visitpearlofafrica.com +short
visitpearlofafrica.com.letsencrypt.vdeck.eigdyn.com.
[cmauldin@C02XK26TJG5L-M ~]
[Sun Jul 09 11:43:03]$ dig CNAME _acme-challenge.visitpearlofafrica.com +short
visitpearlofafrica.com.letsencrypt.vdeck.eigdyn.com.
The cnf/key files for the CSR generation do exist (we keep them in the 'tmp' dir and then the final crt is placed in the same path but without 'tmp'):
ll / | grep visitpearl
-rw-rw-rw- 1 nobody nogroup 11080 Jul 8 16:12 wildcard.visitpearlofafrica.com.cnf
-rw-rw-rw- 1 nobody nogroup 288 Jul 8 16:12 wildcard.visitpearlofafrica.com.key
For some background, this was all architected by someone no longer with our company and I'm pretty new to LE. If any additional information, such as more info from the Perl subroutines, is required, please let me know.
My web server is (include version): nginx 1:1.17.8-1
The operating system my web server runs on is (include version): Ubuntu 18.04.5
My hosting provider, if applicable, is: we're the provider
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): the customers do, we're troubleshooting via SSH
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot isn't installed, not sure where I would find this information
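One check a client can run before calling finalize_order, added here as an example and not part of the original post or the poster's Perl code: follow the _acme-challenge CNAME delegation the log shows and confirm that every expected TXT value for the order is present at the end of the chain. A wildcard name plus its base name produce two authorizations, and the log above shows both values being written to the same record id 87732662 through add_or_replace_txt_record, so the check reports each value separately. All names, record values and the zone snapshot are constructed stand-ins; a real deployment would query a public resolver instead of the dict.

```python
import base64
import hashlib

# Constructed zone snapshot standing in for resolver answers (not real DNS data).
# Mirrors the delegation pattern in the log: _acme-challenge.<domain> is a CNAME
# to a name in a provider-controlled zone, and the TXT records live at the target.
CONSTRUCTED_ZONE = {
    "_acme-challenge.example.com.": [("CNAME", "example.com.acme-delegate.example.net.")],
    # Only one TXT value survived: a second "replace" overwrote the first.
    "example.com.acme-delegate.example.net.": [("TXT", "second-challenge-digest")],
}

def dns01_txt_value(token: str, account_thumbprint: str) -> str:
    """RFC 8555 s8.4: TXT value = base64url(SHA-256(token '.' thumbprint)), unpadded."""
    key_authz = f"{token}.{account_thumbprint}".encode()
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def resolve_txt(zone: dict, name: str, max_hops: int = 8) -> tuple:
    """Follow CNAMEs from `name`; return (final_name, txt_values).
    A loop or an over-long chain raises, since that is itself a misconfiguration."""
    name = name if name.endswith(".") else name + "."
    seen = []
    for _ in range(max_hops):
        seen.append(name)
        rrs = zone.get(name, [])
        cnames = [v for t, v in rrs if t == "CNAME"]
        if cnames:
            name = cnames[0]
            if name in seen:
                raise ValueError(f"CNAME loop: {' -> '.join(seen + [name])}")
            continue
        return name, [v for t, v in rrs if t == "TXT"]
    raise ValueError(f"CNAME chain exceeded {max_hops} hops starting at {seen[0]}")

def dns01_readiness(zone: dict, domain: str, expected: list) -> dict:
    """Report, per expected digest, whether it is visible at the end of the chain.
    A wildcard and its base name yield two authorizations, so two TXT values
    must coexist at the same _acme-challenge name (add, never replace)."""
    _, found = resolve_txt(zone, f"_acme-challenge.{domain}")
    return {value: value in found for value in expected}

if __name__ == "__main__":
    report = dns01_readiness(CONSTRUCTED_ZONE, "example.com",
                             ["first-challenge-digest", "second-challenge-digest"])
    for value, ok in report.items():
        print(f"{'OK     ' if ok else 'MISSING'} {value}")
```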