acme.client:JWS payload: Wrong identifiers.dns value

Hi,
I use the following command to issue wildcard certificates:

certbot-auto certonly --email $EMAIL --manual -d *.$DOMAIN -d $DOMAIN --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Today I’m getting this error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "root@sub.mydomain.online": Domain name contains an invalid character
Please see the logfiles in /var/log/letsencrypt for more details.

And I found this in the log, wrong value for the dns (root@sub.mydomain.online):

DEBUG:acme.client:JWS payload:
{
  "identifiers": [
    {
      "type": "dns", 
      "value": "root@sub.mydomain.online"
    }, 
    {
      "type": "dns", 
      "value": "mydomain.online"
    }
  ]
}

What’s wrong?

BTW root@sub.mydomain.online here is not real.

Hi @mkh

Read your output: your $DOMAIN value is wrong.

A second possibility may be that *.$DOMAIN is being expanded by the shell to an unexpected value.

Wrapping it in quotes may help:

-d "*.${DOMAIN}"

Nope, I'm sure about the domain.

Same error even by replacing the $DOMAIN variable with exact domain.

I'm just wondering why there are two entries for dns in the log. Actually root@sub.mydomain.online is wrong and I don't know where it comes from!

grep "main:Arguments" /var/log/letsencrypt/letsencrypt.log

A long list, but the wrong domain is there! What is main:Arguments and what can I do with that?

That’s the log line of how Certbot translated your command line arguments.

Here’s an even lower level debugging technique. This will show exactly what your shell sent to Certbot, after the $VARIABLES have been substituted, but before Certbot receives any input:

strace -e trace=execve -s 1024 certbot-auto certonly --email $EMAIL --manual -d "*.$DOMAIN" -d $DOMAIN --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

e.g.

$ strace -e trace=execve -s 1024 certbot-auto certonly --email $EMAIL --manual -d "*.$DOMAIN" -d $DOMAIN --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory -d foo.bar
execve("/usr/local/bin/certbot-auto", ["certbot-auto", "certonly", "--email", "admin@mydomain.online", "--manual", "-d", "*.mydomain.online", "-d", "mydomain.online", "--agree-tos", "--manual-public-ip-logging-ok", "--preferred-challenges", "dns-01", "--server", "https://acme-v02.api.letsencrypt.org/directory", "-d", "foo.bar"], 0x7fff8e69a360 /* 26 vars */) = 0

What I’m trying to get at is that the input is probably wrong long before Certbot sees it. What you can do about it is to 1) confirm what the actual input is and 2) fix your input as required.

If you are running a common shell like bash, you can also try

set -o xtrace

and it will print very verbosely what it is running.
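The following is an added example, not code from this thread or from Certbot, that reproduces the shell-expansion case described in the two replies above. It assumes (as a constructed scenario) that the working directory contains a stray file whose name matches the pattern `*.mydomain.online`; `show_args` plays the role of Certbot and simply prints the argument list it receives, so you can see what the shell passed before any program interprets it.

```shell
#!/bin/sh
# Added example: demonstrates pathname expansion of an unquoted -d *.$DOMAIN
# argument. Nothing here touches Let's Encrypt; it only shows what the shell
# hands to the program on the command line.

DOMAIN="mydomain.online"   # constructed sample value, not a real deployment

# Stand-in for certbot-auto: print each argument on its own line.
show_args() {
    for a in "$@"; do printf '%s\n' "$a"; done
}

# Create a scratch directory containing a file whose name happens to match
# *.mydomain.online (for example a mailbox export named root@sub.mydomain.online),
# then run show_args from inside that directory with the pattern UNQUOTED.
expand_unquoted() {
    dir=$(mktemp -d)
    : > "$dir/root@sub.$DOMAIN"
    ( cd "$dir" && show_args -d *.$DOMAIN -d $DOMAIN )
    rm -rf "$dir"
}

# Same scenario, but with the pattern QUOTED so the shell leaves it alone.
expand_quoted() {
    dir=$(mktemp -d)
    : > "$dir/root@sub.$DOMAIN"
    ( cd "$dir" && show_args -d "*.$DOMAIN" -d "$DOMAIN" )
    rm -rf "$dir"
}

# Convenience: the second argument is the value that follows the first -d.
first_domain_arg() {
    "$1" | sed -n 2p
}

# Usage (prints the two expansions side by side):
#   first_domain_arg expand_unquoted   -> root@sub.mydomain.online
#   first_domain_arg expand_quoted     -> *.mydomain.online
```

The unquoted run produces exactly the kind of bogus `dns` identifier seen in the JWS payload above: the literal `*.mydomain.online` is replaced by the matching file name before Certbot starts. Quoting the argument, or running the command from a directory with no matching files, keeps the wildcard literal. The same check works with `set -o xtrace` enabled, which prints the expanded argument list for every command.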

@_az
It turned out that -d *.mydomain.online is not valid any more and it should be wrapped in quotes, as you stated, but it's not about the shell. I'm just confused about what has changed! I was using this command for a long time. :thinking:

Thank you anyway. :pray:

