acme.client:JWS payload: Wrong identifiers.dns value

I use the following command to issue wildcard certificates:

certbot-auto certonly --email $EMAIL --manual -d *.$DOMAIN -d $DOMAIN --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server

Today I’m getting this error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
An unexpected error occurred:
The server will not issue certificates for the identifier :: Error creating new order :: Cannot issue for "": Domain name contains an invalid character
Please see the logfiles in /var/log/letsencrypt for more details.

And I found this in the log, wrong value for the dns (

DEBUG:acme.client:JWS payload:
  "identifiers": [
      "type": "dns", 
      "value": ""
      "type": "dns", 
      "value": ""

What’s wrong?

BTW here is not real.

Hi @mkh

read your output: Your $DOMAIN value is wrong.

A second possibility may be that *.$DOMAIN is being expanded by the shell to an unexpected value.

Wrapping it in quotes may help:

-d "*.${DOMAIN}"
1 Like

Nope, I'm sure about the domain.

Same error even by replacing the $DOMAIN variable with exact domain.

I'm just wondering why there are two entries for dns in the log. Actually is wrong and I don't know where does it come from!

grep "main:Arguments" /var/log/letsencrypt/letsencrypt.log

A long list but the wrong domain is there! What is main:Arguments and what I can I do with that?

That’s the log line of how Certbot translated your command line arguments.

Here’s an even lower level debugging technique. This will show exactly what your shell sent to Certbot, after the $VARIABLES have been substituted, but before Certbot receives any input:

strace -e trace=execve -s 1024 certbot-auto certonly --email $EMAIL --manual -d "*.$DOMAIN" -d $DOMAIN --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server


$ strace -e trace=execve -s 1024 certbot-auto certonly --email $EMAIL --manual -d "*.$DOMAIN" -d $DOMAIN --agree-tos --manual-public-ip-logging-ok --preferred-challenges dns-01 --server -d
execve("/usr/local/bin/certbot-auto", ["certbot-auto", "certonly", "--email", "", "--manual", "-d", "*", "-d", "", "--agree-tos", "--manual-public-ip-logging-ok", "--preferred-challenges", "dns-01", "--server", "", "-d", ""], 0x7fff8e69a360 /* 26 vars */) = 0

What I’m trying to get at is that the input is probably wrong long before Certbot sees it. What you can do about it is to 1) confirm what the actual input is and 2) fix your input as required.

If you are running a common shell like bash, you can also try

set -o xtrace

and it will print very verbosely what it is running.

It turned out that -d * is not valid any more and it should be wrapped in quotes, as you stated, but it’s not about shell. I’m just confused what has changed! I was using this command for a long time. :thinking:

Thank you anyway. :pray:

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.