Acme.sh: Another 500 error when trying to renew my cert

My domain is:
login.alumsum.com

I ran this command:
sudo /etc/letsencrypt/acme.sh --renew -d login.alumsum.com --force

It produced this output:
ec2-user@ip-172-31-15-58 ~]$ sudo /etc/letsencrypt/acme.sh --renew -d login.alumsum.com --force
[Fri May 9 14:46:46 UTC 2025] Renew: 'login.alumsum.com'
[Fri May 9 14:46:46 UTC 2025] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Fri May 9 14:46:46 UTC 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri May 9 14:46:46 UTC 2025] Standalone mode.
[Fri May 9 14:46:46 UTC 2025] Single domain='login.alumsum.com'
[Fri May 9 14:46:47 UTC 2025] Getting webroot for domain='login.alumsum.com'
[Fri May 9 14:46:47 UTC 2025] login.alumsum.com is already verified, skip http-01.
[Fri May 9 14:46:47 UTC 2025] Verify finished, start to sign.
[Fri May 9 14:46:47 UTC 2025] Lets finalize the order.
[Fri May 9 14:46:47 UTC 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1582474947/382394759497'
[Fri May 9 14:46:48 UTC 2025] Sign failed, finalize code is not 200.
[Fri May 9 14:46:48 UTC 2025] {
"type": "urn:ietf:params:acme:error:serverInternal",
"detail": "Error finalizing order",
"status": 500
}
[Fri May 9 14:46:48 UTC 2025] Please add '--debug' or '--log' to check more details.
[Fri May 9 14:46:48 UTC 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
aws
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

You are requesting the must-staple option for your cert which Let's Encrypt no longer supports.

If you had registered an email address with your account you would have received emails about this. Better is to monitor the announcements in the API section of this forum.

Please see: Error 500 when finalizing ACME order - #3 by petercooperjr

4 Likes

Very important: How do I renew my certificate at this point? What do I need to change in my request?

You need to remove the must-staple option from your cert renewal config.

I am not sure how you do that with acme.sh. Perhaps someone else will know. Or, visit their github and post an issue there. Maybe this google helps: how modify acme.sh renewal config - Google Search

4 Likes

The quick way to fix your renewal config is to open the file

~/.acme.sh/login.alumsum.com/login.alumsum.com.conf 

(may also be ~/.acme.sh/login.alumsum.com_ecc/login.alumsum.com.conf)

then find the line where it says

Le_OCSP_Staple='1'

and change that 1 to a 0, or remove the entire line. Then renew normally.

6 Likes

Apologies for the confusion, this 500 will be fixed shortly.

You do still need to remove MustStaple from your config, but the error code and message should be improved soon.

5 Likes

@Nummer378
Le_OCSP_Staple='1' does not exist in my file, yet I am getting that 500 error.

@Nummer378: Need to correct myself. Now, I am getting 403 unauthorized as my error.

Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1582474947/382474598617'
[Fri May  9 21:12:10 UTC 2025] Sign failed, finalize code is not 200.
[Fri May  9 21:12:10 UTC 2025] {
  "type": "urn:ietf:params:acme:error:unauthorized",
  "detail": "Error finalizing order :: OCSP must-staple extension is no longer available: see https://letsencrypt.org/2024/12/05/ending-ocsp",
  "status": 403
}

The only other explanation would be that you're using custom CSRs that contain the must-staple extension. From the logs you've shared I can't tell you anything else, but running acme.sh with the --debug option may have more information.

5 Likes

@Nummer378: More detailed log:

[ec2-user@ip-172-31-15-58 login.alumsum.com]$ sudo /etc/letsencrypt/acme.sh --renew -d login.alumsum.com --force --debug
[Fri May  9 21:24:25 UTC 2025] Lets find script dir.
[Fri May  9 21:24:25 UTC 2025] _SCRIPT_='/etc/letsencrypt/acme.sh'
[Fri May  9 21:24:25 UTC 2025] _script='/etc/letsencrypt/acme.sh'
[Fri May  9 21:24:25 UTC 2025] _script_home='/etc/letsencrypt'
[Fri May  9 21:24:25 UTC 2025] Using default home:/root/.acme.sh
[Fri May  9 21:24:25 UTC 2025] Using config home:/root/.acme.sh
[Fri May  9 21:24:25 UTC 2025] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.8
[Fri May  9 21:24:25 UTC 2025] Running cmd: renew
[Fri May  9 21:24:25 UTC 2025] _renewServer
[Fri May  9 21:24:25 UTC 2025] Using config home:/root/.acme.sh
[Fri May  9 21:24:25 UTC 2025] default_acme_server
[Fri May  9 21:24:25 UTC 2025] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Fri May  9 21:24:25 UTC 2025] _ACME_SERVER_HOST='acme.zerossl.com'
[Fri May  9 21:24:25 UTC 2025] _ACME_SERVER_PATH='v2/DV90'
[Fri May  9 21:24:25 UTC 2025] DOMAIN_PATH='/root/.acme.sh/login.alumsum.com'
[Fri May  9 21:24:25 UTC 2025] Renew: 'login.alumsum.com'
[Fri May  9 21:24:25 UTC 2025] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Fri May  9 21:24:25 UTC 2025] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Fri May  9 21:24:25 UTC 2025] initpath again.
[Fri May  9 21:24:25 UTC 2025] Using config home:/root/.acme.sh
[Fri May  9 21:24:25 UTC 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Fri May  9 21:24:25 UTC 2025] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Fri May  9 21:24:25 UTC 2025] _ACME_SERVER_PATH='directory'
[Fri May  9 21:24:25 UTC 2025] _main_domain='login.alumsum.com'
[Fri May  9 21:24:25 UTC 2025] _alt_domains='no'
[Fri May  9 21:24:25 UTC 2025] 'no' does not contain 'dns'
[Fri May  9 21:24:25 UTC 2025] 'no' does not contain 'dns'
[Fri May  9 21:24:25 UTC 2025] Le_NextRenewTime='1744138651'
[Fri May  9 21:24:25 UTC 2025] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Fri May  9 21:24:25 UTC 2025] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Fri May  9 21:24:25 UTC 2025] GET
[Fri May  9 21:24:25 UTC 2025] url='https://acme-v02.api.letsencrypt.org/directory'
[Fri May  9 21:24:25 UTC 2025] timeout=
[Fri May  9 21:24:25 UTC 2025] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.w9e90Q1i5o  -g '
[Fri May  9 21:24:25 UTC 2025] ret='0'
[Fri May  9 21:24:25 UTC 2025] response='{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "khk0b2QTHkg": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "profiles": {
      "classic": "https://letsencrypt.org/docs/profiles#classic",
      "shortlived": "https://letsencrypt.org/docs/profiles#shortlived (not yet generally available)",
      "tlsserver": "https://letsencrypt.org/docs/profiles#tlsserver"
    },
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
[Fri May  9 21:24:25 UTC 2025] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Fri May  9 21:24:25 UTC 2025] ACME_NEW_AUTHZ
[Fri May  9 21:24:25 UTC 2025] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Fri May  9 21:24:25 UTC 2025] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Fri May  9 21:24:25 UTC 2025] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Fri May  9 21:24:25 UTC 2025] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf'
[Fri May  9 21:24:25 UTC 2025] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Fri May  9 21:24:25 UTC 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri May  9 21:24:25 UTC 2025] _on_before_issue
[Fri May  9 21:24:25 UTC 2025] _chk_main_domain='login.alumsum.com'
[Fri May  9 21:24:25 UTC 2025] _chk_alt_domains
[Fri May  9 21:24:25 UTC 2025] 'no' contains 'no'
[Fri May  9 21:24:25 UTC 2025] Le_LocalAddress
[Fri May  9 21:24:25 UTC 2025] d='login.alumsum.com'
[Fri May  9 21:24:25 UTC 2025] Check for domain='login.alumsum.com'
[Fri May  9 21:24:25 UTC 2025] _currentRoot='no'
[Fri May  9 21:24:25 UTC 2025] Standalone mode.
[Fri May  9 21:24:25 UTC 2025] _checkport='80'
[Fri May  9 21:24:25 UTC 2025] _checkaddr
[Fri May  9 21:24:25 UTC 2025] Using: ss
[Fri May  9 21:24:25 UTC 2025] d
[Fri May  9 21:24:25 UTC 2025] 'no' does not contain 'apache'
[Fri May  9 21:24:25 UTC 2025] _saved_account_key_hash='TK99KjV6nL9ViDfc1GHHQfV14D7AYCtYoSyDuyUVz/Y='
[Fri May  9 21:24:25 UTC 2025] _saved_account_key_hash is not changed, skip register account.
[Fri May  9 21:24:25 UTC 2025] Read key length:2048
[Fri May  9 21:24:25 UTC 2025] _createcsr
[Fri May  9 21:24:25 UTC 2025] domain='login.alumsum.com'
[Fri May  9 21:24:25 UTC 2025] domainlist
[Fri May  9 21:24:25 UTC 2025] csrkey='/root/.acme.sh/login.alumsum.com/login.alumsum.com.key'
[Fri May  9 21:24:25 UTC 2025] csr='/root/.acme.sh/login.alumsum.com/login.alumsum.com.csr'
[Fri May  9 21:24:25 UTC 2025] csrconf='/root/.acme.sh/login.alumsum.com/login.alumsum.com.csr.conf'
[Fri May  9 21:24:25 UTC 2025] Single domain='login.alumsum.com'
[Fri May  9 21:24:25 UTC 2025] seg='login'
[Fri May  9 21:24:25 UTC 2025] _is_idn_d='login.alumsum.com'
[Fri May  9 21:24:25 UTC 2025] _idn_temp
[Fri May  9 21:24:25 UTC 2025] _is_idn_d='login.alumsum.com'
[Fri May  9 21:24:25 UTC 2025] _idn_temp
[Fri May  9 21:24:25 UTC 2025] _csr_cn='login.alumsum.com'
[Fri May  9 21:24:25 UTC 2025] seg='login'
[Fri May  9 21:24:25 UTC 2025] Getting domain auth token for each domain
[Fri May  9 21:24:25 UTC 2025] seg='login'
[Fri May  9 21:24:25 UTC 2025] _is_idn_d='login.alumsum.com'
[Fri May  9 21:24:25 UTC 2025] _idn_temp
[Fri May  9 21:24:25 UTC 2025] d
[Fri May  9 21:24:25 UTC 2025] _identifiers='{"type":"dns","value":"login.alumsum.com"}'
[Fri May  9 21:24:25 UTC 2025] _notBefore
[Fri May  9 21:24:25 UTC 2025] _notAfter
[Fri May  9 21:24:25 UTC 2025] STEP 1, Ordering a Certificate
[Fri May  9 21:24:25 UTC 2025] =======Begin Send Signed Request=======
[Fri May  9 21:24:25 UTC 2025] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Fri May  9 21:24:25 UTC 2025] payload='{"identifiers": [{"type":"dns","value":"login.alumsum.com"}]}'
[Fri May  9 21:24:25 UTC 2025] EC key
[Fri May  9 21:24:26 UTC 2025] Get nonce with HEAD. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Fri May  9 21:24:26 UTC 2025] HEAD
[Fri May  9 21:24:26 UTC 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Fri May  9 21:24:26 UTC 2025] body
[Fri May  9 21:24:26 UTC 2025] _postContentType='application/jose+json'
[Fri May  9 21:24:26 UTC 2025] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.Dsn4qLoJVi  -g  -I  '
[Fri May  9 21:24:26 UTC 2025] _ret='0'
[Fri May  9 21:24:26 UTC 2025] _headers='HTTP/2 200
server: nginx
date: Fri, 09 May 2025 21:24:26 GMT
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: QmouDpB2H-t6DWod7GF_o3V1Apt0rihGBR9F20ZvHOxYu0kZVz4
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Fri May  9 21:24:26 UTC 2025] _CACHED_NONCE='QmouDpB2H-t6DWod7GF_o3V1Apt0rihGBR9F20ZvHOxYu0kZVz4'
[Fri May  9 21:24:26 UTC 2025] nonce='QmouDpB2H-t6DWod7GF_o3V1Apt0rihGBR9F20ZvHOxYu0kZVz4'
[Fri May  9 21:24:26 UTC 2025] POST
[Fri May  9 21:24:26 UTC 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Fri May  9 21:24:26 UTC 2025] body='{"protected": "eyJub25jZSI6ICJRbW91RHBCMkgtdDZEV29kN0dGX28zVjFBcHQwcmloR0JSOUYyMFp2SE94WXUwa1pWejQiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciIsICJhbGciOiAiRVMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTU4MjQ3NDk0NyJ9", "payload": "eyJpZGVudGlmaWVycyI6IFt7InR5cGUiOiJkbnMiLCJ2YWx1ZSI6ImxvZ2luLmFsdW1zdW0uY29tIn1dfQ", "signature": "puFOk8_Gb4wfuYa_iVLO_DXW_goTKfQr6pgFPxMZyLOy1N2rNTOe6QYMtcCMkaxgSNKe17p_jxCp7pMJqvIO_g"}'
[Fri May  9 21:24:26 UTC 2025] _postContentType='application/jose+json'
[Fri May  9 21:24:26 UTC 2025] Http already initialized.
[Fri May  9 21:24:26 UTC 2025] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.Dsn4qLoJVi  -g '
[Fri May  9 21:24:26 UTC 2025] _ret='0'
[Fri May  9 21:24:26 UTC 2025] responseHeaders='HTTP/2 201
server: nginx
date: Fri, 09 May 2025 21:24:26 GMT
content-type: application/json
content-length: 349
boulder-requester: 1582474947
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
location: https://acme-v02.api.letsencrypt.org/acme/order/1582474947/382477046777
replay-nonce: QmouDpB2Z13WtJW9LHBsi7Trp1rQ9Yg4hhqqBN3wcgf6PsIHkQw
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Fri May  9 21:24:26 UTC 2025] code='201'
[Fri May  9 21:24:26 UTC 2025] original='{
  "status": "ready",
  "expires": "2025-05-16T21:24:26Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "login.alumsum.com"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz/1582474947/517475205027"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/1582474947/382477046777"
}'
[Fri May  9 21:24:26 UTC 2025] response='{"status":"ready","expires":"2025-05-16T21:24:26Z","identifiers":[{"type":"dns","value":"login.alumsum.com"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz/1582474947/517475205027"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/1582474947/382477046777"}'
[Fri May  9 21:24:26 UTC 2025] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/1582474947/382477046777'
[Fri May  9 21:24:26 UTC 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1582474947/382477046777'
[Fri May  9 21:24:26 UTC 2025] _authorizations_seg='https://acme-v02.api.letsencrypt.org/acme/authz/1582474947/517475205027'
[Fri May  9 21:24:26 UTC 2025] STEP 2, Get the authorizations of each domain
[Fri May  9 21:24:26 UTC 2025] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/1582474947/517475205027'
[Fri May  9 21:24:26 UTC 2025] =======Begin Send Signed Request=======
[Fri May  9 21:24:26 UTC 2025] url='https://acme-v02.api.letsencrypt.org/acme/authz/1582474947/517475205027'
[Fri May  9 21:24:26 UTC 2025] payload
[Fri May  9 21:24:26 UTC 2025] Use cached jwk for file: /root/.acme.sh/ca/acme-v02.api.letsencrypt.org/directory/account.key
[Fri May  9 21:24:26 UTC 2025] Use _CACHED_NONCE='QmouDpB2Z13WtJW9LHBsi7Trp1rQ9Yg4hhqqBN3wcgf6PsIHkQw'
[Fri May  9 21:24:26 UTC 2025] nonce='QmouDpB2Z13WtJW9LHBsi7Trp1rQ9Yg4hhqqBN3wcgf6PsIHkQw'
[Fri May  9 21:24:26 UTC 2025] POST
[Fri May  9 21:24:26 UTC 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz/1582474947/517475205027'
[Fri May  9 21:24:26 UTC 2025] body='{"protected": "eyJub25jZSI6ICJRbW91RHBCMloxM1d0Slc5TEhCc2k3VHJwMXJROVlnNGhocXFCTjN3Y2dmNlBzSUhrUXciLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LzE1ODI0NzQ5NDcvNTE3NDc1MjA1MDI3IiwgImFsZyI6ICJFUzI1NiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTgyNDc0OTQ3In0", "payload": "", "signature": "0kSPdAUwnPxod06wFixKMhgZ7czroEijToaLYpy7AgWdwOZ57UTlN3rtQyHUJwiiEkOyodxF4hJQNRSbLRYlsQ"}'
[Fri May  9 21:24:26 UTC 2025] _postContentType='application/jose+json'
[Fri May  9 21:24:26 UTC 2025] Http already initialized.
[Fri May  9 21:24:26 UTC 2025] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.Dsn4qLoJVi  -g '
[Fri May  9 21:24:27 UTC 2025] _ret='0'
[Fri May  9 21:24:27 UTC 2025] responseHeaders='HTTP/2 200
server: nginx
date: Fri, 09 May 2025 21:24:26 GMT
content-type: application/json
content-length: 774
boulder-requester: 1582474947
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: NUDoTsQw_4Nc9sWC4tDQ3unNmteR47ql3iaEJh7Q4HGhbNCaESo
x-frame-options: DENY
strict-transport-security: max-age=604800
'
[Fri May  9 21:24:27 UTC 2025] code='200'
[Fri May  9 21:24:27 UTC 2025] original='{
  "identifier": {
    "type": "dns",
    "value": "login.alumsum.com"
  },
  "status": "valid",
  "expires": "2025-06-07T20:15:21Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1582474947/517475205027/HHAI7A",
      "status": "valid",
      "validated": "2025-05-08T20:15:17Z",
      "token": "QCUd8cyIEqmXSMz0LYDtgpLSxO1hcFPzV2e3JbQzu-A",
      "validationRecord": [
        {
          "url": "http://login.alumsum.com/.well-known/acme-challenge/QCUd8cyIEqmXSMz0LYDtgpLSxO1hcFPzV2e3JbQzu-A",
          "hostname": "login.alumsum.com",
          "port": "80",
          "addressesResolved": [
            "18.220.87.197"
          ],
          "addressUsed": "18.220.87.197"
        }
      ]
    }
  ]
}'
[Fri May  9 21:24:27 UTC 2025] response='{"identifier":{"type":"dns","value":"login.alumsum.com"},"status":"valid","expires":"2025-06-07T20:15:21Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1582474947/517475205027/HHAI7A","status":"valid","validated":"2025-05-08T20:15:17Z","token":"QCUd8cyIEqmXSMz0LYDtgpLSxO1hcFPzV2e3JbQzu-A","validationRecord":[{"url":"http://login.alumsum.com/.well-known/acme-challenge/QCUd8cyIEqmXSMz0LYDtgpLSxO1hcFPzV2e3JbQzu-A","hostname":"login.alumsum.com","port":"80","addressesResolved":["18.220.87.197"],"addressUsed":"18.220.87.197"}]}]}'
[Fri May  9 21:24:27 UTC 2025] response='{"identifier":{"type":"dns","value":"login.alumsum.com"},"status":"valid","expires":"2025-06-07T20:15:21Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1582474947/517475205027/HHAI7A","status":"valid","validated":"2025-05-08T20:15:17Z","token":"QCUd8cyIEqmXSMz0LYDtgpLSxO1hcFPzV2e3JbQzu-A","validationRecord":[{"url":"http://login.alumsum.com/.well-known/acme-challenge/QCUd8cyIEqmXSMz0LYDtgpLSxO1hcFPzV2e3JbQzu-A","hostname":"login.alumsum.com","port":"80","addressesResolved":["18.220.87.197"],"addressUsed":"18.220.87.197"}]}]}'
[Fri May  9 21:24:27 UTC 2025] _d='login.alumsum.com'
[Fri May  9 21:24:27 UTC 2025] _authorizations_map='login.alumsum.com,{"identifier":{"type":"dns","value":"login.alumsum.com"},"status":"valid","expires":"2025-06-07T20:15:21Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1582474947/517475205027/HHAI7A","status":"valid","validated":"2025-05-08T20:15:17Z","token":"QCUd8cyIEqmXSMz0LYDtgpLSxO1hcFPzV2e3JbQzu-A","validationRecord":[{"url":"http://login.alumsum.com/.well-known/acme-challenge/QCUd8cyIEqmXSMz0LYDtgpLSxO1hcFPzV2e3JbQzu-A","hostname":"login.alumsum.com","port":"80","addressesResolved":["18.220.87.197"],"addressUsed":"18.220.87.197"}]}]}#https://acme-v02.api.letsencrypt.org/acme/authz/1582474947/517475205027
'
[Fri May  9 21:24:27 UTC 2025] d='login.alumsum.com'
[Fri May  9 21:24:27 UTC 2025] Getting webroot for domain='login.alumsum.com'
[Fri May  9 21:24:27 UTC 2025] _w='no'
[Fri May  9 21:24:27 UTC 2025] _currentRoot='no'
[Fri May  9 21:24:27 UTC 2025] _is_idn_d='login.alumsum.com'
[Fri May  9 21:24:27 UTC 2025] _idn_temp
[Fri May  9 21:24:27 UTC 2025] _candidates='login.alumsum.com,{"identifier":{"type":"dns","value":"login.alumsum.com"},"status":"valid","expires":"2025-06-07T20:15:21Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1582474947/517475205027/HHAI7A","status":"valid","validated":"2025-05-08T20:15:17Z","token":"QCUd8cyIEqmXSMz0LYDtgpLSxO1hcFPzV2e3JbQzu-A","validationRecord":[{"url":"http://login.alumsum.com/.well-known/acme-challenge/QCUd8cyIEqmXSMz0LYDtgpLSxO1hcFPzV2e3JbQzu-A","hostname":"login.alumsum.com","port":"80","addressesResolved":["18.220.87.197"],"addressUsed":"18.220.87.197"}]}]}#https://acme-v02.api.letsencrypt.org/acme/authz/1582474947/517475205027'
[Fri May  9 21:24:27 UTC 2025] response='{"identifier":{"type":"dns","value":"login.alumsum.com"},"status":"valid","expires":"2025-06-07T20:15:21Z","challenges":[{"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1582474947/517475205027/HHAI7A","status":"valid","validated":"2025-05-08T20:15:17Z","token":"QCUd8cyIEqmXSMz0LYDtgpLSxO1hcFPzV2e3JbQzu-A","validationRecord":[{"url":"http://login.alumsum.com/.well-known/acme-challenge/QCUd8cyIEqmXSMz0LYDtgpLSxO1hcFPzV2e3JbQzu-A","hostname":"login.alumsum.com","port":"80","addressesResolved":["18.220.87.197"],"addressUsed":"18.220.87.197"}]}]}#https://acme-v02.api.letsencrypt.org/acme/authz/1582474947/517475205027'
[Fri May  9 21:24:27 UTC 2025] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz/1582474947/517475205027'
[Fri May  9 21:24:27 UTC 2025] login.alumsum.com is already valid.
[Fri May  9 21:24:27 UTC 2025] keyauthorization='verified_ok'
[Fri May  9 21:24:27 UTC 2025] entry='"type":"http-01","url":"https://acme-v02.api.letsencrypt.org/acme/chall/1582474947/517475205027/HHAI7A","status":"valid","validated":"2025-05-08T20:15:17Z","token":"QCUd8cyIEqmXSMz0LYDtgpLSxO1hcFPzV2e3JbQzu-A","validationRecord":[{"url":"http://login.alumsum.com/.well-known/acme-challenge/QCUd8cyIEqmXSMz0LYDtgpLSxO1hcFPzV2e3JbQzu-A","hostname":"login.alumsum.com","port":"80","addressesResolved":["18.220.87.197"],"addressUsed":"18.220.87.197"'
[Fri May  9 21:24:27 UTC 2025] dvlist='login.alumsum.com#verified_ok##http-01#no#https://acme-v02.api.letsencrypt.org/acme/authz/1582474947/517475205027'
[Fri May  9 21:24:27 UTC 2025] d
[Fri May  9 21:24:27 UTC 2025] vlist='login.alumsum.com#verified_ok##http-01#no#https://acme-v02.api.letsencrypt.org/acme/authz/1582474947/517475205027,'
[Fri May  9 21:24:27 UTC 2025] d='login.alumsum.com'
[Fri May  9 21:24:27 UTC 2025] login.alumsum.com is already verified, skip http-01.
[Fri May  9 21:24:27 UTC 2025] ok, let's start to verify
[Fri May  9 21:24:27 UTC 2025] login.alumsum.com is already verified, skip http-01.
[Fri May  9 21:24:27 UTC 2025] pid
[Fri May  9 21:24:27 UTC 2025] No need to restore nginx, skip.
[Fri May  9 21:24:27 UTC 2025] _clearupdns
[Fri May  9 21:24:27 UTC 2025] dns_entries
[Fri May  9 21:24:27 UTC 2025] skip dns.
[Fri May  9 21:24:27 UTC 2025] Verify finished, start to sign.
[Fri May  9 21:24:27 UTC 2025] i='2'
[Fri May  9 21:24:27 UTC 2025] j='17'
[Fri May  9 21:24:27 UTC 2025] Lets finalize the order.
[Fri May  9 21:24:27 UTC 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1582474947/382477046777'
[Fri May  9 21:24:27 UTC 2025] =======Begin Send Signed Request=======
[Fri May  9 21:24:27 UTC 2025] url='https://acme-v02.api.letsencrypt.org/acme/finalize/1582474947/382477046777'
[Fri May  9 21:24:27 UTC 2025] payload='{"csr": "MIICzTCCAbUCAQAwHDEaMBgGA1UEAwwRbG9naW4uYWx1bXN1bS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkZJ8jxIqKbq9QakMI9XBPBRV7x6D2mzdjc2DtPKscCB06KPw_Va9p7Ek-ha5U6sTR_Za06lhvk2bJI33mhbpJ41KhvbPeMk_yEbw38szWCPpETaXcNG8rQ_oe2iCkvF0vdSGiQHcKoVlSoDOe6Xofq_YsZrETZtx-5w4ZbBaWctxAehCvBnwMGJk0UUXDv6aNzNRDm65PEESc_kf2pbfMTKCZ9FqsMb8otOOkFGJhq8of2C0PtrpEI_4PhHcq-yftPxjB45E1rVmSYxJaR6Y5mBZTpcEKOs8pO6j-tH5engK2qdVROGBucQBPuUowwd_KPLujKZbnDBrHF68Cze0vAgMBAAGgbDBqBgkqhkiG9w0BCQ4xXTBbMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAcBgNVHREEFTATghFsb2dpbi5hbHVtc3VtLmNvbTAJBgNVHRMEAjAAMBEGCCsGAQUFBwEYBAUwAwIBBTANBgkqhkiG9w0BAQsFAAOCAQEAOVK0OL0wixrZZCfQACuOiDKABx_pVkV7oQRyp1yySjq6K3LDr7stA_qNBwdiWypNCrOyNclkvQwk6WZMD8sG6PXPWmkO5EoAar8OtxYxvflE3xGEgAV9wQDLbm8oCez0eKagpvKnS2Ppv3hnDti0qFw3NpRVPoTddhR8M4kxVQB8cXakx6Ohdx0ZDYuG2vft3j1Eo4xIyl_zO4t9NQJUMYBj2r0zCyGy4lmrG1tDINZepBy4psvy9Uc3KAOmt6n17dQjzXa_GLTUvgFdvT4OYKe71QpnUJb4H9OCaKYNEW6PWYXpvXhKSUmKssIgpHRC4PbuLnI7w8syjd7SrooDEg"}'
[Fri May  9 21:24:27 UTC 2025] Use cached jwk for file: /root/.acme.sh/ca/acme-v02.api.letsencrypt.org/directory/account.key
[Fri May  9 21:24:27 UTC 2025] Use _CACHED_NONCE='NUDoTsQw_4Nc9sWC4tDQ3unNmteR47ql3iaEJh7Q4HGhbNCaESo'
[Fri May  9 21:24:27 UTC 2025] nonce='NUDoTsQw_4Nc9sWC4tDQ3unNmteR47ql3iaEJh7Q4HGhbNCaESo'
[Fri May  9 21:24:27 UTC 2025] POST
[Fri May  9 21:24:27 UTC 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/finalize/1582474947/382477046777'
[Fri May  9 21:24:27 UTC 2025] body='{"protected": "eyJub25jZSI6ICJOVURvVHNRd180TmM5c1dDNHREUTN1bk5tdGVSNDdxbDNpYUVKaDdRNEhHaGJOQ2FFU28iLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2ZpbmFsaXplLzE1ODI0NzQ5NDcvMzgyNDc3MDQ2Nzc3IiwgImFsZyI6ICJFUzI1NiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8xNTgyNDc0OTQ3In0", "payload": "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", "signature": "ceK5Em9UKGddyF6LS_YQAxPNCYjE2smzl7_pXcNqrfOL18HmKMckSMAlLu3HfGnueNstMp3bgTDxc3-i4rNMng"}'
[Fri May  9 21:24:27 UTC 2025] _postContentType='application/jose+json'
[Fri May  9 21:24:27 UTC 2025] Http already initialized.
[Fri May  9 21:24:27 UTC 2025] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.Dsn4qLoJVi  -g '
[Fri May  9 21:24:27 UTC 2025] _ret='0'
[Fri May  9 21:24:27 UTC 2025] responseHeaders='HTTP/2 403
server: nginx
date: Fri, 09 May 2025 21:24:27 GMT
content-type: application/problem+json
content-length: 215
boulder-requester: 1582474947
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: yPpvzgaDjV-uvG7vZ14jZjyIvgMfvelTC0ZTPbwt6MSZavDgXe8
'
[Fri May  9 21:24:27 UTC 2025] code='403'
[Fri May  9 21:24:27 UTC 2025] original='{
  "type": "urn:ietf:params:acme:error:unauthorized",
  "detail": "Error finalizing order :: OCSP must-staple extension is no longer available: see https://letsencrypt.org/2024/12/05/ending-ocsp",
  "status": 403
}'
[Fri May  9 21:24:27 UTC 2025] response='{
  "type": "urn:ietf:params:acme:error:unauthorized",
  "detail": "Error finalizing order :: OCSP must-staple extension is no longer available: see https://letsencrypt.org/2024/12/05/ending-ocsp",
  "status": 403
}'
[Fri May  9 21:24:27 UTC 2025] Sign failed, finalize code is not 200.
[Fri May  9 21:24:27 UTC 2025] {
  "type": "urn:ietf:params:acme:error:unauthorized",
  "detail": "Error finalizing order :: OCSP must-staple extension is no longer available: see https://letsencrypt.org/2024/12/05/ending-ocsp",
  "status": 403
}
[Fri May  9 21:24:27 UTC 2025] _on_issue_err
[Fri May  9 21:24:27 UTC 2025] Please add '--debug' or '--log' to check more details.
[Fri May  9 21:24:27 UTC 2025] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Fri May  9 21:24:27 UTC 2025] _chk_vlist
[Fri May  9 21:24:27 UTC 2025] 'no' does not contain 'dns'
[Fri May  9 21:24:27 UTC 2025] Diagnosis versions:
openssl:openssl
OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.4.2 on Feb  2 2023 00:00:00
   running on Linux version #1 SMP PREEMPT_DYNAMIC Wed Jan 31 01:01:59 UTC 2024, release 6.1.75-99.163.amzn2023.x86_64, machine x86_64
features:
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_UNIX 1
  #define WITH_ABSTRACT_UNIXSOCKET 1
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #define WITH_INTERFACE 1
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_LISTEN 1
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_VSOCK 1
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_EXEC 1
  #define WITH_READLINE 1
  #define WITH_TUN 1
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #undef WITH_LIBWRAP
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/

Can you show the contents of these files:

/root/.acme.sh/login.alumsum.com/login.alumsum.com.csr.conf

and

/root/.acme.sh/login.alumsum.com/login.alumsum.com.conf

4 Likes

login.alumsum.com.conf:

[ec2-user@ip-172-31-15-58 login.alumsum.com]$ cat login.alumsum.com.conf
Le_Domain='login.alumsum.com'
Le_Alt='no'
Le_Webroot='no'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_API='https://acme-v02.api.letsencrypt.org/directory'
Le_Keylength='2048'
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/2389198767/382475527317'
Le_OCSP_Staple='0'

login.alumsum.com.csr.conf:

[ec2-user@ip-172-31-15-58 login.alumsum.com]$ cat login.alumsum.com.csr.conf
[ req_distinguished_name ]
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ v3_req ]
extendedKeyUsage=serverAuth,clientAuth

subjectAltName=DNS:login.alumsum.com[ec2-user@ip-172-31-15-58 login.alumsum.com]$

1 Like

Okay, that is surprising. acme.sh has disabled OCSP must-staple, it's no longer in the config and has been properly removed from the CSR generator. The only thing left apart from a bug at LE would be that the CSR isn't actually regenerated, though acme.sh should have done that according to the log.

Let's check whether the CSR has must-staple or not. Please show this file:

/root/.acme.sh/login.alumsum.com/login.alumsum.com.csr

5 Likes

here it is:

[ec2-user@ip-172-31-15-58 login.alumsum.com]$ cat login.alumsum.com.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICrzCCAZcCAQAwHDEaMBgGA1UEAwwRbG9naW4uYWx1bXN1bS5jb20wggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCw3hQyDPF+Y12bU0UJyVBIdxBh7opB
6UM9kftj/2vQ6BRx3HNXzXuq5ZwhHNsnwH/ka9vzL4dIAqDupefIt9cdVmi8Oq7w
FPyVXNtr2Bn2ElQkw+AznmuP1BEv0WEdLs/l6x6wt6AbxVCPzxeeevW84me+JC7U
pxQFkB44FixkHUdVhP0lRw+PXN9BBuxeF+0PsyfqTfjRroyiuyvl7AJkwLM4++nG
OTPMgv4Bx1FJI48fo24rK1FHRgE5sb2U8tL+fdXR9L7Q8MAu0PyE1jvIm1q0Irn/
c9Kb65o2Y1SUgNKoRj32y503fpbmL9EbihFWNvSYCDPmb3K2YuRnvE8tAgMBAAGg
TjBMBgkqhkiG9w0BCQ4xPzA9MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAcBgNVHREEFTATghFsb2dpbi5hbHVtc3VtLmNvbTANBgkqhkiG9w0BAQsFAAOC
AQEAiAd+2gIkxXblia7LVYDonNVLLVbMu5IVMsRq+lAMrWp6nsxzO4SQTwuKkaOA
AF+NNyDp8mxCBKuF6sPkBRoIZPpaLd13qHZt1dATn9+k4fYGBy7Auu5zkOEfMsim
q7/zosCRpfbTpCtGNKKEUd3k32wXsLzcvcNRuefqIKwFWdOCd7cKMeGFxgO3Sa2u
uqn0dsWMCn6rp7IIu6ZAF+YLxBnMgzezAVsen+s6qdaZa/JkFvsFFMZpdvRqmR2+
LeeV1XJf14cqdl1ukPNaZHj5qpFeFq3/daaajh316N29qoihIVcVWoqh7XM4t42Z
dInkfTZLZi2OphkYqd2T16j1Hg==
-----END CERTIFICATE REQUEST-----
[ec2-user@ip-172-31-15-58 login.alumsum.com]$

1 Like

Yeah, that CSR does not contain an OCSP must-staple request. If Let's Encrypt fails to accept this CSR for finalization, this looks like a bug on LE's side, not acme.sh.

@aarongable I'm at a loss here. All data points to a CSR without must-staple being posted for finalization, yet the API returns "Error finalizing order :: OCSP must-staple extension is no longer available: see https://letsencrypt.org/2024/12/05/ending-ocsp" for order URL https://acme-v02.api.letsencrypt.org/acme/order/1582474947/382477046777

6 Likes

That log also prints the CSR it is about to POST to the Finalize endpoint, which is:

MIICzTCCAbUCAQAwHDEaMBgGA1UEAwwRbG9naW4uYWx1bXN1bS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkZJ8jxIqKbq9QakMI9XBPBRV7x6D2mzdjc2DtPKscCB06KPw_Va9p7Ek-ha5U6sTR_Za06lhvk2bJI33mhbpJ41KhvbPeMk_yEbw38szWCPpETaXcNG8rQ_oe2iCkvF0vdSGiQHcKoVlSoDOe6Xofq_YsZrETZtx-5w4ZbBaWctxAehCvBnwMGJk0UUXDv6aNzNRDm65PEESc_kf2pbfMTKCZ9FqsMb8otOOkFGJhq8of2C0PtrpEI_4PhHcq-yftPxjB45E1rVmSYxJaR6Y5mBZTpcEKOs8pO6j-tH5engK2qdVROGBucQBPuUowwd_KPLujKZbnDBrHF68Cze0vAgMBAAGgbDBqBgkqhkiG9w0BCQ4xXTBbMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAcBgNVHREEFTATghFsb2dpbi5hbHVtc3VtLmNvbTAJBgNVHRMEAjAAMBEGCCsGAQUFBwEYBAUwAwIBBTANBgkqhkiG9w0BAQsFAAOCAQEAOVK0OL0wixrZZCfQACuOiDKABx_pVkV7oQRyp1yySjq6K3LDr7stA_qNBwdiWypNCrOyNclkvQwk6WZMD8sG6PXPWmkO5EoAar8OtxYxvflE3xGEgAV9wQDLbm8oCez0eKagpvKnS2Ppv3hnDti0qFw3NpRVPoTddhR8M4kxVQB8cXakx6Ohdx0ZDYuG2vft3j1Eo4xIyl_zO4t9NQJUMYBj2r0zCyGy4lmrG1tDINZepBy4psvy9Uc3KAOmt6n17dQjzXa_GLTUvgFdvT4OYKe71QpnUJb4H9OCaKYNEW6PWYXpvXhKSUmKssIgpHRC4PbuLnI7w8syjd7SrooDEg

And that CSR does contain the MustStaple extension (shown by lapo.it as the "tlsFeature" extension). So I'm not sure what acme.sh is doing but it is definitely requesting the extension.

7 Likes
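The check the post above did by hand on lapo.it (does the CSR that was actually POSTed carry the tlsFeature extension?) can be scripted. The following Python is an added example written for this thread, not code from acme.sh or from any poster: a minimal DER walker that pulls the extensionRequest attribute out of a PKCS #10 CSR and reports which TLS features it asks for. It assumes well-formed DER and does not verify the CSR signature. The two sample inputs are copied from the thread itself, the `.csr` file shown earlier and the `"csr"` value of the finalize payload in the `--debug` log; the OIDs are the standard ones (id-pe-tlsfeature from RFC 7633, pkcs-9-at-extensionRequest from PKCS #9).

```python
import base64
TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"  # id-pe-tlsfeature (RFC 7633); feature 5 = status_request, i.e. OCSP must-staple
EXT_REQ_OID = "1.2.840.113549.1.9.14"   # pkcs-9-at-extensionRequest, the CSR attribute that carries X.509 extensions

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the content of a constructed DER value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv(value, pos)
        out.append((tag, v))
    return out

def _oid(raw):
    """Decode DER OID content bytes into dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def csr_extensions(der):
    """Map extnID -> extnValue for every extension in the CSR's extensionRequest attribute."""
    _, cert_req, _ = _tlv(der, 0)   # CertificationRequest ::= SEQUENCE { info, sigAlg, signature }
    _, info, _ = _tlv(cert_req, 0)  # CertificationRequestInfo ::= SEQUENCE { version, subject, spki, attrs }
    exts = {}
    for tag, attrs in _children(info):
        if tag != 0xA0:             # attributes [0] IMPLICIT SET OF Attribute
            continue
        for _, attr in _children(attrs):
            (_, oid), (_, values) = _children(attr)   # Attribute ::= SEQUENCE { type OID, values SET }
            if _oid(oid) != EXT_REQ_OID:
                continue
            for _, extensions in _children(values):   # each value is Extensions ::= SEQUENCE OF Extension
                for _, ext in _children(extensions):  # Extension ::= SEQUENCE { extnID, critical?, extnValue }
                    fields = _children(ext)
                    exts[_oid(fields[0][1])] = fields[-1][1]
    return exts

def tls_features(der):
    """TLS feature ids the CSR requests ([5] means OCSP must-staple); [] if the extension is absent."""
    exts = csr_extensions(der)
    if TLS_FEATURE_OID not in exts:
        return []
    (_, seq), = _children(exts[TLS_FEATURE_OID])  # extnValue OCTET STRING wraps SEQUENCE OF INTEGER
    return [int.from_bytes(v, "big") for _, v in _children(seq)]

def load_pem_csr(pem):
    """Decode a PEM CSR such as ~/.acme.sh/<domain>/<domain>.csr."""
    return base64.b64decode("".join(line for line in pem.splitlines() if line and not line.startswith("-----")))

def load_base64url_csr(text):
    """Decode the unpadded base64url CSR that acme.sh --debug prints in the finalize payload."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Sample input 1: the .csr file posted in the thread (copied from the thread, no must-staple in it).
FILE_CSR = """-----BEGIN CERTIFICATE REQUEST-----
MIICrzCCAZcCAQAwHDEaMBgGA1UEAwwRbG9naW4uYWx1bXN1bS5jb20wggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCw3hQyDPF+Y12bU0UJyVBIdxBh7opB
6UM9kftj/2vQ6BRx3HNXzXuq5ZwhHNsnwH/ka9vzL4dIAqDupefIt9cdVmi8Oq7w
FPyVXNtr2Bn2ElQkw+AznmuP1BEv0WEdLs/l6x6wt6AbxVCPzxeeevW84me+JC7U
pxQFkB44FixkHUdVhP0lRw+PXN9BBuxeF+0PsyfqTfjRroyiuyvl7AJkwLM4++nG
OTPMgv4Bx1FJI48fo24rK1FHRgE5sb2U8tL+fdXR9L7Q8MAu0PyE1jvIm1q0Irn/
c9Kb65o2Y1SUgNKoRj32y503fpbmL9EbihFWNvSYCDPmb3K2YuRnvE8tAgMBAAGg
TjBMBgkqhkiG9w0BCQ4xPzA9MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD
AjAcBgNVHREEFTATghFsb2dpbi5hbHVtc3VtLmNvbTANBgkqhkiG9w0BAQsFAAOC
AQEAiAd+2gIkxXblia7LVYDonNVLLVbMu5IVMsRq+lAMrWp6nsxzO4SQTwuKkaOA
AF+NNyDp8mxCBKuF6sPkBRoIZPpaLd13qHZt1dATn9+k4fYGBy7Auu5zkOEfMsim
q7/zosCRpfbTpCtGNKKEUd3k32wXsLzcvcNRuefqIKwFWdOCd7cKMeGFxgO3Sa2u
uqn0dsWMCn6rp7IIu6ZAF+YLxBnMgzezAVsen+s6qdaZa/JkFvsFFMZpdvRqmR2+
LeeV1XJf14cqdl1ukPNaZHj5qpFeFq3/daaajh316N29qoihIVcVWoqh7XM4t42Z
dInkfTZLZi2OphkYqd2T16j1Hg==
-----END CERTIFICATE REQUEST-----"""

# Sample input 2: the "csr" value from the finalize payload in the --debug log posted in the thread.
LOG_CSR = (
    "MIICzTCCAbUCAQAwHDEaMBgGA1UEAwwRbG9naW4uYWx1bXN1bS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkZJ8j"
    "xIqKbq9QakMI9XBPBRV7x6D2mzdjc2DtPKscCB06KPw_Va9p7Ek-ha5U6sTR_Za06lhvk2bJI33mhbpJ41KhvbPeMk_yEbw38szWCPpE"
    "TaXcNG8rQ_oe2iCkvF0vdSGiQHcKoVlSoDOe6Xofq_YsZrETZtx-5w4ZbBaWctxAehCvBnwMGJk0UUXDv6aNzNRDm65PEESc_kf2pbfM"
    "TKCZ9FqsMb8otOOkFGJhq8of2C0PtrpEI_4PhHcq-yftPxjB45E1rVmSYxJaR6Y5mBZTpcEKOs8pO6j-tH5engK2qdVROGBucQBPuUow"
    "wd_KPLujKZbnDBrHF68Cze0vAgMBAAGgbDBqBgkqhkiG9w0BCQ4xXTBbMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAcBgNV"
    "HREEFTATghFsb2dpbi5hbHVtc3VtLmNvbTAJBgNVHRMEAjAAMBEGCCsGAQUFBwEYBAUwAwIBBTANBgkqhkiG9w0BAQsFAAOCAQEAOVK0"
    "OL0wixrZZCfQACuOiDKABx_pVkV7oQRyp1yySjq6K3LDr7stA_qNBwdiWypNCrOyNclkvQwk6WZMD8sG6PXPWmkO5EoAar8OtxYxvflE"
    "3xGEgAV9wQDLbm8oCez0eKagpvKnS2Ppv3hnDti0qFw3NpRVPoTddhR8M4kxVQB8cXakx6Ohdx0ZDYuG2vft3j1Eo4xIyl_zO4t9NQJU"
    "MYBj2r0zCyGy4lmrG1tDINZepBy4psvy9Uc3KAOmt6n17dQjzXa_GLTUvgFdvT4OYKe71QpnUJb4H9OCaKYNEW6PWYXpvXhKSUmKssIg"
    "pHRC4PbuLnI7w8syjd7SrooDEg"
)
if __name__ == "__main__":
    print("file CSR TLS features:", tls_features(load_pem_csr(FILE_CSR)))
    print("log CSR TLS features: ", tls_features(load_base64url_csr(LOG_CSR)))
```

Run as is, the `.csr` file decodes to no TLS feature at all while the CSR from the finalize payload decodes to `[5]` (status_request), which is the mismatch the thread turns on: the file on disk is not what the client sent. `load_base64url_csr` works on the `payload='{"csr": "..."}'` value of any acme.sh `--debug` run, so the same check can be repeated against a fresh log without pasting the blob into a web decoder.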

My question is: What am I supposed to do and how do I fix this? I have a "dead" website at this point since Okta needs my certificates in order to continue authenticating users. I have been renewing these certificates for God knows how long and I am now having a problem.

Two suggestions:

  1. Delete Le_OCSP_Staple='0' from your config file: I'm not super familiar with acme.sh but I know that '0' isn't necessarily the same thing as 0 or null or whatever. It could be interpreting that string as a true-ish value.
  2. Update your acme.sh to the latest version. They've removed support for Must-Staple so that should work better for you now.

6 Likes
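The config edit suggested earlier in the thread (zero or remove `Le_OCSP_Staple='1'`) and suggestion 1 just above (drop the line even when it says `'0'`) are the same operation applied to every per-domain `.conf` under the acme.sh config home, including the `_ecc` directories. The following Python is an added example for this thread, not part of acme.sh: it lists which `.conf` files still set `Le_OCSP_Staple` and, on request, removes that line whatever its value after saving a `.bak` copy. It assumes the default config home shown in the debug log (`/root/.acme.sh` for root, `~/.acme.sh` otherwise); `demo()` runs both functions against a constructed sample tree in a temporary directory so nothing real is touched.

```python
import os
import shutil
import tempfile

KEY = "Le_OCSP_Staple="  # the renewal setting acme.sh writes into <domain>.conf when must-staple was requested

def find_must_staple(conf_home):
    """Return {conf_path: value} for every per-domain .conf under conf_home that sets Le_OCSP_Staple."""
    found = {}
    for root, _, files in os.walk(conf_home):
        for name in files:
            # <domain>.conf holds the renewal settings; <domain>.csr.conf is the OpenSSL CSR config, skip it.
            if not name.endswith(".conf") or name.endswith(".csr.conf"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8") as f:
                for line in f:
                    if line.startswith(KEY):
                        found[path] = line[len(KEY):].strip().strip("'\"")
    return found

def strip_must_staple(conf_home):
    """Drop the Le_OCSP_Staple line (whatever its value) from each affected .conf, keeping a .bak copy.
    Returns the list of rewritten paths."""
    changed = []
    for path in find_must_staple(conf_home):
        with open(path, encoding="utf-8") as f:
            lines = f.readlines()
        shutil.copyfile(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as f:
            f.writelines(line for line in lines if not line.startswith(KEY))
        changed.append(path)
    return changed

def demo():
    """Exercise both functions on a constructed sample config tree (not a real acme.sh install)."""
    base = tempfile.mkdtemp(prefix="acme-sh-demo-")
    samples = {  # constructed: one '1', one '0' in an _ecc directory, one clean domain with its csr.conf
        "a.example/a.example.conf": "Le_Domain='a.example'\nLe_OCSP_Staple='1'\n",
        "b.example_ecc/b.example.conf": "Le_Domain='b.example'\nLe_OCSP_Staple='0'\n",
        "c.example/c.example.conf": "Le_Domain='c.example'\nLe_Keylength='2048'\n",
        "c.example/c.example.csr.conf": "[ req ]\ndistinguished_name = req_distinguished_name\n",
    }
    for rel, body in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
    before = {os.path.relpath(p, base): v for p, v in find_must_staple(base).items()}
    rewritten = len(strip_must_staple(base))
    after = find_must_staple(base)
    shutil.rmtree(base)
    return before, rewritten, after

if __name__ == "__main__":
    home = os.path.expanduser("~/.acme.sh")  # default config home, as in the thread's debug log
    print("conf files still setting Le_OCSP_Staple:", find_must_staple(home))
    print("demo on constructed tree:", demo())
```

Removing the line rather than setting it to `'0'` sidesteps the question raised above of how acme.sh interprets the string `'0'`, and the `.bak` copy makes the change reversible. After the line is gone, renewing normally is what the earlier post recommends.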

So I did what you asked:

[Sun May 11 02:04:12 UTC 2025] Already uptodate!
[Sun May 11 02:04:12 UTC 2025] Upgrade success!
[ec2-user@ip-172-31-15-58 ~]$ /etc/letsencrypt/acme.sh --version
https://github.com/acmesh-official/acme.sh
v3.0.8

That commit is in the version: 3.1.1

https://github.com/acmesh-official/acme.sh/compare/3.1.1...master

So, I can't get that functionality. And I am facing the same problem.

acme.sh is a single file bash script. Can't you just download that version of the file and replace the one you have? Save yours under a different name first.

Also, at this point Aaron confirmed it is a problem in acme.sh and not Let's Encrypt. Your better option is to ask on the github for acme.sh about how to fix your request to not have must-staple.

I saw some old threads about ="0" being a problem but not sure how Neil "fixed" it. The poster of that older problem removed that line and stopped getting must-staple.

Perhaps someone else here will know but that github is the most direct way to get attention from their developer.

3 Likes