Acme.sh: Error issuing certificates for *.ru zone

Pijng · March 28, 2023, 12:29pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: todase.smartomato.ru

I ran this command: /root/.acme.sh/acme.sh --debug --force --issue -k 2048 -d todase.smartomato.ru -w /var/www/smartomato/current/public/

It produced this output:

[Tue Mar 28 15:20:45 MSK 2023] Using config home:/root/.acme.sh
https://github.com/acmesh-official/acme.sh
v3.0.6
[Tue Mar 28 15:20:45 MSK 2023] Running cmd: issue
[Tue Mar 28 15:20:45 MSK 2023] _main_domain='todase.smartomato.ru'
[Tue Mar 28 15:20:45 MSK 2023] _alt_domains='no'
[Tue Mar 28 15:20:45 MSK 2023] Using config home:/root/.acme.sh
[Tue Mar 28 15:20:45 MSK 2023] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Tue Mar 28 15:20:45 MSK 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue Mar 28 15:20:45 MSK 2023] DOMAIN_PATH='/root/.acme.sh/todase.smartomato.ru'
[Tue Mar 28 15:20:45 MSK 2023] Le_NextRenewTime
[Tue Mar 28 15:20:45 MSK 2023] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Tue Mar 28 15:20:45 MSK 2023] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Tue Mar 28 15:20:45 MSK 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Mar 28 15:20:45 MSK 2023] _on_before_issue
[Tue Mar 28 15:20:45 MSK 2023] _chk_main_domain='todase.smartomato.ru'
[Tue Mar 28 15:20:45 MSK 2023] _chk_alt_domains
[Tue Mar 28 15:20:45 MSK 2023] Le_LocalAddress
[Tue Mar 28 15:20:45 MSK 2023] d='todase.smartomato.ru'
[Tue Mar 28 15:20:45 MSK 2023] Check for domain='todase.smartomato.ru'
[Tue Mar 28 15:20:45 MSK 2023] _currentRoot='/var/www/smartomato/current/public/'
[Tue Mar 28 15:20:45 MSK 2023] d
[Tue Mar 28 15:20:45 MSK 2023] _saved_account_key_hash is not changed, skip register account.
[Tue Mar 28 15:20:45 MSK 2023] Read key length:2048
[Tue Mar 28 15:20:45 MSK 2023] _createcsr
[Tue Mar 28 15:20:45 MSK 2023] Single domain='todase.smartomato.ru'
[Tue Mar 28 15:20:46 MSK 2023] Getting domain auth token for each domain
[Tue Mar 28 15:20:46 MSK 2023] d
[Tue Mar 28 15:20:46 MSK 2023] url='https://acme.zerossl.com/v2/DV90/newOrder'
[Tue Mar 28 15:20:46 MSK 2023] payload='{"identifiers": [{"type":"dns","value":"todase.smartomato.ru"}]}'
[Tue Mar 28 15:20:46 MSK 2023] RSA key
[Tue Mar 28 15:20:46 MSK 2023] HEAD
[Tue Mar 28 15:20:46 MSK 2023] _post_url='https://acme.zerossl.com/v2/DV90/newNonce'
[Tue Mar 28 15:20:46 MSK 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  -I  '
[Tue Mar 28 15:20:46 MSK 2023] _ret='0'
[Tue Mar 28 15:20:46 MSK 2023] POST
[Tue Mar 28 15:20:46 MSK 2023] _post_url='https://acme.zerossl.com/v2/DV90/newOrder'
[Tue Mar 28 15:20:46 MSK 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Tue Mar 28 15:20:47 MSK 2023] _ret='0'
[Tue Mar 28 15:20:47 MSK 2023] code='401'
[Tue Mar 28 15:20:47 MSK 2023] Le_LinkOrder
[Tue Mar 28 15:20:47 MSK 2023] Le_OrderFinalize
[Tue Mar 28 15:20:47 MSK 2023] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:unauthorized","status":401,"detail":"A requested identifier is not permitted [todase.smartomato.ru]"}
[Tue Mar 28 15:20:47 MSK 2023] pid
[Tue Mar 28 15:20:47 MSK 2023] No need to restore nginx, skip.
[Tue Mar 28 15:20:47 MSK 2023] _clearupdns
[Tue Mar 28 15:20:47 MSK 2023] dns_entries
[Tue Mar 28 15:20:47 MSK 2023] skip dns.
[Tue Mar 28 15:20:47 MSK 2023] _on_issue_err
[Tue Mar 28 15:20:47 MSK 2023] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Tue Mar 28 15:20:47 MSK 2023] Diagnosis versions: 
openssl:openssl
OpenSSL 1.0.2g  1 Mar 2016
apache:
apache doesn't exist.
nginx:
nginx version: nginx/1.18.0
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12) 
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

My web server is (include version): nginx version: nginx/1.18.0

The operating system my web server runs on is (include version):

Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.6 LTS
Release:	16.04
Codename:	xenial

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

https://github.com/acmesh-official/acme.sh
v3.0.6

Pijng · March 28, 2023, 12:31pm

If I replace todase.smartomato.ru with dostavka-sushi.com then everything is ok.
Also I tried other domains, including other *.smartomato.ru and just *.ru – always getting:
Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:unauthorized","status":401,"detail":"A requested identifier is not permitted [<host>]"}

orangepizza · March 28, 2023, 12:54pm

acme.sh uses zerossl (under setigo) as default ca, which blockes all .ru domain. LE doesn't so change CA

Pijng · March 28, 2023, 2:33pm

@orangepizza uh, changed ca to LE:

acme.sh --set-default-ca --server letencrypt
[Tue Mar 28 17:32:16 MSK 2023] Changed default CA to: letencrypt

For some reason it still uses zerossl at this block:

[Tue Mar 28 17:32:27 MSK 2023] Getting domain auth token for each domain
[Tue Mar 28 17:32:27 MSK 2023] d
[Tue Mar 28 17:32:27 MSK 2023] url='https://acme.zerossl.com/v2/DV90/newOrder'
[Tue Mar 28 17:32:27 MSK 2023] payload='{"identifiers": [{"type":"dns","value":"toda.smartomato.ru"}]}'
[Tue Mar 28 17:32:27 MSK 2023] EC key
[Tue Mar 28 17:32:27 MSK 2023] HEAD
[Tue Mar 28 17:32:27 MSK 2023] _post_url='https://acme.zerossl.com/v2/DV90/newNonce'
[Tue Mar 28 17:32:27 MSK 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  -I  '
[Tue Mar 28 17:32:27 MSK 2023] _ret='0'
[Tue Mar 28 17:32:27 MSK 2023] POST
[Tue Mar 28 17:32:27 MSK 2023] _post_url='https://acme.zerossl.com/v2/DV90/newOrder'
[Tue Mar 28 17:32:27 MSK 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Tue Mar 28 17:32:28 MSK 2023] _ret='0'
[Tue Mar 28 17:32:28 MSK 2023] code='401'
[Tue Mar 28 17:32:28 MSK 2023] Le_LinkOrder
[Tue Mar 28 17:32:28 MSK 2023] Le_OrderFinalize
[Tue Mar 28 17:32:28 MSK 2023] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:unauthorized","status":401,"detail":"A requested identifier is not permitted [toda.smartomato.ru]"}
[Tue Mar 28 17:32:28 MSK 2023] pid

MikeMcQ · March 28, 2023, 2:44pm

Try adding --server letsencrypt on your original command.

If that fails you should ask why it keeps using ZeroSSL on the acme.sh github

orangepizza · April 21, 2023, 6:25am

default ca option doesn't change ca for already configed certificate, edit its config file

petercooperjr · April 21, 2023, 12:09pm

You're missing an "s" in letsencrypt.

Pijng · April 21, 2023, 12:28pm

Sorry, I forgot to write about the solution.

My problem was that within the current terminal session acme.sh had managed to export a number of variables which are responsible for storing CA information.

Technically the command acme.sh --set-default-ca --server lestencrypt worked correctly, it's just that the exported variables override the priority when issuing the certificate.
A new session in the terminal solved the situation.

Pijng · April 21, 2023, 12:29pm

Yes, I also edited configs via command after changing CA. It's ok now)

rg305 · April 21, 2023, 6:41pm

Again a TYPO.

Pijng · April 22, 2023, 12:45pm

Yes, I wrote the command manually in the last comment, I made a mistake, I apologise.
But in production the input was correct later on.

Even with the potential typo, you can see that the default CA has not even changed to the wrong one - Acme.sh: Error issuing certificates for *.ru zone - #4 by Pijng

At the very least I should have seen the following in the logs:
Can not init api for: lestencrypt.
Yet it still used zerossl one.

MikeMcQ · April 22, 2023, 12:53pm

It's a good question. Did you try asking on the acme.sh github? What did Neil (the author) or other experts say about acme.sh?

petercooperjr · April 22, 2023, 1:30pm

Well, that still has a typo in letsencrypt. Maybe you just only keep having typos in what you're typing here, but it makes me think that it's worth double-checking that everything you're typing into the computer is exactly what you intend. Computers can be really picky about spelling.

Pijng · April 22, 2023, 1:56pm

That's for sure. But that's not the point I'm trying to make.

Ok, as there are many ambiguities within the correspondence here, let me summarise:

Yes, there were a typo in production.
Yes, there were typos here when posting logs.
Yes, I fixed a typo at march, 28 on production

But it still didn't work due to:

acme.sh had managed to export a number of env variables which are responsible for storing CA information... the exported variables override the priority when issuing the certificate

And because of that even after I wrote a CA without a typo it still used a default zerossl.
So the solution was to log out of terminal session and log in again.

If you wrote a CA with a typo then this should happen:

$ acme.sh --set-default-ca --server lestencrypt
[Sat Apr 22 16:51:52 MSK 2023] Changed default CA to: lestencrypt

$ /root/.acme.sh/acme.sh --debug --force --issue -k 2048 -d test.smartomato.ru -w /var/www/smartomato/current/public/
[Sat Apr 22 16:52:03 MSK 2023] Lets find script dir.
[Sat Apr 22 16:52:03 MSK 2023] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sat Apr 22 16:52:03 MSK 2023] _script='/root/.acme.sh/acme.sh'
[Sat Apr 22 16:52:03 MSK 2023] _script_home='/root/.acme.sh'
[Sat Apr 22 16:52:03 MSK 2023] Using config home:/root/.acme.sh
[Sat Apr 22 16:52:03 MSK 2023] Running cmd: issue
[Sat Apr 22 16:52:03 MSK 2023] _main_domain='test.smartomato.ru'
[Sat Apr 22 16:52:03 MSK 2023] _alt_domains='no'
[Sat Apr 22 16:52:03 MSK 2023] Using config home:/root/.acme.sh
[Sat Apr 22 16:52:03 MSK 2023] default_acme_server='lestencrypt'
[Sat Apr 22 16:52:03 MSK 2023] ACME_DIRECTORY='lestencrypt'
[Sat Apr 22 16:52:03 MSK 2023] DOMAIN_PATH='/root/.acme.sh/test.smartomato.ru'
[Sat Apr 22 16:52:03 MSK 2023] Le_NextRenewTime='1684093619'
[Sat Apr 22 16:52:03 MSK 2023] Using ACME_DIRECTORY: lestencrypt
[Sat Apr 22 16:52:03 MSK 2023] _init api for server: lestencrypt
[Sat Apr 22 16:52:03 MSK 2023] GET
[Sat Apr 22 16:52:03 MSK 2023] url='lestencrypt'
[Sat Apr 22 16:52:03 MSK 2023] timeout=
[Sat Apr 22 16:52:03 MSK 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Sat Apr 22 16:52:03 MSK 2023] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6

As you can see acme will point at _init api for server: lestencrypt, which stands for you typo.

But in my case acme still used zerossl, as if I hadn't changed CA even with a typo.

So, in brief, the solution was as follows:

$ acme.sh --set-default-ca --server letsencrypt
[Sat Apr 22 16:55:12 MSK 2023] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
> CTRL+D
$ ssh <server>
$ /root/.acme.sh/acme.sh --debug --force --issue -k 2048 -d $(host) -w /var/www/smartomato/current/public/

rg305 · April 22, 2023, 3:15pm

If you had found/known the environment variable, it could have been unset.
[ I don't know acme.sh well enough to advise ]

system · May 22, 2023, 3:16pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Wildcard sertificates dosn't issueed have timeout (acme.sh) Help	57	4732	October 24, 2019
Wonder why acme.sh loops with wget returning 2 on nonce request Help	13	4101	October 4, 2018
Help for Novice Help	7	639	September 26, 2020
Create certificate by acme.sh / certbot Help	8	1395	January 13, 2020
Acme cert renewal no luck even after following the blog Help	5	514	September 2, 2020

Acme.sh: Error issuing certificates for *.ru zone

Related topics