Acme.sh: Error issuing certificates for *.ru zone

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: todase.smartomato.ru

I ran this command: /root/.acme.sh/acme.sh --debug --force --issue -k 2048 -d todase.smartomato.ru -w /var/www/smartomato/current/public/

It produced this output:

[Tue Mar 28 15:20:45 MSK 2023] Using config home:/root/.acme.sh
https://github.com/acmesh-official/acme.sh
v3.0.6
[Tue Mar 28 15:20:45 MSK 2023] Running cmd: issue
[Tue Mar 28 15:20:45 MSK 2023] _main_domain='todase.smartomato.ru'
[Tue Mar 28 15:20:45 MSK 2023] _alt_domains='no'
[Tue Mar 28 15:20:45 MSK 2023] Using config home:/root/.acme.sh
[Tue Mar 28 15:20:45 MSK 2023] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Tue Mar 28 15:20:45 MSK 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue Mar 28 15:20:45 MSK 2023] DOMAIN_PATH='/root/.acme.sh/todase.smartomato.ru'
[Tue Mar 28 15:20:45 MSK 2023] Le_NextRenewTime
[Tue Mar 28 15:20:45 MSK 2023] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Tue Mar 28 15:20:45 MSK 2023] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Tue Mar 28 15:20:45 MSK 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Tue Mar 28 15:20:45 MSK 2023] _on_before_issue
[Tue Mar 28 15:20:45 MSK 2023] _chk_main_domain='todase.smartomato.ru'
[Tue Mar 28 15:20:45 MSK 2023] _chk_alt_domains
[Tue Mar 28 15:20:45 MSK 2023] Le_LocalAddress
[Tue Mar 28 15:20:45 MSK 2023] d='todase.smartomato.ru'
[Tue Mar 28 15:20:45 MSK 2023] Check for domain='todase.smartomato.ru'
[Tue Mar 28 15:20:45 MSK 2023] _currentRoot='/var/www/smartomato/current/public/'
[Tue Mar 28 15:20:45 MSK 2023] d
[Tue Mar 28 15:20:45 MSK 2023] _saved_account_key_hash is not changed, skip register account.
[Tue Mar 28 15:20:45 MSK 2023] Read key length:2048
[Tue Mar 28 15:20:45 MSK 2023] _createcsr
[Tue Mar 28 15:20:45 MSK 2023] Single domain='todase.smartomato.ru'
[Tue Mar 28 15:20:46 MSK 2023] Getting domain auth token for each domain
[Tue Mar 28 15:20:46 MSK 2023] d
[Tue Mar 28 15:20:46 MSK 2023] url='https://acme.zerossl.com/v2/DV90/newOrder'
[Tue Mar 28 15:20:46 MSK 2023] payload='{"identifiers": [{"type":"dns","value":"todase.smartomato.ru"}]}'
[Tue Mar 28 15:20:46 MSK 2023] RSA key
[Tue Mar 28 15:20:46 MSK 2023] HEAD
[Tue Mar 28 15:20:46 MSK 2023] _post_url='https://acme.zerossl.com/v2/DV90/newNonce'
[Tue Mar 28 15:20:46 MSK 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  -I  '
[Tue Mar 28 15:20:46 MSK 2023] _ret='0'
[Tue Mar 28 15:20:46 MSK 2023] POST
[Tue Mar 28 15:20:46 MSK 2023] _post_url='https://acme.zerossl.com/v2/DV90/newOrder'
[Tue Mar 28 15:20:46 MSK 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Tue Mar 28 15:20:47 MSK 2023] _ret='0'
[Tue Mar 28 15:20:47 MSK 2023] code='401'
[Tue Mar 28 15:20:47 MSK 2023] Le_LinkOrder
[Tue Mar 28 15:20:47 MSK 2023] Le_OrderFinalize
[Tue Mar 28 15:20:47 MSK 2023] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:unauthorized","status":401,"detail":"A requested identifier is not permitted [todase.smartomato.ru]"}
[Tue Mar 28 15:20:47 MSK 2023] pid
[Tue Mar 28 15:20:47 MSK 2023] No need to restore nginx, skip.
[Tue Mar 28 15:20:47 MSK 2023] _clearupdns
[Tue Mar 28 15:20:47 MSK 2023] dns_entries
[Tue Mar 28 15:20:47 MSK 2023] skip dns.
[Tue Mar 28 15:20:47 MSK 2023] _on_issue_err
[Tue Mar 28 15:20:47 MSK 2023] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Tue Mar 28 15:20:47 MSK 2023] Diagnosis versions: 
openssl:openssl
OpenSSL 1.0.2g  1 Mar 2016
apache:
apache doesn't exist.
nginx:
nginx version: nginx/1.18.0
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12) 
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

My web server is (include version): nginx version: nginx/1.18.0

The operating system my web server runs on is (include version):

Distributor ID:	Ubuntu
Description:	Ubuntu 16.04.6 LTS
Release:	16.04
Codename:	xenial

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

https://github.com/acmesh-official/acme.sh
v3.0.6

If I replace todase.smartomato.ru with dostavka-sushi.com then everything is ok.
Also I tried other domains, including other *.smartomato.ru and just *.ru – always getting:
Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:unauthorized","status":401,"detail":"A requested identifier is not permitted [<host>]"}

acme.sh uses ZeroSSL (under Sectigo) as the default CA, which blocks all .ru domains. LE doesn't, so change the CA.

7 Likes

@orangepizza uh, changed ca to LE:

acme.sh --set-default-ca --server letencrypt
[Tue Mar 28 17:32:16 MSK 2023] Changed default CA to: letencrypt

For some reason it still uses zerossl at this block:

[Tue Mar 28 17:32:27 MSK 2023] Getting domain auth token for each domain
[Tue Mar 28 17:32:27 MSK 2023] d
[Tue Mar 28 17:32:27 MSK 2023] url='https://acme.zerossl.com/v2/DV90/newOrder'
[Tue Mar 28 17:32:27 MSK 2023] payload='{"identifiers": [{"type":"dns","value":"toda.smartomato.ru"}]}'
[Tue Mar 28 17:32:27 MSK 2023] EC key
[Tue Mar 28 17:32:27 MSK 2023] HEAD
[Tue Mar 28 17:32:27 MSK 2023] _post_url='https://acme.zerossl.com/v2/DV90/newNonce'
[Tue Mar 28 17:32:27 MSK 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  -I  '
[Tue Mar 28 17:32:27 MSK 2023] _ret='0'
[Tue Mar 28 17:32:27 MSK 2023] POST
[Tue Mar 28 17:32:27 MSK 2023] _post_url='https://acme.zerossl.com/v2/DV90/newOrder'
[Tue Mar 28 17:32:27 MSK 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Tue Mar 28 17:32:28 MSK 2023] _ret='0'
[Tue Mar 28 17:32:28 MSK 2023] code='401'
[Tue Mar 28 17:32:28 MSK 2023] Le_LinkOrder
[Tue Mar 28 17:32:28 MSK 2023] Le_OrderFinalize
[Tue Mar 28 17:32:28 MSK 2023] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:unauthorized","status":401,"detail":"A requested identifier is not permitted [toda.smartomato.ru]"}
[Tue Mar 28 17:32:28 MSK 2023] pid

Try adding --server letsencrypt on your original command.

If that fails, you should ask why it keeps using ZeroSSL on the acme.sh GitHub.

7 Likes

The default CA option doesn't change the CA for an already configured certificate; edit its config file.

5 Likes

You're missing an "s" in letsencrypt.

7 Likes

Sorry, I forgot to write about the solution.

My problem was that within the current terminal session acme.sh had managed to export a number of variables which are responsible for storing CA information.

Technically the command acme.sh --set-default-ca --server lestencrypt worked correctly; it's just that the exported variables override the priority when issuing the certificate.
A new session in the terminal solved the situation.

Yes, I also edited the configs via the command after changing the CA. It's ok now)

1 Like

Again a TYPO.

4 Likes

Yes, I wrote the command manually in the last comment, I made a mistake, I apologise.
But in production the input was correct later on.

Even with the potential typo, you can see that the default CA has not even changed to the wrong one - Acme.sh: Error issuing certificates for *.ru zone - #4 by Pijng

At the very least I should have seen the following in the logs:
Can not init api for: lestencrypt.
Yet it still used zerossl one.

1 Like

It's a good question. Did you try asking on the acme.sh github? What did Neil (the author) or other experts say about acme.sh?

3 Likes

Well, that still has a typo in letsencrypt. Maybe you just only keep having typos in what you're typing here, but it makes me think that it's worth double-checking that everything you're typing into the computer is exactly what you intend. Computers can be really picky about spelling.

2 Likes

That's for sure. But that's not the point I'm trying to make.

Ok, as there are many ambiguities within the correspondence here, let me summarise:

Yes, there was a typo in production.
Yes, there were typos here when posting logs.
Yes, I fixed the typo on March 28 in production.

But it still didn't work due to:

acme.sh had managed to export a number of env variables which are responsible for storing CA information... the exported variables override the priority when issuing the certificate

And because of that, even after I wrote the CA without a typo, it still used the default zerossl.
So the solution was to log out of the terminal session and log in again.

If you wrote a CA with a typo then this should happen:

$ acme.sh --set-default-ca --server lestencrypt
[Sat Apr 22 16:51:52 MSK 2023] Changed default CA to: lestencrypt

$ /root/.acme.sh/acme.sh --debug --force --issue -k 2048 -d test.smartomato.ru -w /var/www/smartomato/current/public/
[Sat Apr 22 16:52:03 MSK 2023] Lets find script dir.
[Sat Apr 22 16:52:03 MSK 2023] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sat Apr 22 16:52:03 MSK 2023] _script='/root/.acme.sh/acme.sh'
[Sat Apr 22 16:52:03 MSK 2023] _script_home='/root/.acme.sh'
[Sat Apr 22 16:52:03 MSK 2023] Using config home:/root/.acme.sh
[Sat Apr 22 16:52:03 MSK 2023] Running cmd: issue
[Sat Apr 22 16:52:03 MSK 2023] _main_domain='test.smartomato.ru'
[Sat Apr 22 16:52:03 MSK 2023] _alt_domains='no'
[Sat Apr 22 16:52:03 MSK 2023] Using config home:/root/.acme.sh
[Sat Apr 22 16:52:03 MSK 2023] default_acme_server='lestencrypt'
[Sat Apr 22 16:52:03 MSK 2023] ACME_DIRECTORY='lestencrypt'
[Sat Apr 22 16:52:03 MSK 2023] DOMAIN_PATH='/root/.acme.sh/test.smartomato.ru'
[Sat Apr 22 16:52:03 MSK 2023] Le_NextRenewTime='1684093619'
[Sat Apr 22 16:52:03 MSK 2023] Using ACME_DIRECTORY: lestencrypt
[Sat Apr 22 16:52:03 MSK 2023] _init api for server: lestencrypt
[Sat Apr 22 16:52:03 MSK 2023] GET
[Sat Apr 22 16:52:03 MSK 2023] url='lestencrypt'
[Sat Apr 22 16:52:03 MSK 2023] timeout=
[Sat Apr 22 16:52:03 MSK 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
[Sat Apr 22 16:52:03 MSK 2023] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6

As you can see, acme will point at _init api for server: lestencrypt, which stands for your typo.

But in my case acme still used zerossl, as if I hadn't changed the CA even with a typo.

So, in brief, the solution was as follows:

$ acme.sh --set-default-ca --server letsencrypt
[Sat Apr 22 16:55:12 MSK 2023] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
> CTRL+D
$ ssh <server>
$ /root/.acme.sh/acme.sh --debug --force --issue -k 2048 -d $(host) -w /var/www/smartomato/current/public/

2 Likes
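A diagnostic for the problem this summary and the earlier post describe (CA endpoints exported into the shell making acme.sh keep talking to ZeroSSL after the default CA was switched), written here as an added example; it is not code from the thread or from acme.sh itself. It assumes acme.sh keeps its CA endpoints in exported ACME_* variables: ACME_DIRECTORY appears in the debug logs above, while ACME_NEW_ORDER and ACME_NEW_NONCE are names taken from acme.sh's source as I remember it and should be confirmed there.

```shell
#!/bin/sh
# Added example, not code from the thread or from acme.sh. Assumption: acme.sh
# caches the CA's directory and endpoint URLs in exported ACME_* variables
# (ACME_DIRECTORY is visible in the debug log; ACME_NEW_ORDER and ACME_NEW_NONCE
# are recalled from acme.sh's source, confirm with:
#   grep -n 'export ACME_' /root/.acme.sh/acme.sh).

# ca_host URL: print the host part of a URL.
ca_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-z]*://||' -e 's|/.*$||'
}

# stale_vars EXPECTED_DIR_URL: read NAME=VALUE lines on stdin (e.g. from
# printenv) and print, space separated, the ACME_* names whose URL points at
# a different host than the expected ACME directory.
stale_vars() {
    want=$(ca_host "$1")
    names=""
    while IFS= read -r line; do
        case "$line" in
            ACME_*=http*) ;;   # only acme.sh endpoint variables holding URLs
            *) continue ;;
        esac
        name=${line%%=*}
        host=$(ca_host "${line#*=}")
        [ "$host" = "$want" ] || names="$names${names:+ }$name"
    done
    printf '%s\n' "$names"
}

# acme_env_check EXPECTED_DIR_URL: inspect the exported environment (what a
# child acme.sh process inherits) and return 1 if a cached endpoint would pull
# an --issue run to another CA, printing the unset command that clears it.
acme_env_check() {
    stale=$(printenv | stale_vars "$1")
    if [ -n "$stale" ]; then
        echo "stale CA endpoints exported in this shell: $stale" >&2
        echo "run:  unset $stale   (or start a fresh login session)" >&2
        return 1
    fi
    echo "no exported ACME_* endpoint points away from $(ca_host "$1")"
}

# Usage: acme_env_check https://acme-v02.api.letsencrypt.org/directory
```

Running the check before `--issue` tells you whether `unset` is enough, rather than guessing and re-logging in.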

If you had found/known the environment variable, it could have been unset.
[ I don't know acme.sh well enough to advise ]

3 Likes
