ACMEv2 staging new-order sometimes fails with "Error finalizing order"


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mnrd.us, mattnordhoff.net, mattnordhoff.com

I ran this command: sudo -H certbot renew --dry-run

It produced this output: “Attempting to renew cert (mnrd.us) from /etc/letsencrypt/renewal/mnrd.us.conf produced an unexpected error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error finalizing order. Skipping.” (Or the same for other certificates.)

My web server is (include version): Nginx 1.13.10

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


Certbot 0.22.2, from the PPA, and certbot-auto.

One redacted letsencrypt.log: https://mn0.us/UqaA13Frtn2187V2JwdHPZt/letsencrypt.log

I’ve run certbot renew --dry-run many times yesterday and today. (Testing a manual auth hook, but that’s beside the point.) At a guess, I’ve issued maybe 100-200 staging certificates. From my logs, they’ve failed with the above error 7 times.

I’ve used “certbot certonly --staging” to create or renew about 25 certificates without being able to reproduce the issue, though.

Are there any known weird issues?


Unable to get new certs, "error creating new cert" 500 error
#2

Could it be this maybe?


#3

Hmm. I think you’re onto something.

At first I dismissed that one because the error message and endpoint are different, but that thread concerned the ACMEv1 API, and this one concerns ACMEv2, and it looks like they present the same kind of underlying issue with slightly different error messages.

I would expect authz reuse to prevent me from having a totally unreasonable number of authorizations… but they said the same thing in that thread. And that person had failures due to domains no longer working, and I had failures due to [insert rant about my hook and a library it uses].


#4

Purely in V2:

Getting this same error on finalizing, and I don’t believe I have a ton of issuance going on (although I am developing a client). It seems sporadic.

Thought about adding retry logic, but it sets the request to invalid, so it can’t be finalized without re-doing the challenges on internal server error. Since it has this side-effect, retry logic doesn’t seem wise to add. Please let me know if I can do anything to help test this issue!

Thanks!
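
As an added illustration (not code from this thread, from certbot, or from Let’s Encrypt), the snippet below parses the “produced an unexpected error” lines quoted in post #1 and sorts each failure by the action its ACME error type calls for, carrying the caveat from post #4 that a finalize failing with serverInternal leaves the order invalid, so the next attempt needs a fresh order rather than a retried finalize. The sample lines other than the serverInternal one, and the error-type-to-action mapping, are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format post #1 quotes; the unauthorized and
# rateLimited lines (and their detail text) are made up for illustration.
SAMPLE_RENEW_OUTPUT = """\
Attempting to renew cert (mnrd.us) from /etc/letsencrypt/renewal/mnrd.us.conf produced an unexpected error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error finalizing order. Skipping.
Attempting to renew cert (mattnordhoff.net) from /etc/letsencrypt/renewal/mattnordhoff.net.conf produced an unexpected error: urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mattnordhoff.net/.well-known/acme-challenge/test. Skipping.
Attempting to renew cert (mattnordhoff.com) from /etc/letsencrypt/renewal/mattnordhoff.com.conf produced an unexpected error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order. Skipping.
Attempting to renew cert (mnrd.us) from /etc/letsencrypt/renewal/mnrd.us.conf produced an unexpected error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error finalizing order. Skipping.
"""

# Matches the certbot renew failure line shape shown in the thread.
LINE_RE = re.compile(
    r"Attempting to renew cert \((?P<name>[^)]+)\) from (?P<conf>\S+) "
    r"produced an unexpected error: urn:ietf:params:acme:error:(?P<type>\w+) "
    r":: (?P<detail>.*?)\. Skipping\.$"
)


def action_for(error_type: str) -> str:
    """Map an ACME error type (RFC 8555 section 6.7) to the operator's next step (assumed triage)."""
    if error_type == "serverInternal":
        # Per post #4, a finalize that fails this way leaves the order invalid, so
        # re-sending finalize cannot succeed: the next run must create a fresh order
        # and redo validation, which "certbot renew" does on every invocation.
        return "new-order"
    if error_type == "rateLimited":
        return "back-off"       # wait for the limit window, do not hammer the CA
    return "fix-config"         # unauthorized, dns, caa, badCSR, ... need a local fix first


def triage(output: str) -> dict:
    """Return {cert_name: [(error_type, action), ...]} for every failed renewal line."""
    failures = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # success lines and other chatter are ignored
        failures.setdefault(m["name"], []).append((m["type"], action_for(m["type"])))
    return failures


def summarize(failures: dict, attempted: int) -> dict:
    """Count failures per action and compute the failure rate over `attempted` renewals."""
    counts = Counter(action for errs in failures.values() for _, action in errs)
    total = sum(counts.values())
    rate = total / attempted if attempted else 0.0
    return {"failures": total, "rate": rate, "by_action": dict(counts)}
```

Feeding the real renew output and the number of certificates attempted gives the same kind of ratio the reporter estimated from logs, with the serverInternal cases separated from problems the operator can fix locally.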


#5

@larryboymi How recently have you seen issues? The maybe-the-same-thing thread jmorahan linked to was fixed yesterday.

https://letsencrypt.status.io/pages/maintenance/55957a99e800baa4470002da/5abd11c975b2bd04e3626da1

(And probably fixed Tuesday in staging.)


#6

Experienced it today, against staging. It was mostly sporadic but I couldn’t place it. After a while I couldn’t make it happen, but definitely experienced it some.


#7

I just ran some "certbot renew --dry-run"s. 19 certificates succeeded, 1 failed with “Error finalizing order”.


#8

Does that mean someone is trying to look into it?


#9

@larryboymi can you share the domain name you’re having this issue with so we can get a Let’s Encrypt engineer to check their logs? Thanks!


#10

Sure @Patches, it was “larry-a.com” which I have for testing purposes (and experienced these errors last weekend). Thanks!


#11

I shared this in the other thread. I didn’t notice you mentioned that you haven’t tried since last weekend, though. They’ve tried to fix this issue twice since then, so the log from your domain may not be useful anymore. (If it is the same issue…)

If you can please try again, and let us know if it still doesn’t work for you, so the staff knows to look for a more recent log.


#12

I’ll let you know if I or any of the people using my client has an issue. Thanks!


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.