API returns error "urn:ietf:params:acme:error:malformed"

I am trying to create a certificate with multiple domains in this format:

ssl.domain1.com, domain1.com, *.domain1.com, sub.domain1.com, domain2.com, *.domain2.com, domain3.com, *.domain3.com, domain4.com, *.domain4.com, domain5.com, *.domain5.com, domain6.com, *.domain6.com, domain7.com, *.domain7.com, domain8.com, *.domain8.com, domain9.com, *.domain9.com, domain10.com, *.domain10.com, domain11.com, domain12.com

and I am using yaac but the API returns 400 Bad Request and this error: "urn:ietf:params:acme:error:malformed"

The "malformed" error just means "The request message was malformed" and doesn't give us much to go on. It might be a bug in your ACME client? There should be more detail available in the error message of the exact problem, though perhaps your client doesn't present the error.

Unfortunately PHP limits the error data but here's the full string I get:
{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Error creating new order :: Domain name "

Well, probably the rest of that detail message tells you which domain name you're trying to use has a problem and what the problem is.

I see the beginning of a domain, but it's just a random one that changes.

Try getting rid of the spaces after the commas in your list.

That is just for reference; in the code it is an array.


Having written my own ACME client CertSage (written entirely in PHP), I can tell you that error is a result of your ACME client formatting the order JSON incorrectly. It's likely not a bug, but a misunderstanding of how to pass your domain names into the ACME client.

The payload of the newOrder request is an associative array with an "identifiers" key that maps to a non-associative array where each element is an associative array with "type" and "value" keys that map to "dns" and a domain name, respectively.

You've got a few SANs in there that overlap with some of the wildcards which is also part of the problem. For instance, you can't have ssl.domain1.com or sub.domain1.com in the same certificate as *.domain1.com. Only include the apex domain1.com in addition to the wildcard name.

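The newOrder payload shape described in the reply above, together with a check for names that are redundant with a wildcard in the same order, as an added example (this is not the original poster's code, nor yaac or CertSage code). It assumes a simplified hostname grammar (letters, digits and hyphens per label, optional leading `*.`), and the sample inputs are constructed from the question's domain list; the helper names are my own.

```python
import json
import re

# Assumed, simplified hostname grammar: optional "*." prefix for a wildcard,
# then at least two dot-separated labels of letters, digits and hyphens that
# do not start or end with a hyphen. Commas and spaces never match, so a
# whole comma-separated string passed as one "domain" is rejected here.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DNS_NAME = re.compile(rf"^(?:\*\.)?(?:{_LABEL}\.)+{_LABEL}$")


def normalize(name):
    """Trim whitespace, lower-case and drop a trailing dot from one DNS name."""
    return name.strip().lower().rstrip(".")


def is_valid_dns_identifier(name):
    """True if name looks like a DNS identifier an ACME CA would accept."""
    return bool(_DNS_NAME.match(name))


def redundant_with_wildcard(names):
    """Names in the list that a wildcard in the same list already covers.

    *.example.com covers exactly one label to its left (sub.example.com). It
    covers neither the apex example.com nor deeper names such as
    a.b.example.com, and *.sub.example.com is a distinct wildcard, so none of
    those are reported as redundant.
    """
    wildcard_bases = {n[2:] for n in names if n.startswith("*.")}
    result = []
    for n in names:
        if n.startswith("*."):
            continue
        _, _, parent = n.partition(".")
        if parent in wildcard_bases:
            result.append(n)
    return result


def order_problems(domains):
    """Human-readable problems with a name list; [] means it is clean."""
    problems = []
    names = [normalize(d) for d in domains]
    for raw, n in zip(domains, names):
        if not is_valid_dns_identifier(n):
            problems.append(f"not a valid DNS identifier: {raw!r}")
    for n in redundant_with_wildcard(names):
        problems.append(f"{n} is redundant with a wildcard in the same order")
    return problems


def build_new_order_payload(domains):
    """Build the newOrder request payload (RFC 8555 section 7.4).

    The result is an object whose "identifiers" member is an array of
    {"type": "dns", "value": <name>} objects. Names are normalized and
    deduplicated with order preserved; ValueError is raised for syntactically
    bad names and for names redundant with a wildcard in the same order, the
    latter being the situation diagnosed in the reply above.
    """
    problems = order_problems(domains)
    if problems:
        raise ValueError("; ".join(problems))
    names = []
    for d in domains:
        n = normalize(d)
        if n not in names:
            names.append(n)
    return {"identifiers": [{"type": "dns", "value": n} for n in names]}


def new_order_json(domains):
    """Serialized payload as it goes into the JWS 'payload' field."""
    return json.dumps(build_new_order_payload(domains), separators=(",", ":"))


if __name__ == "__main__":
    # Constructed input: the first few names from the question, split on
    # commas so each element carries a leading space that normalize() removes.
    asked = "ssl.domain1.com, domain1.com, *.domain1.com, sub.domain1.com, domain2.com, *.domain2.com"
    print(order_problems(asked.split(",")))   # ssl. and sub.domain1.com overlap *.domain1.com
    print(order_problems([asked]))            # whole string as one name is not a valid identifier
    # Drop the overlapping names (or put them in their own order) and the payload builds.
    print(new_order_json(["domain1.com", "*.domain1.com", "*.sub.domain1.com", "domain2.com", "*.domain2.com"]))
```

`order_problems` is what to run before signing the request: it reports every offending name at once, whereas the CA's `malformed` detail only names the first one it hits, which is why the domain shown in the truncated error kept changing between attempts.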

Great observation, @rmbolger! :sparkling_heart:

That is most likely the problem, thank you! However, sub.domain1.com is mandatory; I guess I will have to put it in a separate certificate.

sub.domain1.com would be covered by the *.domain1.com wildcard...unless of course you need *.sub.domain1.com which is different and should be ok to include with the existing order.
