We experienced a problem with a certificate today. It got issued at 09:32:17 CET.
After including it into our server configuration, the server refused to start with the error message in the topic title.
It produced this output:
[…]
[Thu Mar 8 09:32:17 CET 2018] Your cert is in /etc/acme.sh/globaltrends.sef-bonn.org/globaltrends.sef-bonn.org.cer
[Thu Mar 8 09:32:17 CET 2018] Your cert key is in /etc/acme.sh/globaltrends.sef-bonn.org/globaltrends.sef-bonn.org.key
[Thu Mar 8 09:32:17 CET 2018] The intermediate CA cert is in /etc/acme.sh/globaltrends.sef-bonn.org/ca.cer
[Thu Mar 8 09:32:17 CET 2018] And the full chain certs is there: /etc/acme.sh/globaltrends.sef-bonn.org/fullchain.cer
[…]
SSL config in vhost:
SSLEngine on
SSLCertificateFile "/etc/acme.sh/globaltrends.sef-bonn.org/fullchain.cer"
SSLCertificateKeyFile "/etc/acme.sh/globaltrends.sef-bonn.org/globaltrends.sef-bonn.org.key"
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
You could just go get your certificate from https://crt.sh/?d=349971185 and replace the first certificate in the fullchain.cer file with the contents of the downloaded one.
I can’t tell whether the problem is the way you posted your certificate on the forum or not, but when I copy what you pasted into vim, the file leads with 0x20 (which is a space). Check that there is no space at the start of your file:
I wonder if it could be related to this - is it possible that Boulder could return two different Link headers, or one header with multiple values, and acme.sh could pick the wrong one?
The current config has been cleaned up by our automation already, sorry >.<
But I have the suspicion that acme.sh was executed simultaneously multiple times and that led to this behaviour. I found this in the logs:
[Thu Mar 8 09:32:07 CET 2018] Creating domain key
[Thu Mar 8 09:32:09 CET 2018] The domain key is here: /etc/acme.sh/globaltrends.sef-bonn.org/globaltrends.sef-bonn.org.key
[Thu Mar 8 09:32:09 CET 2018] Single domain='globaltrends.sef-bonn.org'
[Thu Mar 8 09:32:10 CET 2018] Getting domain auth token for each domain
[Thu Mar 8 09:32:10 CET 2018] Getting webroot for domain='globaltrends.sef-bonn.org'
[Thu Mar 8 09:32:10 CET 2018] Getting new-authz for domain='globaltrends.sef-bonn.org'
[Thu Mar 8 09:32:11 CET 2018] Single domain='global-trends-info.org'
[Thu Mar 8 09:32:11 CET 2018] Getting domain auth token for each domain
[Thu Mar 8 09:32:11 CET 2018] Getting webroot for domain='global-trends-info.org'
[Thu Mar 8 09:32:11 CET 2018] Single domain='www.global-trends-info.org'
[Thu Mar 8 09:32:11 CET 2018] Getting new-authz for domain='global-trends-info.org'
[Thu Mar 8 09:32:11 CET 2018] Getting domain auth token for each domain
[Thu Mar 8 09:32:11 CET 2018] Getting webroot for domain='www.global-trends-info.org'
[Thu Mar 8 09:32:11 CET 2018] Getting new-authz for domain='www.global-trends-info.org'
[Thu Mar 8 09:32:11 CET 2018] The new-authz request is ok.
[Thu Mar 8 09:32:11 CET 2018] Verifying:globaltrends.sef-bonn.org
[Thu Mar 8 09:32:12 CET 2018] The new-authz request is ok.
[Thu Mar 8 09:32:13 CET 2018] The new-authz request is ok.
[Thu Mar 8 09:32:13 CET 2018] Verifying:global-trends-info.org
[Thu Mar 8 09:32:13 CET 2018] Verifying:www.global-trends-info.org
[Thu Mar 8 09:32:15 CET 2018] Success
[Thu Mar 8 09:32:15 CET 2018] Verify finished, start to sign.
[Thu Mar 8 09:32:17 CET 2018] Cert success.
[Thu Mar 8 09:32:17 CET 2018] Your cert is in /etc/acme.sh/globaltrends.sef-bonn.org/globaltrends.sef-bonn.org.cer
[Thu Mar 8 09:32:17 CET 2018] Your cert key is in /etc/acme.sh/globaltrends.sef-bonn.org/globaltrends.sef-bonn.org.key
[Thu Mar 8 09:32:17 CET 2018] Pending
[Thu Mar 8 09:32:17 CET 2018] www.global-trends-info.org:Verify error:Invalid response from http://www.global-trends-info.org/.well-known/ac
HwrDfmZo:
[Thu Mar 8 09:32:17 CET 2018] Please check log file for more details: /dev/null
[Thu Mar 8 09:32:17 CET 2018] The intermediate CA cert is in /etc/acme.sh/globaltrends.sef-bonn.org/ca.cer
[Thu Mar 8 09:32:17 CET 2018] And the full chain certs is there: /etc/acme.sh/globaltrends.sef-bonn.org/fullchain.cer
[Thu Mar 8 09:32:17 CET 2018] Run reload cmd: /etc/init.d/apache2 reload
[Thu Mar 8 09:32:19 CET 2018] Reload success
See how there are three “Verifying:” lines for different domains at almost the same time.
Could this be the cause of this behaviour, @Neilpang ?
Another try with debug 2 yielded no errors and a correct certificate.