Attempting to renew cert from /etc/letsencrypt/renewal/domain.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

api.skryit.com

I ran this command:

sudo certbot renew --dry-run

It produced this output:

root@ubuntu-s-1vcpu-1gb-python3:~# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/api.skryit.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Attempting to renew cert (api.skryit.com) from /etc/letsencrypt/renewal/api.skryit.com.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/api.skryit.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/api.skryit.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

/var/log/letsencrypt/letsencrypt.log:

...
2020-01-07 00:12:47,475:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Date: Tue, 07 Jan 2020 00:12:47 GMT
Content-Type: application/problem+json
Content-Length: 103
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}
2020-01-07 00:12:47,476:WARNING:certbot.renewal:Attempting to renew cert (api.skryit.com) from /etc/letsencrypt/renewal/api.skryit.com.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
2020-01-07 00:12:47,480:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 369, in obtain_certificate
    cert, chain = self.obtain_certificate_from_csr(csr, orderr)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 301, in obtain_certificate_from_csr
    orderr = self.acme.finalize_order(orderr, deadline)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 908, in finalize_order
    return self.client.finalize_order(orderr, deadline)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 743, in finalize_order
    content_type=DER_CONTENT_TYPE).text
  File "/usr/lib/python3/dist-packages/acme/client.py", line 791, in _post_as_get
    return self.net.get(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1152, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1054, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed

2020-01-07 00:12:47,481:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-01-07 00:12:47,481:ERROR:certbot.renewal:  /etc/letsencrypt/live/api.skryit.com/fullchain.pem (failure)
2020-01-07 00:12:47,482:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

My web server is (include version):

nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):

ubuntu 18.04

My hosting provider, if applicable, is:

DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 0.31.0

1 Like

Please consider updating your certbot, since it's relatively old and there are changes to Let's Encrypt after that release.

Thank you

1 Like

Specifically, you need to ensure your python3-acme package is updated to 0.31.0-2, which has a fix backported from a future version, to address this specific issue.

apt update && apt install --only-upgrade python3-acme

(It is probably best if you upgrade all your packages, though).

4 Likes
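As an added example (not part of the thread and not certbot's own code): a small triage script for the letsencrypt.log excerpt in the first post. It flags this specific signature, a 405 `malformed` problem document plus a traceback in which `_post_as_get` ends in a GET, which is the case the python3-acme update above addresses. The function names and the abridged sample log are constructed for illustration.

```python
import json
import re

# Constructed sample, abridged from the letsencrypt.log excerpt in the first post.
SAMPLE_LOG = """\
2020-01-07 00:12:47,475:DEBUG:acme.client:Received response:
HTTP 405
Content-Type: application/problem+json
{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed", "status": 405
}
2020-01-07 00:12:47,480:DEBUG:certbot.renewal:Traceback was:
  File "/usr/lib/python3/dist-packages/acme/client.py", line 791, in _post_as_get
    return self.net.get(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1152, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
"""

RECORD_START = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}:\w+:([\w.]+):(.*)$")

def split_records(text):
    """Attach continuation lines to the timestamped record that precedes them."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append({"logger": m[1], "lines": [m[2]]})
        elif records:
            records[-1]["lines"].append(line)
    return records

def problem_document(record):
    """Return the ACME problem JSON logged by acme.client in this record, else None."""
    body = "\n".join(record["lines"])
    if record["logger"] != "acme.client" or "application/problem+json" not in body:
        return None
    try:  # str.index and json.loads both raise ValueError on bad input
        return json.loads(body[body.index("{"):body.rindex("}") + 1])
    except ValueError:
        return None

def diagnose(text):
    """True if the log shows a 405 'malformed' reply to a GET sent from _post_as_get."""
    records = split_records(text)
    docs = [d for d in map(problem_document, records) if d]
    lines = [l for r in records for l in r["lines"]]
    return (any(d.get("status") == 405 and str(d.get("type", "")).endswith(":malformed") for d in docs)
            and any(l.rstrip().endswith("in _post_as_get") for l in lines)
            and any("_send_request('GET'" in l for l in lines))
```

To use it on a real host, pass the contents of /var/log/letsencrypt/letsencrypt.log to `diagnose()`; a `True` result matches the failure shown in this thread.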

In Ubuntu 18.04 it shows:
certbot is already the newest version (0.31.0-1+ubuntu18.04.1+certbot+1).

[All packages are up to date.]

2 Likes

python3-acme did it for me. thanks for the info.

2 Likes

Same log as cdrandin, last acme lib. 3 ubuntu servers 16.04, same situation.

python3-acme is already the newest version (0.31.0-2+ubuntu16.04.6+certbot+2)

I have all packages up to date but error still persists.

1 Like

I had exactly the same error running certbot renew --dry-run.

certbot --version
certbot 0.31.0

Ubuntu 18.04, and domains markpea.org are all set up and working perfectly. Only, running the --dry-run option produced the identical error listed at the top of this message. I normally run everything as a regular user with sudo but this time I logged in as root (& yes I do plan to disable root access to the droplet :)) and ran:

apt update && apt install --only-upgrade python3-acme

giving me a crucial clue that something had been updated

The following packages will be upgraded: python3-acme

But revealing the version of certbot still remains at its original version:

certbot --version
certbot 0.31.0

However, certbot renew --dry-run now executes without throwing an error.

!! Conclusion

On the latest Ubuntu v18.04 the installed version of certbot needs attention in order to execute the option "renew --dry-run" without errors. Running the following as root user will fix the problem even though the version of certbot does not seem to be affected:

apt update && apt install --only-upgrade python3-acme

Cheers
Henry Pearson

2 Likes

Correct; it is NOT certbot that needs to be updated.
[that --version will remain unchanged]
It is only the python3-acme that needs to be updated.

2 Likes

Check python --version.

I had a 2-year-old server installed by Ansible for py2, so I set that as default. Unfortunately, I didn't change back to version 3.

In my case I fixed the problem by:

update-alternatives --install /usr/bin/python python /usr/bin/python3.5 1

2 Likes

@rg305
Thanks for this clarification.

2 Likes
