Like many others, I also have the error message shown in the title. It has been appearing since 9 Feb 2024. It seems to prevent updating any of my certificates, so it's a ticking bomb!
I don't understand what the other instances were so I'll have to ask for mine as well. I'm using Certes for .NET to generate those certificates. At one point the Certes.CertificateChainExtensions.ToPem(CertificateChain certificateChain, IKey certKey) method is called and that raises the exception. I don't understand any of this so please help me. I'd expect that a retrieved certificate can be converted to PEM format, but apparently there is some validation also going on and it fails.
My domain is: all (really, every request fails)
I ran this command: Certes.CertificateChainExtensions.ToPem(CertificateChain certificateChain, IKey certKey)
It produced this output: Certes.AcmeException with the message from the title
My web server is (include version): Apache 2.4 (irrelevant here)
The operating system my web server runs on is (include version): Ubuntu Server 20.04
My hosting provider, if applicable, is: self
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): own, it is throwing the error
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): none, not using it
The "Certbot" here is just an example. The question relates to the ACME client used, whichever ACME client. In your case that seems to be Certes, so the question here really is: "The version of Certes".
Sorry, I didn't find solutions in the other threads, only lots of technical comments digging into different directions.
The Certes version I had was 2.3.4. After upgrading to 3.0.4 it works again. Sadly the new Certes version is unofficial, not open source and undocumented. There's no tag for this version in the GitHub repo so it remains unclear what it actually contains. The new version number would also suggest breaking changes, but luckily my application still builds.
Everybody here seems to suggest upgrading to the currently latest 3.0.4, so I just tried that. We probably won't find out which version is necessary until the versions are properly tagged and traceable.
The tone here suggests you feel you were owed some explanation. They may not have tagged the release on GitHub, but the "official" Certes is this one: NuGet Gallery | Certes 3.0.4, and it doesn't really take much sleuthing to see that the 3.0.4 release date coincides with the last repo commit: Commits · fszlin/certes · GitHub. The 3.0 tagged release did however get the ISRG Root X1 resource embedding, and you could choose that specific version via NuGet if you wanted.
Being open source doesn't make a package special; it just means you can see and play with the source. There is no obligation for the person who wrote it to maintain it, and in this case it's clear to me that it was a work project that got published and just doesn't really get updated now. It has never had a thriving community of contributors.
I note also that users of other Certes-reliant things like GitHub - sjkp/letsencrypt-azure: The easiest way to use lets encrypt certificates on Azure (last updated 5 years ago) are also starting to see failures, including fairly high profile Microsoft developer stuff, so I think this has surprised a few folks. All I can really say is keep your software dependencies up to date or suffer the resulting bit rot.