Cannot create new certificates. Error 400

SirLouen · August 5, 2024, 12:56pm

I'm using Caddy with their CertMagic client. For some reason, the system cant create new certificates. This is the log with debug activated.

I cannot clearly see anything missing, but an 400 error

All 3 letsdebug tests went well

So I'm a little bit clueless on what could be going on.

caddy  | {"level":"debug","ts":1722861954.0194893,"logger":"http.acme_client","msg":"http request","method":"HEAD","url":"https://acme-v02.api.letsencrypt.org/acme/new-nonce","headers":{"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Cache-Control":["public, max-age=0, no-cache"],"Date":["Mon, 05 Aug 2024 12:45:53 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["VbHcGKwnY9Oqu8dr57wzVLSqd7Hlia3IIoSDmFWnpk75YJqfHqc"],"Server":["nginx"],"Strict-Transport-Security":["max-age=604800"],"X-Frame-Options":["DENY"]},"status_code":200}
caddy  | {"level":"debug","ts":1722861954.1816185,"logger":"http.acme_client","msg":"http request","method":"POST","url":"https://acme-v02.api.letsencrypt.org/acme/new-order","headers":{"Content-Type":["application/jose+json"],"User-Agent":["Caddy/2.8.4 CertMagic acmez (linux; amd64)"]},"response_headers":{"Boulder-Requester":["1873678947"],"Cache-Control":["public, max-age=0, no-cache"],"Content-Length":["107"],"Content-Type":["application/problem+json"],"Date":["Mon, 05 Aug 2024 12:45:54 GMT"],"Link":["<https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\""],"Replay-Nonce":["QYxeyab8GJuVlhvpIi3ln3gEPwQNWXKRwiB8R1OL53JB3RP-O0c"],"Server":["nginx"]},"status_code":400}
caddy  | {"level":"error","ts":1722861954.181795,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"fedora.mcamargo.es","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error"}
caddy  | {"level":"debug","ts":1722861954.181849,"logger":"events","msg":"event","name":"cert_failed","id":"8b4124e9-6e1f-4615-a957-8c138f08d180","origin":"tls","data":{"error":{},"identifier":"fedora.mcamargo.es","issuers":["acme-v02.api.letsencrypt.org-directory"],"renewal":false}}
caddy  | {"level":"error","ts":1722861954.181875,"logger":"tls.obtain","msg":"will retry","error":"[fedora.mcamargo.es] Obtain: [fedora.mcamargo.es] creating new order: attempt 1: https://acme-v02.api.letsencrypt.org/acme/new-order: HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":0.808648962,"max_duration":2592000

rg305 · August 5, 2024, 1:03pm

It looks like you may be rate limited:

petercooperjr · August 5, 2024, 1:03pm

@mholt, I'm going to throw this one at you.

mholt · August 5, 2024, 1:09pm

I'm already replying on GitHub, but there's something else going on I can't follow with the limited information provided.

SirLouen · August 5, 2024, 2:17pm

Could be, how can I check this?

mholt · August 5, 2024, 4:46pm

OP has discovered some weird things about their container setup that led to the unusual behavior.

github.com/caddyserver/caddy

Weird broken loop with 308 Permanent Redirect on php_fastcgi

opened 10:53AM - 05 Aug 24 UTC

closed 01:30PM - 05 Aug 24 UTC

SirLouen

needs info

I've noted that `php_fastcgi` directive has a default behaviour that can complet…ely break the Let's Encrypt retrieval process I have this test domain: fedora.mcamargo.es Configured with this Caddyfile ``` fedora.mcamargo.es { root * /usr/share/caddy/fedora file_server php_fastcgi unix//run/php/php-fpm.sock { root /var/www/html } } ``` I'm using a dockerized Caddy (caddy:latest 2.8.4) with an another dockerized PHP-FPM server At some point I deleted the volume where certs were stored. As we can see here this is the response: ``` curl http://fedora.mcamargo.es -v * Host fedora.mcamargo.es:80 was resolved. * IPv6: (none) * IPv4: 135.181.80.106 * Trying 135.181.80.106:80... * Connected to fedora.mcamargo.es (135.181.80.106) port 80 > GET / HTTP/1.1 > Host: fedora.mcamargo.es > User-Agent: curl/8.7.1 > Accept: */* > * Request completely sent off < HTTP/1.1 308 Permanent Redirect < Connection: close < Location: https://fedora.mcamargo.es/ < Server: Caddy < Date: Mon, 05 Aug 2024 10:47:13 GMT < Content-Length: 0 < * Closing connection ``` There is a permanent 308 redirect that inhibits the recreation of the new certificate, just as we can see in the letsdebug error: https://letsdebug.net/fedora.mcamargo.es/2155062 I'm going to research how I can stop that 308 redirect to HTTPS to re-issue the certificates, but the system is broken as-is and I have not idea for now how to sort this out. I'm not sure if this issue is related somehow: https://github.com/caddyserver/caddy/issues/5660 as I cannot relate to the content of it, but maybe there is some relationship If I change the hostname in the Caddyfile to ``` http://fedora.mcamargo.es { root * /usr/share/caddy/fedora file_server php_fastcgi unix//run/php/php-fpm.sock { root /var/www/html } } ``` As we can see here, it's fully compliant again. https://letsdebug.net/fedora.mcamargo.es/2155077 And the site works well (without HTTPS) That pesky 308 is driving me nuts :)

rg305 · August 5, 2024, 4:54pm

I used:
crt.sh | fedora.mcamargo.es

system · September 4, 2024, 4:55pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ACME Challenge Failed: Error 400 Help	8	1912	March 29, 2024
Client receives "Error creating new cert" message from server Help	10	6250	December 5, 2015
Internal Server Error (500) when creating certificates Help	4	2242	April 6, 2017
Error 429 - Too Many Certificates but I don't made any Help	5	2356	July 4, 2018
Certificate renewal suddenly failing Help	4	630	December 10, 2020

Cannot create new certificates. Error 400

Related topics