Certbot 2 subdomains, dry-run, The request message was malformed :: Method not allowed

My subdomains are: ok.domain.com, partage.domain.com

I ran this command:
certbot certonly --dns-cloudflare --dns-cloudflare-credentials ./cloudflare.ini -d ok.domain.com -d partage.domain.com --dry-run

because without dry-run, it failed without showing the malform:
There were too many requests of a given type :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/

With dry-run, it produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
An unexpected error occurred:
The request message was malformed :: Method not allowed
Please see the logfiles in /var/log/letsencrypt for more details.

/var/log/letsencrypt/letsencrypt.log doesn’t ship more information

cloudflare.ini is:
dns_cloudflare_api_token = <token>
<token> is issued by cloudflare with Permission: Zone.DNS, domain.com - DNS:Edit

My web server is (include version):
nginx 1.10.3 on docker
it was working fine for weeks for partage.domain.com and I used http for ok.domain.com with the same nginx server, but since many browsers and links redirect http to https (fr good reasons), "ok was sometimes redirected to partage content" (weird!) and these websites don’t have the same content but are served by the same nginx server.
I need SSL on 2 subdomains for my nginx container.
(Root of domain is static website on github, its SSL is not related to these 2 subdomains)
I changed nginx setup to be easy for certbot to find where to write files:

server {
	listen 80;
	server_name ok.domain.com;

	location / {
		root /var/www/public/;
  }

same for other subdomain, 80 and 443.
and reloaded nginx of course.
There’s no index.html though, so nginx throws a 403, but known static files are accessible.

The operating system my web server runs on is (include version):
Ubuntu 19.10

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.28.0

It hope I can solve it fast, it was running non-profit services to help anxious people during this quarantine.
Thank you for your help.

Do you still have the error message that came before that? That one doesn't say what is wrong, only that something was wrong the last 5 times you tried to validate recently.

Edit: If you don't, it will still be in /var/log/letsencrypt/ somewhere.

You need to upgrade Certbot.

Ubuntu 19.10 has a newer version available. How was Certbot installed? Can you run sudo apt update and sudo apt full-upgrade?

Thank you @mnordhoff

[quote=“mnordhoff, post:2, topic:119122”]
apt full-upgrade
Certbot came within the docker image, apt full-upgrade wants to update packages I’d rather not update right now since it’s a prod container. It doesn’t offer to upgrade certbot though. Maybe repos are old too?

Only python3-acme python3-josepy are related to certbot. Should I update them?

At my first attempts, I naively run with --nginx, it failed.
Since nginx config had some redirects, I progressively changed path to static ones (and burnt attempts).
I also tried with both --dns… + --nginx and it failed.

I have …log.1-10 but first let me know what I shouldn’t post here (I think of “protected”, “signature”, “payload”)

I wonder if this container is ubuntu 19.10. uname -a within it states so but apt update:

Get:1 http://security.debian.org/debian-security stretch/updates InRelease [94.3 kB]
Err:1 http://security.debian.org/debian-security stretch/updates InRelease
  Couldn't create temporary file /tmp/apt.conf.t1mxNV for passing config to apt-key
Ign:2 http://deb.debian.org/debian stretch InRelease
Get:3 http://deb.debian.org/debian stretch-updates InRelease [91.0 kB]
Err:3 http://deb.debian.org/debian stretch-updates InRelease
  Couldn't create temporary file /tmp/apt.conf.cF58TY for passing config to apt-key
Hit:5 http://deb.debian.org/debian stretch Release
Err:6 http://deb.debian.org/debian stretch Release.gpg
  Couldn't create temporary file /tmp/apt.conf.6ZaKK3 for passing config to apt-key
Get:4 http://ftp.debian.org/debian stretch-backports InRelease [91.8 kB]
Err:4 http://ftp.debian.org/debian stretch-backports InRelease
  Couldn't create temporary file /tmp/apt.conf.24mf5f for passing config to apt-key
  Couldn't create temporary file /tmp/apt.conf.ZXWb3k for passing config to apt-key
Fetched 93.7 kB in 0s (213 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
3 packages can be upgraded. Run 'apt list --upgradable' to see them.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.debian.org/debian-security stretch/updates InRelease: Couldn't create temporary file /tmp/apt.conf.t1mxNV for passing config to apt-key
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian stretch-updates InRelease: Couldn't create temporary file /tmp/apt.conf.cF58TY for passing config toapt-key
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian stretch Release: Couldn't create temporary file /tmp/apt.conf.6ZaKK3 for passing config to apt-key
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://ftp.debian.org/debian stretch-backports InRelease: Couldn't create temporary file /tmp/apt.conf.24mf5f for passing config to apt-key
W: Failed to fetch http://security.debian.org/debian-security/dists/stretch/updates/InRelease  Couldn't create temporary file /tmp/apt.conf.t1mxNV for passing config to apt-key
W: Failed to fetch http://deb.debian.org/debian/dists/stretch-updates/InRelease  Couldn't create temporary file /tmp/apt.conf.cF58TY for passing config to apt-key
W: Failed to fetch http://ftp.debian.org/debian/dists/stretch-backports/InRelease  Couldn't create temporary file /tmp/apt.conf.24mf5ffor passing config to apt-key
W: Failed to fetch http://deb.debian.org/debian/dists/stretch/Release.gpg  Couldn't create temporary file /tmp/apt.conf.6ZaKK3 for passing config to apt-key
W: Some index files failed to download. They have been ignored, or old ones used instead.

Thank you again!

The version number makes sense if it's Debian.

(I don't know if Ubuntu 19.10 shipped with an old version and then SRUed a newer one, but I'd be surprised if it was as old as 0.28.0.)

Yes.

Looks like uname is a false friend within a container.
cat /etc/os-release states it’s DEbian 9 (stretch), coherent with packages.

I updated python3 packages.

On the host (my PC), certbot in synaptic is 0.36.0-1
Could I use certbot on the host to update the container?
Or could I wget certbot from container to update the core without updating dependencies?

BTW, I added logs in my 2nd post, sorry if you replied before I added them.
Does it help?

Please @mnordhoff , can you tell me what is wrong so I can fix it?
Thank you!

I’m not sure.

The “method not allowed” error should be fixed by upgrading.

That section of the log doesn’t include the original error about what was causing validation to fail.

FWIW, I don’t think there was anything sensitive in the log. It should just contain signatures, public keys, and encoded data.

But I’m not sure if your Cloudflare API key could get logged, especially if something goes wrong.

And yes … it worked!
Just the update solved it, wonderful!
Thank you very much @mnordhoff
Take care

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.