Certbot-auto gives "The server experienced an internal error :: Error creating new cert"

Hello,

Just used letsencrypt-auto and got

WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.

So upgraded to certbot-auto… requesting a new certificate (added a new domain name for SNI certificate, 58 in total) results in

The server experienced an internal error :: Error creating new cert

(Got the same issue weeks ago and was fixed… something with timeouts on letsencrypt servers.)

Regards,

Patrick

@jsha, were there known problems with availability yesterday or today?

Yep, we’ve had some issues with serving 500’s related to inefficient use of the DB: https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/574f588573c6e0cd1e000222. We’re working on it.

I don’t see an update on the status page, but we’re getting our domains validated, but when we request the certificate we get the same error: ServerInternal: Error creating new cert

Is there an incident I can subscribe to to follow the progress?

I’ve also just noticed that I’m receiving this error when trying to create certs.

I’ve also been receiving this error as of around midnight BST, but from the Acme python library with a custom client.
Staging and Production.
Confirmed on new and renewal certificates.

(Test domain output)

{"resource": "new-cert", "csr": "MIIDHDC...kLIvEv_fUAXE"} 
Sending POST request to https://acme-staging.api.letsencrypt.org/acme/new-cert. args: (), kwargs: {'headers': {'Accept': 'application/pkix-cert'}, 'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "uYHPs4...SvPP41wQ"}}, "protected": "eyJub25... ...lVBWEUifQ", "signature": "WD...O_RZqMjQ3cg"}'}

Received response  (headers: {'Content-Length': '101', 'Boulder-Request-Id': 'ndHeJUM98AYlafeWCoYsbXl_LH2mHzOVcDNF0-V7ScI', 'Expires': 'Fri, 12 Aug 2016 12:30:54 GMT', 'Server': 'nginx', 'Connection': 'close', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Pragma': 'no-cache', 'Boulder-Requester': '112191', 'Date': 'Fri, 12 Aug 2016 12:30:54 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'W9220jLsiENZFcZAu16cDxk9W5si1DxHkn1eewIlh1s'}): '{\n  "type": "urn:acme:error:serverInternal",\n  "detail": "Error creating new cert",\n  "status": 500\n}'

Hi,

the same here right now.

urn:acme:error:serverInternal
Error creating new cert
status: 500

Kind regards,
David

Hi,

we solved this by updating to the latest certbot-auto script. https://certbot.eff.org/

Kind regards,
David

@DavidCDNsun can you tell us from what version to what version? I’m trying to pinpoint the change. We are using a custom client, which issued the last certificate on 9th of August.

Hi,

I can tell only “to version” and it is the current certbot-auto version.

My tip is that this:
https://letsencrypt.status.io/pages/maintenance/55957a99e800baa4470002da/57abea0b097aa14d7f000d96
caused that our old version stopped working.

Kind regards,
David

Thanks @DavidCDNsun. We nailed it. Leaving here the solution for reference.

We are using a custom client, written in python with the latest pyOpenSSL. By default the version is not set on CSR and with some old versions of openssl this leads to zero-length integers being inserted into the CSR. What we needed to do is to set the version to 2 (req.set_version(2)). Here’s the certbot’s related issue: https://github.com/certbot/certbot/issues/2528.


Thanks @calind for posting this!
req.set_version(2) sorted the issue with my custom client too.

Cheers!
Phil
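
Added example, not part of the thread or any poster's client: a check a custom client could run on its CSR before POSTing to new-cert, to catch the zero-length version INTEGER described above (DER requires at least one content octet in an INTEGER). The function names are hypothetical and the two byte strings are constructed minimal DER skeletons, not real CSRs.

```python
import base64

def b64url_decode(field):
    """Decode the unpadded base64url 'csr' field of a new-cert request to DER."""
    return base64.urlsafe_b64decode(field + "=" * (-len(field) % 4))

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: length in one octet
        length = first
    else:                                 # long form: next n octets hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, pos, pos + length

def csr_version_problem(der):
    """Return None if the CSR's version INTEGER is well-formed, else a reason."""
    tag, start, _ = read_tlv(der, 0)            # CertificationRequest
    if tag != 0x30:
        return "outer element is not a SEQUENCE"
    tag, start, _ = read_tlv(der, start)        # CertificationRequestInfo
    if tag != 0x30:
        return "CertificationRequestInfo is not a SEQUENCE"
    tag, v_start, v_end = read_tlv(der, start)  # version
    if tag != 0x02:
        return "first field is not an INTEGER"
    if v_end == v_start:                        # DER INTEGER needs >= 1 content octet
        return "zero-length version INTEGER"
    return None

# Constructed inputs: minimal DER skeletons (not real CSRs) that carry only the
# version field, once encoded properly and once with the zero-length defect.
GOOD_DER = bytes.fromhex("30053003020100")
BAD_DER = bytes.fromhex("300430020200")

if __name__ == "__main__":
    for name, der in (("good", GOOD_DER), ("bad", BAD_DER)):
        print(name, csr_version_problem(der) or "ok")
```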

I updated our client https://github.com/unixcharles/acme-client to the newest version which changed the CSR version: https://github.com/unixcharles/acme-client/commit/c1f35dc3d2a6c6c81387a929f7598491de5fb346 and everything works again.

Thanks!