Certbot: Error 500 when finalizing ACME order

Hey, could it be that the certificate service is experiencing some issues right now?
I checked on the LetsEncrypt StatusPage, but no outage is currently reported.

My domain is: mail.hammer065.de

I ran this command: /usr/bin/certbot renew --agree-tos --deploy-hook /etc/letsencrypt/deploy-hook.sh

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<other-independent-certificate>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<other-independent-certificate>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<other-independent-certificate>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mail.hammer065.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for mail.hammer065.de and 4 more domains
Failed to renew certificate mail.hammer065.de with error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error finalizing order
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/<other-independent-certificate>.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/<other-independent-certificate>/fullchain.pem expires on 2025-xx-xx (skipped)
  /etc/letsencrypt/live/<other-independent-certificate>/fullchain.pem expires on 2025-xx-xx (skipped)
  /etc/letsencrypt/live/<other-independent-certificate>/fullchain.pem expires on 2025-xx-xx (skipped)
  /etc/letsencrypt/live/<other-independent-certificate>/fullchain.pem expires on 2025-xx-xx (skipped)
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/mail.hammer065.de/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): nginx version: nginx/1.27.5

The operating system my web server runs on is (include version): Arch Linux

My hosting provider, if applicable, is: Hetzner

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 4.0.0

Relevant log output from /var/log/letsencrypt/letsencrypt.log:

[...]
2025-05-09 12:32:11,078:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/finalize/<some-integer>/<some-integer> HTTP/1.1" 500 112
2025-05-09 12:32:11,078:DEBUG:acme.client:Received response:
HTTP 500
Server: nginx
Date: Fri, 09 May 2025 12:32:11 GMT
Content-Type: application/problem+json
Content-Length: 112
Connection: keep-alive
Boulder-Requester: <some-integer>
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: <the-nonce>
Retry-After: 60

{
  "type": "urn:ietf:params:acme:error:serverInternal",
  "detail": "Error finalizing order",
  "status": 500
}
2025-05-09 12:32:11,078:ERROR:certbot._internal.renewal:Failed to renew certificate mail.hammer065.de with error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error finalizing order
2025-05-09 12:32:11,082:DEBUG:certbot._internal.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3.13/site-packages/certbot/_internal/renewal.py", line 540, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
    ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/certbot/_internal/main.py", line 1528, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3.13/site-packages/certbot/_internal/main.py", line 131, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
    ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/certbot/_internal/renewal.py", line 399, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
                                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/certbot/_internal/client.py", line 447, in obtain_certificate
    cert, chain = self.obtain_certificate_from_csr(csr, orderr)
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/certbot/_internal/client.py", line 337, in obtain_certificate_from_csr
    orderr = self.acme.finalize_order(
        orderr, deadline, fetch_alternative_chains=self.config.preferred_chain is not None)
  File "/usr/lib/python3.13/site-packages/acme/client.py", line 279, in finalize_order
    self.begin_finalization(orderr)
    ~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^
  File "/usr/lib/python3.13/site-packages/acme/client.py", line 230, in begin_finalization
    res = self._post(orderr.body.finalize, wrapped_csr)
  File "/usr/lib/python3.13/site-packages/acme/client.py", line 369, in _post
    return self.net.post(*args, **kwargs)
           ~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/acme/client.py", line 741, in post
    return self._post_once(*args, **kwargs)
           ~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.13/site-packages/acme/client.py", line 754, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/lib/python3.13/site-packages/acme/client.py", line 605, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error finalizing order
2 Likes

Did it only happen once or does it do that reproducibly?

1 Like

Your client is requesting the must_staple extension for mail.hammer065.de, but that's no longer supported by Let's Encrypt.

The error message you're getting is, uh, suboptimal, and they're looking into it:

8 Likes

Your client is requesting the must_staple extension for mail.hammer065.de, but that's no longer supported by Let's Encrypt.

Looks like I apparently forgot to change one domain config, as I had already changed all the other configs after the mail announcement :smiley:
Thanks for the fast response! ^^

7 Likes

It looks like I have the ability to pin a topic. Given the amount of posts on this so far... If you make a topic about this, I can try to pin it.

I don't know if it will work or not - I've never done this before. But my account seems to have that permission.

3 Likes

Well, the main thing I think needs to be written down somewhere (maybe a pinned forum wiki post, sure), is how to modify the configuration of popular ACME clients accordingly. All the blog post says to do is "change your ACME client configuration", but I know that I don't know how to do that, but hopefully someone does for at least certbot, acme.sh, and hopefully a few others and can write it up. But beyond just the allowing to get a certificate, one would need to make sure that one's web server configuration won't break when given certs without OCSP URLs in them, too, which may be another set of instructions that ought to be somewhere.

4 Likes

Fully agree. And, if we get enough repeats, those threads will stay at the top of the list, so future viewers should see them easily enough.

FWIW, I saved the below link for Certbot instructions back in Jan

TL;DR: Re-run your original command without must-staple option. Or, very carefully remove the must-staple line from the Certbot renewal config file. We normally highly recommend not making manual changes to that config file but this seems a fair exception.

4 Likes
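The advice above is to re-run the original command without the must-staple option or, carefully, to remove that line from the renewal config. The following is an added example, not code from this thread or from the certbot project: a small Python audit/fix helper that walks a renewal directory, reports which `*.conf` files still carry `must_staple = True` inside `[renewalparams]`, and removes only that line after writing a `.bak` copy next to the file. It assumes certbot's INI-like renewal config layout with a `[renewalparams]` section; the sample config, domain, paths and account id are constructed for the demo and are not from the original post.

```python
"""Audit certbot renewal configs for the deprecated must_staple option and remove it.
Added example (not certbot's own code); assumes the INI-like layout certbot writes."""
import re
import shutil
import tempfile
from pathlib import Path

# Matches a "must_staple = True" line (any case/spacing) on a line of its own.
MUST_STAPLE_RE = re.compile(r"^\s*must_staple\s*=\s*\S+\s*$", re.IGNORECASE)

# Constructed sample renewal config: domain, paths and account id are made up.
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 4.0.0
archive_dir = /etc/letsencrypt/archive/mail.example.test
cert = /etc/letsencrypt/live/mail.example.test/cert.pem
privkey = /etc/letsencrypt/live/mail.example.test/privkey.pem
chain = /etc/letsencrypt/live/mail.example.test/chain.pem
fullchain = /etc/letsencrypt/live/mail.example.test/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = nginx
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
must_staple = True
"""


def strip_must_staple(text: str) -> tuple[str, list[str]]:
    """Return (new_text, removed_lines); drops must_staple only inside [renewalparams].

    Comments, blank lines and the top-level path keys pass through unchanged.
    """
    kept, removed = [], []
    section = None
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
        elif section == "renewalparams" and MUST_STAPLE_RE.match(line):
            removed.append(stripped)
            continue
        kept.append(line)
    return "".join(kept), removed


def audit_renewal_dir(renewal_dir: Path) -> dict[str, list[str]]:
    """Report which *.conf files still request must_staple, without modifying them."""
    findings = {}
    for conf in sorted(renewal_dir.glob("*.conf")):
        _, removed = strip_must_staple(conf.read_text())
        if removed:
            findings[conf.name] = removed
    return findings


def fix_renewal_conf(conf: Path) -> list[str]:
    """Back up conf to conf.bak, rewrite it without must_staple, return removed lines."""
    new_text, removed = strip_must_staple(conf.read_text())
    if removed:
        shutil.copy2(conf, conf.with_suffix(conf.suffix + ".bak"))
        conf.write_text(new_text)
    return removed


def run_demo() -> dict:
    """Seed a temp directory with the constructed sample, then audit, fix and re-audit."""
    with tempfile.TemporaryDirectory() as tmp:
        renewal_dir = Path(tmp)
        conf = renewal_dir / "mail.example.test.conf"
        conf.write_text(SAMPLE_CONF)
        # A second, already-clean config shows the audit ignores files without the option.
        (renewal_dir / "clean.example.test.conf").write_text(
            SAMPLE_CONF.replace("must_staple = True\n", ""))
        before = audit_renewal_dir(renewal_dir)
        removed = fix_renewal_conf(conf)
        return {
            "before": before,
            "removed": removed,
            "after": audit_renewal_dir(renewal_dir),
            "backup_exists": conf.with_suffix(".conf.bak").exists(),
            "fixed_text": conf.read_text(),
        }


if __name__ == "__main__":
    result = run_demo()
    print("Still requesting must_staple:", result["before"])
    print("Removed:", result["removed"], "| remaining:", result["after"])
```

Run `audit_renewal_dir(Path("/etc/letsencrypt/renewal"))` first to see what would change; only then call `fix_renewal_conf` on the affected files, and follow up with a `certbot renew --dry-run` to confirm the renewal succeeds before the next scheduled run.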

I was thinking just a pinned post that says:

Subject:
Important - If you have a 500 error, check your client's must-staple extension

Body:
Some info about the error, and links to some posts

It would be great to have a full workup - but I think just triaging visitors here with a note about "Most 500 errors are because the client has OCSP must-staple configured, please check your client configuration" will help most people.

4 Likes

We will have the 500 error fixed shortly to return a better error

8 Likes