Challenges are successful, but finalization fails

My domain is:
sunnysmile.ru, www.sunnysmile.ru

I ran this command:
acme.sh --renew --force -d sunnysmile.ru

It produced this output:
[Mon Mar 14 22:03:27 MSK 2022] Renew: 'sunnysmile.ru'
[Mon Mar 14 22:03:30 MSK 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Mon Mar 14 22:03:31 MSK 2022] Multi domain='DNS:sunnysmile.ru,DNS:www.sunnysmile.ru'
[Mon Mar 14 22:03:31 MSK 2022] Getting domain auth token for each domain
[Mon Mar 14 22:03:42 MSK 2022] Getting webroot for domain='sunnysmile.ru'
[Mon Mar 14 22:03:42 MSK 2022] Getting webroot for domain='www.sunnysmile.ru'
[Mon Mar 14 22:03:43 MSK 2022] Verifying: sunnysmile.ru
[Mon Mar 14 22:03:46 MSK 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Mon Mar 14 22:03:50 MSK 2022] Success
[Mon Mar 14 22:03:50 MSK 2022] Verifying: www.sunnysmile.ru
[Mon Mar 14 22:03:52 MSK 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Mon Mar 14 22:03:55 MSK 2022] Success
[Mon Mar 14 22:03:55 MSK 2022] Verify finished, start to sign.
[Mon Mar 14 22:03:55 MSK 2022] Lets finalize the order.
[Mon Mar 14 22:03:55 MSK 2022] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/9UaZWBZ6Te4crrmJAiyzog/finalize'
[Mon Mar 14 22:03:57 MSK 2022] Sign error, wrong status
[Mon Mar 14 22:03:57 MSK 2022] {"status":"invalid","expires":"2022-06-12T19:03:37Z","identifiers":[{"type":"dns","value":"sunnysmile.ru"},{"type":"dns","value":"www.sunnysmile.ru"}],"authorizations":["https://acme.zerossl.com/v2/DV90/authz/0FUix6ikgf5GjqXZoph89w","https://acme.zerossl.com/v2/DV90/authz/Pt-uXhlzcwTI2O4DF1aiMg"],"finalize":"https://acme.zerossl.com/v2/DV90/order/9UaZWBZ6Te4crrmJAiyzog/finalize"}
[Mon Mar 14 22:03:57 MSK 2022] Please check log file for more details: /home/acme/.acme.sh/acme.sh.log

My web server is (include version):
nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04.4 LTS

My hosting provider, if applicable, is:
VDS with nic.ru

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
acme.sh --version

v3.0.2

After reinstalling my operating system I can't get my acme.sh client working again.
Before Feb 28 I used the DNS-01 challenge and an account with the email sergey@zorin.ru.
After Feb 28 I tried both the DNS-01 and HTTP-01 challenges; proofs of control were successful, but finalization failed.
I also tried changing the account, but it didn't help.
I made my last attempt with the HTTP-01 challenge and the darkest@mail.ru account.
The LE server response to finalization was:
{
    "status": "invalid",
    "expires": "2022-06-12T19:03:37Z",
    "identifiers": [{
            "type": "dns",
            "value": "sunnysmile.ru"
        }, {
            "type": "dns",
            "value": "www.sunnysmile.ru"
        }
    ],
    "authorizations": ["https://acme.zerossl.com/v2/DV90/authz/0FUix6ikgf5GjqXZoph89w", "https://acme.zerossl.com/v2/DV90/authz/Pt-uXhlzcwTI2O4DF1aiMg"],
    "finalize": "https://acme.zerossl.com/v2/DV90/order/9UaZWBZ6Te4crrmJAiyzog/finalize"
}

Everything works fine in the staging environment.
I can't understand what is wrong in the production one.

Could you check why the finalization fails?

1 Like

Welcome to the Let's Encrypt Community, Sergey 🙂

The problems you are facing are with ZeroSSL, which is a completely different certificate authority from Let's Encrypt.

9 Likes

Sadly, when using the staging environment, it uses the LE staging.
[I don't think there is any ZeroSSL staging]

6 Likes

Correct.

6 Likes

ZeroSSL are not issuing certs for .ru sites

6 Likes

Thanks a lot.
It turned out that my client (acme.sh) changed the default CA.

4 Likes

My problem was solved by running the command
acme.sh --set-default-ca --server letsencrypt

4 Likes
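
An added example, not part of any post in this thread: a small shell triage that reads acme.sh output like the log in the first post and reports which CA actually handled the order and the final order status. The function names are hypothetical, and the sample lines are excerpted from the output above with the JSON shortened.

```shell
#!/bin/sh
# Added example: find out which ACME CA an acme.sh run talked to,
# and what status the order ended in. Function names are hypothetical.

# Print the ACME directory URL from the last "Using CA:" line on stdin.
acme_ca_url() {
    sed -n 's|.*Using CA: *\(https://[^ ]*\).*|\1|p' | tail -n 1
}

# Map a directory URL to a short CA label by hostname.
acme_ca_name() {
    case "$1" in
        https://acme.zerossl.com/*) echo "zerossl" ;;
        https://acme-v02.api.letsencrypt.org/*) echo "letsencrypt" ;;
        https://acme-staging-v02.api.letsencrypt.org/*) echo "letsencrypt-staging" ;;
        *) echo "unknown" ;;
    esac
}

# Print the "status" field of the last order object logged on stdin.
acme_order_status() {
    sed -n 's/.*{"status":"\([a-z]*\)".*/\1/p' | tail -n 1
}

# Summarise a whole log passed as one string argument.
acme_triage() {
    url=$(printf '%s\n' "$1" | acme_ca_url)
    status=$(printf '%s\n' "$1" | acme_order_status)
    echo "ca=$(acme_ca_name "$url") status=${status:-none}"
}

# Sample input: lines excerpted from the first post (JSON shortened).
SAMPLE_LOG='[Mon Mar 14 22:03:30 MSK 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Mon Mar 14 22:03:55 MSK 2022] Lets finalize the order.
[Mon Mar 14 22:03:57 MSK 2022] Sign error, wrong status
[Mon Mar 14 22:03:57 MSK 2022] {"status":"invalid","identifiers":[{"type":"dns","value":"sunnysmile.ru"}]}'

acme_triage "$SAMPLE_LOG"
```

Running the same check against a `--staging` run would show a different CA label, which is why the staging result in this thread said nothing about the production failure.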
