Continuous errors renewing le certs for over 6 days now

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
sticksandstonesmaybreakmybonesbutnameswillneverhurtme.com

I ran this command (from the terminal):

./dehydrated -c --accept-terms -fc -4 -d sticksandstonesmaybreakmybonesbutnameswillneverhurtme.com -x --force-validation -o /certs/sticksandstonesmaybreakmybonesbutnameswillneverhurtme.com -t http-01 -a secp384r1

It produced this output:

Processing sticksandstonesmaybreakmybonesbutnameswillneverhurtme.com

  • Creating new directory /certs/sticksandstonesmaybreakmybonesbutnameswillneverhurtme.com/sticksandstonesmaybreakmybonesbutnameswillneverhurtme.com ...
  • Signing domains...
  • Generating private key...
  • Generating signing request...
  • Requesting new certificate order from CA...
  • ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 400)

Details:
HTTP/2 400
server: nginx
date: Sat, 28 Sep 2024 13:10:01 GMT
content-type: application/problem+json
content-length: 107
boulder-requester: 1889822956
cache-control: public, max-age=0, no-cache
link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
replay-nonce: mdHBMg8Kl7GlSNVdaOJ_mY3mn2rUxJNt0MY5pTjRqs2uFn1gC3M

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "JWS verification error",
"status": 400
}

info
My web server is (include version): nginx 1.27.1

The operating system my web server runs on is (include version):
Devuan/chimaera x86_64

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): BOA/AEgir for drupal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): using dehydrated 0.7.2: dehydrated modified · GitHub

Other useful info:
server1:~# curl --version
curl 8.9.1 (x86_64-pc-linux-gnu) libcurl/8.9.1 OpenSSL/3.0.15 zlib/1.2.11 brotli/1.0.9 libidn2/2.3.0 libpsl/0.21.0 nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.4.57
Release-Date: 2024-07-31
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP UnixSockets

(curl could be updated to 8.10.1 and zstd compression and HTTP/1.1 added - would this help?)

dehydrated script is here: dehydrated modified · GitHub

Why are you using this option? According to the dehydrated usage help, it's for:

Force revalidation of domain names (used in combination with --force)

(emphasis mine)

But there's nothing to REvalidate if it hasn't worked in the first place, or it's not useful if validation is not the issue to begin with.

Anyway, the error "urn:ietf:params:acme:error:malformed" in combination with "JWS verification error" to me seems to be something wrong with the ACME client. You may have better luck using a different ACME client.

1 Like
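The reply above attributes the `"JWS verification error"` problem document to the ACME client rather than to the server. The example below is an added illustration, not code from this thread, from dehydrated or from Let's Encrypt's Boulder: it models the request side of RFC 8555 §6.2 (a JWS whose protected header carries `alg`, `kid`, `nonce` and `url`) and the server-side checks an ACME server runs before it ever looks at the payload. It uses a constructed, throwaway 512-bit RS256 key built in pure Python so it runs offline (a real CA would reject a key that small), constructed account and endpoint URLs under `acme.example`, and a `verify_acme_jws` function whose error types and detail strings are assumptions modelled on the problem document quoted in the first post, not Boulder's actual code paths. The point it makes is the one the reply makes: the signature is bound to the account key, the nonce and the exact request URL, so a client that signs with the wrong key, a stale nonce or a mismatched `url` produces a 400 on the server side before the order is even considered.

```python
"""Constructed model of an ACME (RFC 8555 §6.2) JWS request and the server-side
checks behind a 'JWS verification error'. Toy RS256 key generated in-process;
for illustration only, never for real certificate requests."""
import base64
import hashlib
import json
import random
import secrets

# DER prefix of the PKCS#1 v1.5 DigestInfo for SHA-256 (RFC 8017 §9.2, note 1)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url(data: bytes) -> str:
    """JWS base64url: no padding, URL-safe alphabet."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; enough for a throwaway demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_rsa_key(bits: int = 512) -> dict:
    """Toy RSA key (constructed, far too small for real use). k = modulus bytes."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) % e and (q - 1) % e:  # e prime => gcd(e, phi) == 1
            break
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)), "k": bits // 8}


def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def rs256_sign(key: dict, msg: bytes) -> bytes:
    return pow(_emsa_pkcs1_v15(msg, key["k"]), key["d"], key["n"]).to_bytes(key["k"], "big")


def rs256_verify(pub: dict, msg: bytes, sig: bytes) -> bool:
    s = int.from_bytes(sig, "big")
    return s < pub["n"] and pow(s, pub["e"], pub["n"]) == _emsa_pkcs1_v15(msg, pub["k"])


def build_acme_jws(key: dict, kid: str, nonce: str, url: str, payload: dict) -> dict:
    """Client side: sign base64url(protected) '.' base64url(payload) with the account key."""
    protected = {"alg": "RS256", "kid": kid, "nonce": nonce, "url": url}
    p64 = b64url(json.dumps(protected, separators=(",", ":")).encode())
    pl64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return {"protected": p64, "payload": pl64,
            "signature": b64url(rs256_sign(key, f"{p64}.{pl64}".encode()))}


def verify_acme_jws(jws: dict, accounts: dict, issued_nonces: set, request_url: str):
    """Server side. Returns (ok, problem_type, detail_or_payload); error strings are
    assumptions modelled on the problem document quoted in the thread."""
    malformed = "urn:ietf:params:acme:error:malformed"
    try:
        protected = json.loads(b64url_decode(jws["protected"]))
    except (KeyError, ValueError):
        return (False, malformed, "JWS protected header is not valid JSON")
    if protected.get("alg") not in ("RS256", "ES256"):
        return (False, malformed, "JWS signature algorithm not supported")
    pub = accounts.get(protected.get("kid"))
    if pub is None:
        return (False, "urn:ietf:params:acme:error:accountDoesNotExist", "unknown kid")
    if protected.get("url") != request_url:
        return (False, malformed, "JWS header url does not match request URL")
    nonce = protected.get("nonce")
    if nonce not in issued_nonces:
        return (False, "urn:ietf:params:acme:error:badNonce", "JWS has invalid anti-replay nonce")
    issued_nonces.discard(nonce)  # every nonce is single-use; a fresh one comes back in Replay-Nonce
    signing_input = f"{jws['protected']}.{jws['payload']}".encode()
    if not rs256_verify(pub, signing_input, b64url_decode(jws["signature"])):
        return (False, malformed, "JWS verification error")
    return (True, None, json.loads(b64url_decode(jws["payload"])))


def demo():
    """Three requests: a good one, one signed with a key the account does not own,
    and a replay of an already-consumed nonce."""
    key = generate_rsa_key()
    kid = "https://acme.example/acme/acct/1"        # constructed account URL
    url = "https://acme.example/acme/new-order"     # constructed endpoint
    accounts = {kid: {"n": key["n"], "e": key["e"], "k": key["k"]}}
    nonces = {"nonce-A", "nonce-B"}                 # constructed, as if issued by new-nonce
    order = {"identifiers": [{"type": "dns", "value": "example.com"}]}
    good = verify_acme_jws(build_acme_jws(key, kid, "nonce-A", url, order), accounts, nonces, url)
    wrong_key = verify_acme_jws(build_acme_jws(generate_rsa_key(), kid, "nonce-B", url, order),
                                accounts, nonces, url)
    replay = verify_acme_jws(build_acme_jws(key, kid, "nonce-A", url, order), accounts, nonces, url)
    return good, wrong_key, replay


if __name__ == "__main__":
    for label, result in zip(("good", "wrong key", "replayed nonce"), demo()):
        print(f"{label:15s} -> {result}")
```

Read against the first post: the 400 with `"JWS verification error"` arrives at the `new-order` step because that is the first signed request after the account lookup, and the `replay-nonce` header is simply the fresh nonce the server hands back with every response, so it is not evidence of an outage-handling bug. The server never got as far as deciding whether validation was needed, which is why `--force-validation` cannot influence this failure.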

FYI
It seems like you managed to get a cert for the mail subdomain [yesterday].
See: crt.sh | sticksandstonesmaybreakmybonesbutnameswillneverhurtme.com

But it has a completely different IP.
So, I'm not sure if it is even on the same server:

Name:    mail.sticksandstonesmaybreakmybonesbutnameswillneverhurtme.com
Address: 2a01:4f9:c010:203d::1

Name:    sticksandstonesmaybreakmybonesbutnameswillneverhurtme.com
Address: 37.27.53.228

3 Likes

That's right - we have a mail server which runs ISPConfig 3.2 latest and it issues LE certs for our mail subdomains without any problems. Could this fact be interfering with our above server's failed renewal of the domain.com cert? Am I issuing a wrong command to renew an expired cert? I don't know why the return says new-order - is that a correct return for a renew expired cert request? Why does the return say "replay-nonce"? - I looked in the dehydrated issues queue and there are many issues about dehydrated not handling correctly encounters when acme or letsencrypt servers are not immediately available. Does the "replay-nonce" refer to this issue? Thanks for your help.

1 Like

Thanks for trying to help - please see my comments below to rg305's reply - I am trying to renew a recently expired cert - isn't revalidate or force revalidate the proper command? Also, can you suggest a better ACME client? Do you mean this address when saying "ACME client": "https://acme-v02.api.letsencrypt.org/acme/new-order" - is there a newer address? What, please? - is "new-order" wrong for a cert renewal? I am lost here. Thanks.

1 Like

No. The ACME server will decide if validation is required or not. This is always the case with just one exception: if a previous successful validation is already cached at the ACME server (which is cached for 30 days currently), a validation is not required. Otherwise the ACME server will require a (new) validation from the ACME client.

Forcing a revalidation is only useful for testing purposes, not for regular usage. For regular usage, a cached valid validation is perfectly fine.

Personally I use Certbot. But there are many ACME clients out there: ACME Client Implementations - Let's Encrypt.

No. Totally not. An ACME client is the software or library used to "talk" to the ACME server. It has nothing to do with very specific API endpoints. You should not be bothered by those URIs to begin with (except perhaps the ACME directory URI, but even that one is usually hardcoded into the ACME client).

If you want to continue using Dehydrated, please show the entire verbose log of an attempt.

1 Like