Error code 3 when issuing certificate

SuSaiGit · July 28, 2021, 7:36pm

The same command was working a couple of days ago.
It starts returning error code 3 constantly today.

My domain is:
eastus-azure.d.development.citrix.cloud

I ran this command:

./acme.sh --issue --dns -d "*.example.com" --yes-I-know-dns-manual-mode-enough-go-ahead-please
After created the DNS TXT record
./acme.sh --renew --dns -d "*.example.com" --yes-I-know-dns-manual-mode-enough-go-ahead-please

It produced this output:

stderr: |-
[Wed Jul 28 18:18:49 UTC 2021] Please refer to libcurl - Error Codes for error code: 3
[Wed Jul 28 18:18:50 UTC 2021] Sign failed, finalize code is not 200.
[Wed Jul 28 18:18:50 UTC 2021]
[Wed Jul 28 18:18:50 UTC 2021] Please add '--debug' or '--log' to check more details.
[Wed Jul 28 18:18:50 UTC 2021] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub
[Wed Jul 28 18:18:50 UTC 2021] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
stdout: |-
[Wed Jul 28 18:18:36 UTC 2021] Renew: '.example.com'
[Wed Jul 28 18:18:37 UTC 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Jul 28 18:18:37 UTC 2021] Single domain='.example.com'
[Wed Jul 28 18:18:37 UTC 2021] Getting domain auth token for each domain
[Wed Jul 28 18:18:37 UTC 2021] Verifying: *.example.com
[Wed Jul 28 18:18:38 UTC 2021] Processing, The CA is processing your order, please just wait. (1/30)
[Wed Jul 28 18:18:41 UTC 2021] Success
[Wed Jul 28 18:18:41 UTC 2021] Verify finished, start to sign.
[Wed Jul 28 18:18:41 UTC 2021] Lets finalize the order.
[Wed Jul 28 18:18:41 UTC 2021] Le_OrderFinalize

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Azure

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh v3.0.0

griffin · July 28, 2021, 8:16pm

Welcome to the Let's Encrypt Community

Unfortunately, acme.sh is now owned by ZeroSSL and defaults to acquiring certificates from ZeroSSL:

If you want to acquire Let's Encrypt certificates, I highly recommend using certbot instead.

rg305 · July 28, 2021, 8:32pm

I wonder why it still shows "Le" there .... ? ? ?
Maybe it's French!

griffin · July 28, 2021, 8:58pm

Seems like acme.sh hasn't made a complete, internal transition yet.

Nummer378 · July 29, 2021, 12:56pm

If you skim through the acme.sh source code, it's everywhere. Every single config object has this prefix. Whatever was the original decision for that prefix, today it's technical debt - it's referenced everywhere and can't be changed without rewriting significant parts and breaking compatibility everywhere.

It's only an internal thing though, the features work as intended.

If you want to continue using acme.sh + Let's Encrypt, this command will suffice:

acme.sh --set-default-ca --server letsencrypt

The documentation promises that user-configured defaults will always be honored. Specifically it says this:

SuSaiGit · July 29, 2021, 2:05pm

The error is gone with acme.sh v2.8.8 https://codeload.github.com/acmesh-official/acme.sh/tar.gz/refs/tags/2.8.8

Thanks everybody.

Osiris · July 29, 2021, 4:54pm

Just a quick note: note that for support regarding ZeroSSL certificates, this Community is not the appropriate place to ask for it.

system · August 28, 2021, 4:54pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.