"Error creating new order"

Getting an odd error message: "The server experienced an internal error :: Error creating new order". Logs at end.

My domain is: www.japaneseartsite.com, among others

I ran this command:
certbot-auto certonly --cert-name membervhosts_1607010872_jkl --webroot -w /data/trocadero/stores/japaneseartsite -d www.japaneseartsite.com -d japaneseartsite.com -w /data/trocadero/groups/estates -d www.junehastings.com -d junehastings.com -w /data/trocadero/groups/justglass -d justglassmall.com -d www.justglassmall.com -w /data/trocadero/stores/kenh -d kensingtonhouseantiques.com -d www.kensingtonhouseantiques.com -w /data/trocadero/stores/leslieant -d www.leslieantiques.com -d leslieantiques.com -w /data/trocadero/stores/koreanartandantiques -d koreanartandantiques.com -d www.koreanartandantiques.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Requesting a certificate for www.japaneseartsite.com and 11 more domains
An unexpected error occurred:
The server experienced an internal error :: Error creating new order
Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): Apache 2.2 (I know. Migration is scheduled but has been delayed.)

The operating system my web server runs on is (include version): CentOS 6.10. (I know. Migration is scheduled but has been delayed.)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.10.0

Logs (with some base64 data elided):

2020-12-03 10:57:37,012:DEBUG:certbot._internal.main:certbot version: 1.10.0
2020-12-03 10:57:37,016:DEBUG:certbot._internal.main:Arguments: ['--cert-name', 'membervhosts_1607010872_jkl', '--webroot', '-w', '/data/trocadero/stores/japaneseartsite', '-d', 'www.japaneseartsite.com', '-d', 'japaneseartsite.com', '-w', '/data/trocadero/groups/estates', '-d', 'www.junehastings.com', '-d', 'junehastings.com', '-w', '/data/trocadero/groups/justglass', '-d', 'justglassmall.com', '-d', 'www.justglassmall.com', '-w', '/data/trocadero/stores/kenh', '-d', 'kensingtonhouseantiques.com', '-d', 'www.kensingtonhouseantiques.com', '-w', '/data/trocadero/stores/leslieant', '-d', 'www.leslieantiques.com', '-d', 'leslieantiques.com', '-w', '/data/trocadero/stores/koreanartandantiques', '-d', 'koreanartandantiques.com', '-d', 'www.koreanartandantiques.com']
2020-12-03 10:57:37,018:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-12-03 10:57:37,058:DEBUG:certbot._internal.log:Root logging level set at 20
2020-12-03 10:57:37,060:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-12-03 10:57:37,061:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2020-12-03 10:57:37,067:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7fb536364198>
Prep: True
2020-12-03 10:57:37,069:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7fb536364198> and installer None
2020-12-03 10:57:37,069:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2020-12-03 10:57:37,075:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fb532dff9e8>)>), contact=('mailto:tms@trocadero.com',), agreement='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf', status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v01.api.letsencrypt.org/acme/reg/9764049', new_authzr_uri='https://acme-v01.api.letsencrypt.org/acme/new-authz', terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), 0412a7a7f55df4445dd3218c2017b9b4, Meta(creation_dt=datetime.datetime(2017, 2, 18, 23, 42, 44, tzinfo=), creation_host='green.vervendi.com', register_to_eff=None))>
2020-12-03 10:57:37,079:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-12-03 10:57:37,082:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2020-12-03 10:57:37,444:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2020-12-03 10:57:37,445:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 03 Dec 2020 15:57:37 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"0nmFjhJTY1g": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2020-12-03 10:57:37,446:DEBUG:certbot.display.util:Notifying user: Requesting a certificate for www.japaneseartsite.com and 11 more domains
2020-12-03 10:57:37,493:DEBUG:certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0438_key-certbot.pem
2020-12-03 10:57:37,500:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0438_csr-certbot.pem
2020-12-03 10:57:37,501:DEBUG:acme.client:Requesting fresh nonce
2020-12-03 10:57:37,502:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-12-03 10:57:37,592:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2020-12-03 10:57:37,593:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 03 Dec 2020 15:57:37 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0003-tmeCdPsE1jrJGz0o7cW5SNJqG1J-TpEjfYbBorcvgE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2020-12-03 10:57:37,593:DEBUG:acme.client:Storing nonce: 0003-tmeCdPsE1jrJGz0o7cW5SNJqG1J-TpEjfYbBorcvgE
2020-12-03 10:57:37,594:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "www.japaneseartsite.com"\n },\n {\n "type": "dns",\n "value": "japaneseartsite.com"\n },\n {\n "type": "dns",\n "value": "www.junehastings.com"\n },\n {\n "type": "dns",\n "value": "junehastings.com"\n },\n {\n "type": "dns",\n "value": "justglassmall.com"\n },\n {\n "type": "dns",\n "value": "www.justglassmall.com"\n },\n {\n "type": "dns",\n "value": "kensingtonhouseantiques.com"\n },\n {\n "type": "dns",\n "value": "www.kensingtonhouseantiques.com"\n },\n {\n "type": "dns",\n "value": "www.leslieantiques.com"\n },\n {\n "type": "dns",\n "value": "leslieantiques.com"\n },\n {\n "type": "dns",\n "value": "koreanartandantiques.com"\n },\n {\n "type": "dns",\n "value": "www.koreanartandantiques.com"\n }\n ]\n}'
2020-12-03 10:57:37,597:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "...",
"signature": "...",
"payload": "..."
}
2020-12-03 10:57:42,725:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 500 114
2020-12-03 10:57:42,726:DEBUG:acme.client:Received response:
HTTP 500
Server: nginx
Date: Thu, 03 Dec 2020 15:57:42 GMT
Content-Type: application/problem+json
Content-Length: 114
Connection: keep-alive
Boulder-Requester: 9764049
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0003iwLExGGRo2sBDrba8mxQoy7LgquFCB0loz7hdqZRbb8

{
"type": "urn:ietf:params:acme:error:serverInternal",
"detail": "Error creating new order",
"status": 500
}
2020-12-03 10:57:42,726:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in
load_entry_point('letsencrypt==0.7.0', 'console_scripts', 'letsencrypt')()
File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/main.py", line 1412, in main
return config.func(config, plugins)
File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/main.py", line 1293, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/main.py", line 134, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/client.py", line 441, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/client.py", line 406, in _get_order_and_authorizations
orderr = self.acme.new_order(csr_pem)
File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py", line 886, in new_order
return self.client.new_order(csr_pem)
File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py", line 668, in new_order
response = self._post(self.directory['newOrder'], order)
File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py", line 97, in _post
return self.net.post(*args, **kwargs)
File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py", line 1201, in post
return self._post_once(*args, **kwargs)
File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py", line 1214, in _post_once
response = self._check_response(response, content_type=content_type)
File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/acme/client.py", line 1072, in _check_response
raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error creating new order
2020-12-03 10:57:42,728:ERROR:certbot._internal.log:An unexpected error occurred:
2020-12-03 10:57:42,728:ERROR:certbot._internal.log:The server experienced an internal error :: Error creating new order

Hi @tom_swiss

that's an internal Let's Encrypt error you can't fix. HTTP status 500.

Try it again.

@lestaff : https://letsencrypt.status.io/ is ok. Issues?

No issues to report. To confirm, I looked at the logs and this 500 was caused by a slow database query counting some rows.

It looks like the next request attempt succeeded.


While some ACME error messages are the same as HTTP, I don't think it's 100 % equal. I'll cross-reference ACME with HTTP just to be sure.
Hm, it seems RFC 8555 mentions HTTP return codes as part of the actual HTTP layer as well as "status codes" within the JWS return message. It however, as far as I could see, doesn't define the "status" within the JWS message where it is a code. It does mention valid/invalid and sometimes it also says things about status codes within the JWS message which appear to be equal to the HTTP return codes indeed. However, 500 isn't mentioned in the RFC at all..? Anyway, they seem to be equal to HTTP return codes indeed, but the "status" JWS code is nowhere actually defined.
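
An added example, not part of the thread or of Certbot's code: RFC 8555 returns errors as RFC 7807 problem documents, and RFC 7807 describes the "status" member as the HTTP status code of the response. The sketch below parses the 500 response from the log above, checks that the body's "status" agrees with the HTTP layer, and retries transient errors with backoff; the names parse_problem, post_with_retry, TRANSIENT and the send callable are assumptions made for illustration.

```python
import json
import time

# Constructed from the HTTP 500 response shown in the log above.
SAMPLE_CTYPE = "application/problem+json"
SAMPLE_BODY = b"""{
  "type": "urn:ietf:params:acme:error:serverInternal",
  "detail": "Error creating new order",
  "status": 500
}"""

PREFIX = "urn:ietf:params:acme:error:"
# Assumption for this example: error types treated as safe to retry.
TRANSIENT = {"serverInternal", "badNonce"}


def parse_problem(http_status, content_type, body):
    """Parse an RFC 7807 problem document returned by an ACME server."""
    if content_type.split(";")[0].strip().lower() != "application/problem+json":
        raise ValueError("not a problem document: %r" % content_type)
    doc = json.loads(body.decode("utf-8"))
    ptype = doc.get("type", "about:blank")  # RFC 7807 default type
    short = ptype[len(PREFIX):] if ptype.startswith(PREFIX) else None
    body_status = doc.get("status")  # optional copy of the HTTP status code
    return {
        "acme_error": short,
        "detail": doc.get("detail", ""),
        # The HTTP layer is authoritative; the body member is advisory.
        "status_consistent": body_status in (None, http_status),
        "retryable": short in TRANSIENT,
    }


def post_with_retry(send, attempts=3, base_delay=2.0, sleep=time.sleep):
    """Call send() until it succeeds or fails with a non-transient problem.

    send() is a hypothetical callable returning (status, content_type, body);
    a real client must sign each retry with a fresh nonce.
    """
    for attempt in range(attempts):
        status, ctype, body = send()
        if status < 400:
            return status, attempt + 1
        problem = parse_problem(status, ctype, body)
        if not problem["retryable"] or attempt == attempts - 1:
            raise RuntimeError("%s :: %s" % (problem["acme_error"], problem["detail"]))
        sleep(base_delay * 2 ** attempt)  # exponential backoff: 2s, 4s, ...
```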

Thanks all. Did a reattempt and it went through. It does seem that requests do just time out sometimes (I see it with renewals), perhaps timeout values ought to be extended a little? Just meant as a friendly suggestion.

-Tom
