Finalize 405 error when renewing previously active certs

Help
1

I have root access to my server, and I'm trying to test to see if I can renew these domains:

buy.ontariospeeddating.ca
clubcatcher.com
www.clubcatcher.com
new.clubcatcher.com
www.buy.ontariospeeddating.ca
ontariospeeddating.ca
secure.ontariospeeddating.ca
www.ontariospeeddating.ca

towards the end of the log, I see that each domain has the message "already verified, skipping http-01"

During finalization, the errors come up. This is the relevant portion of the log:

[Sat Oct 18 01:26:50 EDT 2025] Let's finalize the order.
[Sat Oct 18 01:26:50 EDT 2025] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/2703843311/439139149591'
[Sat Oct 18 01:26:50 EDT 2025] =======Sending Signed Request=======
[Sat Oct 18 01:26:50 EDT 2025] url='https://acme-v02.api.letsencrypt.org/acme/finalize/2703843311/439139149591'
[Sat Oct 18 01:26:50 EDT 2025] payload='{"csr": "MIIB6jCCAY8CAQAwJDEiMCAGA1UEAxMZYnV5Lm9udGFyaW9zcGVlZGRhdGluZy5jYTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABN5FWiYpxtcB6SPnFUv2PstMjbeKqx_vttaeTRaSGii3Dc6z0UDrbEUOEOdTcyccm9pqqsiF-CSxVc4yPpXG8ZCgggEHMIIBAwYJKoZIhvcNAQkOMYH1MIHyMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCB0AYDVR0RBIHIMIHFghlidXkub250YXJpb3NwZWVkZGF0aW5nLmNhgg9jbHViY2F0Y2hlci5jb22CE3d3dy5jbHViY2F0Y2hlci5jb22CE25ldy5jbHViY2F0Y2hlci5jb22CHXd3dy5idXkub250YXJpb3NwZWVkZGF0aW5nLmNhghVvbnRhcmlvc3BlZWRkYXRpbmcuY2GCHHNlY3VyZS5vbnRhcmlvc3BlZWRkYXRpbmcuY2GCGXd3dy5vbnRhcmlvc3BlZWRkYXRpbmcuY2EwCgYIKoZIzj0EAwIDSQAwRgIhAM1IIxV7aGH2XCAEpFHawEbK9OjR_CEieMMBEYJGClpBAiEAonfhURfmqLW9tj_RfRbIE0LxKACZMmdg4nQjFWyMuQg"}'
[Sat Oct 18 01:26:50 EDT 2025] Use cached jwk for file: /root/.acme.sh/ca/acme-v02.api.letsencrypt.org/directory/account.key
[Sat Oct 18 01:26:50 EDT 2025] Use _CACHED_NONCE='qBrIrfeUjtMpVOrRnMKfWGHDe901SPg_qAgqasrYDBLzNOIQ2Q4'
[Sat Oct 18 01:26:50 EDT 2025] nonce='qBrIrfeUjtMpVOrRnMKfWGHDe901SPg_qAgqasrYDBLzNOIQ2Q4'
[Sat Oct 18 01:26:50 EDT 2025] POST
[Sat Oct 18 01:26:50 EDT 2025] _post_url='https://acme-v02.api.letsencrypt.org/acme/finalize/2703843311/439139149591'
[Sat Oct 18 01:26:50 EDT 2025] body='{"protected": "eyJub25jZSI6ICJxQnJJcmZlVWp0TXBWT3JSbk1LZldHSERlOTAxU1BnX3FBZ3Fhc3JZREJMek5PSVEyUTQiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2ZpbmFsaXplLzI3MDM4NDMzMTEvNDM5MTM5MTQ5NTkxIiwgImFsZyI6ICJFUzI1NiIsICJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8yNzAzODQzMzExIn0", "payload": "eyJjc3IiOiAiTUlJQjZqQ0NBWThDQVFBd0pERWlNQ0FHQTFVRUF4TVpZblY1TG05dWRHRnlhVzl6Y0dWbFpHUmhkR2x1Wnk1allUQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJONUZXaVlweHRjQjZTUG5GVXYyUHN0TWpiZUtxeF92dHRhZVRSYVNHaWkzRGM2ejBVRHJiRVVPRU9kVGN5Y2NtOXBxcXNpRi1DU3hWYzR5UHBYRzhaQ2dnZ0VITUlJQkF3WUpLb1pJaHZjTkFRa09NWUgxTUlIeU1CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakNCMEFZRFZSMFJCSUhJTUlIRmdobGlkWGt1YjI1MFlYSnBiM053WldWa1pHRjBhVzVuTG1OaGdnOWpiSFZpWTJGMFkyaGxjaTVqYjIyQ0UzZDNkeTVqYkhWaVkyRjBZMmhsY2k1amIyMkNFMjVsZHk1amJIVmlZMkYwWTJobGNpNWpiMjJDSFhkM2R5NWlkWGt1YjI1MFlYSnBiM053WldWa1pHRjBhVzVuTG1OaGdoVnZiblJoY21sdmMzQmxaV1JrWVhScGJtY3VZMkdDSEhObFkzVnlaUzV2Ym5SaGNtbHZjM0JsWldSa1lYUnBibWN1WTJHQ0dYZDNkeTV2Ym5SaGNtbHZjM0JsWldSa1lYUnBibWN1WTJFd0NnWUlLb1pJemowRUF3SURTUUF3UmdJaEFNMUlJeFY3YUdIMlhDQUVwRkhhd0ViSzlPalJfQ0VpZU1NQkVZSkdDbHBCQWlFQW9uZmhVUmZtcUxXOXRqX1JmUmJJRTBMeEtBQ1pNbWRnNG5RakZXeU11UWcifQ", "signature": "kn8LcXsPRPx2fAFKijmTHyk_72p1bOCcLVSoVDxTDTWtf67QJGp1l9vlTcgPg28hYHFzYhTBujDYgdHa28zOiA"}'
[Sat Oct 18 01:26:50 EDT 2025] _postContentType='application/jose+json'
[Sat Oct 18 01:26:50 EDT 2025] Http already initialized.
[Sat Oct 18 01:26:50 EDT 2025] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g  --insecure  '
[Sat Oct 18 01:27:26 EDT 2025] _ret='0'
[Sat Oct 18 01:27:26 EDT 2025] responseHeaders='HTTP/1.1 100 Continue

HTTP/1.1 405 Not Allowed
Server: nginx
Date: Sat, 18 Oct 2025 05:27:25 GMT
Content-Type: text/html
Content-Length: 150
Connection: keep-alive

'
[Sat Oct 18 01:27:26 EDT 2025] code='405'
[Sat Oct 18 01:27:26 EDT 2025] original='<html>
<head><title>405 Not Allowed</title></head>
<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx</center>
</body>
</html>
'
[Sat Oct 18 01:27:26 EDT 2025] response='<html>
<head><title>405 Not Allowed</title></head>
<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx</center>
</body>
</html>
'
[Sat Oct 18 01:27:26 EDT 2025] Signing failed. Finalize code was not 200.
[Sat Oct 18 01:27:26 EDT 2025] <html>
<head><title>405 Not Allowed</title></head>
<body>
<center><h1>405 Not Allowed</h1></center>
<hr><center>nginx</center>
</body>
</html>
[Sat Oct 18 01:27:26 EDT 2025] _on_issue_err
[Sat Oct 18 01:27:26 EDT 2025] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Sat Oct 18 01:27:26 EDT 2025] _chk_vlist

This is how I call acme:

sh /root/.acme.sh/acme.sh --force --issue --stateless --insecure --server -d (domain) -d (domain) ...

I changed --issue to --renew with no luck.

Why do I get that error? how do I fix it?

2

SOLVED IN AN AWKWARD WAY

Here's how I managed to solve my issue. naturally I was the first to discover this despite the web supposedly having plenty amount of info.

Reset the config

When I upgraded acme.sh, I left my existing configuration intact, which was the problem.

So to fix my issue, I did the following...

added a --use-wget switch to rule out any problems with curl.

And I resetted my registration step by deleting the contents of the ca subfolder in the acme.sh folder, thereby obtaining a brand new key at the registration step. (using --register-account function in acme.sh)

Then everything worked again.

The letsencrypt team needed to provide a better error, maybe like HTTP code 429 (too many requests) because this was the first time I did a brand new registration in many months that I used the service.

3

It would have been better for you to post on your previous thread:

At that thread the problem was that you were trying to finalize an order that included a domain with a badly broken DNS configuration. You said the first faulty domain was no longer in use and was replaced by another one. Yet, the replaced one also had a badly broken DNS config.

The cert you got today did not include either of those problematic domain names. Those were santamoses.com and santarealbeard.com

It looks like the solution was to quit asking for a cert with those faulty domain names :slight_smile:

The 405 is an unusual error for a "finalize". That is more likely a problem in the ACME Client. You never provided the full logs here or when you posted about it (link here) on the acme.sh github. Without the full logs we couldn't say much.

5 Likes