General question: malformed :: Method not allowed

Hi,

I wonder why a RENEWAL or a CREATION of a certificate with

py27-acme-0.27.1,1
py27-certbot-0.27.1,1

works generally as expected whereas expanding and replacing an existing certificate with a new certificate throws an error "malformed :: Method".

Why does this only work with a newer py37-certbot-client?

Thanks in advance
testit

certbot certonly --dry-run --webroot -w /usr/local/www/apache24/data/domain.tld -d work.domain.tld -d domain.tld -d www.domain.tld

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None


You have an existing certificate that contains a portion of the domains you requested (ref: /usr/local/etc/letsencrypt/renewal/domain.tld.conf)

It contains these names: domain.tld, www.domain.tld

You requested these names for the new certificate: work.domain.tld, domain.tld, www.domain.tld.

Do you want to expand and replace this existing certificate with the new certificate?


> (E)xpand/(C)ancel: E
> Renewing an existing certificate

An unexpected error occurred:

The request message was malformed :: Method not allowed
Please see the logfiles in /var/log/letsencrypt for more details.

Certbot 0.27 was written against a draft version of the ACME protocol. There was a late breaking change before the protocol was finalized, which disallowed an empty POST to query account registration.

Some package maintainers backported this change into their python-acme packages, some didn't. It looks like in your case, py27-acme-0.27.1,1 doesn't contain the required fix.

1 Like

Indeed - that would be relevant advice for Debian/Ubuntu, where the fix is backported.

I think OP is on FreeBSD, and I'm not sure what the maintainers there did.

Edit: According to https://www.freebsd.org/cgi/ports.cgi?query=py27-acme&stype=all, py27-acme-1.8.0,1 is available. If you use that, and a matching version of py27-certbot, everything should be fine ...

2 Likes

Thanks a lot for your hints!

One more question: Since creating NEW certificates works correctly but EXPANDING existing ones does not: How can I erase existing ones, so that I simply can CREATE new certificates including the additional subdomain?

Thanks in advance and kind greetings
testit

It doesn't make sense to me that creating/expanding would make any difference, from the perspective of the "malformed error".

Both commands basically do the same thing, just with a different user interface on top.

Are you not able to upgrade py27-certbot and py27-acme for some reason? Doing so should entirely resolve this specific error.

Or are you getting a different error now?

That is why I wonder it obviously does!

It is a question of time! I also have to update the OS and I don't have time for that until next week. But I currently need a certificate that also covers another subdomain. As a workaround I can only create this one separately and would have to make an individual Virtual Host entry in Apache conf. I would have liked to avoid this.

Kind regards
testit

Creating a new certificate by specifying all the domain names (old and new) will produce the same certificate in the end as attempting to expand a certificate, so if the new route works, use that.

I actually counsel people against using --expand in favor of --cert-name name, which is so much more versatile.

certbot certonly --cert-name domain.tld --webroot -w /usr/local/www/apache24/data/domain.tld -d "domain.tld,www.domain.tld,work.domain.tld" --dry-run
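An added example, not part of the original thread: with `--cert-name`, the `-d` list is the complete set of names for the certificate, so any name left out is dropped from the replacement. The sketch below reads the names already on the certificate, merges in the new one, and prints the dry-run command for review. The `live/` path in the comment is assumed from Certbot's standard layout next to the `renewal/` path shown above, and the sample OpenSSL text is constructed.

```shell
#!/bin/sh
# Added example: build the full -d list for `certbot --cert-name` so that
# no name already on the certificate is dropped by accident.

# Read `openssl x509 -noout -text` output on stdin, print one DNS name per line.
san_names() {
    grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# Merge existing names (stdin, one per line) with the names given as arguments.
# Lowercases, drops blanks and duplicates, keeps first-seen order, joins with commas.
merge_names() {
    { cat; printf '%s\n' "$@"; } |
        tr '[:upper:]' '[:lower:]' |
        awk 'NF && !seen[$0]++' |
        paste -sd, -
}

# Print (do not run) the dry-run command so it can be reviewed first.
build_command() {
    cert_name=$1; webroot=$2; names=$3
    printf 'certbot certonly --cert-name %s --webroot -w %s -d "%s" --dry-run\n' \
        "$cert_name" "$webroot" "$names"
}

# Constructed sample of the SAN section of `openssl x509 -noout -text` output.
SAMPLE_TEXT='            X509v3 Subject Alternative Name:
                DNS:domain.tld, DNS:www.domain.tld'

# On a real host, replace the printf below with (path is an assumption):
#   openssl x509 -in /usr/local/etc/letsencrypt/live/domain.tld/cert.pem -noout -text
example() {
    names=$(printf '%s\n' "$SAMPLE_TEXT" | san_names |
        merge_names work.domain.tld www.domain.tld)
    build_command domain.tld /usr/local/www/apache24/data/domain.tld "$names"
}

example
```

If a name should be removed on purpose, compare the printed `-d` list against the existing names before running the command without `--dry-run`.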