Incomplete Authorizations error when trying to renew

I’m on Ubuntu 18.04 running nginx. Tried renewing an existing valid cert and got an error I haven’t encountered before. Poked around Google looking for a solution but coming up short.

Here’s what happened:

ubuntu@ip-177-77-77-77:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mydomain.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Incomplete authorizations. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)

What exactly is going on here and how do I resolve this so I can renew my cert which expires in 2 weeks?

Thanks.

p.s. here’s more detail from the log:

2019-06-17 14:09:48,267:WARNING:certbot.renewal:Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Incomplete authorizations. Skipping.
2019-06-17 14:09:48,269:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 85, in handle_authorizations
    self.verify_authzr_complete(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 345, in verify_authzr_complete
    raise errors.AuthorizationError("Incomplete authorizations")
certbot.errors.AuthorizationError: Incomplete authorizations

2019-06-17 14:09:48,269:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-06-17 14:09:48,269:ERROR:certbot.renewal:  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
2019-06-17 14:09:48,270:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

Hi @EdGeis,

Can you please provide your domain so we can better assist you? I am assuming that mydomain.com isn’t actually the domain you’re attempting to re-issue for. Which version of certbot are you running?


Thanks for your prompt reply.

Domain is barredislands.com.

ubuntu@ip-177-77-77-77:~$ apt-cache policy certbot | grep Installed
  Installed: 0.31.0-1+ubuntu18.04.1+certbot+1

That’s an interesting one. From what I could dig up it appears this can happen during times of high LE service load. What happens if you attempt a renewal now?

Same thing.

What does “Incomplete authorization” mean in this context?

Can you post the rest of the log?

And without redacting things (except your email address)?

And, I’m not sure if this matters, but what does “dpkg -l python3-certbot” show? Edit: Never mind, I was curious about the error message, but it just changed in 0.32.0.

Here’s the last part of the log; couldn’t fit the whole thing:

2019-06-17 14:09:37,838:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Content-Type: application/json
    Content-Length: 825
    Boulder-Requester: 9633353
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: Zh9sx8FJjmLYZjllOX6Wiqgmarnu5gCPBIfu-L4rLoc
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Mon, 17 Jun 2019 14:09:37 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Mon, 17 Jun 2019 14:09:37 GMT
    Connection: keep-alive

    {
      "identifier": {
        "type": "dns",
        "value": "barredislands.org"
      },
      "status": "pending",
      "expires": "2019-06-24T13:52:34Z",
      "challenges": [
        {
          "type": "http-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/v2/234855/K2lcmw==",
          "token": "6tRxNSp9INYJzER1cs5Yj-ipefCyQiTDPy5S0DGxt8k"
        },
        {
          "type": "dns-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/v2/234855/pYENRw==",
          "token": "6tRxNSp9INYJzER1cs5Yj-ipefCyQiTDPy5S0DGxt8k"
        },
        {
          "type": "tls-alpn-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/v2/234855/uWbxow==",
          "token": "6tRxNSp9INYJzER1cs5Yj-ipefCyQiTDPy5S0DGxt8k"
        }
      ]
    }
    2019-06-17 14:09:37,838:DEBUG:acme.client:Storing nonce: Zh9sx8FJjmLYZjllOX6Wiqgmarnu5gCPBIfu-L4rLoc
    2019-06-17 14:09:40,841:DEBUG:acme.client:JWS payload:
    b''
    2019-06-17 14:09:40,843:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/v2/234855:
    {
      "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85NjMzMzUzIiwgIm5vbmNlIjogIlpoOXN4OEZKam1MWVpqbGxPWDZXaXFnbWFybnU1Z0NQQklmdS1MNHJMb2MiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovdjIvMjM0ODU1In0",
      "signature": "Gj7rI3WJ_F1mwo0ROYwiTLk_2_BJLSZmHhxL0qhBP5FKE_OPtTUAeQq_gFZ0Rsqx2jos4RXQublLNT1vyTx7PtgrjA2F-njg5A_86OwqnDFXb4A7FRJ7lCT2xCxiJRuKyUZpSk-iylp5YDjIzRd3kikIRrOmhnCN4ukPRmdzqQHzue4B2fpaejbTDMK5GTn-ZxvpAQtviT7tzhoi7vaLkJqegz5035UOPMnLpHJyWYs632WIokHCeLQLz9488Jy3ORJhOECMfRNz8iGDXIuIhcRHDVNRohGq-OQA8hYk7S-PFTR1t5E34XY_RZAV7soHZmC2a208ji4S-jym9EXT4Q",
      "payload": ""
    }
    2019-06-17 14:09:40,934:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/v2/234855 HTTP/1.1" 200 825
    2019-06-17 14:09:40,935:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Content-Type: application/json
    Content-Length: 825
    Boulder-Requester: 9633353
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: puvRZUl_NSV_eko8onWIKMdURPdELzuXo2fuX1gavZY
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Mon, 17 Jun 2019 14:09:40 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Mon, 17 Jun 2019 14:09:40 GMT
    Connection: keep-alive

    {
      "identifier": {
        "type": "dns",
        "value": "barredislands.org"
      },
      "status": "pending",
      "expires": "2019-06-24T13:52:34Z",
      "challenges": [
        {
          "type": "http-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/v2/234855/K2lcmw==",
          "token": "6tRxNSp9INYJzER1cs5Yj-ipefCyQiTDPy5S0DGxt8k"
        },
        {
          "type": "dns-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/v2/234855/pYENRw==",
          "token": "6tRxNSp9INYJzER1cs5Yj-ipefCyQiTDPy5S0DGxt8k"
        },
        {
          "type": "tls-alpn-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/v2/234855/uWbxow==",
          "token": "6tRxNSp9INYJzER1cs5Yj-ipefCyQiTDPy5S0DGxt8k"
        }
      ]
    }
    2019-06-17 14:09:40,935:DEBUG:acme.client:Storing nonce: puvRZUl_NSV_eko8onWIKMdURPdELzuXo2fuX1gavZY
    2019-06-17 14:09:43,938:DEBUG:acme.client:JWS payload:
    b''
    2019-06-17 14:09:43,941:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/v2/234855:
    {
      "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85NjMzMzUzIiwgIm5vbmNlIjogInB1dlJaVWxfTlNWX2VrbzhvbldJS01kVVJQZEVMenVYbzJmdVgxZ2F2WlkiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovdjIvMjM0ODU1In0",
      "signature": "X_r2laA0-QOIhmMm_1WXl0KcI2m8MXbt73pwUq4YlROgZpPJYkJsG6gxvM_CIch87ZCbYyNb4y0wDPmHtdWfisdy7mXR2Rd5ie1-FMeoK-e1T23zV6m_LsjR_5TavBUwypijcYepE9cAXz8BivVBLDzNUuWOoONhNJcWnA8LHzNPBgCXQbBoLyVv0kXXhhLtq7Zz6lxEIx-LvbBjiogT_YZ-jVbHSN3WXWSydLb_ofD85pjaz5Q88D90MTtv3RRbdphWVtfHOrlhu6GNgcApUnEH02lcQT04ih98Jb0nOB07C4ufpa4LMLyH9tKfUseuoUKyOM2yOdYLwox17WvLeQ",
      "payload": ""
    }
    2019-06-17 14:09:44,076:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/v2/234855 HTTP/1.1" 200 825
    2019-06-17 14:09:44,077:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Content-Type: application/json
    Content-Length: 825
    Boulder-Requester: 9633353
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: 7taJLsQT6niBhpkYb_U9cGVOtasN1tT7ErxEKY5PSV0
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Mon, 17 Jun 2019 14:09:44 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Mon, 17 Jun 2019 14:09:44 GMT
    Connection: keep-alive

    {
      "identifier": {
        "type": "dns",
        "value": "barredislands.org"
      },
      "status": "pending",
      "expires": "2019-06-24T13:52:34Z",
      "challenges": [
        {
          "type": "http-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/v2/234855/K2lcmw==",
          "token": "6tRxNSp9INYJzER1cs5Yj-ipefCyQiTDPy5S0DGxt8k"
        },
        {
          "type": "dns-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/v2/234855/pYENRw==",
          "token": "6tRxNSp9INYJzER1cs5Yj-ipefCyQiTDPy5S0DGxt8k"
        },
        {
          "type": "tls-alpn-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/v2/234855/uWbxow==",
          "token": "6tRxNSp9INYJzER1cs5Yj-ipefCyQiTDPy5S0DGxt8k"
        }
      ]
    }
    2019-06-17 14:09:44,077:DEBUG:acme.client:Storing nonce: 7taJLsQT6niBhpkYb_U9cGVOtasN1tT7ErxEKY5PSV0
    2019-06-17 14:09:47,081:DEBUG:acme.client:JWS payload:
    b''
    2019-06-17 14:09:47,083:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz/v2/234855:
    {
      "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85NjMzMzUzIiwgIm5vbmNlIjogIjd0YUpMc1FUNm5pQmhwa1liX1U5Y0dWT3Rhc04xdFQ3RXJ4RUtZNVBTVjAiLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYXV0aHovdjIvMjM0ODU1In0",
      "signature": "fndE-csa9cLyC8EdSHLd2GuH7PSDbIYowqH-CPT44f68k3C4iAiAVMbY0-tFl2B5beQZ2B95CVrltfs-1LT_FVwBjUbyIUGJwiZSxgOmQGnBB7fmyEvouCqyP8zHfxpIx44cBoTmSOgsy5ZKupuF8HNJFR75-YkR4LzRVTBO2T-MQ928NkD9Mxca4EEEYgRAkOva96XXs7zBtC2Dd1Jhb1W5c5nAqTBlPUOXZEo4i9shvlV8HHbVCTf1fVYheS_N1M8x9XOjibh1921arpb7cnnf6_MkfspgBroaPgvX--FMfrCkE-522mn-tt89k-AnF8VjlAuxCBcKP4LthP41Eg",
      "payload": ""
    }
    2019-06-17 14:09:47,139:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/authz/v2/234855 HTTP/1.1" 200 825
    2019-06-17 14:09:47,139:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Content-Type: application/json
    Content-Length: 825
    Boulder-Requester: 9633353
    Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: iB-WhtIQN4hnHZHR-7Nokl04a_luR1NpxIR_9tJECTA
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Mon, 17 Jun 2019 14:09:47 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Mon, 17 Jun 2019 14:09:47 GMT
    Connection: keep-alive

    {
      "identifier": {
        "type": "dns",
        "value": "barredislands.org"
      },
      "status": "pending",
      "expires": "2019-06-24T13:52:34Z",
      "challenges": [
        {
          "type": "http-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/v2/234855/K2lcmw==",
          "token": "6tRxNSp9INYJzER1cs5Yj-ipefCyQiTDPy5S0DGxt8k"
        },
        {
          "type": "dns-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/v2/234855/pYENRw==",
          "token": "6tRxNSp9INYJzER1cs5Yj-ipefCyQiTDPy5S0DGxt8k"
        },
        {
          "type": "tls-alpn-01",
          "status": "pending",
          "url": "https://acme-staging-v02.api.letsencrypt.org/acme/challenge/v2/234855/uWbxow==",
          "token": "6tRxNSp9INYJzER1cs5Yj-ipefCyQiTDPy5S0DGxt8k"
        }
      ]
    }
    2019-06-17 14:09:47,140:DEBUG:acme.client:Storing nonce: iB-WhtIQN4hnHZHR-7Nokl04a_luR1NpxIR_9tJECTA
    2019-06-17 14:09:47,140:DEBUG:certbot.error_handler:Calling registered functions
    2019-06-17 14:09:47,140:INFO:certbot.auth_handler:Cleaning up challenges
    2019-06-17 14:09:48,267:WARNING:certbot.renewal:Attempting to renew cert (barredislands.com) from /etc/letsencrypt/renewal/barredislands.com.conf produced an unexpected error: Incomplete authorizations. Skipping.
    2019-06-17 14:09:48,269:DEBUG:certbot.renewal:Traceback was:
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
        main.renew_cert(lineage_config, plugins, renewal_candidate)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
        renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
        renewal.renew_cert(config, domains, le_client, lineage)
      File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
        new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
        orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
        authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 85, in handle_authorizations
        self.verify_authzr_complete(aauthzrs)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 345, in verify_authzr_complete
        raise errors.AuthorizationError("Incomplete authorizations")
    certbot.errors.AuthorizationError: Incomplete authorizations

    2019-06-17 14:09:48,269:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
    2019-06-17 14:09:48,269:ERROR:certbot.renewal:  /etc/letsencrypt/live/barredislands.com/fullchain.pem (failure)
    2019-06-17 14:09:48,270:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/certbot", line 11, in <module>
        load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
        return config.func(config, plugins)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
        renewal.handle_renewal_request(config)
      File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
        len(renew_failures), len(parse_failures)))
    certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

This isn’t a very good answer, but the most likely explanations are:

  1. The CA was slow, didn’t perform the validations quickly, and Certbot gave up waiting, or

  2. Something weird went wrong.

Does it work if you try again?

Just tried it for a fifth time today, same result.

Do you have any insight as to what might be going on here?

I don’t have any, sorry.

I’m able to successfully issue certificates using the staging environment.

For that matter, I issued a couple certificates in the production environment a few hours ago.

Does the production environment also have problems for you?

This is a production web server. Or do you mean I should try the renew without the --dry-run?

At what stage in the process is Certbot choking? It’s not clear to me from the log where things are breaking down.

@mnordhoff means Let’s Encrypt’s production environment.

--dry-run causes Certbot to use acme-staging-v02.api.letsencrypt.org, whereas “production” is acme-v02.api.letsencrypt.org.

What other posters suspect to be happening is not that Certbot is choking, but Let’s Encrypt’s backend service is misbehaving for your ACME orders.


Your domain’s DNS seems to be misconfigured right now. It is pointing at some AWS Route53 nameservers, but those Route53 nameservers return REFUSED when queried for your domain.

I would try fixing your nameserver situation first and then seeing what happens with another --dry-run.

There have been some instances in the past where issues like network timeouts were a little racy and caused weird errors to be spit out of Let’s Encrypt/Certbot, but they were masking underlying issues with the domain name or webserver being issued.

So hopefully fixing your DNS should either fix everything, or unmask the underlying problem.

Late Edit: I believe this thread is a report of the same issue.

So I’ll change a domain name to do this test.

I experience a similar problem when running certbot with the --dry-run option. It worked a few days ago, but since yesterday it returns an error.

Any idea what this is and how to fix it?

2019-06-20 19:18:40,082:DEBUG:acme.client:Requesting fresh nonce
2019-06-20 19:18:40,083:DEBUG:acme.client:Sending HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce.
2019-06-20 19:18:40,261:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2019-06-20 19:18:40,262:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 5-uH6dpypjIcyp2SAeFWeTCqaw-TY9DevJMtqgRlWVo
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 0
Expires: Thu, 20 Jun 2019 11:18:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 20 Jun 2019 11:18:40 GMT
Connection: keep-alive


2019-06-20 19:18:40,263:DEBUG:acme.client:Storing nonce: 5-uH6dpypjIcyp2SAeFWeTCqaw-TY9DevJMtqgRlWVo
2019-06-20 19:18:40,264:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "vserver-vie01.beowulf.at"\n    }\n  ]\n}'
2019-06-20 19:18:40,270:DEBUG:acme.client:Sending POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC85NjIwNDIyIiwgIm5vbmNlIjogIjUtdUg2ZHB5cGpJY3lwMlNBZUZXZVRDcWF3LVRZOURldkpNdHFnUmxXVm8iLCAidXJsIjogImh0dHBzOi8vYWNtZS1zdGFnaW5nLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LW9yZGVyIn0",
  "signature": "N6bevE4kPTiVGjG-7sx1RujTLm_2OZgPkG8ChHbcJ33BDHGKrs69XxD6c3d_8x0MhBjONjMzbhVmbT0HaH1yF0QnEJbPEtWDdWqwZ-N5hSK7ZGdRzDQ8oAnK4zRDd8G4lriw8wpg59-e2hPzJGOTG7ZHqfTugJIBED5-y7QfwRJMQuD_I7HuhiieWizwY5vTlWaSpJ-RS4lXdTbKjAnyaM4MivDOqtnOHcz_W8WoTUcN9Tk8Y4-pRHoj_UeoWpmlOTzvOuLDW43fKhQfdcGolFqrPx_Z25_ecuWuHndYWcYSgM2OvWiszufVDwakAHUo84mONXZq_MIWMAwzW8Qr6w",
  "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogInZzZXJ2ZXItdmllMDEuYmVvd3VsZi5hdCIKICAgIH0KICBdCn0"
}
2019-06-20 19:18:40,455:DEBUG:urllib3.connectionpool:https://acme-staging-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 500 114
2019-06-20 19:18:40,457:DEBUG:acme.client:Received response:
HTTP 500
Server: nginx
Content-Type: application/problem+json
Content-Length: 114
Boulder-Requester: 9620422
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: WwiiaEzYVONkIlqY8tSA4eJaELRUczd7FTmUhSPQ39E
Expires: Thu, 20 Jun 2019 11:18:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 20 Jun 2019 11:18:40 GMT
Connection: close

{
  "type": "urn:ietf:params:acme:error:serverInternal",
  "detail": "Error creating new order",
  "status": 500
}
2019-06-20 19:18:40,458:WARNING:certbot.renewal:Attempting to renew cert (vserver-vie01.beowulf.at) from /etc/letsencrypt/renewal/vserver-vie01.beowulf.at.conf produced an unexpected error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error creating new order. Skipping.
2019-06-20 19:18:40,463:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 385, in _get_order_and_authorizations
    orderr = self.acme.new_order(csr_pem)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 870, in new_order
    return self.client.new_order(csr_pem)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 652, in new_order
    response = self._post(self.directory['newOrder'], order)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 95, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1185, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1202, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1054, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error creating new order

2019-06-20 19:18:40,467:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-06-20 19:18:40,470:ERROR:certbot.renewal:  /etc/letsencrypt/live/vserver-vie01.beowulf.at/fullchain.pem (failure)
2019-06-20 19:18:40,472:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

Hi @beowulf222, welcome to the community forum.

This is fallout from a staging environment disruption the other day. Apologies for the disruption.

I recommend you delete your staging ACME account and recreate it, change the certificate order to add/remove a domain, or wait 7 days from the time you first created this order in staging. Any of the above should resolve your problem.

Hmmm. I just reviewed everything and don't see any DNS issues. It certainly seems to be resolving to the correct IP address. I know for a fact people have been visiting the site.

I just tried again and got a completely different error. WTF?

Attempting to renew cert (barredislands.com) from /etc/letsencrypt/renewal/barredislands.com.conf produced an unexpected error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error creating new order. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/barredislands.com/fullchain.pem (failure)
ubuntu@ip-172-31-14-63:~$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

We're talking about barredislands.org or .com?

I was talking about barredislands.com–but I think I see the issue now. The cert is for that domain name AND barredislands.org, even though I’m really only using the .com. And there was no DNS A record listed for .org–I just added it. For some reason I thought the cert was only for the .com domain name.

ubuntu@ip-177-77-77-77:~$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: barredislands.com
    Domains: barredislands.com barredislands.org
    Expiry Date: 2019-07-03 17:37:39+00:00 (VALID: 12 days)
    Certificate Path: /etc/letsencrypt/live/barredislands.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/barredislands.com/privkey.pem

Failed again, but I may just need to wait a few hours for the DNS to propagate. Will try later tonight.

Thanks a lot for your help. I’ll report back one way or another.

Where did you add the A record?

barredislands.org doesn’t resolve because it’s configured to use a group of Route 53 nameservers that return REFUSED for the domain. You need to check what the correct NS records are at the DNS host and set them at the registrar.

(One or both of them might be Route 53.)
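
The debug log pasted earlier in this thread already named the identifier that was stuck: every polled authorization was for barredislands.org and stayed "pending" until Certbot gave up. As an added example (not code from Certbot or from any poster here), the script below pulls that summary out of a log in the same layout; the sample log, its domain names and the function names are constructed for illustration.

```python
import json
import re

# Constructed sample in the layout of the certbot debug log pasted in this thread
# (example.com / example.org and the nonce are placeholders, not values from the thread).
SAMPLE_LOG = """\
2019-06-17 14:09:30,100:DEBUG:acme.client:Received response:
HTTP 200
Content-Type: application/json

{"identifier": {"type": "dns", "value": "example.com"}, "status": "valid",
 "challenges": [{"type": "http-01", "status": "valid"}]}
2019-06-17 14:09:37,838:DEBUG:acme.client:Received response:
    HTTP 200
    Content-Type: application/json

    {
      "identifier": {"type": "dns", "value": "example.org"},
      "status": "pending",
      "challenges": [{"type": "http-01", "status": "pending"}]
    }
    2019-06-17 14:09:37,838:DEBUG:acme.client:Storing nonce: CONSTRUCTED-NONCE
    2019-06-17 14:09:40,935:DEBUG:acme.client:Received response:
    HTTP 200

    {"identifier": {"type": "dns", "value": "example.org"}, "status": "pending",
     "challenges": [{"type": "http-01", "status": "pending"}]}
    2019-06-17 14:09:47,140:INFO:certbot.auth_handler:Cleaning up challenges
2019-06-20 19:18:40,457:DEBUG:acme.client:Received response:
HTTP 500
Content-Type: application/problem+json

{"type": "urn:ietf:params:acme:error:serverInternal",
 "detail": "Error creating new order", "status": 500}
"""

# "timestamp:LEVEL:logger:message"; leading whitespace is tolerated because
# forum pastes are often indented.
RECORD = re.compile(r"^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}):(\w+):([\w.]+):(.*)$")


def records(log_text):
    """Group continuation lines (headers, JSON bodies) under their timestamped line."""
    current = None
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if m:
            if current:
                yield current
            current = {"ts": m.group(1), "logger": m.group(3), "msg": m.group(4), "extra": []}
        elif current:
            current["extra"].append(line.strip())
    if current:
        yield current


def acme_responses(log_text):
    """Yield (timestamp, http_status, json_body_or_None) for each logged ACME response."""
    for rec in records(log_text):
        if rec["logger"] != "acme.client" or rec["msg"].strip() != "Received response:":
            continue
        status, body = None, None
        for i, line in enumerate(rec["extra"]):
            if status is None and line.startswith("HTTP "):
                status = int(line.split()[1])
            elif line.startswith("{"):
                try:
                    body = json.loads("\n".join(rec["extra"][i:]))
                except ValueError:
                    body = None  # body was truncated in the paste
                break
        yield rec["ts"], status, body


def summarize(log_text):
    """Collect authorization statuses per identifier and any ACME problem documents."""
    authz, errors = {}, []
    for ts, status, body in acme_responses(log_text):
        if not isinstance(body, dict):
            continue
        if "identifier" in body and "challenges" in body:
            authz.setdefault(body["identifier"].get("value"), []).append(body.get("status"))
        elif str(body.get("type", "")).startswith("urn:ietf:params:acme:error:"):
            errors.append((ts, status, body["type"].rsplit(":", 1)[1], body.get("detail")))
    return {"authz": authz, "errors": errors}


def stuck_identifiers(summary):
    """Identifiers whose last polled authorization status was still 'pending'."""
    return sorted(n for n, s in summary["authz"].items() if s and s[-1] == "pending")


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(stuck_identifiers(result), result["errors"])
```

Run against /var/log/letsencrypt/letsencrypt.log by passing the file's text to `summarize`; comparing the stuck identifiers with the `Domains:` line of `certbot certificates` shows which name on the certificate is failing validation.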