Is the ACME v2 server working?

I keep getting a 500 error when trying to issue using the acme v2 server.

Is it up? BTW - this appears to be the exact scenario described here: Is the ACME v2 staging server working?

Here’s the log:

[Thu Nov 21 16:38:03 UTC 2019] RSA key
[Thu Nov 21 16:38:03 UTC 2019] HEAD
[Thu Nov 21 16:38:03 UTC 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Thu Nov 21 16:38:03 UTC 2019] _CURL='curl -L --silent --dump-header /home/sslService/.acme.sh/http.header  -g '
[Thu Nov 21 16:38:03 UTC 2019] _ret='0'
[Thu Nov 21 16:38:04 UTC 2019] POST
[Thu Nov 21 16:38:04 UTC 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu Nov 21 16:38:04 UTC 2019] _CURL='curl -L --silent --dump-header /home/sslService/.acme.sh/http.header  -g '
[Thu Nov 21 16:38:04 UTC 2019] _ret='0'
[Thu Nov 21 16:38:04 UTC 2019] code='500'
[Thu Nov 21 16:38:04 UTC 2019] Le_LinkOrder
[Thu Nov 21 16:38:04 UTC 2019] Le_OrderFinalize
[Thu Nov 21 16:38:04 UTC 2019] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:serverInternal",
  "detail": "Error creating new order",
  "status": 500
}

Hi @claytonrothschild,

Your log shows POSTs against the production v2 API, not staging. What version of acme.sh are you using?


Hi @Phil - apologies - I did not mean staging. Updated title to reflect this.

Acme.sh v2.8.3


Would you mind posting a domain you’re attempting to issue for so we can dig into some log files?


@Phil it's a SAN cert, but one of the domains is: app.cloudpano.com

The basic command structure is:

acme.sh --issue --debug -w [homedir] -k 4096 -d app.cloudpano.com -d [...]

@claytonrothschild,

The order cannot contain more than 100 DNS names and your orders have 102 according to my sed and jq-fu.


That's the correct root cause here. Thanks for digging in @Phil!

This shouldn't be reported as a 500 error. We have a bug on our side. I've filed an issue (Over-sized orders generate 500 responses · Issue #4571 · letsencrypt/boulder · GitHub) to get this fixed so that orders with more than 100 names get a descriptive malformed problem document in response instead of a generic 500 error problem.


This should be fixed in Boulder master shortly (https://github.com/letsencrypt/boulder/pull/4572) and will be fixed in staging/production with next week’s deploy based on our usual schedule.

Thanks again for reporting the problem @claytonrothschild


Thanks, guys, this makes sense. My domain list grows each week - I knew I was getting close to the limit but to be honest it felt like I only had approx ~50 in my list. I'm bad at estimating! This new error reporting will be helpful.

Closing ticket.


:laughing: Or perhaps your ACME client is automatically including the www subdomain for each of your domains? That would explain hitting the error with 50 domains, it would be 2x as many order identifiers.

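The two diagnoses above (Phil's count of 102 DNS names against the 100-name limit, and the suggestion that a client auto-adding a www. twin doubles a ~50-name list) both come down to counting identifiers before the newOrder request is sent. The following pre-flight check is an added example for this thread, not acme.sh or Boulder code: it normalizes a domain list the way ACME treats DNS identifiers (case-insensitive, de-duplicated), optionally adds the www. twins, splits the result into orders that fit the 100-name limit quoted above, and builds the RFC 8555 newOrder body for each. The helper names, the `-d` rendering for acme.sh, and the sample domain list are assumptions made for illustration.

```python
"""Pre-flight check for the 100-identifier ACME order limit discussed above.

Added example, not acme.sh or Boulder code. The per-order limit is the
Let's Encrypt limit quoted in the thread; helper names and the sample
domain list are assumptions made for illustration.
"""
import json

MAX_NAMES_PER_ORDER = 100  # Let's Encrypt limit stated in the thread


def normalize_identifiers(domains, add_www=False):
    """Return the de-duplicated list of DNS identifiers an order would carry.

    DNS identifiers are case-insensitive, so 'App.Example.COM' and
    'app.example.com' count once. With add_www=True a 'www.' twin is
    added for every bare name, which is how a ~50-name list silently
    becomes an order of 100+ identifiers.
    """
    seen = []
    for d in domains:
        name = d.strip().lower().rstrip(".")
        if not name:
            continue
        candidates = [name]
        if add_www and not name.startswith("www."):
            candidates.append("www." + name)
        for c in candidates:
            if c not in seen:
                seen.append(c)
    return seen


def split_orders(identifiers, limit=MAX_NAMES_PER_ORDER):
    """Split identifiers into chunks that each fit in one ACME order."""
    return [identifiers[i:i + limit] for i in range(0, len(identifiers), limit)]


def new_order_payload(identifiers, limit=MAX_NAMES_PER_ORDER):
    """Build the JSON body of an RFC 8555 newOrder request.

    Refuses to build an over-sized order client-side, so the caller gets a
    clear error instead of the generic 500 seen in the log above.
    """
    if len(identifiers) > limit:
        raise ValueError(
            f"order has {len(identifiers)} identifiers; limit is {limit}")
    return json.dumps(
        {"identifiers": [{"type": "dns", "value": v} for v in identifiers]})


def acme_sh_args(identifiers):
    """Render one order as the repeated '-d' arguments acme.sh expects."""
    args = []
    for v in identifiers:
        args += ["-d", v]
    return args


if __name__ == "__main__":
    # Constructed sample list: 51 bare names, roughly the estimate in the thread.
    sample = [f"site{n}.example" for n in range(51)]
    ids = normalize_identifiers(sample, add_www=True)
    print(len(ids), "identifiers")  # 102 once the www. twins are added
    for n, chunk in enumerate(split_orders(ids), 1):
        print(f"order {n}: {len(chunk)} names")
        new_order_payload(chunk)  # raises if a chunk could ever exceed the limit
        print(" ".join(acme_sh_args(chunk)[:4]), "...")
```

Run it against the real `-d` list to see how many identifiers the order actually carries; if the total is over 100, the only fix on the client side is to issue more than one certificate, since the limit is per order, not per account.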

Thank you. I will keep a lookout for this www. addition problem!

I don’t suppose that there is a switch to turn this “feature” off?

But I would suppose that this ‘would be’ more of a configuration error on the part of the person requesting certs and lack of www. redirect configuration, instead of a software issue.

I’m not saying that this is what’s happening, just good information to know and think about.


It should be possible but how to do it would depend on your ACME client.


Hi folks,

Just a quick follow-up to say this is now fixed in production. It took a little bit longer than usual due to the US Thanksgiving holiday last week. An order with more than 100 names should return the correct error now instead of a vague 500 internal server error.

Thanks!

