Is the ACME v2 server working?

Help
1

I keep getting a 500 error when trying to issue using the acme v2 server.

Is it up? BTW - this appears to be the exact scenario described here: Is the ACME v2 staging server working?

Here’s the log:

[Thu Nov 21 16:38:03 UTC 2019] RSA key
[Thu Nov 21 16:38:03 UTC 2019] HEAD
[Thu Nov 21 16:38:03 UTC 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Thu Nov 21 16:38:03 UTC 2019] _CURL='curl -L --silent --dump-header /home/sslService/.acme.sh/http.header  -g '
[Thu Nov 21 16:38:03 UTC 2019] _ret='0'
[Thu Nov 21 16:38:04 UTC 2019] POST
[Thu Nov 21 16:38:04 UTC 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Thu Nov 21 16:38:04 UTC 2019] _CURL='curl -L --silent --dump-header /home/sslService/.acme.sh/http.header  -g '
[Thu Nov 21 16:38:04 UTC 2019] _ret='0'
[Thu Nov 21 16:38:04 UTC 2019] code='500'
[Thu Nov 21 16:38:04 UTC 2019] Le_LinkOrder
[Thu Nov 21 16:38:04 UTC 2019] Le_OrderFinalize
[Thu Nov 21 16:38:04 UTC 2019] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:serverInternal",
  "detail": "Error creating new order",
  "status": 500
}
1 Like
2

Hi @claytonrothschild,

Your log shows POSTs against the production v2 API, not staging. What version of acme.sh are you using?

1 Like
3

Hi @Phil - apologies - I did not mean staging. Updated title to reflect this.

Acme.sh v2.8.3

1 Like
4

Would you mind posting a domain you’re attempting to issue for so we can dig into some log files?

1 Like
5

@Phil its a SAN cert, but one of the domains is: app.cloudpano.com

The basic command structure is:

acme.sh --issue --debug -w [homedir] -k 4096 -d app.cloudpano.com -d [...]
1 Like
6

@claytonrothschild,

The order cannot contain more than 100 DNS names and your orders have 102 according to my sed and jq-fu.

3 Likes
7

That's the correct root cause here. Thanks for digging in @Phil!

This shouldn't be reported as a 500 error. We have a bug on our side. I've filed an issue (Over-sized orders generate 500 responses · Issue #4571 · letsencrypt/boulder · GitHub) to get this fixed so that orders with more than 100 names get a descriptive malformed problem document in response instead of a generic 500 error problem.

3 Likes
8

This should be fixed in Boulder master shortly (RA: fix error returned through WFE2 for too big NewOrders. by cpu · Pull Request #4572 · letsencrypt/boulder · GitHub) and will be fixed in staging/production with next week's deploy based on our usual schedule.

Thanks again for reporting the problem @claytonrothschild

2 Likes
9

Thanks guy, this makes sense. My domain list grows each week - I knew I was getting close to the limit but to be honest it felt like I only had approx ~50 in my list. Im bad at estimating! This new error reporting will be helpful.

Closing ticket.

3 Likes
10

:laughing: Or perhaps your ACME client is automatically including the www subdomain for each of your domains? That would explain hitting the error with 50 domains, it would be 2x as many order identifiers.

1 Like
12

It should be possible but how to do it would depend on your ACME client.

1 Like
13

Hi folks,

Just a quick follow-up to say this is now fixed in production. It took a little bit longer than usual due to the US Thanksgiving holiday last week. An order with more than 100 names should return the correct error now instead of a vague 500 internal server error.

Thanks!

2 Likes
14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.