Malformed account ID in KeyID header URL: "

My domain is:

I ran this command:
dehydrated -c -x

It produced this output:

dehydrated -c -x

INFO: Using main config file /etc/dehydrated/config


  • Checking domain name(s) of existing cert… unchanged.
  • Checking expire date of existing cert…
  • Valid till Nov 11 09:57:21 2019 GMT Certificate will not expire
    (Longer than 30 days). Ignoring because renew was forced!
  • Signing domains…
  • Generating private key…
  • Generating signing request…
  • Requesting new certificate order from CA…
  • ERROR: An error occurred while sending post-request to (Status 400)

HTTP/1.1 100 Continue
Expires: Tue, 13 Aug 2019 12:58:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 178
Replay-Nonce: m9nYxf8F6gPvMpXo9H_vQHq7nFhkPQL8rNtQj2EnV6c
Expires: Tue, 13 Aug 2019 12:58:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 13 Aug 2019 12:58:16 GMT
Connection: close

“type”: “urn:ietf:params:acme:error:malformed”,
“detail”: “Malformed account ID in KeyID header URL: “””,
“status”: 400

The staging environment works all fine. I only experienced this issue today and it has not occurred so far.

My web server is (include version):
debian buster uptodate:
apache2 2.4.38-3

The operating system my web server runs on is (include version):
Debian buster

My hosting provider, if applicable, is:
my ip address is

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
this is dehydrated version: 0.6.2-2

Please help if I miss something or anything I ca do to debug this any further.

1 Like

Hi @cstamas.

You need to update your Dehydrated version to v0.6.4 or newer. There was a change with the Let’s Encrypt ACME API that required a bug-fix in Dehydrated.

1 Like

Thanks @cpu indeed this fixed the issue:
now I even found the debian bugreport , possibly my google ability is failing today. (or this is hard to google, dunno)

Now I have a working cert.


Great! :slight_smile: Glad to hear that the upgrade process was painless. Thanks for reporting back.

1 Like

fwiw. it is going to take some effort to get the patched client out to all the hosts we have as this is not yet in debian buster (currently I got it from debian sid manually)

Hopefully it will get into the next debian point release.

@cpu please clarify that all cert request are going to fail and require a new dehydrated client or if the registration is already complete it does not require immediate upgrade?

1 Like

Sorry, I’m not familiar enough with dehydrated to know for sure. I recommend you ask the project maintainers or experiment with your other hosts.

1 Like

My limited tests suggest that already registered accounts are fine and can request new certs.