Malformed account ID in KeyID header URL: "

My domain is:

I ran this command:
dehydrated -c -x

It produced this output:

dehydrated -c -x

INFO: Using main config file /etc/dehydrated/config


  • Checking domain name(s) of existing cert… unchanged.
  • Checking expire date of existing cert…
  • Valid till Nov 11 09:57:21 2019 GMT Certificate will not expire
    (Longer than 30 days). Ignoring because renew was forced!
  • Signing domains…
  • Generating private key…
  • Generating signing request…
  • Requesting new certificate order from CA…
  • ERROR: An error occurred while sending post-request to (Status 400)

HTTP/1.1 100 Continue
Expires: Tue, 13 Aug 2019 12:58:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 178
Replay-Nonce: m9nYxf8F6gPvMpXo9H_vQHq7nFhkPQL8rNtQj2EnV6c
Expires: Tue, 13 Aug 2019 12:58:16 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 13 Aug 2019 12:58:16 GMT
Connection: close

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Malformed account ID in KeyID header URL: \"\"",
  "status": 400
}

The staging environment works fine. I only experienced this issue today; it had not occurred before.

My web server is (include version):
Debian buster, up to date:
apache2 2.4.38-3

The operating system my web server runs on is (include version):
Debian buster

My hosting provider, if applicable, is:
my ip address is

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
this is dehydrated version: 0.6.2-2

Please help if I missed something, or if there is anything I can do to debug this any further.

Hi @cstamas.

You need to update your Dehydrated version to v0.6.4 or newer. There was a change with the Let's Encrypt ACME API that required a bug-fix in Dehydrated.

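The error in the question refers to the `kid` (KeyID) field of the JWS protected header, which RFC 8555 requires to carry the account URL on every request made by an existing account. As an added example (not part of the original thread and not dehydrated's own code), this Python check decodes a request body and validates that field; the `/acme/acct/<number>` URL shape, the `acme.example` host and all helper names are assumptions, and the request bodies are constructed.

```python
import base64
import json
import re

# Assumed account-URL shape (host and path are not given on the page).
ACCT_URL_RE = re.compile(r"^https://[^/]+/acme/acct/(\d+)$")


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url as used by JWS (RFC 7515)."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def check_kid(jws_body: str) -> str:
    """Return 'ok' or a short reason why the JWS key identification is unusable."""
    protected = json.loads(b64url_decode(json.loads(jws_body)["protected"]))
    has_kid, has_jwk = "kid" in protected, "jwk" in protected
    if has_kid == has_jwk:
        # RFC 8555 section 6.2: the two fields are mutually exclusive.
        return "exactly one of 'kid' or 'jwk' must be present"
    if has_jwk:
        return "ok"  # newAccount-style request, identified by the key itself
    kid = protected["kid"]
    if not isinstance(kid, str) or not kid:
        return "empty kid"
    if not ACCT_URL_RE.match(kid):
        return f"kid does not end in a numeric account ID: {kid!r}"
    return "ok"


def make_body(kid):
    """Build a constructed JWS body for the demo (signature is a dummy)."""
    header = {"alg": "RS256", "nonce": "constructed-nonce",
              "url": "https://acme.example/acme/new-order", "kid": kid}
    enc = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return json.dumps({"protected": enc, "payload": "", "signature": "AA"})


if __name__ == "__main__":
    for kid in ("https://acme.example/acme/acct/12345",
                "https://acme.example/acme/acct/",
                ""):
        print(repr(kid), "->", check_kid(make_body(kid)))
```
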

Thanks @cpu, indeed this fixed the issue:
now I even found the Debian bug report; possibly my Google ability is failing today (or this is hard to google, dunno).

Now I have a working cert.


Great! 🙂 Glad to hear that the upgrade process was painless. Thanks for reporting back.

FWIW, it is going to take some effort to get the patched client out to all the hosts we have, as this is not yet in Debian buster (currently I got it from Debian sid manually).

Hopefully it will get into the next Debian point release.

@cpu, could you please clarify whether all cert requests are going to fail and require a new dehydrated client, or whether, if the registration is already complete, it does not require an immediate upgrade?

Sorry, I'm not familiar enough with dehydrated to know for sure. I recommend you ask the project maintainers or experiment with your other hosts.


My limited tests suggest that already registered accounts are fine and can request new certs.
