Pebble error : urn:ietf:params:acme:error:serverInternal :: no serial provided

jorgeja · January 14, 2026, 5:49am

hi, i was developing an java acme client using "acme4", i tested the client with a locally installed (on same pc) pebble. the client can interact with pebble by login, ordering , choosing challenge, and trigger the validations, i chose "TlsAlpn01Challenge" and intend to implement TLS-ALPN-01. but the pebble somehow invalidated the request. and return an "invalid" status, i check the pebble display, and get these printout from the pebble instance "

Pebble 2026/01/14 13:18:07 GET /dir -> calling handler()
Pebble 2026/01/14 13:18:07 GET /dir -> calling handler()
Pebble 2026/01/14 13:18:07 HEAD /nonce-plz -> calling handler()
Pebble 2026/01/14 13:18:07 POST /sign-me-up -> calling handler()
Pebble 2026/01/14 13:18:07 GET /dir -> calling handler()
Pebble 2026/01/14 13:18:07 POST /sign-me-up -> calling handler()
Pebble 2026/01/14 13:18:07 There are now 1 accounts in memory
Pebble 2026/01/14 13:18:07 GET /dir -> calling handler()
Pebble 2026/01/14 13:18:07 GET /dir -> calling handler()
Pebble 2026/01/14 13:18:07 HEAD /nonce-plz -> calling handler()
Pebble 2026/01/14 13:18:07 POST /sign-me-up -> calling handler()
Pebble 2026/01/14 13:18:08 GET /dir -> calling handler()
Pebble 2026/01/14 13:18:08 POST /order-plz -> calling handler()
Pebble 2026/01/14 13:18:08 There are now 1 authorizations in the db
Pebble 2026/01/14 13:18:08 Added order "nz7_KVMFp8o71TCiJ0G-swooPKa3WUkgPBZ003UncsY" to the db
Pebble 2026/01/14 13:18:08 There are now 1 orders in the db
Pebble 2026/01/14 13:18:08 POST /authZ/ -> calling handler()
Pebble 2026/01/14 13:18:08 POST /chalZ/ -> calling handler()
Pebble 2026/01/14 13:18:08 Pulled a task from the Tasks queue: &va.vaTask{Identifier:acme.Identifier{Type:"dns", Value:"example.test"}, Challenge:(*core.Challenge)(0xc000246000), Account:(*core.Account)(0xc000400180), AccountURL:"https://localhost:14000/my-account/5741bb941f78d320", Wildcard:false}
Pebble 2026/01/14 13:18:08 Starting 3 validations.
Pebble 2026/01/14 13:18:08 Sleeping for 1s seconds before validating
Pebble 2026/01/14 13:18:08 Sleeping for 1s seconds before validating
Pebble 2026/01/14 13:18:08 Sleeping for 1s seconds before validating
Pebble 2026/01/14 13:18:09 POST /chalZ/ -> calling handler()
Pebble 2026/01/14 13:18:10 authz _8KDRcSGpqdnm2Y3qGYU2--jaS21U0VrqhudJve0dD0 set INVALID by completed challenge cZGhu9T99sK_V8ZcjF1lBtXE-BxS8I18-CAAe5rb4Fk
Pebble 2026/01/14 13:18:10 Error updating replacement order: urn:ietf:params:acme:error:serverInternal :: no serial provided
Pebble 2026/01/14 13:18:10 order nz7_KVMFp8o71TCiJ0G-swooPKa3WUkgPBZ003UncsY set INVALID by invalid authz _8KDRcSGpqdnm2Y3qGYU2--jaS21U0VrqhudJve0dD0
Pebble 2026/01/14 13:18:11 POST /chalZ/ -> calling handler()

i was using acme4j-client:3.5.1, and pebbel version v2.6.0

MaxHearnden · January 14, 2026, 7:13am

This appears to have been fixed in pebble v2.9.0 by Don't try to update the parent order if there is none by mkauf · Pull Request #523 · letsencrypt/pebble · GitHub

jorgeja · January 14, 2026, 5:17pm

i have checked out v2.9.0, and rebuild pebble. the build looks fine i start pebble, download the pebble Root CA at "https://127.0.0.1:15000/roots/0" and insert it into java environment, then i started the java client (acme4j 3.5.1), the connection to pebble terminated with pebble display this:

2026/01/15 01:03:47 http: TLS handshake error from 127.0.0.1:42940: EOF

on the client side, the java triggered this exception:

"org.shredzone.acme4j.exception.AcmeNetworkException: Network error"

i dig into the exception cause, it said this

"javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

it seems that pebble server somehow is not distributing the correct Root CA

Nummer378 · January 14, 2026, 5:47pm

The pebble roots used for certificate signing are generated randomly on startup and are not used for the HTTPS endpoint. You tell pebble which cerificate to use for HTTPS through the pebble config. If you're using the test config from pebble/test/config/pebble-config.json at main · letsencrypt/pebble · GitHub, then you'll want to (temporarily) trust this root certificate: pebble/test/certs/pebble.minica.pem at main · letsencrypt/pebble · GitHub

shred · January 15, 2026, 11:16am

Pebble's cert has changed, and does not match the one stored in acme4j.

It has been fixed in the acme4j source already.

As a workaround, you can download the new certificate from here pebble/test/certs/pebble.minica.pem at main · letsencrypt/pebble · GitHub , and store it as resource (e.g. src/main/resource, src/test/resource) or META-INF in your project.

system · February 14, 2026, 11:16am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SSL cannot get local issuer certificate when querying Pebble server Help	6	126	January 25, 2025
Pebble ACME server fails at the attempt to validate http01 challenges Client dev	26	1297	November 22, 2023
Strange problem with Pebble Client dev	4	665	August 16, 2023
Pebble acme-tls/1 failed to connect on challenge, Jetty shows connections Help	13	1001	January 23, 2023
How to use Certbot with Pebble? Help	5	3682	May 4, 2018

Pebble error : urn:ietf:params:acme:error:serverInternal :: no serial provided

Related topics