Problem updating cert with acme.sh

I've run into a problem updating my cert for a single domain site. Previously, I've been able to renew without many issues at all, but I have not run into this error before and I'm not sure how to fix it. Any help is appreciated.

My domain is
pods.jetexpedited.com

I ran this command:
sudo acme.sh --upgrade

It produced this output:
Already uptodate!
Upgrade success!

Then this command
sudo acme.sh --issue --dns --force -d pods.jetexpedited.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

It produced this output:
Using CA: https://acme.zerossl.com/v2/DV90
Single domain='pods.jetexpedited.com'
Getting domain auth token for each domain
Getting webroot for domain='pods.jetexpedited.com'
Add the following TXT record:
Domain: '_acme-challenge.pods.jetexpedited.com'
TXT value: 'hIGR2_F8YBX_oaByDniXjbPRDfguDwGxoziSv-a7hKY'
Please be aware that you prepend _acme-challenge. before your domain
so the resulting subdomain will be: _acme-challenge.pods.jetexpedited.com
Please add the TXT records to the domains, and re-run with --renew.
Please check log file for more details: /var/log/acme_sh/acme.log

Then this command
acme.sh --renew --dns --force -d pods.jetexpedited.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

It produced this output:
Renew: 'pods.jetexpedited.com'
Using CA: https://acme.zerossl.com/v2/DV90
Single domain='pods.jetexpedited.com'
Getting domain auth token for each domain
Verifying: pods.jetexpedited.com
Success
Verify finished, start to sign.
Lets finalize the order.
Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/sdKFIS_2anmjhjIPyKkaWQ/finalize'
Order status is processing, lets sleep and retry.
Retry after: 15
Polling order status: https://acme-v02.api.letsencrypt.org/acme/order/53980856/370911736
Sign error, wrong status
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "KeyID header contained an invalid account URL: "https://acme.zerossl.com/v2/DV90/account/yzxnIR_Z0sKNC4faKIGp_Q"",
"status": 400
}
Please check log file for more details: /var/log/acme_sh/acme.log
The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

My web server is:
Server version: Apache/2.4.6 (CentOS)

The operating system is:
Linux 3.10.0-1160.15.2.el7.x86_64 #1 SMP 1 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider:
N/A

I can login to a root shell on my machine:
Yes

I do not use a control panel to manage my site.

The version of my client is
GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol v3.0.0

1 Like

You aren't using Let's Encrypt; you're using ZeroSSL. In that case, I suggest you ask their support, or raise an issue with acme.sh.

2 Likes

Wait, it looks like this is attempting to use a Let's Encrypt ACME account to request issuance with ZeroSSL? Or a ZeroSSL ACME account to request issuance with Let's Encrypt?

That sounds like an acme.sh bug, if it would use this combination without being asked to (@Neilpang?).

3 Likes

I just found I could see all my cert request history at crt.sh | pods.jetexpedited.com just after I posted my problem and realized acme.sh is not making the request to Let's Encrypt, but ZeroSSL. The only thing that has changed in the process I've been using is that I updated acme.sh yesterday.

2 Likes

acme.sh is supposed to be changing to ZeroSSL by default, but I didn't think it was until August 1 and it was claimed to not impact existing certificates.

2 Likes

Knowing that it's going to zerossl instead, I looked for that and found there was a new subdirectory that was created on 07/20 ---> /root/.acme.sh/ca/acme.zerossl.com.

I changed the name of that directory to 1acme.zerossl.com and reran this command:

acme.sh --issue --dns --force -d pods.jetexpedited.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

This is the result:
Using CA: https://acme.zerossl.com/v2/DV90
Create account key ok.
No EAB credentials found for ZeroSSL, let's get one
Registering account: https://acme.zerossl.com/v2/DV90
Registered
ACCOUNT_THUMBPRINT='5YQNeHZyYhH6FzAnbqTInS2Ke06BiJhPHf8t0gyAl7Q'
Single domain='pods.jetexpedited.com'
Getting domain auth token for each domain
Getting webroot for domain='pods.jetexpedited.com'
Add the following TXT record:
Domain: '_acme-challenge.pods.jetexpedited.com'
TXT value: 'P7uHCs75jR5DtM5BGO9Ry-ZoF6bvYfsLRLUl3dj_Yzg'
Please be aware that you prepend _acme-challenge. before your domain
so the resulting subdomain will be: _acme-challenge.pods.jetexpedited.com
Please add the TXT records to the domains, and re-run with --renew.
Please check log file for more details: /var/log/acme_sh/acme.log

The result is that a new /root/.acme.sh/ca/acme.zerossl.com directory was created. In /root/.acme.sh, acme.sh is showing this for size/date:
-rwxr-xr-x. 1 root root 205954 Jun 29 00:22 acme.sh

For anyone else needing help with this, use this command which was successful:

acme.sh --renew --server letsencrypt --dns --force -d pods.jetexpedited.com --yes-I-know-dns-manual-mode-enough-go-ahead-please

So not a bug, but a "feature"!!

1 Like

Thanks for @-ing me.

I'm preparing the 3.0 release on the master branch, so it shows the new default CA feature. It will be released on 1st Aug, which is 10 days later.

@jeffm

As you are using "--issue", not "--renew", it uses the default CA (the new one), not the current CA of the cert, to request a cert.

Please use --renew, or just run --set-default-ca --server letsencrypt.

Thanks.
-Neil

4 Likes

Sorry for the confusion. The new features are being prepared on the master branch, which is to be released on 1st Aug.

For anyone who is confused here, please run --set-default-ca --server letsencrypt.
That will solve any such problems.

2 Likes

Polling order status: https://acme-v02.api.letsencrypt.org/acme/order/53980856/370911736

Yes, it seems like a bug, I will fix it tonight. We have found and fixed a number of such kinds of bugs recently. Thanks to all those guys.

2 Likes
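The tell-tale sign in the thread is that one acme.sh run talks to two different ACME hosts (a ZeroSSL account and finalize URL, but a Let's Encrypt order URL being polled). The following is an added example, not part of the thread or of acme.sh itself: a small POSIX sh check that reads acme.sh output on stdin, pulls out every ACME URL, and reports whether they all belong to the same CA host. The sample output it is run against in the usage call is constructed to mirror the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from acme.sh): detect a run of acme.sh
# that mixes URLs from two ACME CAs, e.g. a ZeroSSL account with a Let's Encrypt
# order, which is the situation that produced the "invalid account URL" error.

# Print the hostname part of a URL (scheme stripped, path dropped).
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-z]*://||' -e 's|/.*$||'
}

# Read acme.sh output on stdin. Prints "ok" and returns 0 when every https URL
# in it shares one host; otherwise prints "mismatch: host1 host2 ..." and
# returns 1. LC_ALL=C keeps the host ordering deterministic.
check_ca_consistency() {
    hosts=$(grep -o "https://[^ '\"]*" \
        | while read -r u; do url_host "$u"; done \
        | LC_ALL=C sort -u)
    count=$(printf '%s\n' "$hosts" | grep -c . || true)
    if [ "$count" -le 1 ]; then
        echo ok
        return 0
    fi
    echo "mismatch: $(printf '%s' "$hosts" | tr '\n' ' ')"
    return 1
}

# Constructed sample modelled on the thread's --renew output (not real log data).
sample_mixed() {
    printf '%s\n' \
        "Using CA: https://acme.zerossl.com/v2/DV90" \
        "Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/EXAMPLE/finalize'" \
        "Polling order status: https://acme-v02.api.letsencrypt.org/acme/order/1/2"
}

# Constructed sample of a consistent run against a single CA.
sample_single() {
    printf '%s\n' \
        "Using CA: https://acme-v02.api.letsencrypt.org/directory" \
        "Polling order status: https://acme-v02.api.letsencrypt.org/acme/order/1/2"
}

# Usage: sample_mixed | check_ca_consistency
```

Pipe a saved acme.sh transcript (or /var/log/acme_sh/acme.log) into check_ca_consistency to see at a glance whether a failed run crossed CAs; if it did, --set-default-ca --server letsencrypt or --renew as Neil describes is the fix rather than anything on the DNS side.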
