Problem with renew certificates - The request message was malformed :: Method not allowed

lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

I installed following DO article here: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

1 Like

Thanks @rahnas.

Ubuntu Xenial should not have this issue, assuming you installed Certbot from the PPA, following the instructions on https://certbot.eff.org/lets-encrypt/ubuntuxenial-other . (The DigitalOcean tutorial seems to largely match).

Could you please post the versions of your installed Certbot packages? In particular python3-acme.

dpkg-query -l | grep certbot

If it is not at 0.31.0-2, perhaps try to forcefully upgrade it:

apt update && apt install --only-upgrade python3-acme
6 Likes

Yes, looks like I have it 0.31.0-1+ubuntu16.04.1+certbot+1

Os version :

No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.2 LTS
Release:	18.04
Codename:	bionic

Package installed

ii  certbot                           0.31.0-1+ubuntu18.04.1+certbot+1   all          automatically configure HTTPS using Let's Encrypt
ii  python-certbot-apache             0.31.0-1+ubuntu18.04.1+certbot+1   all          transitional dummy package
ii  python3-acme                      0.31.0-1+ubuntu18.04.1+certbot+1   all          ACME protocol library for Python 3
ii  python3-augeas                    0.5.0-1+ubuntu18.04.1+certbot+1    all          Python3 bindings for Augeas
ii  python3-certbot                   0.31.0-1+ubuntu18.04.1+certbot+1   all          main library for certbot
ii  python3-certbot-apache            0.31.0-1+ubuntu18.04.1+certbot+1   all          Apache plugin for Certbot
ii  python3-future                    0.15.2-4+ubuntu18.04.1+certbot+3   all          Clean single-source support for Python 3 and 2 - Python 3.x
ii  python3-josepy                    1.1.0-2+ubuntu18.04.1+certbot+1    all          JOSE implementation for Python 3.x
ii  python3-parsedatetime             2.4-3+ubuntu18.04.1+certbot+3      all          Python 3 module to parse human-readable date/time expressions
ii  python3-requests-toolbelt         0.8.0-1+ubuntu18.04.1+certbot+1    all          Utility belt for advanced users of python3-requests
ii  python3-zope.component            4.3.0-1+ubuntu18.04.1+certbot+3    all          Zope Component Architecture
ii  python3-zope.hookable             4.0.4-4+ubuntu18.04.1+certbot+1    amd64        Hookable object support

Thanks to @rahnas we identified a second issue, where Certbot sending the wrong Content-Type when it downloads the certificate during a --dry-run. This was fixed in Certbot v0.32.0.

In Ubuntu, make sure you upgrade Certbot to 0.31.0-2 from the PPA, which has the fix backported.

This should not affect any live renewals or real certificates. It only affects --dry-run.

(@cpu did EnforceV2ContentType get enabled today as well?)

3 Likes

I’ve had a site running on a digitalocean droplet with LEssl setup for a while. I’m trying to change domain names for the site, and have created a second certificate for the new domain name.

I’ve got two folders in /etc/letsencrypt/live now, one for each domain.

I’ve got two nginx server blocks, one for each domain, and i’ve got /var/www/domain1/html and /var/www/domain2/html

Creating a cert for the second domain was no problem, but when I run the dry run, I get the error mentioned above on this page:

Attempting to renew cert (domain1.com) from /etc/letsencrypt/renewal/domain1.com.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.

Attempting to renew cert (domain2.com) from /etc/letsencrypt/renewal/domain2.com.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/domain1.com/fullchain.pem (failure)
/etc/letsencrypt/live/domain2.com/fullchain.pem (failure)

Any advice on how to solve this would be great. I’m only planning on redirecting all pages from domain1 to domain2, so that might be important info too.

Also the system is ubuntu 16.04 running nginx.

I’m running certbot 0.25.0… any other info, just ask. Thank you!

  • EDIT: Does the answer above this one apply to my situation as well, or is this uniquely because I have two certs?
1 Like

Thanks for digging into the root causes here @_az.

Nope, that one has been enabled in prod since the beginning of April 2018. It was the change we announced in this API announcements post: JWS POST Content-Type Header Enforcement

I suspect the breakage was hidden by the fact that Certbot was using GET requests for the certificate fetch until POST-as-GET became mandatory.

4 Likes

Hi there,
I got the same error using a quite old version of cert-manager (0.4.1 - Aug 2018) in a Kubernetes cluster to generate certificates using issuer “letsencrypt-staging”.
Status:
Acme:
Order:
URL: https://acme-staging-v02.api.letsencrypt.org/acme/order/7402274/64583012
Conditions:
Last Transition Time: 2019-12-05T10:24:48Z
Message: Failed to determine authorizations to obtain: acme: urn:ietf:params:acme:error:malformed: Method not allowed
Reason: ValidateError
Status: False
Type: Ready

If it is linked to thoses changes, that means this cert-manager version is now deprecated for staging uses?
I’ll test with the prod issuer.
But it could mean we’ll have at least to updates all K8s clusters using staging with new cert-manager and adapt all deployments configs to use this new version :thinking:

Yes. You’ll need to upgrade. Also note that without an update this version will also not function correctly with the production API after Nov 1st, 2020.

For what it’s worth we frequently block outdated versions of cert-manager. Older versions have bugs that can result in extraordinary amounts of API traffic being sent to Let’s Encrypt. See: Blocking old cert-manager versions

3 Likes

This problem affects you because your version of Certbot is too old. You’ll need to upgrade it. Having two certs isn’t a problem :slight_smile:

4 Likes

Same problem here. certbot renew --dry-run and also certbot certonly --webroot -w /bla/bla/webroot -d somedomain.com --dry-run gives following error:

Attempting to renew cert from/etc/letsencrypt/renewal/somedomain.com.conf produced an unexpected error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed. Skipping.

This happens for 11 sites on the server.
Centos 7, nginx and varnish on the server.
Certbot version: certbot 0.36.0
We need a solution ASAP as one certificate is expiring in 6 hours!!! @JuergenAuer any ideas?

From the logs:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 449, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1207, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 115, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 307, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 365, in obtain_certificate
    cert, chain = self.obtain_certificate_from_csr(csr, orderr)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 297, in obtain_certificate_from_csr
    orderr = self.acme.finalize_order(orderr, deadline)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 908, in finalize_order
    return self.client.finalize_order(orderr, deadline)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 743, in finalize_order
    content_type=DER_CONTENT_TYPE).text
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 791, in _post_as_get
    return self.net.get(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1152, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1054, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:ietf:params:acme:error:malformed :: The request message was malformed :: Method not allowed
2019-12-11 10:03:45,614:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.36.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1381, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1286, in renew

Having same issue as well. Unfortunately ubuntu PPA doesn’t include newer versions.

sudo certbot certonly --webroot --webroot-path=/var/www/html -d example.com --dry-run

Looks like we’re F!#$%^, boys.

1 Like

The fix for this issue is in the Ubuntu PPA.

Make sure you have upgraded python-acme to 0.31.0-2 from the PPA.

3 Likes

I solved the isssue updated the package python-acme on centos7
Thanks a lot!

3 Likes

Is python-acme package is not installed by default? Cuz I don’t have it now. Should I be installing this package manually?

I followed the official docs to install certbot.

Check python3-acme instead.

The python-acme package can still be installed if you want to use it, but the current Certbot packages use Python 3, so they depend on the equivalent python3-acme package instead.

3 Likes

Thanks alot _az ! - by upgrading to 0.31.0-2 like this:
sudo apt update && apt install --only-upgrade python3-acme

It worked! jihaa :grinning:

6 Likes

A post was split to a new topic: Certbot not making challenge request

ouch. I have overrun rate limits and am fighting with getting the correct configurations for a complex docker build. And now I find out that this error occurs when I use staging. So I can not use staging?

I guess I will run into rate limiting soon again :frowning:

Probleme resolved by reinstall certbot :

~$ sudo apt-get install certbot python-certbot-apache

Now Im in :

    ~$ certbot --version
    certbot 0.31.0

the renw work correctly

2 Likes