Server 500 but certificate still issued


#1

Hi,

I’m having trouble trying to get a new certificate using letsencrypt-nosudo. When it hits the “Requesting signature” step, it errors out with {"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}. It does correctly issue and verify challenges for all of my domains. Any ideas? Any additional info I can post?


#2

I just discovered that for whatever reason despite getting an error my certificate was actually generated and uploaded to certificate transparency. Good enough for now :stuck_out_tongue:


#3

@rqou, did you just download the certificate from Certificate Transparency (or crt.sh) and manually install it on your server?

Would you mind telling us (you can tell me by private message if you’d like) what domain this was and approximately when the certificate was issued? It would be good for us to try to dig into what went wrong, because it seems like a pretty significant bug to have a serverInternal error combined with successful issuance of the cert!

Cc @jsha, @riking.


#4

I had that same exact problem yesterday - it generated a cert and uploaded it (https://crt.sh/?id=13503443). Since I did not understand what was happening, I tried a few times. Now it is telling me: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: aptilon.com, aptilonlive.com, drcmeeting.com

Now, I tried to download the cert and apply it (replacing cert2.pem with this one) and Apache would not start.


#5

FWIW, this can sometimes happen when our write to the database times out. We have fallback logging on the host that generated the signature to ensure we don’t drop the certificate on the floor. And often in these timeout cases, the database did receive the write.

So, yes, we want to find and fix errors like this, but we also have safeties in place.


#6

Yes, I downloaded the certificate from crt.sh and installed it manually. PM to @schoen sent with the list of domains.
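Posts #4 and #6 both install a certificate pulled from crt.sh by hand, and in one case the web server then refused to start. A certificate that does not belong to the server's private key (for example, one issued for a CSR from an earlier attempt with a fresh key) is a common reason for exactly that failure. The following POSIX shell snippet is an added example, not code from this thread or from Let's Encrypt: it uses the openssl CLI to confirm that a downloaded certificate matches the private key on disk and lists the DNS names it covers, so the check can be run before the file replaces anything in the Apache configuration. The file names and the self-signed certificate built by the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a certificate retrieved from CT (crt.sh) against the
# server's private key before installing it. Assumes the openssl CLI is present.

# SHA-256 digest of the certificate's SubjectPublicKeyInfo (DER form).
cert_spki_digest() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Same digest, derived from the private key (PKCS#8 or traditional PEM).
key_spki_digest() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the certificate's public key matches the private key,
# 1 when it does not, 2 when either file could not be parsed.
cert_matches_key() {
    c=$(cert_spki_digest "$1") || return 2
    k=$(key_spki_digest "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Print the DNS names from subjectAltName, one per line, so the operator can
# confirm the downloaded certificate covers every name in the failed request.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Self-contained demonstration: builds a throwaway key and self-signed
# certificate (constructed test data), then runs the checks. Returns 0 on
# success so the result can be asserted on rather than only printed.
demo_selfcheck() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" \
        -out "$d/cert.pem" -subj "/CN=example.test" -days 1 \
        -addext "subjectAltName=DNS:example.test,DNS:www.example.test" \
        >/dev/null 2>&1 || { rm -rf "$d"; return 2; }
    openssl genpkey -algorithm RSA -out "$d/other-key.pem" >/dev/null 2>&1 \
        || { rm -rf "$d"; return 2; }
    rc=0
    # The right key matches...
    cert_matches_key "$d/cert.pem" "$d/key.pem" || rc=1
    # ...a different key (the "stale CSR" situation) must not.
    if cert_matches_key "$d/cert.pem" "$d/other-key.pem"; then rc=1; fi
    # Both SAN entries are recovered.
    [ "$(cert_dns_names "$d/cert.pem" | wc -l)" -eq 2 ] || rc=1
    rm -rf "$d"
    return $rc
}

# Usage on a real server (paths are placeholders):
#   cert_matches_key /path/to/downloaded-cert.pem /etc/ssl/private/server.key \
#       && cert_dns_names /path/to/downloaded-cert.pem
if [ "${1:-}" = "--demo" ]; then demo_selfcheck && echo "self-check passed"; fi
```

The comparison is done on the SubjectPublicKeyInfo digest rather than on the modulus alone, so the same three functions work for RSA and ECDSA keys. Note that crt.sh serves the leaf certificate only; the intermediate chain still has to come from the CA.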


#7

FWIW, I had the same problem yesterday (2016-03-03) and ran into the rate limit. Didn’t even think about looking on crt.sh, to my slight embarrassment I have to admit I didn’t even know about it. Downloaded it, works like a charm. Thanks @rqou, you saved my day!


#8

I had the same problem today. It reported an internal server error, but the certificate is on crt.sh (in fact two are, since I ran it again after making some changes in a vain attempt to avoid the error).
https://crt.sh/?id=13580981

The error looked like this:

2016-03-04 19:58:45,396:DEBUG:acme.client:Received response <Response [500]> (headers: {'Content-Length': '88', 'Expires': 'Fri, 04 Mar 2016 19:58:45 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Fri, 04 Mar 2016 19:58:45 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'iuT0HW6bJsgtxpAWNWFHZFW19hhjUAo4BMaBPlkeLGY'}): '{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}'
2016-03-04 19:58:45,397:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "~/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 1993, in main
    return config.func(config, plugins)
  File "~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 707, in obtain_cert
    _, action = _auth_from_domains(le_client, config, domains, lineage)
  File "~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py", line 475, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 269, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 252, in obtain_certificate
    return self.obtain_certificate_from_csr(domains, csr) + (key, csr)
  File "~/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 229, in obtain_certificate_from_csr
    authzr)
  File "~/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 319, in request_issuance
    headers={'Accept': content_type})
  File "~/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 652, in post
    return self._check_response(response, content_type=content_type)
  File "~/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py", line 568, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Error creating new cert


#9

Same here several times. Certs are on crt.sh, but not installed to my server. Are these issues temporary?


#10

Yes, these issues should be temporary and we’re working on fixing them. Could you share the names you attempted to issue for, and what time?


#11

@jsha, @riking filed a bug to track this and has a link to a copy of the original reporter’s experience (maybe @jahir and @levinus can also share their details).


#12

After the error I tried it several times and with different domain names. This should be a listing of all tries, because forum.levinus.de was new in my first try and still there in all other tries.
Also I have here my error log, beginning at the challenges. (In the logs the time is 22:13 because I am / my server is in UTC+01:00…)


#13

Same issue here since today:

2016-03-05 10:20:44,846:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-03-05 10:20:51,862:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-cert HTTP/1.1" 500 88
2016-03-05 10:20:51,866:DEBUG:root:Received <Response [500]>. Headers: {'Content-Length': '88', 'Expires': 'Sat, 05 Mar 2016 10:20:51 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sat, 05 Mar 2016 10:20:51 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'ySctzTxCDw2NQSqHgjyIHSp339D-xRTsmeCcwk2Ne7o'}. Content: '{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}'
2016-03-05 10:20:51,867:DEBUG:acme.client:Storing nonce: "\xc9'-\xcd<B\x0f\r\x8dA*\x87\x82<\x88\x1d*w\xdf\xd0\xfe\xc5\x14\xec\x99\xe0\x9c\xc2M\x8d{\xba"
2016-03-05 10:20:51,867:DEBUG:acme.client:Received response <Response [500]> (headers: {'Content-Length': '88', 'Expires': 'Sat, 05 Mar 2016 10:20:51 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sat, 05 Mar 2016 10:20:51 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'ySctzTxCDw2NQSqHgjyIHSp339D-xRTsmeCcwk2Ne7o'}): '{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}'


#14

I’m getting the same error and now hitting the rate limit. These rate limits are quite impractical when such errors occur.


#15

Tried again a few minutes ago. Same error, and the 2nd try was over the limit… You can see this even at the link in my last post.


#16

same error
certificate:
https://crt.sh/?id=13613728


#17

Looks like all of us may be trying to get certificates with a lot of alternative names.


#18

Correct, I have 28 domain names… but the last time I’ve renewed the certificate was Feb 26th with 29 names without a problem (as many times before). Just since a few days I get the 500 server error.


#19

Same here, I have successfully generated a cert with 84 SANs a month ago. Now I am trying to generate a cert with 83 SANs and am unable to do it:

An unexpected error occurred:
The server experienced an internal error :: Error creating new cert
Please see the logfiles in /var/log/letsencrypt for more details.

#21

Hi folks, thank you all for reporting this!

We may be able to get a more detailed update later, but I talked to some of my colleagues who are working on the server side and they said they’ve been able to understand what’s causing this and are now preparing changes that should clear it up.