The server experienced an internal error :: Error finalizing order

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
pl.id.au

I ran this command:

sudo certbot certonly \
    --agree-tos \
    --manual \
    --preferred-challenges=dns \
    --hsts \
    --email "certificates@pl.id.au" \
    --agree-tos \
    --must-staple \
    --hsts \
    --uir \
    --redirect \
    --preferred-challenges=dns \
    --debug-challenges \
    --force-renewal \
    -d "pl.id.au,*.pl.id.au"

It produced this output:

2025-05-08 00:49:09,753:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/finalize/14159839/381892147697 HTTP/1.1" 500 112
2025-05-08 00:49:09,754:DEBUG:acme.client:Received response:
HTTP 500
Server: nginx
Date: Thu, 08 May 2025 00:49:09 GMT
Content-Type: application/problem+json
Content-Length: 112
Connection: keep-alive
Boulder-Requester: 14159839
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: FIfrddYQhFe330v2L05YR7w7gXUWEL3qUq0RuL_S2eb3P-A5xGY
Retry-After: 60

{ 
  "type": "urn:ietf:params:acme:error:serverInternal",
  "detail": "Error finalizing order",
  "status": 500
}
2025-05-08 00:49:09,755:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.12.0', 'console_scripts', 'certbot')())
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1413, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1293, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 123, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/_internal/renewal.py", line 345, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 390, in obtain_certificate
    cert, chain = self.obtain_certificate_from_csr(csr, orderr)
  File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 291, in obtain_certificate_from_csr
    orderr = self.acme.finalize_order(orderr, deadline,
  File "/usr/lib/python3/dist-packages/acme/client.py", line 925, in finalize_order
    return self.client.finalize_order(orderr, deadline, fetch_alternative_chains)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 752, in finalize_order
    self._post(orderr.body.finalize, wrapped_csr)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 97, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1201, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1214, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/lib/python3/dist-packages/acme/client.py", line 1072, in _check_response
    raise messages.Error.from_json(jobj)
acme.messages.Error: urn:ietf:params:acme:error:serverInternal :: The server experienced an internal error :: Error finalizing order
2025-05-08 00:49:09,756:ERROR:certbot._internal.log:An unexpected error occurred:
2025-05-08 00:49:09,756:ERROR:certbot._internal.log:The server experienced an internal error :: Error finalizing order

My web server is (include version):
nginx 1.18
The operating system my web server runs on is (include version):
debian 8
My hosting provider, if applicable, is:
linode
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
lish
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

1 Like

Hi, @relwalretep,

There's your problem: must-staple is no longer supported. Please see: Removing OCSP URLs from Certificates

5 Likes
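A check that follows from the answer above, as an added example that is not part of the original thread and not certbot's own code. It assumes certbot's usual renewal files, where each certificate's saved options sit under [renewalparams], so a lineage first issued with --must-staple keeps requesting it on later renewals. The two sample lineages are constructed and the function names are hypothetical.

```python
import tempfile
from pathlib import Path

# Constructed renewal files for two hypothetical lineages (not from the thread).
STAPLED = """version = 1.12.0
[renewalparams]
authenticator = manual
must_staple = True
"""
PLAIN = """version = 1.12.0
[renewalparams]
authenticator = manual
# must_staple = True
"""


def renewal_params(text):
    # Hand parser: top-level keys precede the first section header,
    # which configparser rejects.
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out option
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "renewalparams" and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def lineages_requesting_must_staple(renewal_dir):
    # Lineage names whose saved parameters still request Must-Staple.
    hits = []
    for conf in sorted(Path(renewal_dir).glob("*.conf")):
        params = renewal_params(conf.read_text(encoding="utf-8"))
        if params.get("must_staple", "").lower() == "true":
            hits.append(conf.stem)
    return hits


def demo():
    # Write the constructed samples to a temp dir and scan it.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "stapled.example.conf").write_text(STAPLED, encoding="utf-8")
        Path(d, "plain.example.conf").write_text(PLAIN, encoding="utf-8")
        return lineages_requesting_must_staple(d)
```

On a real host the directory to pass is normally /etc/letsencrypt/renewal, read as root.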

Huzzah! Thanks mate. I'm guessing someone will eventually get around to providing a more meaningful error message, or perhaps I'm just in the wrong timezone to get it yet (don't laugh, I've seen that kind of thing before where an error message couldn't be provided because I was one day ahead of when the error message was meant to be used from.... )

4 Likes

You're very welcome! Yes, I've just flagged this internally; we'll look into whether this lack of a useful error message was just a temporary edge case, or needs a fix.

6 Likes

It just occurred to me, that yes I had used certbot around 09:50 this morning without error, and it started throwing this after 10:00, and I'm GMT+10. Nice get mate 🙂

2 Likes