Unable to get new certs, "error creating new cert" 500 error

Mine eventually worked.

I should have started a new thread. Though I still can.

Thanks for the reports! We are aware of degraded issuance, and have opened an incident on letsencrypt.status.io while we investigate. Sorry for not doing so sooner.

2 Likes

Hi, I'd like to report another instance of the same problem.

We get the same error message:

{
  "type": "urn:acme:error:serverInternal",
  "detail": "Error creating new cert",
  "status": 500
}

from the service

POST https://acme-v01.api.letsencrypt.org/acme/new-cert

We have been using Let's Encrypt to provision certs for domains for a while without such problems. The problems started appearing when we tried to issue certs for some new domains:

  training5.evidentiae.ca
  training6.evidentiae.ca
  training7.evidentiae.ca
  training8.evidentiae.ca
  training9.evidentiae.ca

  api-training5.evidentiae.ca
  api-training6.evidentiae.ca
  api-training7.evidentiae.ca
  api-training8.evidentiae.ca
  api-training9.evidentiae.ca

  upload-training5.evidentiae.ca
  upload-training6.evidentiae.ca
  upload-training7.evidentiae.ca
  upload-training8.evidentiae.ca
  upload-training9.evidentiae.ca

We're using simp_le, and it aborts on receiving the error from the server. I don't know on exactly which subset of the above domains the error occurs.

When we removed these domains from the list of domains that we provision using simp_le, the problem disappeared.

I can provide more detailed logs if you want.

Thanks,
David

@jsha, do you know if this is related to the previous problems?

We have noticed that the problem happens when adding another new set of domains (named something other than "training-"), and actually the problem might simply be triggered when simp_le notices that some domain has changed and starts provisioning certificates for our entire set of domains. So the problematic request could very well be trying to request a certificate for one of our pre-existing domains. What I'm really trying to say is we don't know which domain triggers the problem. But in any case we are still seeing this internal error from the Let's Encrypt server today.

@jsha there are also reports of continued 500s in another thread, which might be related.

From @mnordhoff in production:

and with staging from @larryboymi:

EDIT: I missed that the second reproducer hadn't tried again since last weekend so this one may not be useful (unless it's a totally different issue).

We've discovered that the error we see happens when we pass the limit of 100 names per certificate. Sorry for the noise.

1 Like
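
The 100-names-per-certificate limit reported above, as a local pre-flight check run before any new-cert request is sent (an added example, not part of the thread and not simp_le or Boulder code). The function names, the example.com/example.org sample data, case-insensitive de-duplication and the parent-zone grouping are assumptions made for illustration.

```python
MAX_NAMES_PER_CERT = 100  # limit reported in the thread

class TooManyNames(ValueError):
    """Raised locally so the operator sees the real cause, not a generic 500."""

def normalize(names):
    """Lower-case, strip whitespace and a trailing dot, drop blanks and duplicates."""
    seen, out = set(), []
    for raw in names:
        name = raw.strip().rstrip(".").lower()
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out

def check_request(names, limit=MAX_NAMES_PER_CERT):
    """Return the normalized name list, or raise TooManyNames with the count."""
    unique = normalize(names)
    if len(unique) > limit:
        raise TooManyNames(f"{len(unique)} names requested, limit is {limit} per certificate")
    return unique

def split_into_certs(names, limit=MAX_NAMES_PER_CERT):
    """Pack names into certificates of at most `limit` names each.

    Names sharing a parent zone (everything after the first label; a
    simplification that ignores the public suffix list) stay in one
    certificate when the whole group fits.
    """
    groups = {}
    for name in normalize(names):
        groups.setdefault(name.split(".", 1)[-1], []).append(name)
    certs = []
    for group in sorted(groups.values(), key=len, reverse=True):
        for i in range(0, len(group), limit):
            chunk = group[i:i + limit]
            for cert in certs:  # first fit: reuse a certificate with room left
                if len(cert) + len(chunk) <= limit:
                    cert.extend(chunk)
                    break
            else:
                certs.append(list(chunk))
    return certs

def sample_names():
    """Constructed sample: 90 + 30 names in two zones, plus one duplicate."""
    names = [f"training{i}.example.com" for i in range(90)]
    names += [f"api{i}.example.org" for i in range(30)]
    names.append("Training0.Example.COM.")  # duplicate once normalized
    return names
```

Calling `check_request()` on the full configured list before the client runs turns the opaque server-side 500 into a local error that states the name count.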

Precisely what error message do you get? If it's "error creating new cert", it's still a bug that Boulder isn't saying something more specific.

Yes, the fact that we got a 500 Internal Error is what made us confused in the first place. The response body was:

{
  "type": "urn:acme:error:serverInternal",
  "detail": "Error creating new cert",
  "status": 500
}

David

Closing the loop, here's the corresponding Boulder issue: https://github.com/letsencrypt/boulder/issues/3632. Thanks for all who helped out in this thread!

2 Likes
