Win-acme (WACS) error "status BadRequest" beginning 2024-05-16

Hello

I have been working with Let's Encrypt for more than 3 years without any problems, but today I am facing this error on all renewals. I am using the latest win-acme.

[HTTP] Request completed with status BadRequest

Error getting renewal information from server
ACMESharp.Protocol.AcmeProtocolException: While parsing ARI CertID an error occurred :: Invalid path
at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync(String relativeUri, HttpMethod method, String message, HttpStatusCode expectedStatuses, String opName)
at ACMESharp.Protocol.AcmeProtocolClient.SendAcmeAsync[TResponse](String uri, JsonTypeInfo1 responseType, String message, HttpMethod method, HttpStatusCode[] expectedStatuses, String opName)
at ACMESharp.Protocol.AcmeProtocolClient.GetRenewalInfo(Byte[] certificateId)
at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.<>c__DisplayClass1_01.<b__0>d.MoveNext()
--- End of stack trace from previous location ---
at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Backoff[T](AcmeProtocolClient client, Func1 executor, ILogService log, Int32 attempt)
at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Backoff[T](AcmeProtocolClient client, Func1 executor, ILogService log, Int32 attempt)
at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Retry[T](AcmeProtocolClient client, Func1 executor, ILogService log, Int32 attempt)
at PKISharp.WACS.Clients.Acme.AcmeClientExtensions.Retry[T](AcmeProtocolClient client, Func1 executor, ILogService log, Int32 attempt)
at PKISharp.WACS.Clients.Acme.AcmeClient.GetRenewalInfo(ICertificateInfo certificate)
at PKISharp.WACS.OrderProcessor.PrepareOrders(List1 orderContexts, List1 orderInfos)

Please help

They deployed an update yesterday to no longer accept the older ARI draft 01. It sounds like win-acme needs to be updated. (Though ideally it should have dealt more gracefully with not being able to get the ARI info; a client should be able to make its own decision on whether it's close enough to renewal if it has a failure getting the data.)

Are your certificates actually near expiration, or is this just a message in the logs that it can't tell on its own which certificates are near expiration?

3 Likes
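The fallback suggested in the reply above, as an added example that is not win-acme's code and not part of the original posts: it builds the CertID in the form used by the later ARI drafts and RFC 9773, and shows a renewal decision that falls back to the certificate's own lifetime when the ARI request fails. The names `AriError`, `should_renew`, `fetch_window` and the two-thirds-of-lifetime threshold are assumptions made for illustration.

```python
import base64
from datetime import datetime, timezone


class AriError(Exception):
    """Raised by the (hypothetical) ARI fetcher when the server call fails."""


def b64url(data: bytes) -> str:
    # ACME uses base64url with the trailing '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    # Later ARI drafts / RFC 9773: b64url(AKI keyIdentifier) "." b64url(serial).
    # The serial is encoded as DER INTEGER content bytes, so a value whose top
    # bit is set keeps its leading 0x00 byte.
    serial_der = serial.to_bytes(serial.bit_length() // 8 + 1, "big")
    return b64url(aki_key_identifier) + "." + b64url(serial_der)


def should_renew(not_before, not_after, now, fetch_window=None, fraction=2 / 3):
    """Return (renew, source). fetch_window() yields the ARI suggestedWindow
    as (start, end) or raises AriError; it is a stand-in for the HTTP call."""
    if fetch_window is not None:
        try:
            start, _end = fetch_window()
            # Simplification: renew once the suggested window has opened.
            return now >= start, "ari"
        except AriError:
            pass  # Server schedule unavailable: decide locally instead of failing.
    # Assumed local policy: renew after `fraction` of the lifetime has elapsed.
    due = not_before + (not_after - not_before) * fraction
    return now >= due, "local"


def broken_ari():
    # Constructed failure mirroring the error text quoted in this thread.
    raise AriError("400: While parsing ARI CertID an error occurred :: Invalid path")


if __name__ == "__main__":
    utc = timezone.utc
    nb, na = datetime(2024, 3, 1, tzinfo=utc), datetime(2024, 5, 30, tzinfo=utc)
    # Sample AKI and serial values, not taken from a real certificate in this thread.
    print(ari_cert_id(bytes.fromhex("69885b6b87464041e1b37b847ba0ae2cde01c8d4"), 0x87654321))
    print(should_renew(nb, na, datetime(2024, 5, 16, tzinfo=utc), broken_ari))
```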

Paging @WouterTinus:

It looks like win-acme is still implementing draft-ietf-acme-ari-01, which they said was going away, and Let's Encrypt's server actually failing on the old requests was released to production yesterday (as far as I can tell, I haven't seen an actual announcement about that).

(I'm going to update the title of this thread to try to direct people here, since I'm guessing other people may run into the same problem.)

3 Likes

OK, thanks for the info.

2 Likes

Just reading through their changelog from when win-acme added ARI, it says that checking "can be disabled using the RenewalDisableServerSchedule setting". Looks like that's in a settings.json file. Might be a workaround for the meantime. (I haven't used win-acme myself, but I have experience poking around documentation. :smirk:)

5 Likes

I can confirm the Boulder deploy went out yesterday, and it had the ARI change.

4 Likes

Thanks for the confirmation. I was pretty sure from looking through the unofficial version tracker and Boulder's GitHub that it went out around noon-ish US Eastern Time yesterday, but it seemed a bit odd to me that the official announcement just said "early April" and never specifically said when clients that hadn't updated would start breaking.

4 Likes

We are tracking this in AcmeProtocolException: While parsing ARI CertID an error occurred · Issue #2582 · win-acme/win-acme · GitHub. The errors look scary but otherwise should affect anything.

3 Likes
