Windows Client Could Not Finalize Order

I am trying to renew my Exchange certificate, and I am getting a "Could not finalize an order" error. Same as the last time I created certificates, but no joy. If I look at the finalize link it shows:

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Method not allowed",
"status": 405
}

My domain is: kitsaptransit.com

I ran this command:
le64.exe --key AccountKey.key -csr "20221207 renewal request.csr" -crt domain-crt.crt --handle-as dns --generate-missing --live --debug

It produced this output:

2022/12/07 11:30:40 [ Crypt::LE client v0.38 started. ]
2022/12/07 11:30:40 Loading an account key from AccountKey.key
2022/12/07 11:30:40 Account key loaded.
2022/12/07 11:30:40 Loading a CSR from 20221207 renewal request.csr
2022/12/07 11:30:40 Loaded domain names from CSR: kitsaptransit.com, autodiscover.kitsaptransit.com, owa.kitsaptransit.com, webmail.kitsaptransit.com
2022/12/07 11:30:40 CSR loaded.
2022/12/07 11:30:40 Connecting to https://acme-v02.api.letsencrypt.org/directory
2022/12/07 11:30:42 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-nonce
2022/12/07 11:30:42 Directory loaded successfully.
2022/12/07 11:30:42 Registering the account key
2022/12/07 11:30:42 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-acct
2022/12/07 11:30:42 Key is already registered, reg path: https://acme-v02.api.letsencrypt.org/acme/acct/70096866.
2022/12/07 11:30:42 Connecting to https://acme-v02.api.letsencrypt.org/acme/acct/70096866
2022/12/07 11:30:42 Account ID: 70096866
2022/12/07 11:30:42 Registration success: TOS change status - 0, new registration flag - 0.
2022/12/07 11:30:42 The key is already registered. ID: 70096866
2022/12/07 11:30:42 TOS has NOT been changed, no need to accept again.
2022/12/07 11:30:42 Current contact details: dono@kitsaptransit.com
2022/12/07 11:30:42 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-order
2022/12/07 11:30:42 Connecting to https://acme-v02.api.letsencrypt.org/acme/finalize/70096866/151302973937
2022/12/07 11:30:42 Could not finalize an order.
2022/12/07 11:30:42 Requesting challenge.
2022/12/07 11:30:42 Connecting to https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188407
2022/12/07 11:30:42 Received challenges for autodiscover.kitsaptransit.com.
2022/12/07 11:30:42 Requesting challenge.
2022/12/07 11:30:42 Connecting to https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188417
2022/12/07 11:30:43 Received challenges for kitsaptransit.com.
2022/12/07 11:30:43 Requesting challenge.
2022/12/07 11:30:43 Connecting to https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188427
2022/12/07 11:30:43 Received challenges for owa.kitsaptransit.com.
2022/12/07 11:30:43 Requesting challenge.
2022/12/07 11:30:43 Connecting to https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188437
2022/12/07 11:30:43 Received challenges for webmail.kitsaptransit.com.
2022/12/07 11:30:43 Requested challenges for 4 domain(s).
2022/12/07 11:30:43 Domain kitsaptransit.com has been already validated, skipping.
2022/12/07 11:30:43 Domain autodiscover.kitsaptransit.com has been already validated, skipping.
2022/12/07 11:30:43 Domain owa.kitsaptransit.com has been already validated, skipping.
2022/12/07 11:30:43 Domain webmail.kitsaptransit.com has been already validated, skipping.
2022/12/07 11:30:43 There are no domains for which challenges need to be accepted.
2022/12/07 11:30:43 Connecting to https://acme-v02.api.letsencrypt.org/directory
2022/12/07 11:30:43 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-nonce
2022/12/07 11:30:43 Directory loaded successfully.
2022/12/07 11:30:43 There are no active challenges to verify
2022/12/07 11:30:43 Requesting domain certificate.
2022/12/07 11:30:43 Connecting to https://acme-v02.api.letsencrypt.org/acme/finalize/70096866/151302973937
2022/12/07 11:30:43 Could not finalize an order.
2022/12/07 11:30:43 Could not finalize an order.

My web server is (include version): Exchange 2010

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): le64 v38

The order looks like it's ready for finalization. So I think it's one of these:

  1. Something is wrong with the CSR and the Let's Encrypt server is rejecting it, or
  2. Something is wrong with Let's Encrypt's server.

You could maybe run the program with these extra flags (duplicated intentionally) and it might show the true error response from the server:

--debug --debug

Ran with the double debug, output below. Looks like it doesn't like the CSR. How can I fix this?

le64.exe --key AccountKey.key -csr "20221207 renewal request.csr" -crt domain-crt.crt --handle-as dns --generate-missing --live --debug --debug
2022/12/07 12:10:05 [ Crypt::LE client v0.38 started. ]
2022/12/07 12:10:05 Loading an account key from AccountKey.key
2022/12/07 12:10:05 Account key loaded.
2022/12/07 12:10:05 Loading a CSR from 20221207 renewal request.csr
2022/12/07 12:10:05 Loaded domain names from CSR: kitsaptransit.com, autodiscover.kitsaptransit.com, owa.kitsaptransit.com, webmail.kitsaptransit.com
2022/12/07 12:10:05 CSR loaded.
2022/12/07 12:10:05 Connecting to https://acme-v02.api.letsencrypt.org/directory
2022/12/07 12:10:07 $VAR1 = {
'reason' => 'OK',
'success' => 1,
'status' => '200',
'content' => '{
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
"yaGDRw5eP2M": "Adding random entries to the directory"
}',
'headers' => {
'connection' => 'keep-alive',
'date' => 'Wed, 07 Dec 2022 20:10:07 GMT',
'content-type' => 'application/json',
'content-length' => '659',
'strict-transport-security' => 'max-age=604800',
'x-frame-options' => 'DENY',
'cache-control' => 'public, max-age=0, no-cache',
'server' => 'nginx'
},
'protocol' => 'HTTP/1.1',
'url' => 'https://acme-v02.api.letsencrypt.org/directory'
};
2022/12/07 12:10:07 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-nonce
2022/12/07 12:10:07 $VAR1 = {
'x-frame-options' => 'DENY',
'strict-transport-security' => 'max-age=604800',
'server' => 'nginx',
'cache-control' => 'public, max-age=0, no-cache',
'replay-nonce' => 'F9771oxCVMmaaiFUJkE7a88-xi_2GLGFaVAbWjFvOcQ-SXY',
'date' => 'Wed, 07 Dec 2022 20:10:07 GMT',
'connection' => 'keep-alive',
'link' => 'https://acme-v02.api.letsencrypt.org/directory;rel="index"'
};
2022/12/07 12:10:07 Directory loaded successfully.
2022/12/07 12:10:07 Registering the account key
2022/12/07 12:10:07 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-acct
2022/12/07 12:10:07 $VAR1 = {
'url' => 'https://acme-v02.api.letsencrypt.org/acme/new-acct',
'protocol' => 'HTTP/1.1',
'headers' => {
'date' => 'Wed, 07 Dec 2022 20:10:07 GMT',
'connection' => 'keep-alive',
'boulder-requester' => '70096866',
'link' => 'https://acme-v02.api.letsencrypt.org/directory;rel="index"',
'content-type' => 'application/json',
'content-length' => '898',
'strict-transport-security' => 'max-age=604800',
'x-frame-options' => 'DENY',
'cache-control' => 'public, max-age=0, no-cache',
'server' => 'nginx',
'location' => 'https://acme-v02.api.letsencrypt.org/acme/acct/70096866',
'replay-nonce' => 'F977i36GMooWusjl74afSypLmPgVFJ1PpiJ0PMINDm-mBTE'
},
'content' => '{
"key": {
"kty": "RSA",
"n": "jHvzrOGnLuuNAtrlotScfmP7_3NorpFvvgWP0Adhu9xndlKfA5EbFfKLdKJFeSLWZLZ0VQJymg_L41Qa_-x841VIcd0UjETtM-wlP0xDysJUGaDU5Ud71rggy_pLUfgrPjIOnM6voPQl4lskMqVUy_a8lnGKPUbb5aZ4GHtBtpeVUKuCsuJJx5LUQnyuNJe6S8ZYvo-A-SGVUSgMzpWXsKSwWpQItcmUGrrfJ-4jmHG70f9EuXQXnbasrKz349WTXn--QTfCDsrQTL79a9wmWDopYoki3kBuDyiBy095RofD7C7Bq2_jSIm2OGQwaeqgW2WXuah4xBnjqCZebYvF-GTHB6SHDwq9tK2kcOJfqevyZ44E4yeBkhh8xwVJngbCHO88EPyXahHLHhWytJoV2I9qX40xtQ_UMjju-oCjeGwPmd7LdtqWhd3uT-u97psVWq_e9FMdUVW8Wr67j0oPy1Isu1JUGJYKIcSzOf1hdTMVs8UpfXBp0hwCSLAzy3XjDkxdxqBwofFsc2smqKjfXlmKBwdh6-aWesQw-2ouDSAdKrdo8ArSCYhsiZQA2hsQ-hlKsF-h5WxJgRsY85bYgwq4ITk0xBj215NqVpBC9i_KH2gnJ6cZaOgnlyeFj1XzHHCgRRujJpF7O2fz2XC5wBSO6e4f81JDkoPor07Jkq8",
"e": "AQAB"
},
"contact": [
"mailto:dono@kitsaptransit.com"
],
"initialIp": "207.108.221.172",
"createdAt": "2019-10-23T15:08:42Z",
"status": "valid"
}',
'status' => '200',
'success' => 1,
'reason' => 'OK'
};
2022/12/07 12:10:07 Key is already registered, reg path: https://acme-v02.api.letsencrypt.org/acme/acct/70096866.
2022/12/07 12:10:07 Connecting to https://acme-v02.api.letsencrypt.org/acme/acct/70096866
2022/12/07 12:10:07 $VAR1 = {
'headers' => {
'replay-nonce' => 'F977SqPG8wChpTRyi0MTZ440Stxrk29ESr3mJlTbWYhbUW8',
'cache-control' => 'public, max-age=0, no-cache',
'server' => 'nginx',
'strict-transport-security' => 'max-age=604800',
'x-frame-options' => 'DENY',
'content-length' => '898',
'link' => [
'https://acme-v02.api.letsencrypt.org/directory;rel="index"',
'https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf;rel="terms-of-service"'
],
'boulder-requester' => '70096866',
'content-type' => 'application/json',
'connection' => 'keep-alive',
'date' => 'Wed, 07 Dec 2022 20:10:07 GMT'
},
'content' => '{
"key": {
"kty": "RSA",
"n": "jHvzrOGnLuuNAtrlotScfmP7_3NorpFvvgWP0Adhu9xndlKfA5EbFfKLdKJFeSLWZLZ0VQJymg_L41Qa_-x841VIcd0UjETtM-wlP0xDysJUGaDU5Ud71rggy_pLUfgrPjIOnM6voPQl4lskMqVUy_a8lnGKPUbb5aZ4GHtBtpeVUKuCsuJJx5LUQnyuNJe6S8ZYvo-A-SGVUSgMzpWXsKSwWpQItcmUGrrfJ-4jmHG70f9EuXQXnbasrKz349WTXn--QTfCDsrQTL79a9wmWDopYoki3kBuDyiBy095RofD7C7Bq2_jSIm2OGQwaeqgW2WXuah4xBnjqCZebYvF-GTHB6SHDwq9tK2kcOJfqevyZ44E4yeBkhh8xwVJngbCHO88EPyXahHLHhWytJoV2I9qX40xtQ_UMjju-oCjeGwPmd7LdtqWhd3uT-u97psVWq_e9FMdUVW8Wr67j0oPy1Isu1JUGJYKIcSzOf1hdTMVs8UpfXBp0hwCSLAzy3XjDkxdxqBwofFsc2smqKjfXlmKBwdh6-aWesQw-2ouDSAdKrdo8ArSCYhsiZQA2hsQ-hlKsF-h5WxJgRsY85bYgwq4ITk0xBj215NqVpBC9i_KH2gnJ6cZaOgnlyeFj1XzHHCgRRujJpF7O2fz2XC5wBSO6e4f81JDkoPor07Jkq8",
"e": "AQAB"
},
"contact": [
"mailto:dono@kitsaptransit.com"
],
"initialIp": "207.108.221.172",
"createdAt": "2019-10-23T15:08:42Z",
"status": "valid"
}',
'reason' => 'OK',
'success' => 1,
'status' => '200',
'url' => 'https://acme-v02.api.letsencrypt.org/acme/acct/70096866',
'protocol' => 'HTTP/1.1'
};
2022/12/07 12:10:07 Account ID: 70096866
2022/12/07 12:10:07 Registration success: TOS change status - 0, new registration flag - 0.
2022/12/07 12:10:07 The key is already registered. ID: 70096866
2022/12/07 12:10:07 TOS has NOT been changed, no need to accept again.
2022/12/07 12:10:07 Current contact details: dono@kitsaptransit.com
2022/12/07 12:10:07 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-order
2022/12/07 12:10:07 $VAR1 = {
'success' => 1,
'reason' => 'Created',
'status' => '201',
'content' => '{
"status": "ready",
"expires": "2022-12-14T19:16:17Z",
"identifiers": [
{
"type": "dns",
"value": "autodiscover.kitsaptransit.com"
},
{
"type": "dns",
"value": "kitsaptransit.com"
},
{
"type": "dns",
"value": "owa.kitsaptransit.com"
},
{
"type": "dns",
"value": "webmail.kitsaptransit.com"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188407",
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188417",
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188427",
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188437"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/70096866/151302973937"
}',
'headers' => {
'link' => 'https://acme-v02.api.letsencrypt.org/directory;rel="index"',
'boulder-requester' => '70096866',
'content-type' => 'application/json',
'connection' => 'keep-alive',
'date' => 'Wed, 07 Dec 2022 20:10:07 GMT',
'strict-transport-security' => 'max-age=604800',
'x-frame-options' => 'DENY',
'content-length' => '784',
'replay-nonce' => '2712MDKmENbQCr_VReYSS-vDmKVpUqhmR32XOYcd9vQYpM8',
'cache-control' => 'public, max-age=0, no-cache',
'location' => 'https://acme-v02.api.letsencrypt.org/acme/order/70096866/151302973937',
'server' => 'nginx'
},
'protocol' => 'HTTP/1.1',
'url' => 'https://acme-v02.api.letsencrypt.org/acme/new-order'
};
2022/12/07 12:10:07 Connecting to https://acme-v02.api.letsencrypt.org/acme/finalize/70096866/151302973937
2022/12/07 12:10:07 $VAR1 = {
'success' => '',
'reason' => 'Bad Request',
'status' => '400',
'content' => '{
"type": "urn:ietf:params:acme:error:badCSR",
"detail": "Error finalizing order :: signature algorithm not supported",
"status": 400
}',
'headers' => {
'content-type' => 'application/problem+json',
'boulder-requester' => '70096866',
'link' => 'https://acme-v02.api.letsencrypt.org/directory;rel="index"',
'connection' => 'keep-alive',
'date' => 'Wed, 07 Dec 2022 20:10:07 GMT',
'content-length' => '141',
'replay-nonce' => '2712Z7a_gugH24dbb48AmBsRyIOdhwo93U5pWjl8kUTMQ2o',
'server' => 'nginx',
'cache-control' => 'public, max-age=0, no-cache'
},
'protocol' => 'HTTP/1.1',
'url' => 'https://acme-v02.api.letsencrypt.org/acme/finalize/70096866/151302973937'
};
2022/12/07 12:10:07 Could not finalize an order.
2022/12/07 12:10:07 Requesting challenge.
2022/12/07 12:10:07 Connecting to https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188407
2022/12/07 12:10:07 $VAR1 = {
'content' => '{
"identifier": {
"type": "dns",
"value": "autodiscover.kitsaptransit.com"
},
"status": "valid",
"expires": "2023-01-06T19:20:38Z",
"challenges": [
{
"type": "dns-01",
"status": "valid",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/185108188407/1rmJ8w",
"token": "1AYnaZT5Kb-MpO8lnslxlyUCJsUtBBeCBP9cOUlcH0M",
"validationRecord": [
{
"hostname": "autodiscover.kitsaptransit.com"
}
],
"validated": "2022-12-07T19:20:35Z"
}
]
}',
'headers' => {
'cache-control' => 'public, max-age=0, no-cache',
'server' => 'nginx',
'replay-nonce' => 'C400YolYKHV9Ov_TiEwIrPuldE9V3GMuTGIuS-IJC_BDF34',
'content-length' => '535',
'strict-transport-security' => 'max-age=604800',
'x-frame-options' => 'DENY',
'connection' => 'keep-alive',
'date' => 'Wed, 07 Dec 2022 20:10:07 GMT',
'link' => 'https://acme-v02.api.letsencrypt.org/directory;rel="index"',
'boulder-requester' => '70096866',
'content-type' => 'application/json'
},
'reason' => 'OK',
'success' => 1,
'status' => '200',
'protocol' => 'HTTP/1.1',
'url' => 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188407'
};
2022/12/07 12:10:07 Received challenges for autodiscover.kitsaptransit.com.
2022/12/07 12:10:07 Requesting challenge.
2022/12/07 12:10:07 Connecting to https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188417
2022/12/07 12:10:07 $VAR1 = {
'reason' => 'OK',
'success' => 1,
'status' => '200',
'content' => '{
"identifier": {
"type": "dns",
"value": "kitsaptransit.com"
},
"status": "valid",
"expires": "2023-01-06T19:20:33Z",
"challenges": [
{
"type": "dns-01",
"status": "valid",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/185108188417/xthsAg",
"token": "Atd8whhngGcYX29xVymh59h1Q4azym5hmH-ViUgeJYM",
"validationRecord": [
{
"hostname": "kitsaptransit.com"
}
],
"validated": "2022-12-07T19:20:33Z"
}
]
}',
'headers' => {
'strict-transport-security' => 'max-age=604800',
'x-frame-options' => 'DENY',
'content-length' => '509',
'replay-nonce' => 'A5FENdiUypum4MAgIgr2LcQJQkmRXocH-EIhsF_XSwejxws',
'cache-control' => 'public, max-age=0, no-cache',
'server' => 'nginx',
'link' => 'https://acme-v02.api.letsencrypt.org/directory;rel="index"',
'boulder-requester' => '70096866',
'content-type' => 'application/json',
'date' => 'Wed, 07 Dec 2022 20:10:07 GMT',
'connection' => 'keep-alive'
},
'protocol' => 'HTTP/1.1',
'url' => 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188417'
};
2022/12/07 12:10:07 Received challenges for kitsaptransit.com.
2022/12/07 12:10:07 Requesting challenge.
2022/12/07 12:10:07 Connecting to https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188427
2022/12/07 12:10:07 $VAR1 = {
'url' => 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188427',
'protocol' => 'HTTP/1.1',
'success' => 1,
'status' => '200',
'reason' => 'OK',
'headers' => {
'cache-control' => 'public, max-age=0, no-cache',
'server' => 'nginx',
'replay-nonce' => '271211GqnCBBzP6rLeuYIZDFpsfDeO6LV3EAIUpPoocatJ0',
'content-length' => '517',
'strict-transport-security' => 'max-age=604800',
'x-frame-options' => 'DENY',
'date' => 'Wed, 07 Dec 2022 20:10:07 GMT',
'connection' => 'keep-alive',
'link' => 'https://acme-v02.api.letsencrypt.org/directory;rel="index"',
'boulder-requester' => '70096866',
'content-type' => 'application/json'
},
'content' => '{
"identifier": {
"type": "dns",
"value": "owa.kitsaptransit.com"
},
"status": "valid",
"expires": "2023-01-06T19:20:40Z",
"challenges": [
{
"type": "dns-01",
"status": "valid",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/185108188427/zDgcng",
"token": "dhx8S8o7Eut7VyDA7gOWxT_LJuRtDw4KWza9xIT3tpA",
"validationRecord": [
{
"hostname": "owa.kitsaptransit.com"
}
],
"validated": "2022-12-07T19:20:40Z"
}
]
}'
};
2022/12/07 12:10:07 Received challenges for owa.kitsaptransit.com.
2022/12/07 12:10:07 Requesting challenge.
2022/12/07 12:10:07 Connecting to https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188437
2022/12/07 12:10:08 $VAR1 = {
'success' => 1,
'status' => '200',
'reason' => 'OK',
'headers' => {
'link' => 'https://acme-v02.api.letsencrypt.org/directory;rel="index"',
'boulder-requester' => '70096866',
'content-type' => 'application/json',
'connection' => 'keep-alive',
'date' => 'Wed, 07 Dec 2022 20:10:08 GMT',
'replay-nonce' => 'F977fnAs76Oh2afzIZSJsT-3swJ9WKl0EXjdh7xjDMNwLA0',
'cache-control' => 'public, max-age=0, no-cache',
'server' => 'nginx',
'strict-transport-security' => 'max-age=604800',
'x-frame-options' => 'DENY',
'content-length' => '525'
},
'content' => '{
"identifier": {
"type": "dns",
"value": "webmail.kitsaptransit.com"
},
"status": "valid",
"expires": "2023-01-06T19:20:42Z",
"challenges": [
{
"type": "dns-01",
"status": "valid",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/185108188437/9tz9LQ",
"token": "tu200AmFP6rKJ0BGmvyQV0TIu2ZlQ1DDwzmNe2y_8mM",
"validationRecord": [
{
"hostname": "webmail.kitsaptransit.com"
}
],
"validated": "2022-12-07T19:20:42Z"
}
]
}',
'url' => 'https://acme-v02.api.letsencrypt.org/acme/authz-v3/185108188437',
'protocol' => 'HTTP/1.1'
};
2022/12/07 12:10:08 Received challenges for webmail.kitsaptransit.com.
2022/12/07 12:10:08 Requested challenges for 4 domain(s).
2022/12/07 12:10:08 Domain kitsaptransit.com has been already validated, skipping.
2022/12/07 12:10:08 Domain autodiscover.kitsaptransit.com has been already validated, skipping.
2022/12/07 12:10:08 Domain owa.kitsaptransit.com has been already validated, skipping.
2022/12/07 12:10:08 Domain webmail.kitsaptransit.com has been already validated, skipping.
2022/12/07 12:10:08 There are no domains for which challenges need to be accepted.
2022/12/07 12:10:08 Connecting to https://acme-v02.api.letsencrypt.org/directory
2022/12/07 12:10:08 $VAR1 = {
'protocol' => 'HTTP/1.1',
'url' => 'https://acme-v02.api.letsencrypt.org/directory',
'content' => '{
"7I4uaY5GNtA": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}',
'headers' => {
'content-type' => 'application/json',
'date' => 'Wed, 07 Dec 2022 20:10:08 GMT',
'connection' => 'keep-alive',
'server' => 'nginx',
'cache-control' => 'public, max-age=0, no-cache',
'x-frame-options' => 'DENY',
'strict-transport-security' => 'max-age=604800',
'content-length' => '659'
},
'reason' => 'OK',
'success' => 1,
'status' => '200'
};
2022/12/07 12:10:08 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-nonce
2022/12/07 12:10:08 $VAR1 = {
'link' => 'https://acme-v02.api.letsencrypt.org/directory;rel="index"',
'connection' => 'keep-alive',
'date' => 'Wed, 07 Dec 2022 20:10:08 GMT',
'replay-nonce' => 'C400T2Spj6RKebkPfkJ0SWomykw_ZG_gNXgWYXfq7_36lkQ',
'server' => 'nginx',
'cache-control' => 'public, max-age=0, no-cache',
'x-frame-options' => 'DENY',
'strict-transport-security' => 'max-age=604800'
};
2022/12/07 12:10:08 Directory loaded successfully.
2022/12/07 12:10:08 There are no active challenges to verify
2022/12/07 12:10:08 Requesting domain certificate.
2022/12/07 12:10:08 Connecting to https://acme-v02.api.letsencrypt.org/acme/finalize/70096866/151302973937
2022/12/07 12:10:08 $VAR1 = {
'protocol' => 'HTTP/1.1',
'url' => 'https://acme-v02.api.letsencrypt.org/acme/finalize/70096866/151302973937',
'success' => '',
'reason' => 'Bad Request',
'status' => '400',
'content' => '{
"type": "urn:ietf:params:acme:error:badCSR",
"detail": "Error finalizing order :: signature algorithm not supported",
"status": 400
}',
'headers' => {
'content-length' => '141',
'cache-control' => 'public, max-age=0, no-cache',
'server' => 'nginx',
'replay-nonce' => '2712-J_0HCvyfPWkSPQ5BJ6YxltPKP1kbCQiE2w3Jmki6r4',
'date' => 'Wed, 07 Dec 2022 20:10:08 GMT',
'connection' => 'keep-alive',
'boulder-requester' => '70096866',
'link' => 'https://acme-v02.api.letsencrypt.org/directory;rel="index"',
'content-type' => 'application/problem+json'
}
};
2022/12/07 12:10:08 Could not finalize an order.
2022/12/07 12:10:08 Could not finalize an order.

The problem is the CSR.

You probably have a SHA1 signature on it. Let's Encrypt no longer supports that, per https://community.letsencrypt.org/t/rejecting-sha-1-csrs-and-validation-using-tls-1-0-1-1-urls.

You need to update it to SHA256.
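
A pre-flight check for the condition diagnosed above, as an added example that is not part of the original thread or of the le64 / Crypt::LE client: it reads the signatureAlgorithm OID out of a PKCS#10 CSR (PEM or DER) and flags MD5 or SHA-1 signatures before the request is sent to the CA. The function names are this example's own, and the two sample CSRs are constructed DER skeletons, not real requests.

```python
import base64
import re

# signatureAlgorithm OID -> (name, True if the hash is MD5 or SHA-1)
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}
PEM_RE = re.compile(
    rb"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)-----END", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    if not arcs:
        raise ValueError("empty OID")
    head = divmod(arcs[0], 40) if arcs[0] < 80 else (2, arcs[0] - 80)
    return ".".join(map(str, [*head, *arcs[1:]]))

def check_csr(data):
    """Report the signature algorithm of a CSR given as PEM (with or
    without the "NEW" that Windows/Exchange writes) or as raw DER."""
    m = PEM_RE.search(data)
    der = base64.b64decode(m.group(1)) if m else data
    # CertificationRequest ::= SEQUENCE { info, signatureAlgorithm, signature }
    tag, start, _ = read_tlv(der, 0)              # outer SEQUENCE
    tag2, _, info_end = read_tlv(der, start)      # certificationRequestInfo
    tag3, alg_start, _ = read_tlv(der, info_end)  # signatureAlgorithm
    tag4, oid_start, oid_end = read_tlv(der, alg_start)
    if (tag, tag2, tag3, tag4) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("not a PKCS#10 certification request")
    oid = decode_oid(der[oid_start:oid_end])
    name, weak = SIG_ALGS.get(oid, ("unknown", None))
    return {"oid": oid, "name": name, "weak_hash": weak}

# Constructed sample: empty-field DER skeleton; "05" = sha1, "0b" = sha256 (RSA)
def sample_csr(last_oid_byte):
    der = bytes.fromhex("301f30090201003000" "3000a000300d0609"
                        "2a864886f70d0101" + last_oid_byte + "0500030300aabb")
    body = base64.encodebytes(der)
    return (b"-----BEGIN NEW CERTIFICATE REQUEST-----\n" + body
            + b"-----END NEW CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    print(check_csr(sample_csr("05")), check_csr(sample_csr("0b")), sep="\n")
```

To check a real request, pass the file's bytes to `check_csr`; a result with `weak_hash` set to `True` corresponds to the SHA-1 case described in the reply above.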

Thanks, I will look into that. I am not sure how to change the encoding for the Exchange CSR to SHA2.

And the "signature algorithm not supported".

Thanks Bruce. I am having trouble figuring out how to get Exchange to use SHA2 for its CSR. Any insight?

I don't have access to any Exchange server, so I do not know if 2010 will allow the signature to be SHA256 (or even adjusted).

But here is a link to Exchange 2010 Create a certificate request (CSR):

Do you need to use a CSR for Exchange 2010? Can't you just generate your own PFX and upload it to the admin console?
