Windows client crypt-le (le64.exe V0.38) cannot finalize an order

My domain is:
mail.nationalcarrierexchange.com

I ran this command:
le64 -key letsencrypt-account.key -csr server6.csr -crt mail-ncx-crt.txt --domains "mail.nationalcarrierexchange.com" --generate-missing --handle-as dns --api 2 --renew 10 --live --debug

It produced this output:

2022/10/11 21:57:09 [ Crypt::LE client v0.38 started. ]
2022/10/11 21:57:09 Loading an account key from letsencrypt-account.key
2022/10/11 21:57:09 Account key loaded.
2022/10/11 21:57:09 Loading a CSR from server6.csr
2022/10/11 21:57:09 Loaded domain names from CSR: mail.nationalcarrierexchange.com
2022/10/11 21:57:09 CSR loaded.
2022/10/11 21:57:09 Checking certificate for expiration (local file).
2022/10/11 21:57:09 Expiration threshold set at 10 days, the certificate expires in 0 days - will be renewing.
2022/10/11 21:57:09 Connecting to https://acme-v02.api.letsencrypt.org/directory
2022/10/11 21:57:10 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-nonce
2022/10/11 21:57:10 Directory loaded successfully.
2022/10/11 21:57:10 Registering the account key
2022/10/11 21:57:10 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-acct
2022/10/11 21:57:10 Key is already registered, reg path: https://acme-v02.api.letsencrypt.org/acme/acct/51589873.
2022/10/11 21:57:10 Connecting to https://acme-v02.api.letsencrypt.org/acme/acct/51589873
2022/10/11 21:57:10 Account ID: 51589873
2022/10/11 21:57:10 Registration success: TOS change status - 0, new registration flag - 0.
2022/10/11 21:57:10 The key is already registered. ID: 51589873
2022/10/11 21:57:10 TOS has NOT been changed, no need to accept again.
2022/10/11 21:57:10 Current contact details: root@nationalcarrierexchange.com
2022/10/11 21:57:10 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-order
2022/10/11 21:57:10 Connecting to https://acme-v02.api.letsencrypt.org/acme/finalize/51589873/133782800386
2022/10/11 21:57:10 Could not finalize an order.
2022/10/11 21:57:10 Requesting challenge.
2022/10/11 21:57:10 Connecting to https://acme-v02.api.letsencrypt.org/acme/authz-v3/163598104786
2022/10/11 21:57:10 Received challenges for mail.nationalcarrierexchange.com.
2022/10/11 21:57:10 Requested challenges for 1 domain(s).
2022/10/11 21:57:10 Domain mail.nationalcarrierexchange.com has been already validated, skipping.
2022/10/11 21:57:10 There are no domains for which challenges need to be accepted.
2022/10/11 21:57:10 Connecting to https://acme-v02.api.letsencrypt.org/directory
2022/10/11 21:57:10 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-nonce
2022/10/11 21:57:10 Directory loaded successfully.
2022/10/11 21:57:10 There are no active challenges to verify
2022/10/11 21:57:10 Requesting domain certificate.
2022/10/11 21:57:10 Connecting to https://acme-v02.api.letsencrypt.org/acme/finalize/51589873/133782800386
2022/10/11 21:57:11 Could not finalize an order.
2022/10/11 21:57:11 Could not finalize an order.

My web server is (include version):
This is for a mail server, not a web server.

The operating system my web server runs on is (include version):
Windows Server 2003

My hosting provider, if applicable, is:
Vision Online Games

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Crypt::LE client v0.38

Additional Notes:
This is the exact same process I have followed for many prior manual renewals on this server. This is the first time I have encountered the "Could not finalize an order" error. Nothing of significance has changed on the machine.

It's hard to say for sure because Crypt-LE swallowed the error (if any). Try with even more verbose logging:

--debug --debug
4 Likes

Wait, you don't actually have Windows Server 2003 connected to the internet do you? If so, drop everything and migrate your app to the latest version of windows.

5 Likes

The relevant last bits of the very long double-debug are:

2022/10/12 07:41:24 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-nonce
2022/10/12 07:41:24 $VAR1 = {
          'link' => '<https://acme-v02.api.letsencrypt.org/directory>;rel="index"',
          'server' => 'nginx',
          'x-frame-options' => 'DENY',
          'strict-transport-security' => 'max-age=604800',
          'replay-nonce' => '1DFAjtAdQ939pyix6reMlTJrkD1ni3TtLAZuNrzVLhW2_0M',
          'cache-control' => 'public, max-age=0, no-cache',
          'connection' => 'keep-alive',
          'date' => 'Wed, 12 Oct 2022 14:41:24 GMT'
        };
2022/10/12 07:41:24 Directory loaded successfully.
2022/10/12 07:41:24 There are no active challenges to verify
2022/10/12 07:41:24 Requesting domain certificate.
2022/10/12 07:41:24 Connecting to https://acme-v02.api.letsencrypt.org/acme/finalize/51589873/133782800386
2022/10/12 07:41:24 $VAR1 = {
          'reason' => 'Bad Request',
          'headers' => {
                         'connection' => 'keep-alive',
                         'date' => 'Wed, 12 Oct 2022 14:41:24 GMT',
                         'boulder-requester' => '51589873',
                         'content-type' => 'application/problem+json',
                         'server' => 'nginx',
                         'link' => '<https://acme-v02.api.letsencrypt.org/directory>;rel="index"',
                         'content-length' => '141',
                         'replay-nonce' => 'C878baV4HCNsNFbDqpsu24NE0ryB-L9T8JNqDCfvOltU9uE',
                         'cache-control' => 'public, max-age=0, no-cache'
                       },
          'content' => '{
  "type": "urn:ietf:params:acme:error:badCSR",
  "detail": "Error finalizing order :: signature algorithm not supported",
  "status": 400
}',
          'success' => '',
          'url' => 'https://acme-v02.api.letsencrypt.org/acme/finalize/51589873/133782800386',
          'status' => '400',
          'protocol' => 'HTTP/1.1'
        };
2022/10/12 07:41:24 Could not finalize an order.
2022/10/12 07:41:24 Could not finalize an order.

It looks like the error is "Signature Algorithm not Supported". :thinking:

Did something get deprecated at the LetsEncrypt level?

Yes.

You'll need to find a way to generate a CSR that is hashed with SHA-256 instead of SHA-1.

5 Likes

If the Mail Server only supports SHA-1, I am looking at having to tear out and replace the whole mail server with a newer / current one, aren't I. :sweat_smile:

That sounds unlikely.
I'd try another ACME client.

3 Likes

Not necessarily. The certificates you've previously had were already using SHA-256 signatures which implies your mail server can at least use them. Here's a link to the most recent one.

What changed is that the CSR can no longer be SHA-1 signed and your command line implies that you're self-generating the CSR instead of letting le64 generate it on your behalf. Are you doing that with something like OpenSSL or is the mail server doing it for you? Is there a reason you can't let le64 generate the CSR?

5 Likes
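The diagnosis above comes down to one field in the CSR: the outer `signatureAlgorithm` of the PKCS#10 structure. As an added example for this thread (not code from Crypt::LE, Let's Encrypt or any poster), the following Python script parses just enough DER to read that field and flags a SHA-1-signed CSR before it is ever sent to the `finalize` endpoint. The set of accepted algorithms (SHA-2 family with RSA or ECDSA) is an assumption drawn from the thread's advice, and the CSR "skeletons" it builds are constructed, structurally minimal test data rather than real requests.

```python
"""Inspect the signature algorithm of a PKCS#10 CSR before handing it to an ACME CA.

Added example for this thread (not part of Crypt::LE or Let's Encrypt's code).
It parses just enough DER to reach the CSR's outer signatureAlgorithm field:
  CertificationRequest ::= SEQUENCE { certificationRequestInfo, signatureAlgorithm, signature }
"""
import base64
import re

# Algorithms an ACME CA such as Let's Encrypt accepts for CSR signatures
# (assumption based on the thread: SHA-2 family with RSA or ECDSA).
ACCEPTED = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}
# SHA-1 signatures: the cause of "badCSR :: signature algorithm not supported".
DEPRECATED = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value header at buf[pos].
    Returns (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn DER OID content bytes into dotted notation."""
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this sub-identifier
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def pem_to_der(data):
    """Accept PEM ("-----BEGIN ...-----") or raw DER bytes and return DER."""
    if data.lstrip().startswith(b"-----"):
        body = re.sub(rb"-----(BEGIN|END)[^-]*-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def csr_signature_oid(der):
    """Return the dotted OID of the CSR's outer signatureAlgorithm."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, info_end = _read_tlv(der, start)          # skip certificationRequestInfo
    tag, alg_start, _ = _read_tlv(der, info_end)     # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def check_csr(data):
    """Return (oid, name, ok). ok is False for SHA-1 or unknown algorithms."""
    oid = csr_signature_oid(pem_to_der(data))
    if oid in ACCEPTED:
        return oid, ACCEPTED[oid], True
    return oid, DEPRECATED.get(oid, "unknown"), False


# --- constructed test data: structurally minimal CSR skeletons, not real CSRs ---
def skeleton_csr(oid_der):
    """SEQUENCE { SEQUENCE {}, SEQUENCE { OID, NULL }, BIT STRING } with the given OID."""
    alg = b"\x30" + bytes([len(oid_der) + 2]) + oid_der + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body


SHA1_RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"     # 1.2.840.113549.1.1.5
SHA256_RSA_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # 1.2.840.113549.1.1.11


def to_pem(der):
    """Wrap DER in a CERTIFICATE REQUEST PEM envelope (for the demo only)."""
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE REQUEST-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE REQUEST-----\n")


if __name__ == "__main__":
    for label, der in (("sha1", skeleton_csr(SHA1_RSA_OID)),
                       ("sha256", skeleton_csr(SHA256_RSA_OID))):
        print(label, check_csr(to_pem(der)))
```

Run it against a real file with `check_csr(open("server6.csr", "rb").read())`; a result of `False` with `sha1WithRSAEncryption` is exactly the request Boulder rejects with `badCSR`. The same information is visible with `openssl req -noout -text -in server6.csr` (look for the `Signature Algorithm:` line), and `openssl req -new -sha256` produces a CSR that passes this check, which matches the fix the original poster ended up applying.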

Yes, that did the trick. Created a Key Pair and CRT using OpenSSL.

Thanks for the help, guys. :+1:

2 Likes

Still, you probably want to unplug that Windows Server 2003 from the internet... Extended support has ended already more than 6 years ago. That server is a ticking timebomb, if not part of several botnets already.

3 Likes

It's port-restricted and so only responds on a few "safe" ports.

Even so, I keep a watchful eye on it... you never know, after all.

When it finally gets replaced, it will be with the latest and greatest.

I was half-hoping this issue would necessitate the upgrade.

It will happen, sooner or later!

1 Like

Fortunately (unfortunately?) it's also fairly easy to use a different machine to get your certs, then script the deployment to any other service on any other machine, so your actual server doesn't strictly need to be able to renew its own certs using ACME. This makes it possible to still apply certs to services on machines which have no outgoing http/https, for example.

2 Likes
