Windows client crypt-le (le64.exe V0.38) could not finalize an order

Hello Community,

Cannot get any certificates and not sure what I am doing wrong.

My domain is: pje1.pjelectrical.com.au

I ran this command using a valid email address and a complex password:
le64.exe -email "##########" -key pje1.pjelectrical.com.au_2022-05-09.key -csr pje1.pjelectrical.com.au_2022-05-09.csr -csr-key pje1.pjelectrical.com.au_2022-05-09.key -crt pje1.pjelectrical.com.au_2022-05-09.crt -domains "pje1.pjelectrical.com.au" -generate-missing -live -export-pfx "##########" -tag-pfx "pje1.pjelectrical.com.au_2022-05-09" -handle-as dns -api 2 -debug

It produced this output:
2022/05/09 05:02:15 [ Crypt::LE client v0.38 started. ]
2022/05/09 05:02:15 Generating a new account key
2022/05/09 05:02:19 Account key generated.
2022/05/09 05:02:19 Saving generated account key into pje1.pjelectrical.com.au_2022-05-09.key
2022/05/09 05:02:19 Generating a new CSR for domains pje1.pjelectrical.com.au
2022/05/09 05:02:19 CSR key loaded
2022/05/09 05:02:19 New CSR will be based on 'pje1.pjelectrical.com.au_2022-05-09.key' key
2022/05/09 05:02:19 CSR generated.
2022/05/09 05:02:19 Saving a new CSR into pje1.pjelectrical.com.au_2022-05-09.csr
2022/05/09 05:02:19 Account email has been set to 'PAnderson@atecho.com.au'
2022/05/09 05:02:19 Connecting to https://acme-v02.api.letsencrypt.org/directory
2022/05/09 05:02:20 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-nonce
2022/05/09 05:02:21 Directory loaded successfully.
2022/05/09 05:02:21 Registering the account key
2022/05/09 05:02:21 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-acct
2022/05/09 05:02:21 New key is now registered, reg path: https://acme-v02.api.letsencrypt.org/acme/acct/534430636. You need to accept TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2022/05/09 05:02:21 Account ID: 534430636
2022/05/09 05:02:21 Registration success: TOS change status - 1, new registration flag - 1.
2022/05/09 05:02:21 The key has been successfully registered. ID: 534430636
2022/05/09 05:02:21 Make sure to check TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2022/05/09 05:02:21 Connecting to https://acme-v02.api.letsencrypt.org/acme/acct/534430636
2022/05/09 05:02:21 Accepted TOS.
2022/05/09 05:02:21 Current contact details: PAnderson@atecho.com.au
2022/05/09 05:02:21 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-order
2022/05/09 05:02:21 Connecting to https://acme-v02.api.letsencrypt.org/acme/finalize/534430636/86934322246
2022/05/09 05:02:22 Could not finalize an order.
2022/05/09 05:02:22 Requesting challenge.
2022/05/09 05:02:22 Connecting to https://acme-v02.api.letsencrypt.org/acme/authz-v3/106485177136
2022/05/09 05:02:22 Received challenges for pje1.pjelectrical.com.au.
2022/05/09 05:02:22 Requested challenges for 1 domain(s).
2022/05/09 05:02:22 Challenge for 'pje1.pjelectrical.com.au' requires the following DNS record to be created:
Host: _acme-challenge.pje1.pjelectrical.com.au, type: TXT, value: aB8Tigpdi3ABmDhcLjbOBOc-afD9zcdSB4vJ59cLTZo
Wait for DNS to update by checking it with the command: nslookup -q=TXT _acme-challenge.pje1.pjelectrical.com.au
When you see a text record returned, press

2022/05/09 05:04:36 Accepted challenges for 1 domain(s).
2022/05/09 05:04:36 Connecting to https://acme-v02.api.letsencrypt.org/directory
2022/05/09 05:04:37 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-nonce
2022/05/09 05:04:37 Directory loaded successfully.
2022/05/09 05:04:37 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall-v3/106485177136/ryq4-w
2022/05/09 05:04:39 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall-v3/106485177136/ryq4-w
2022/05/09 05:04:41 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall-v3/106485177136/ryq4-w
2022/05/09 05:04:42 Domain pje1.pjelectrical.com.au has been verified successfully.
2022/05/09 05:04:42 Processing the 'dns' verification for 'pje1.pjelectrical.com.au'
2022/05/09 05:04:42 Domain verification results for 'pje1.pjelectrical.com.au': success.
2022/05/09 05:04:42 You can now delete '_acme-challenge.pje1.pjelectrical.com.au' DNS record
2022/05/09 05:04:42 Verified challenges for 1 domain(s).
2022/05/09 05:04:42 Requesting domain certificate.
2022/05/09 05:04:42 Connecting to https://acme-v02.api.letsencrypt.org/acme/finalize/534430636/86934322246
2022/05/09 05:04:42 Could not finalize an order.
2022/05/09 05:04:42 Could not finalize an order.

My web server is (include version): IIS V8.5.9600.16384

The operating system my web server runs on is (include version): Windows2012R2

My hosting provider, if applicable, is: N/A

I can log in to a root shell on my machine: YES

I'm using a control panel to manage my site: NO

The version of my client is: le64.exe version 0.38.0.0.

Please help.

Thanks.

Doesn't le64.exe provide any more verbose logging? The ACME server provides the reason why the order couldn't be finalized and le64.exe should present that to you, the user.

Anyway, we can manually see the reason for the failure when we check https://acme-v02.api.letsencrypt.org/get/order/534430636/86934322246. There we can see:

"detail": "Error finalizing order :: certificate public key must be different than account key"

Probably due to the fact you're manually entering the -key option: do you have a specific reason for that? I have no idea what the -key option does exactly, but it probably is responsible for the error. Do you require that option?

5 Likes

Hello Osiris,

You are correct that the key parameter caused the error, because I used the same file name for the account key and the CSR key.

There are options to get more verbose logging when using the Perl interpreter, but I am not sure if I can get them via the Windows baked executable.

I have replaced command with: le64.exe -email "##########" -key pje1.pjelectrical.com.au_2022-05-09_account.key -csr pje1.pjelectrical.com.au_2022-05-09.csr -csr-key pje1.pjelectrical.com.au_2022-05-09.key -crt pje1.pjelectrical.com.au_2022-05-09.crt -domains "pje1.pjelectrical.com.au" -generate-missing -live -export-pfx "##########" -tag-pfx "pje1.pjelectrical.com.au_2022-05-09" -handle-as dns -api 2 -debug

Results:
2022/05/09 08:04:35 [ Crypt::LE client v0.38 started. ]
2022/05/09 08:04:35 Generating a new account key
2022/05/09 08:04:38 Account key generated.
2022/05/09 08:04:38 Saving generated account key into pje1.pjelectrical.com.au_2022-05-09_account.key
2022/05/09 08:04:38 Generating a new CSR for domains pje1.pjelectrical.com.au
2022/05/09 08:04:38 New CSR will be based on a generated key
2022/05/09 08:04:39 CSR generated.
2022/05/09 08:04:39 Saving a new CSR into pje1.pjelectrical.com.au_2022-05-09.csr
2022/05/09 08:04:39 Saving a new CSR key into pje1.pjelectrical.com.au_2022-05-09.key
2022/05/09 08:04:39 Account email has been set to 'PAnderson@atecho.com.au'
2022/05/09 08:04:39 Connecting to https://acme-v02.api.letsencrypt.org/directory
2022/05/09 08:04:40 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-nonce
2022/05/09 08:04:40 Directory loaded successfully.
2022/05/09 08:04:40 Registering the account key
2022/05/09 08:04:40 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-acct
2022/05/09 08:04:40 New key is now registered, reg path: https://acme-v02.api.letsencrypt.org/acme/acct/534652626. You need to accept TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2022/05/09 08:04:40 Account ID: 534652626
2022/05/09 08:04:40 Registration success: TOS change status - 1, new registration flag - 1.
2022/05/09 08:04:40 The key has been successfully registered. ID: 534652626
2022/05/09 08:04:40 Make sure to check TOS at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
2022/05/09 08:04:40 Connecting to https://acme-v02.api.letsencrypt.org/acme/acct/534652626
2022/05/09 08:04:40 Accepted TOS.
2022/05/09 08:04:40 Current contact details: PAnderson@atecho.com.au
2022/05/09 08:04:40 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-order
2022/05/09 08:04:41 Connecting to https://acme-v02.api.letsencrypt.org/acme/finalize/534652626/86969093216
2022/05/09 08:04:41 Could not finalize an order.
2022/05/09 08:04:41 Requesting challenge.
2022/05/09 08:04:41 Connecting to https://acme-v02.api.letsencrypt.org/acme/authz-v3/106527264896
2022/05/09 08:04:41 Received challenges for pje1.pjelectrical.com.au.
2022/05/09 08:04:41 Requested challenges for 1 domain(s).
2022/05/09 08:04:41 Challenge for 'pje1.pjelectrical.com.au' requires the following DNS record to be created:
Host: _acme-challenge.pje1.pjelectrical.com.au, type: TXT, value: YNwLIurEB0g1jNFrLM5zmy0wiJjHcGe6reMX9e7MJkE
Wait for DNS to update by checking it with the command: nslookup -q=TXT _acme-challenge.pje1.pjelectrical.com.au
When you see a text record returned, press

2022/05/09 08:08:09 Accepted challenges for 1 domain(s).
2022/05/09 08:08:09 Connecting to https://acme-v02.api.letsencrypt.org/directory
2022/05/09 08:08:09 Connecting to https://acme-v02.api.letsencrypt.org/acme/new-nonce
2022/05/09 08:08:09 Directory loaded successfully.
2022/05/09 08:08:09 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall-v3/106527264896/gLPhKw
2022/05/09 08:08:12 Connecting to https://acme-v02.api.letsencrypt.org/acme/chall-v3/106527264896/gLPhKw
2022/05/09 08:08:12 Domain pje1.pjelectrical.com.au has been verified successfully.
2022/05/09 08:08:12 Processing the 'dns' verification for 'pje1.pjelectrical.com.au'
2022/05/09 08:08:12 Domain verification results for 'pje1.pjelectrical.com.au': success.
2022/05/09 08:08:12 You can now delete '_acme-challenge.pje1.pjelectrical.com.au' DNS record
2022/05/09 08:08:12 Verified challenges for 1 domain(s).
2022/05/09 08:08:12 Requesting domain certificate.
2022/05/09 08:08:12 Connecting to https://acme-v02.api.letsencrypt.org/acme/finalize/534652626/86969093216
2022/05/09 08:08:13 The certificate is ready for download at https://acme-v02.api.letsencrypt.org/acme/cert/03349ce34ec66d0b158e95022cb7d11371ce.
2022/05/09 08:08:13 Connecting to https://acme-v02.api.letsencrypt.org/acme/cert/03349ce34ec66d0b158e95022cb7d11371ce
2022/05/09 08:08:13 Certificate is separated from the chain.
2022/05/09 08:08:13 Domain certificate has been received.
2022/05/09 08:08:13 Requesting issuer's certificate.
2022/05/09 08:08:13 Issuer's certificate has been already received.
2022/05/09 08:08:13 Saving the full certificate chain to pje1.pjelectrical.com.au_2022-05-09.crt.
2022/05/09 08:08:13 Exporting certificate to pje1.pjelectrical.com.au_2022-05-09.pfx.
2022/05/09 08:08:13 PFX exported to pje1.pjelectrical.com.au_2022-05-09.pfx.
2022/05/09 08:08:13 The job is done, enjoy your certificate!

Happy days.

Thank you.

3 Likes
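
An added example, not part of the thread and not Crypt::LE's own code: a small Python pre-flight and log triage for the failure discussed above. It flags an le64 command line whose -key and -csr-key point at the same file, and separates the fatal "Could not finalize an order" (after "Requesting domain certificate") from the one that both runs above print right after new-order. The sample logs and file names are constructed; the matched message strings are those shown in the debug output in the posts.

```python
import ntpath
import re
import shlex

SAVED_ACCT = re.compile(r"Saving generated account key into (.+)")
CSR_BASED = re.compile(r"New CSR will be based on '([^']+)' key")

def norm(path):
    # Windows file names are case-insensitive and accept both slash styles.
    return ntpath.normcase(ntpath.normpath(path.strip()))

def keys_collide(command):
    """True if -key (account key) and -csr-key name the same file."""
    argv = [t.strip('"') for t in shlex.split(command, posix=False)]
    opts = dict(zip(argv, argv[1:]))  # each token -> the token after it
    acct, csr = opts.get("-key"), opts.get("-csr-key")
    return bool(acct and csr) and norm(acct) == norm(csr)

def triage(log_lines):
    """Classify an le64 -debug log: 'key-reuse', 'finalize-failed' or 'ok'."""
    acct = csr = None
    requested = failed = False
    for line in log_lines:
        if m := SAVED_ACCT.search(line):
            acct = norm(m.group(1))
        elif m := CSR_BASED.search(line):
            csr = norm(m.group(1))
        elif "Requesting domain certificate" in line:
            requested = True
        elif requested and "Could not finalize an order" in line:
            failed = True  # the same message before validation is not fatal
    if failed:
        return "key-reuse" if acct and acct == csr else "finalize-failed"
    return "ok"

# Constructed sample logs: placeholder file names, timestamps dropped.
BAD_LOG = [
    "Saving generated account key into site.key",
    "New CSR will be based on 'site.key' key",
    "Could not finalize an order.",
    "Requesting domain certificate.",
    "Could not finalize an order.",
]
GOOD_LOG = [
    "Saving generated account key into site_account.key",
    "New CSR will be based on a generated key",
    "Could not finalize an order.",
    "Requesting domain certificate.",
    "The certificate is ready for download at https://acme.example/cert/1.",
]
```

Comparing file names only catches the mistake made in this thread; two differently named copies of the same key would still be rejected by the CA with the same "certificate public key must be different than account key" error.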
