LetsEncrypt: Error finalizing order

ClayRabbit (Verified User, joined Jan 3, 2004, 260 messages, Russia)
Hello

We have issues with renewing the certificate for one of the domains.

According to the error messages in the message system, the first renewal failed with "Nonce is empty":
Code:
Requesting new certificate order...
Processing authorization for stagira.ru...
Waiting for domain verification...
Challenge is valid.
Challenge is valid.
Processing authorization for www.stagira.ru...
Waiting for domain verification...
Nonce is empty. Exiting. dig output of acme-v02.api.letsencrypt.org: 
api.letsencrypt.org-ng.edgekey.net.
e14990.dscx.akamaiedge.net.
23.61.220.154
Full nonce request output:

The next day the renewal failed with "Error finalizing order":
Code:
Requesting new certificate order...
Processing authorization for www.stagira.ru...
Challenge is valid.
Processing authorization for stagira.ru...
Challenge is valid.
Generating 2048 bit RSA key for stagira.ru...
openssl genrsa 2048 > "/usr/local/directadmin/data/users/stagirar/domains/stagira.ru.key.new"
Generating RSA private key, 2048 bit long modulus
........................................................+++
................+++
e is 65537 (0x10001)
Unable to find certificate. Something went wrong. Printing response...
Error finalizing order

And this has been repeating every day for 16 days already.

I have added "-v" to the CURL_OPTIONS and tried from the command line:
Code:
root@mensa:~/da/scripts# ./letsencrypt.sh renew stagira.ru 2048
Requesting new certificate order...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 184.86.59.247...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (184.86.59.247) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3190 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: May 25 00:25:19 2018 GMT
*  expire date: Aug 23 00:25:19 2018 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
} [5 bytes data]
> HEAD /acme/new-nonce HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 204 No Content
< Server: nginx
< Replay-Nonce: K1ed9JA8xEFF6PCOF8UpQYHVMELGuaC9GFo7jvNhCJ0
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Fri, 29 Jun 2018 02:58:08 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Fri, 29 Jun 2018 02:58:08 GMT
< Connection: keep-alive
<
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Curl_http_done: called premature == 0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
Note: Unnecessary use of -X or --request, POST is already inferred.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 184.86.59.247...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (184.86.59.247) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3190 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: May 25 00:25:19 2018 GMT
*  expire date: Aug 23 00:25:19 2018 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
} [5 bytes data]
> POST /acme/new-order HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Type: application/jose+json
> Content-Length: 793
>
} [793 bytes data]
* upload completely sent off: 793 out of 793 bytes
{ [5 bytes data]
< HTTP/1.1 201 Created
< Server: nginx
< Content-Type: application/json
< Content-Length: 533
< Boulder-Requester: 35454940
< Location: https://acme-v02.api.letsencrypt.org/acme/order/35454940/11847025
< Replay-Nonce: 7NwKjUVda49T_6Nxv3Cym4ommTtjbM7I183sGUqCAeE
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Fri, 29 Jun 2018 02:58:08 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Fri, 29 Jun 2018 02:58:08 GMT
< Connection: keep-alive
<
{ [533 bytes data]
* Curl_http_done: called premature == 0
100  1326  100   533  100   793   1705   2536 --:--:-- --:--:-- --:--:--  2541
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 184.86.59.247...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (184.86.59.247) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3190 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: May 25 00:25:19 2018 GMT
*  expire date: Aug 23 00:25:19 2018 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
} [5 bytes data]
> GET /acme/authz/xw_w9pCu1sIbuvlMyv_TUVDPX7-nwU39C98XzKvEvQM HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: application/json
< Content-Length: 988
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Fri, 29 Jun 2018 02:58:08 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Fri, 29 Jun 2018 02:58:08 GMT
< Connection: keep-alive
<
{ [988 bytes data]
* Curl_http_done: called premature == 0
100   988  100   988    0     0   3320      0 --:--:-- --:--:-- --:--:--  3326
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
Processing authorization for stagira.ru...
Challenge is valid.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 184.86.59.247...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (184.86.59.247) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3190 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: May 25 00:25:19 2018 GMT
*  expire date: Aug 23 00:25:19 2018 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
} [5 bytes data]
> GET /acme/authz/g88Yz8E2mQM9tdNEFSEkDVBnszPyn39TwV0bx_gSX_8 HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: application/json
< Content-Length: 651
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Fri, 29 Jun 2018 02:58:08 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Fri, 29 Jun 2018 02:58:08 GMT
< Connection: keep-alive
<
{ [651 bytes data]
* Curl_http_done: called premature == 0
100   651  100   651    0     0   2225      0 --:--:-- --:--:-- --:--:--  2229
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
Processing authorization for www.stagira.ru...
Challenge is valid.
Generating 2048 bit RSA key for stagira.ru...
openssl genrsa 2048 > "/usr/local/directadmin/data/users/stagirar/domains/stagira.ru.key.new"
Generating RSA private key, 2048 bit long modulus
...........................................................................+++
.............+++
e is 65537 (0x10001)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 184.86.59.247...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (184.86.59.247) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3190 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: May 25 00:25:19 2018 GMT
*  expire date: Aug 23 00:25:19 2018 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
} [5 bytes data]
> HEAD /acme/new-nonce HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 204 No Content
< Server: nginx
< Replay-Nonce: f6Cmifyzy2GI6ke2J_VY0WJTj8Ugn81OYAljoJFoFh0
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Fri, 29 Jun 2018 02:58:09 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Fri, 29 Jun 2018 02:58:09 GMT
< Connection: keep-alive
<
* Curl_http_done: called premature == 0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
Note: Unnecessary use of -X or --request, POST is already inferred.
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 184.86.59.247...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (184.86.59.247) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /usr/local/share/certs/ca-root-nss.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3190 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=acme-v02.api.letsencrypt.org
*  start date: May 25 00:25:19 2018 GMT
*  expire date: Aug 23 00:25:19 2018 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
} [5 bytes data]
> POST /acme/finalize/35454940/11847025 HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Type: application/jose+json
> Content-Length: 1973
> Expect: 100-continue
>
{ [5 bytes data]
< HTTP/1.1 100 Continue
< Expires: Fri, 29 Jun 2018 02:58:10 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
  0  1973    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0} [5 bytes data]
* We are completely uploaded and fine
{ [5 bytes data]
< HTTP/1.1 500 Internal Server Error
< Server: nginx
< Content-Type: application/problem+json
< Content-Length: 112
< Boulder-Requester: 35454940
< Replay-Nonce: G8Tl0MhrTeWFZvnzpta_WMiQrZ6Nz028A8CSmV10kME
< Expires: Fri, 29 Jun 2018 02:58:10 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Fri, 29 Jun 2018 02:58:10 GMT
< Connection: close
<
{ [112 bytes data]
* Curl_http_done: called premature == 0
100  2085  100   112  100  1973    133   2348 --:--:-- --:--:-- --:--:--  2348
* Closing connection 0
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, Client hello (1):
} [2 bytes data]
Unable to find certificate. Something went wrong. Printing response...
Error finalizing order

So we got "500 Internal Server Error" and "Error finalizing order" from acme-v02.api.letsencrypt.org/acme/finalize/35454940/11847025.

I have tried to renew the main hostname certificate on this server and it worked like a charm - so apparently this is not an issue with the server - just with that particular domain.
Any suggestions?
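The verbose trace above is several hundred lines, most of it TLS handshake noise, and the one line that matters (the 500 on the finalize request) is near the end. The following is an added example, not part of the thread and not code from DirectAdmin's letsencrypt.sh: it parses a `curl -v` trace of an ACME run into one record per HTTP exchange (method, path, final status, response headers) and reports the step that failed. It also covers the earlier symptom in the thread, a `new-nonce` response that carries no `Replay-Nonce` header, which is what the script reports as "Nonce is empty". The embedded trace is a constructed, abbreviated version of the output shown above; the nonce, order and account values in it are placeholders.

```python
"""Summarise a `curl -v` ACME trace: which request failed, and at which step.

Added example, not part of the forum thread or of letsencrypt.sh. It consumes
curl's verbose output (`> ` request lines, `< ` response lines) and reduces
it to one record per HTTP exchange so a failing renewal can be pinned to
new-nonce, new-order, authz or finalize without reading the TLS chatter.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

REQUEST_LINE = re.compile(r"^> (?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]$")
STATUS_LINE = re.compile(r"^< HTTP/1\.[01] (?P<status>\d{3})")
RESP_HEADER = re.compile(r"^< (?P<name>[^:]+): (?P<value>.*)$")


@dataclass
class Exchange:
    method: str
    path: str
    status: Optional[int] = None          # final (non-1xx) status, None if never answered
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased header names

    @property
    def nonce(self) -> Optional[str]:
        return self.headers.get("replay-nonce")


def parse_curl_trace(text: str) -> List[Exchange]:
    """Split a curl -v trace into exchanges. TLS, progress and '*' lines are ignored."""
    exchanges: List[Exchange] = []
    current: Optional[Exchange] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = REQUEST_LINE.match(line)
        if m:
            current = Exchange(m.group("method"), m.group("path"))
            exchanges.append(current)
            continue
        if current is None:
            continue
        m = STATUS_LINE.match(line)
        if m:
            # Every status line starts a fresh header block, so headers of an
            # interim "100 Continue" are dropped once the real status arrives.
            current.headers = {}
            status = int(m.group("status"))
            if status >= 200:
                current.status = status
            continue
        m = RESP_HEADER.match(line)
        if m:
            current.headers[m.group("name").lower()] = m.group("value")
    return exchanges


def diagnose(exchanges: List[Exchange]) -> List[str]:
    """Return one finding per exchange that would make a renewal stop."""
    findings: List[str] = []
    for ex in exchanges:
        where = f"{ex.method} {ex.path}"
        if ex.status is None:
            findings.append(f"{where}: no final response (connection problem?)")
        elif ex.path.endswith("/new-nonce") and ex.nonce is None:
            findings.append(f"{where}: {ex.status} but no Replay-Nonce header ('Nonce is empty')")
        elif ex.status >= 500:
            findings.append(f"{where}: {ex.status} server error")
        elif ex.status >= 400:
            findings.append(f"{where}: {ex.status} client error")
    return findings


# Constructed, abbreviated trace modelled on the thread's output; all ids are placeholders.
SAMPLE_TRACE = """\
* Connected to acme-v02.api.letsencrypt.org (203.0.113.10) port 443 (#0)
> HEAD /acme/new-nonce HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
>
< HTTP/1.1 204 No Content
< Replay-Nonce: NONCE-A-CONSTRUCTED
< Cache-Control: max-age=0, no-cache, no-store
<
> POST /acme/new-order HTTP/1.1
> Content-Type: application/jose+json
>
< HTTP/1.1 201 Created
< Boulder-Requester: ACCOUNT-ID-CONSTRUCTED
< Location: https://acme-v02.api.letsencrypt.org/acme/order/EXAMPLE/ORDER
< Replay-Nonce: NONCE-B-CONSTRUCTED
<
> POST /acme/finalize/EXAMPLE/ORDER HTTP/1.1
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
< Cache-Control: max-age=0, no-cache, no-store
* We are completely uploaded and fine
< HTTP/1.1 500 Internal Server Error
< Content-Type: application/problem+json
< Boulder-Requester: ACCOUNT-ID-CONSTRUCTED
< Replay-Nonce: NONCE-C-CONSTRUCTED
<
"""

if __name__ == "__main__":
    exchanges = parse_curl_trace(SAMPLE_TRACE)
    for ex in exchanges:
        print(f"{ex.method:5} {ex.path:35} {ex.status}  nonce={'yes' if ex.nonce else 'no'}")
    for finding in diagnose(exchanges):
        print("finding:", finding)
```

Run it on a saved trace with `parse_curl_trace(open("trace.txt").read())`. The `Boulder-Requester` header is kept in `headers`, which tells you which ACME account the order and finalize calls were made under; that is the account the accepted fix in this thread replaces by moving letsencrypt.key aside so a fresh account key is generated.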
 
Please try:
Code:
mv /usr/local/directadmin/conf/letsencrypt.key /usr/local/directadmin/conf/letsencrypt.key.backup

letsencrypt.sh 1.1 uses a single key for all the certs, to prevent reaching the registration limit.
 
Thank you. I also had to rename letsencrypt.key.json, and after that the command "./letsencrypt.sh renew stagira.ru 2048" worked fine.
 
Please try:
Code:
mv /usr/local/directadmin/conf/letsencrypt.key /usr/local/directadmin/conf/letsencrypt.key.backup

letsencrypt.sh 1.1 uses a single key for all the certs, to prevent reaching the registration limit.

My letsencrypt is updated.
I renamed both letsencrypt.key and letsencrypt.json,
but it didn't work.
What should I do?
 
I'd suggest creating a ticket at tickets.directadmin.com with more details, access to the server would also help. Thank you!