ClayRabbit
Verified User
Hello
We have issues with renewing certificate for one of the domains.
According to the error messages in the message system, the first renewal failed with "Nonce is empty":
Code:
Requesting new certificate order...
Processing authorization for stagira.ru...
Waiting for domain verification...
Challenge is valid.
Challenge is valid.
Processing authorization for www.stagira.ru...
Waiting for domain verification...
Nonce is empty. Exiting. dig output of acme-v02.api.letsencrypt.org:
api.letsencrypt.org-ng.edgekey.net.
e14990.dscx.akamaiedge.net.
23.61.220.154
Full nonce request output:
On the next day the renewal failed with "Error finalizing order":
Code:
Requesting new certificate order...
Processing authorization for www.stagira.ru...
Challenge is valid.
Processing authorization for stagira.ru...
Challenge is valid.
Generating 2048 bit RSA key for stagira.ru...
openssl genrsa 2048 > "/usr/local/directadmin/data/users/stagirar/domains/stagira.ru.key.new"
Generating RSA private key, 2048 bit long modulus
........................................................+++
................+++
e is 65537 (0x10001)
Unable to find certificate. Something went wrong. Printing response...
Error finalizing order
And this has been repeating every day for 16 days already.
I have added "-v" to CURL_OPTIONS and tried from the command line:
Code:
root@mensa:~/da/scripts# ./letsencrypt.sh renew stagira.ru 2048
Requesting new certificate order...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 184.86.59.247...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (184.86.59.247) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3190 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=acme-v02.api.letsencrypt.org
* start date: May 25 00:25:19 2018 GMT
* expire date: Aug 23 00:25:19 2018 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
} [5 bytes data]
> HEAD /acme/new-nonce HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 204 No Content
< Server: nginx
< Replay-Nonce: K1ed9JA8xEFF6PCOF8UpQYHVMELGuaC9GFo7jvNhCJ0
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Fri, 29 Jun 2018 02:58:08 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Fri, 29 Jun 2018 02:58:08 GMT
< Connection: keep-alive
<
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Curl_http_done: called premature == 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
Note: Unnecessary use of -X or --request, POST is already inferred.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 184.86.59.247...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (184.86.59.247) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3190 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=acme-v02.api.letsencrypt.org
* start date: May 25 00:25:19 2018 GMT
* expire date: Aug 23 00:25:19 2018 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
} [5 bytes data]
> POST /acme/new-order HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Type: application/jose+json
> Content-Length: 793
>
} [793 bytes data]
* upload completely sent off: 793 out of 793 bytes
{ [5 bytes data]
< HTTP/1.1 201 Created
< Server: nginx
< Content-Type: application/json
< Content-Length: 533
< Boulder-Requester: 35454940
< Location: https://acme-v02.api.letsencrypt.org/acme/order/35454940/11847025
< Replay-Nonce: 7NwKjUVda49T_6Nxv3Cym4ommTtjbM7I183sGUqCAeE
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Fri, 29 Jun 2018 02:58:08 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Fri, 29 Jun 2018 02:58:08 GMT
< Connection: keep-alive
<
{ [533 bytes data]
* Curl_http_done: called premature == 0
100 1326 100 533 100 793 1705 2536 --:--:-- --:--:-- --:--:-- 2541
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 184.86.59.247...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (184.86.59.247) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3190 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=acme-v02.api.letsencrypt.org
* start date: May 25 00:25:19 2018 GMT
* expire date: Aug 23 00:25:19 2018 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
} [5 bytes data]
> GET /acme/authz/xw_w9pCu1sIbuvlMyv_TUVDPX7-nwU39C98XzKvEvQM HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: application/json
< Content-Length: 988
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Fri, 29 Jun 2018 02:58:08 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Fri, 29 Jun 2018 02:58:08 GMT
< Connection: keep-alive
<
{ [988 bytes data]
* Curl_http_done: called premature == 0
100 988 100 988 0 0 3320 0 --:--:-- --:--:-- --:--:-- 3326
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
Processing authorization for stagira.ru...
Challenge is valid.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 184.86.59.247...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (184.86.59.247) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3190 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=acme-v02.api.letsencrypt.org
* start date: May 25 00:25:19 2018 GMT
* expire date: Aug 23 00:25:19 2018 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
} [5 bytes data]
> GET /acme/authz/g88Yz8E2mQM9tdNEFSEkDVBnszPyn39TwV0bx_gSX_8 HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: application/json
< Content-Length: 651
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Fri, 29 Jun 2018 02:58:08 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Fri, 29 Jun 2018 02:58:08 GMT
< Connection: keep-alive
<
{ [651 bytes data]
* Curl_http_done: called premature == 0
100 651 100 651 0 0 2225 0 --:--:-- --:--:-- --:--:-- 2229
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
Processing authorization for www.stagira.ru...
Challenge is valid.
Generating 2048 bit RSA key for stagira.ru...
openssl genrsa 2048 > "/usr/local/directadmin/data/users/stagirar/domains/stagira.ru.key.new"
Generating RSA private key, 2048 bit long modulus
...........................................................................+++
.............+++
e is 65537 (0x10001)
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 184.86.59.247...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (184.86.59.247) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3190 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=acme-v02.api.letsencrypt.org
* start date: May 25 00:25:19 2018 GMT
* expire date: Aug 23 00:25:19 2018 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
} [5 bytes data]
> HEAD /acme/new-nonce HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/1.1 204 No Content
< Server: nginx
< Replay-Nonce: f6Cmifyzy2GI6ke2J_VY0WJTj8Ugn81OYAljoJFoFh0
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Fri, 29 Jun 2018 02:58:09 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Fri, 29 Jun 2018 02:58:09 GMT
< Connection: keep-alive
<
* Curl_http_done: called premature == 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Connection #0 to host acme-v02.api.letsencrypt.org left intact
Note: Unnecessary use of -X or --request, POST is already inferred.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 184.86.59.247...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (184.86.59.247) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [3190 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=acme-v02.api.letsencrypt.org
* start date: May 25 00:25:19 2018 GMT
* expire date: Aug 23 00:25:19 2018 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
} [5 bytes data]
> POST /acme/finalize/35454940/11847025 HTTP/1.1
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Type: application/jose+json
> Content-Length: 1973
> Expect: 100-continue
>
{ [5 bytes data]
< HTTP/1.1 100 Continue
< Expires: Fri, 29 Jun 2018 02:58:10 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
0 1973 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0} [5 bytes data]
* We are completely uploaded and fine
{ [5 bytes data]
< HTTP/1.1 500 Internal Server Error
< Server: nginx
< Content-Type: application/problem+json
< Content-Length: 112
< Boulder-Requester: 35454940
< Replay-Nonce: G8Tl0MhrTeWFZvnzpta_WMiQrZ6Nz028A8CSmV10kME
< Expires: Fri, 29 Jun 2018 02:58:10 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Fri, 29 Jun 2018 02:58:10 GMT
< Connection: close
<
{ [112 bytes data]
* Curl_http_done: called premature == 0
100 2085 100 112 100 1973 133 2348 --:--:-- --:--:-- --:--:-- 2348
* Closing connection 0
} [5 bytes data]
* TLSv1.2 (OUT), TLS alert, Client hello (1):
} [2 bytes data]
Unable to find certificate. Something went wrong. Printing response...
Error finalizing order
So we got "500 Internal Server Error" and "Error finalizing order" from acme-v02.api.letsencrypt.org/acme/finalize/35454940/11847025.
I have tried to renew the main hostname certificate on this server and it worked like a charm, so apparently this is not an issue with the server, just with that particular domain.
Any suggestions?
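Two things in the trace above are worth showing in code, as an added example that is not part of the original post and not the DirectAdmin letsencrypt.sh script: an ACME v2 (RFC 8555) client has to pick up the Replay-Nonce header from every response (not only from HEAD /acme/new-nonce) and refuse to sign with an empty one, and on a non-2xx reply it should decode the application/problem+json body so the "type" and "detail" fields are visible instead of a generic "Error finalizing order". The sample responses below are constructed: their header values are copied from the post, including the interim 100 Continue that curl printed before the 500, but the 500 body is invented for illustration because the post does not show it.

```python
"""Added example (not from the original post or letsencrypt.sh): parse raw ACME
responses, track the Replay-Nonce, and surface the problem document on errors."""
import json
import re
from dataclasses import dataclass
from typing import Dict, Optional

PROBLEM_CONTENT_TYPE = "application/problem+json"
BAD_NONCE = "urn:ietf:params:acme:error:badNonce"


@dataclass
class AcmeResponse:
    status: int
    headers: Dict[str, str]   # header names lower-cased
    body: bytes

    @property
    def nonce(self) -> Optional[str]:
        return self.headers.get("replay-nonce")

    def problem(self) -> Optional[dict]:
        """Decode the RFC 7807 problem document, if the server sent one."""
        if not self.headers.get("content-type", "").startswith(PROBLEM_CONTENT_TYPE):
            return None
        return json.loads(self.body.decode("utf-8"))


def parse_raw_response(raw: bytes) -> AcmeResponse:
    """Split a raw HTTP/1.1 response into status, headers and body, skipping an
    interim '100 Continue' (curl sends Expect: 100-continue for large POST bodies)."""
    while True:
        head, sep, rest = raw.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete response: no end of headers")
        lines = head.split(b"\r\n")
        m = re.match(rb"HTTP/1\.[01] (\d{3})", lines[0])
        if m is None:
            raise ValueError("bad status line: %r" % lines[0])
        status = int(m.group(1))
        if status == 100:
            raw = rest          # the real response follows the interim one
            continue
        headers: Dict[str, str] = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().decode().lower()] = value.strip().decode()
        length = int(headers.get("content-length", len(rest)))
        return AcmeResponse(status, headers, rest[:length])


class NonceTracker:
    """Holds the freshest Replay-Nonce. Each signed request consumes one; the
    server's reply, success or error, supplies the next."""

    def __init__(self) -> None:
        self._nonce: Optional[str] = None

    def absorb(self, resp: AcmeResponse) -> None:
        if resp.nonce:
            self._nonce = resp.nonce

    def take(self) -> str:
        if not self._nonce:
            # The condition the script reported as "Nonce is empty".
            raise RuntimeError("Nonce is empty: fetch HEAD /acme/new-nonce before signing")
        nonce, self._nonce = self._nonce, None
        return nonce


def explain_failure(resp: AcmeResponse) -> str:
    """One-line reason for a non-2xx ACME reply, using the problem document if present."""
    prob = resp.problem()
    if prob is None:
        return "HTTP %d with no problem document" % resp.status
    return "HTTP %d %s: %s" % (resp.status, prob.get("type", "?"), prob.get("detail", ""))


def is_bad_nonce(resp: AcmeResponse) -> bool:
    """badNonce is the one error a client should retry using the nonce from this reply."""
    prob = resp.problem()
    return prob is not None and prob.get("type") == BAD_NONCE


# Constructed samples; header values are the ones printed in the post.
NEW_NONCE_RAW = (
    b"HTTP/1.1 204 No Content\r\n"
    b"Server: nginx\r\n"
    b"Replay-Nonce: K1ed9JA8xEFF6PCOF8UpQYHVMELGuaC9GFo7jvNhCJ0\r\n"
    b"Cache-Control: max-age=0, no-cache, no-store\r\n"
    b"\r\n"
)
_PROBLEM_BODY = json.dumps({"type": "urn:ietf:params:acme:error:serverInternal",
                            "detail": "Error finalizing order"}).encode()  # invented body
FINALIZE_500_RAW = b"".join([
    b"HTTP/1.1 100 Continue\r\n",
    b"Expires: Fri, 29 Jun 2018 02:58:10 GMT\r\n",
    b"\r\n",
    b"HTTP/1.1 500 Internal Server Error\r\n",
    b"Server: nginx\r\n",
    b"Content-Type: application/problem+json\r\n",
    b"Content-Length: %d\r\n" % len(_PROBLEM_BODY),
    b"Boulder-Requester: 35454940\r\n",
    b"Replay-Nonce: G8Tl0MhrTeWFZvnzpta_WMiQrZ6Nz028A8CSmV10kME\r\n",
    b"Connection: close\r\n",
    b"\r\n",
    _PROBLEM_BODY,
])

if __name__ == "__main__":
    nonces = NonceTracker()
    nonces.absorb(parse_raw_response(NEW_NONCE_RAW))
    print("nonce for the finalize request:", nonces.take())
    reply = parse_raw_response(FINALIZE_500_RAW)
    nonces.absorb(reply)        # even a 500 carries a fresh Replay-Nonce
    print(explain_failure(reply))
    print("retryable badNonce:", is_bad_nonce(reply))
```

The practical use when a run fails like the one above is to print `explain_failure()` for the finalize reply, which tells you whether the CA reported a retryable badNonce, a rejected CSR, or a serverInternal problem that needs the order URL and Boulder-Requester ID reported to the CA.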