letsencrypt renew fails with error 400 malformed

WizardX · Mar 11, 2020

At first I was running into slow dns propagation on external hosted dns. After being fixed the letsencdrypt.sh fails on the following error. (snippet from bash -x)

++ /usr/local/bin/curl --connect-timeout 40 -k --silent -i -X POST -H 'Content-Type: application/jose+json' --data '{"protected": "eyJub25jZSI6ICIwMDAyajRsMkFtZTJuTkcyQWRoMDlDcVk4c24zOVBVY1FhWlBYdzdmR3B2MERURSIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNTQ2Nzc0MDMiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzMyOTY3NzkwMDcveFZkRm9RIn0", "payload": "eyJrZXlBdXRob3JpemF0aW9uIjogInE4UE9DY1VtNU9lNkhxV25idW9kZjIxOWlUSHdBeU5qcWVVWVFfeU1uSmcuMnZGN0poaHFra3g1M3JEOVY0UnFfOWw1WHJOaVdHa1Jaa3VXZ3VmQ0tkcyJ9", "signature": "bzya50q7q-AHHMEm-c1rR8qWuW5CgVJcZ6xAIsKgOqp_ZXici5N-PypcuI8ijB26Tmc-k3VRD9JChzPe6zE0j6g93IB_BQtWb9PaRJ-ymDvEbn2ySrZyCRryScSgAdBcW5KqYRE-d2Z8f6hOA3ETUSOlivWlr9i2Ij-9d3LQciY_qrBzo8oSRIx6n-SMjLmWC9xCwhgsjwM0_8kHUwZ1PVWS5klzLDGtPt1_DduhPAABCPloew5rBbwFn6xIG9uAiaPJkd9CuBh4SU4rWE-TOLpW6DtmR5Ro7BAJtRrvpRVvK4tLFdzdVOlRAM5WYuAmGrQ04SK9c7wSG8pALFSrMA4KiT7pPXdmCK2YWT1ZczkXMCKvic2AiBniWPK24uqhE_QwReWSxlVDzSi7PcJywPHoCDRDo-Qs7wTHBOBvYWDGbDMAqDV4kBk64ElYrSFs3cnN4FvCmwRiLgirYojRofpVcY17Inz7aAwwUH1Ei6E6zB66iNx3e2e6o65vfoxFU9X_5w5I3ccLAgrX6jQkvZPbql_SOYDkrAY0MRfmS2bUZMSGldym1YZ2bqdUKb20O0zm5zkOqlb9tz9YPhcmEBfyNtcek2G61tnrVJHyxPEFGARkzAsNWzAGNx1zPLvVidOVdChqU32p7E4xNb52VtcA1lcn9mosdZoMtuPrcig"}' https://acme-v02.api.letsencrypt.org/acme/chall-v3/3296779007/xVdFoQ
+ RESPONSE='HTTP/2 400
server: nginx
date: Wed, 11 Mar 2020 12:30:37 GMT
content-type: application/problem+json
content-length: 144
boulder-requester: 54677403
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
replay-nonce: 00012f3nYsRwLAohRL0yPvaOpdmBppTv6A-7fmTjzqhDHBM

{
"type": "urn:ietf

arams:acme:error:malformed",
"detail": "Unable to update challenge :: authorization must be pending",
"status": 400
}'

Other posts at letsencrypt community suggested to upgrade certbot or python acme client, but directadmins latest letsencypt.sh is the only thing installed:
Latest version of Let's Encrypt client: 1.1.40
Installed version of Let's Encrypt client: 1.1.40

Anyone an idea what could be the issue?

smtalk · Mar 11, 2020

Try https://letsdebug.net for the affected domain name.

WizardX · Mar 11, 2020

All OK!
OK
No issues were found with deepmedia.nl. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

WizardX · Mar 11, 2020

@smtalk, Might it help if I send you the complete debug log?

smtalk · Mar 11, 2020

Check DNSSEC validator, if everything is fine there - there might be connectivity issues from Let’s Encrypt servers to your server, as they’re unable to verify the challenge.

zEitEr · Mar 13, 2020

The script /usr/local/directadmin/scripts/letsencrypt.sh removes challenge token too soon?

Code:

trap "rm -f \"${WELLKNOWN_PATH}/${CHALLENGE_TOKEN}\"; exit" INT TERM EXIT

see

Code:

52.15.254.228 - - [14/Mar/2020:06:05:23 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.222.229.130 - - [14/Mar/2020:06:05:24 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.194.58.132 - - [14/Mar/2020:06:05:26 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.209.232.166 - - [14/Mar/2020:06:05:26 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [14/Mar/2020:06:05:27 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [14/Mar/2020:06:05:27 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [14/Mar/2020:06:05:27 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.15.254.228 - - [14/Mar/2020:06:05:27 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.209.232.166 - - [14/Mar/2020:06:05:28 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.222.229.130 - - [14/Mar/2020:06:05:29 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.14.255.131 - - [14/Mar/2020:06:05:30 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.15.254.228 - - [14/Mar/2020:06:05:30 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [14/Mar/2020:06:05:31 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.28.236.88 - - [14/Mar/2020:06:05:31 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [14/Mar/2020:06:05:32 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.15.254.228 - - [14/Mar/2020:06:05:32 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.209.232.166 - - [14/Mar/2020:06:05:32 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [14/Mar/2020:06:05:34 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.15.254.228 - - [14/Mar/2020:06:05:34 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.222.229.130 - - [14/Mar/2020:06:05:35 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.209.232.166 - - [14/Mar/2020:06:05:36 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.15.254.228 - - [14/Mar/2020:06:05:37 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.15.254.228 - - [14/Mar/2020:06:05:38 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [14/Mar/2020:06:05:38 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.222.229.130 - - [14/Mar/2020:06:05:39 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.14.255.131 - - [14/Mar/2020:06:05:41 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.209.232.166 - - [14/Mar/2020:06:05:41 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
64.78.149.164 - - [14/Mar/2020:06:05:41 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
3.14.255.131 - - [14/Mar/2020:06:05:43 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.209.232.166 - - [14/Mar/2020:06:05:43 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.15.254.228 - - [14/Mar/2020:06:05:45 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.209.232.166 - - [14/Mar/2020:06:05:45 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [14/Mar/2020:06:05:46 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.194.58.132 - - [14/Mar/2020:06:05:46 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [14/Mar/2020:06:05:46 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 200 405 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.28.236.88 - - [14/Mar/2020:06:05:48 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 404 514 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.194.58.132 - - [14/Mar/2020:06:05:55 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 404 514 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.28.236.88 - - [14/Mar/2020:06:05:57 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 404 514 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.194.58.132 - - [14/Mar/2020:06:05:59 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 404 514 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
52.28.236.88 - - [14/Mar/2020:06:06:11 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 404 514 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
18.194.58.132 - - [14/Mar/2020:06:06:13 +0100] "GET /.well-known/acme-challenge/q3PoW3a0ZKPVGIBPvq4LZhN8gb5lcZbXDknJynClHWw HTTP/1.0" 404 514 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

The final 6 lines show HTTP/1.0" 404. It is all within the same call.

Tested with the same results on several servers with different domains.

If I change the line in the script to:

Code:

##trap "rm -f \"${WELLKNOWN_PATH}/${CHALLENGE_TOKEN}\"; exit" INT TERM EXIT

a certificate creates fine.

Kindly advice.

letsencrypt renew fails with error 400 malformed

WizardX

Verified User

smtalk

Administrator

WizardX

Verified User

WizardX

Verified User

smtalk

Administrator

zEitEr

Super Moderator