Acme.sh: Force renewing wildcard-cert doesn't work

Thanks for your report. please upgrade to the latest dev branch, and try again, give me a new log.

export BRANCH=dev
acme.sh --upgrade

Just tried with below result. My domain is replaced with example.org
I have not gone through the procedure I went through when I requested a new wildcard-cert. I have only executed acme.sh with the --renew flag.

root@proxy:/srv/acme.sh# export BRANCH=dev
root@proxy:/srv/acme.sh# ./acme.sh --upgrade
[Wed Mar 14 13:41:02 CET 2018] Installing from online archive.
[Wed Mar 14 13:41:02 CET 2018] Downloading https://github.com/Neilpang/acme.sh/archive/dev.tar.gz
[Wed Mar 14 13:41:03 CET 2018] Extracting dev.tar.gz
[Wed Mar 14 13:41:03 CET 2018] It is recommended to install socat first.
[Wed Mar 14 13:41:03 CET 2018] We use socat for standalone server if you use standalone mode.
[Wed Mar 14 13:41:03 CET 2018] If you don't use standalone mode, just ignore this warning.
[Wed Mar 14 13:41:03 CET 2018] Installing to /srv/acme.sh-certs
[Wed Mar 14 13:41:03 CET 2018] Installed to /srv/acme.sh-certs/acme.sh
[Wed Mar 14 13:41:03 CET 2018] Good, bash is found, so change the shebang to use bash as preferred.
[Wed Mar 14 13:41:03 CET 2018] OK
[Wed Mar 14 13:41:03 CET 2018] Install success!
[Wed Mar 14 13:41:03 CET 2018] Upgrade success!
root@proxy:/srv/acme.sh#
root@proxy:/srv/acme.sh#
root@proxy:/srv/acme.sh#
root@proxy:/srv/acme.sh#
root@proxy:/srv/acme.sh#
root@proxy:/srv/acme.sh#
root@proxy:/srv/acme.sh# ./acme.sh --force --home /srv/acme.sh-certs --renew --dns -d example.org -d *.example.org --debug
[Wed Mar 14 13:41:11 CET 2018] Lets find script dir.
[Wed Mar 14 13:41:11 CET 2018] _SCRIPT_='./acme.sh'
[Wed Mar 14 13:41:11 CET 2018] _script='/srv/acme.sh/acme.sh'
[Wed Mar 14 13:41:11 CET 2018] _script_home='/srv/acme.sh'
[Wed Mar 14 13:41:11 CET 2018] Using config home:/srv/acme.sh-certs
https://github.com/Neilpang/acme.sh
v2.7.7
[Wed Mar 14 13:41:11 CET 2018] Using config home:/srv/acme.sh-certs
[Wed Mar 14 13:41:11 CET 2018] DOMAIN_PATH='/srv/acme.sh-certs/example.org'
[Wed Mar 14 13:41:11 CET 2018] Renew: 'example.org'
[Wed Mar 14 13:41:11 CET 2018] Using config home:/srv/acme.sh-certs
[Wed Mar 14 13:41:11 CET 2018] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Wed Mar 14 13:41:11 CET 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Wed Mar 14 13:41:11 CET 2018] GET
[Wed Mar 14 13:41:11 CET 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Wed Mar 14 13:41:11 CET 2018] timeout=
[Wed Mar 14 13:41:11 CET 2018] _CURL='curl -L --silent --dump-header /srv/acme.sh-certs/http.header -g '
[Wed Mar 14 13:41:11 CET 2018] ret='0'
[Wed Mar 14 13:41:11 CET 2018] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Wed Mar 14 13:41:11 CET 2018] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Wed Mar 14 13:41:11 CET 2018] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Wed Mar 14 13:41:11 CET 2018] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Wed Mar 14 13:41:11 CET 2018] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Wed Mar 14 13:41:11 CET 2018] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Wed Mar 14 13:41:11 CET 2018] ACME_NEW_NONCE
[Wed Mar 14 13:41:11 CET 2018] ACME_VERSION='2'
[Wed Mar 14 13:41:11 CET 2018] Le_NextRenewTime='1526115960'
[Wed Mar 14 13:41:12 CET 2018] _on_before_issue
[Wed Mar 14 13:41:12 CET 2018] Le_LocalAddress
[Wed Mar 14 13:41:12 CET 2018] Check for domain='example.org'
[Wed Mar 14 13:41:12 CET 2018] _currentRoot='/usr/share/nginx/challenges'
[Wed Mar 14 13:41:12 CET 2018] Check for domain='www.example.org'
[Wed Mar 14 13:41:12 CET 2018] _currentRoot='/usr/share/nginx/challenges'
[Wed Mar 14 13:41:12 CET 2018] _saved_account_key_hash is not changed, skip register account.
[Wed Mar 14 13:41:12 CET 2018] Read key length:
[Wed Mar 14 13:41:12 CET 2018] _createcsr
[Wed Mar 14 13:41:12 CET 2018] Multi domain='DNS:example.org,DNS:www.example.org'
[Wed Mar 14 13:41:12 CET 2018] Getting domain auth token for each domain
[Wed Mar 14 13:41:12 CET 2018] url='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Wed Mar 14 13:41:12 CET 2018] payload='{"identifiers": [{"type":"dns","value":"example.org"},{"type":"dns","value":"www.example.org"}]}'
[Wed Mar 14 13:41:12 CET 2018] RSA key
[Wed Mar 14 13:41:12 CET 2018] GET
[Wed Mar 14 13:41:12 CET 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Wed Mar 14 13:41:12 CET 2018] timeout=
[Wed Mar 14 13:41:12 CET 2018] _CURL='curl -L --silent --dump-header /srv/acme.sh-certs/http.header -g '
[Wed Mar 14 13:41:12 CET 2018] ret='0'
[Wed Mar 14 13:41:12 CET 2018] POST
[Wed Mar 14 13:41:12 CET 2018] _post_url='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Wed Mar 14 13:41:12 CET 2018] _CURL='curl -L --silent --dump-header /srv/acme.sh-certs/http.header -g -H "Content-Type: application/jose+json" '
[Wed Mar 14 13:41:23 CET 2018] _ret='0'
[Wed Mar 14 13:41:23 CET 2018] code='400'
[Wed Mar 14 13:41:23 CET 2018] Le_OrderFinalize
[Wed Mar 14 13:41:23 CET 2018] Create new order error. Le_OrderFinalize not found. {"type":"urn:acme:error:malformed","detail":"No JWK in JWS header","status": 400}
[Wed Mar 14 13:41:23 CET 2018] pid
[Wed Mar 14 13:41:23 CET 2018] No need to restore nginx, skip.
[Wed Mar 14 13:41:23 CET 2018] _clearupdns
[Wed Mar 14 13:41:23 CET 2018] skip dns.
[Wed Mar 14 13:41:23 CET 2018] _on_issue_err
[Wed Mar 14 13:41:23 CET 2018] Please add '--debug' or '--log' to check more details.
[Wed Mar 14 13:41:23 CET 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Wed Mar 14 13:41:23 CET 2018] socat doesn't exists.
[Wed Mar 14 13:41:23 CET 2018] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.0f 25 May 2017
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.12.2
built by gcc 6.3.0 20170516 (Debian 6.3.0-18)
built with OpenSSL 1.1.0f 25 May 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.12.2/debian/debuild-base/nginx-1.12.2=. -specs=/usr/share/dpkg/no-pie-compile.specs -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-specs=/usr/share/dpkg/no-pie-link.specs -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'
socat:
root@proxy:/srv/acme.sh#

you only need to specify one domain for renew command:

./acme.sh --force --home /srv/acme.sh-certs --renew -d example.org  --debug

try again please.

./acme.sh --force --home /srv/acme.sh-certs --renew --dns -d example.org --debug
<snip>
[Wed Mar 14 13:52:04 CET 2018] Cert success.

That did the trick! Thank you!

It seems like a bug for wildcard domains. I'm examining and fixing.
https://github.com/Neilpang/acme.sh/issues/1360

Actually...this is still sort of an issue. If I issue a wildcard-cert for *.example.org, that cert won't be valid for example.org, so when issuing a wildcard-cert, I need to be able to issue it to both *.example.org and example.org.

Issuing one for *.example.org and example.org gives me a working cert
Renewing both on the same line doesn't work
Renewing just one cert works, but gives me a cert with limited usability

When you renew the cert, -d is just the cert name, acme.sh knows that it contains two domains in the cert: example.org and *.example.org

Yep, you're absolutely right, I'm not sure what the heck I did, but just re-verified, and everything is working perfectly :)

please update to the latest code. If you see the error again, please report to me.
Thanks.

acme.sh --upgrade

$ ./acme.sh --version
https://github.com/Neilpang/acme.sh
v2.7.9

$ ./acme.sh --issue -d home160.com -d .home160.com --dns dns_ali --log --force
[Tue Apr 3 10:07:10 CST 2018] Multi domain='DNS:home160.com,DNS:.home160.com'
[Tue Apr 3 10:07:10 CST 2018] Getting domain auth token for each domain
[Tue Apr 3 10:07:12 CST 2018] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:malformed","detail":"Malformed account ID in KeyID header","status": 400}
[Tue Apr 3 10:07:12 CST 2018] Please check log file for more details: /home/xia/.acme.sh/acme.sh.log

$ ./acme.sh --renew -d home160.com -d .home160.com --dns dns_ali --log --force
[Tue Apr 3 10:07:27 CST 2018] Renew: 'home160.com'
[Tue Apr 3 10:07:28 CST 2018] Multi domain='DNS:home160.com,DNS:.home160.com'
[Tue Apr 3 10:07:29 CST 2018] Getting domain auth token for each domain
[Tue Apr 3 10:07:30 CST 2018] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:malformed","detail":"Malformed account ID in KeyID header","status": 400}
[Tue Apr 3 10:07:30 CST 2018] Please check log file for more details: /home/xia/.acme.sh/acme.sh.log

[Tue Apr 3 10:07:09 CST 2018] _main_domain='home160.com'
[Tue Apr 3 10:07:09 CST 2018] _alt_domains='.home160.com'
[Tue Apr 3 10:07:09 CST 2018] Using config home:/home/xia/.acme.sh
[Tue Apr 3 10:07:09 CST 2018] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue Apr 3 10:07:09 CST 2018] DOMAIN_PATH='/home/xia/.acme.sh/home160.com'
[Tue Apr 3 10:07:09 CST 2018] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Tue Apr 3 10:07:09 CST 2018] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Tue Apr 3 10:07:09 CST 2018] GET
[Tue Apr 3 10:07:09 CST 2018] url='https://acme-v02.api.letsencrypt.org/directory'
[Tue Apr 3 10:07:09 CST 2018] timeout=
[Tue Apr 3 10:07:09 CST 2018] _CURL='curl -L --silent --dump-header /home/xia/.acme.sh/http.header -g '
[Tue Apr 3 10:07:10 CST 2018] ret='0'
[Tue Apr 3 10:07:10 CST 2018] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Tue Apr 3 10:07:10 CST 2018] ACME_NEW_AUTHZ
[Tue Apr 3 10:07:10 CST 2018] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Tue Apr 3 10:07:10 CST 2018] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Tue Apr 3 10:07:10 CST 2018] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Tue Apr 3 10:07:10 CST 2018] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Tue Apr 3 10:07:10 CST 2018] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Tue Apr 3 10:07:10 CST 2018] ACME_VERSION='2'
[Tue Apr 3 10:07:10 CST 2018] Le_NextRenewTime
[Tue Apr 3 10:07:10 CST 2018] _on_before_issue
[Tue Apr 3 10:07:10 CST 2018] _chk_main_domain='home160.com'
[Tue Apr 3 10:07:10 CST 2018] _chk_alt_domains='.home160.com'
[Tue Apr 3 10:07:10 CST 2018] Le_LocalAddress
[Tue Apr 3 10:07:10 CST 2018] d='home160.com'
[Tue Apr 3 10:07:10 CST 2018] Check for domain='home160.com'
[Tue Apr 3 10:07:10 CST 2018] _currentRoot='dns_ali'
[Tue Apr 3 10:07:10 CST 2018] d='.home160.com'
[Tue Apr 3 10:07:10 CST 2018] Check for domain='.home160.com'
[Tue Apr 3 10:07:10 CST 2018] _currentRoot='dns_ali'
[Tue Apr 3 10:07:10 CST 2018] d
[Tue Apr 3 10:07:10 CST 2018] _saved_account_key_hash is not changed, skip register account.
[Tue Apr 3 10:07:10 CST 2018] Read key length:
[Tue Apr 3 10:07:10 CST 2018] _createcsr
[Tue Apr 3 10:07:10 CST 2018] Multi domain='DNS:home160.com,DNS:.home160.com'
[Tue Apr 3 10:07:10 CST 2018] Getting domain auth token for each domain
[Tue Apr 3 10:07:10 CST 2018] d='.home160.com'
[Tue Apr 3 10:07:10 CST 2018] d
[Tue Apr 3 10:07:10 CST 2018] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Tue Apr 3 10:07:10 CST 2018] payload='{"identifiers": [{"type":"dns","value":"home160.com"},{"type":"dns","value":".home160.com"}]}'
[Tue Apr 3 10:07:10 CST 2018] RSA key
[Tue Apr 3 10:07:11 CST 2018] HEAD
[Tue Apr 3 10:07:11 CST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Tue Apr 3 10:07:11 CST 2018] _CURL='curl -L --silent --dump-header /home/xia/.acme.sh/http.header -g '
[Tue Apr 3 10:07:11 CST 2018] _ret='0'
[Tue Apr 3 10:07:11 CST 2018] POST
[Tue Apr 3 10:07:11 CST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Tue Apr 3 10:07:11 CST 2018] _CURL='curl -L --silent --dump-header /home/xia/.acme.sh/http.header -g '
[Tue Apr 3 10:07:12 CST 2018] _ret='0'
[Tue Apr 3 10:07:12 CST 2018] code='400'
[Tue Apr 3 10:07:12 CST 2018] Le_OrderFinalize
[Tue Apr 3 10:07:12 CST 2018] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:malformed","detail":"Malformed account ID in KeyID header","status": 400}
[Tue Apr 3 10:07:12 CST 2018] pid
[Tue Apr 3 10:07:12 CST 2018] No need to restore nginx, skip.
[Tue Apr 3 10:07:12 CST 2018] _clearupdns
[Tue Apr 3 10:07:12 CST 2018] skip dns.
[Tue Apr 3 10:07:12 CST 2018] _on_issue_err
[Tue Apr 3 10:07:12 CST 2018] Please check log file for more details: /home/xia/.acme.sh/acme.sh.log
[Tue Apr 3 10:07:27 CST 2018] Using config home:/home/xia/.acme.sh
[Tue Apr 3 10:07:27 CST 2018] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue Apr 3 10:07:27 CST 2018] DOMAIN_PATH='/home/xia/.acme.sh/home160.com'
[Tue Apr 3 10:07:27 CST 2018] ESC[1;31;32mRenew: 'home160.com'ESC[0m
[Tue Apr 3 10:07:27 CST 2018] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Tue Apr 3 10:07:27 CST 2018] Using config home:/home/xia/.acme.sh
[Tue Apr 3 10:07:27 CST 2018] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue Apr 3 10:07:27 CST 2018] _main_domain='home160.com'
[Tue Apr 3 10:07:27 CST 2018] _alt_domains='.home160.com'
[Tue Apr 3 10:07:27 CST 2018] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Tue Apr 3 10:07:27 CST 2018] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Tue Apr 3 10:07:27 CST 2018] GET
[Tue Apr 3 10:07:27 CST 2018] url='https://acme-v02.api.letsencrypt.org/directory'
[Tue Apr 3 10:07:27 CST 2018] timeout=
[Tue Apr 3 10:07:28 CST 2018] _CURL='curl -L --silent --dump-header /home/xia/.acme.sh/http.header -g '
[Tue Apr 3 10:07:28 CST 2018] ret='0'
[Tue Apr 3 10:07:28 CST 2018] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Tue Apr 3 10:07:28 CST 2018] ACME_NEW_AUTHZ
[Tue Apr 3 10:07:28 CST 2018] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Tue Apr 3 10:07:28 CST 2018] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Tue Apr 3 10:07:28 CST 2018] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Tue Apr 3 10:07:28 CST 2018] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Tue Apr 3 10:07:28 CST 2018] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Tue Apr 3 10:07:28 CST 2018] ACME_VERSION='2'
[Tue Apr 3 10:07:28 CST 2018] Le_NextRenewTime
[Tue Apr 3 10:07:28 CST 2018] _on_before_issue
[Tue Apr 3 10:07:28 CST 2018] _chk_main_domain='home160.com'
[Tue Apr 3 10:07:28 CST 2018] _chk_alt_domains='.home160.com'
[Tue Apr 3 10:07:28 CST 2018] Le_LocalAddress
[Tue Apr 3 10:07:28 CST 2018] d='home160.com'
[Tue Apr 3 10:07:28 CST 2018] Check for domain='home160.com'
[Tue Apr 3 10:07:28 CST 2018] _currentRoot='dns_ali'
[Tue Apr 3 10:07:28 CST 2018] d='.home160.com'
[Tue Apr 3 10:07:28 CST 2018] Check for domain='.home160.com'
[Tue Apr 3 10:07:28 CST 2018] _currentRoot='dns_ali'
[Tue Apr 3 10:07:28 CST 2018] d
[Tue Apr 3 10:07:28 CST 2018] _saved_account_key_hash is not changed, skip register account.
[Tue Apr 3 10:07:28 CST 2018] Read key length:
[Tue Apr 3 10:07:28 CST 2018] _createcsr
[Tue Apr 3 10:07:28 CST 2018] Multi domain='DNS:home160.com,DNS:.home160.com'
[Tue Apr 3 10:07:29 CST 2018] Getting domain auth token for each domain
[Tue Apr 3 10:07:29 CST 2018] d='.home160.com'
[Tue Apr 3 10:07:29 CST 2018] d
[Tue Apr 3 10:07:29 CST 2018] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Tue Apr 3 10:07:29 CST 2018] payload='{"identifiers": [{"type":"dns","value":"home160.com"},{"type":"dns","value":".home160.com"}]}'
[Tue Apr 3 10:07:29 CST 2018] RSA key
[Tue Apr 3 10:07:29 CST 2018] HEAD
[Tue Apr 3 10:07:29 CST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Tue Apr 3 10:07:29 CST 2018] _CURL='curl -L --silent --dump-header /home/xia/.acme.sh/http.header -g '
[Tue Apr 3 10:07:29 CST 2018] _ret='0'
[Tue Apr 3 10:07:29 CST 2018] POST
[Tue Apr 3 10:07:29 CST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Tue Apr 3 10:07:29 CST 2018] _CURL='curl -L --silent --dump-header /home/xia/.acme.sh/http.header -g '
[Tue Apr 3 10:07:30 CST 2018] _ret='0'
[Tue Apr 3 10:07:30 CST 2018] code='400'
[Tue Apr 3 10:07:30 CST 2018] Le_OrderFinalize
[Tue Apr 3 10:07:30 CST 2018] Create new order error. Le_OrderFinalize not found. {"type":"urn:ietf:params:acme:error:malformed","detail":"Malformed account ID in KeyID header","status": 400}
[Tue Apr 3 10:07:30 CST 2018] pid

OpenSSL> version
OpenSSL 1.0.2k-fips 26 Jan 2017

@xiagw aren't you missing a wildcard?

Hello,
I'm trying to force a renewal of an issued certificate using the following syntax:
./acme.sh -r -d *.mydomain.com --force --debug --dns

the verification part seems to be ok (DNS verification against OVH) but at the end i receive the following error:
...
[Wed May 2 16:22:40 CEST 2018] Verify finished, start to sign.
[Wed May 2 16:22:40 CEST 2018] i='2'
[Wed May 2 16:22:40 CEST 2018] j='10'
[Wed May 2 16:22:40 CEST 2018] url='https://acme-v02.api.letsencrypt.org/acme/finalize/31263463/4191986'
[Wed May 2 16:22:40 CEST 2018] payload='{"csr": "MIIBlTCB_wIBADAbMRkwFwYDVQQDDBAqLmlvdGtvbm5lY3QuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClWrWeCRmgh-Wl1TbGTt_6Wx45qN-iL7XA9PNQsx64n7Xqwi0-5D8VL_NzMzZFhX3VMPmkd1eFp_jUWb4pJma0FQ1uqDVuF76EIhK6edTraXJ3JFjpBPmeS46t2iLSbDVWs-XKF39fr0dCi_DA1zUvDvJPCHHQf6YeOaAZPUihtQIDAQABoDswOQYJKoZIhvcNAQkOMSwwKjALBgNVHQ8EBAMCBeAwGwYDVR0RBBQwEoIQKi5pb3Rrb25uZWN0LmNvbTANBgkqhkiG9w0BAQsFAAOBgQAXy8C2P3v4l5DH7-4Z1Auo0fyfYssvE2AHGIAjnJWzmhznqpKUXFre0daGl6NhNchYBCmmokPkxPj7WQf3UqK9bNFITomj05u0CCosH5ZS1sIkEn5EmbR5UUk5ZetBRQuE5LOhpQlN9-JCYRevcq8bnCWS1w_CMjXSr1EVtPhHsw"}'
[Wed May 2 16:22:40 CEST 2018] POST
[Wed May 2 16:22:40 CEST 2018] _post_url='https://acme-v02.api.letsencrypt.org/acme/finalize/31263463/4191986'
[Wed May 2 16:22:40 CEST 2018] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Wed May 2 16:22:41 CEST 2018] _ret='0'
[Wed May 2 16:22:41 CEST 2018] code='400'
[Wed May 2 16:22:41 CEST 2018] Sign failed, code is not 200.
[Wed May 2 16:22:41 CEST 2018] {"type":"urn:ietf:params:acme:error:malformed","detail":"Error finalizing order :: invalid public key in CSR: key too small: 1024","status": 400}
[Wed May 2 16:22:41 CEST 2018] _on_issue_err
[Wed May 2 16:22:41 CEST 2018] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Wed May 2 16:22:41 CEST 2018] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2k-fips 26 Jan 2017
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org

What's wrong?
Thanks!

The weirdest thing is: I tried to issue the very same command for another wilcard certificate on the very same machine and it worked without a single issue.
Any hints?