Lego: JWS verification error

Created on 7 Nov 2019 · 19 Comments · Source: go-acme/lego

After getting certificates for about 45 domains, caddy suddenly stopped and I got this error:

[INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
http: TLS handshake error from 127.0.0.1:59836: EOF
[ERROR][mydomain.com] failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error, url: (attempt 1/3; challenge=tls-alpn-01)
[INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
[ERROR][mydomain.com] failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error, url: (attempt 2/3; challenge=tls-alpn-01)
[INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
[ERROR][mydomain.com] failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error, url: (attempt 3/3; challenge=tls-alpn-01)
[INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
[ERROR][mydomain.com] failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error, url: (attempt 1/3; challenge=http-01)
[INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
[ERROR][mydomain.com] failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error, url: (attempt 2/3; challenge=http-01)
[INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
[ERROR][mydomain.com] failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error, url: (attempt 3/3; challenge=http-01)
http: TLS handshake error from 152.115.135.58:55802: failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error, url:

Happens on all new domains I add.

I'm running caddy 1.0.3.

arelib enhancement

Most helpful comment

I experienced the same problem with nginx and creating a new LE account fixed the problem for me as well. Just wondering, is there any reasonable way in lego to catch this kind of error?

All 19 comments

Hello,

I think the error is related to caddy, maybe you are using a corrupted private key.

Interesting, I haven't considered that possibility.

@ldez Is there any way for lego to check if a key is corrupted before trying to use it? For example, parse or validate it?

If the key is replaced, is there way to update an account's key with lego yet?

@ldez The private key and its associated reg resource is confirmed to be valid: https://caddy.community/t/acme-auto-ssl-suddenly-stopped-working/6147/31?u=matt

So there is still something afoot... let me know how you want to go about pinpointing this.

Do you have any logs of the JWS that doesn't validate?

I've pasted all the logs at the top. I don't have anything else regarding the error.

Unfortunately the logs at the top don't contain the JWS object. Perhaps @mholt knows if it's possible to have Caddy log the JWS with a config change or whether it would require changes in Caddy or Lego's code to achieve.

JWSs are abstracted away -- Caddy (and CertMagic) doesn't touch them at all. The logs would have to be emitted from lego.

@mxrlkn Can you keep your account key and metadata handy so that this can continue to be debugged while you use another one in the meantime?

This is interesting, since it's not exactly kosher to share your private key to have others debug it... 😅 thanks for your patience.

@ldez where do you recommend adding logs for this?

Yes. It's on my test setup which isn't that important 🙂

You check the private key in NewJWS and the alg in SignContent.

Maybe it's related to the algorithms used to create the private key.

Thanks. Do you think lego could also add more logs in relevant parts of the challenge process so that we can see what the actual errors are?

For now, and related to the logger behavior, it will be far too verbose and precise to have a real interest for the majority of users.

It's too verbose to emit logs when there are errors?

Sorry, misread; no problem to log the errors.

In this case, I think we already log the error, and putting the private key in the logs seems unsafe.

I don't know what the safe way is to get more information in this case.

I have an idea to improve errors, stay tuned.

putting the private key in the logs seems unsafe.

To start with I think the JWS and the account public key needed to verify the JWS would be sufficient.

We ran into the same issue with using Caddy 1.0.4. When we requested a new LetsEncrypt account, certification requests went through again.

Experienced the same thing using Caddy 1.0.4, too. Switched to a new LetsEncrypt user and it worked again.

I experienced the same problem with nginx and creating a new LE account fixed the problem for me as well. Just wondering, is there any reasonable way in lego to catch this kind of error?
