lego: JWS verification error

After getting certificates for about 45 domains, caddy suddenly stopped and I got this error:

[INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
http: TLS handshake error from 127.0.0.1:59836: EOF
[ERROR][mydomain.com] failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error, url: (attempt 1/3; challenge=tls-alpn-01)
[INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
[ERROR][mydomain.com] failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error, url: (attempt 2/3; challenge=tls-alpn-01)
[INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
[ERROR][mydomain.com] failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error, url: (attempt 3/3; challenge=tls-alpn-01)
[INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
[ERROR][mydomain.com] failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error, url: (attempt 1/3; challenge=http-01)
[INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
[ERROR][mydomain.com] failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error, url: (attempt 2/3; challenge=http-01)
[INFO] [mydomain.com] acme: Obtaining bundled SAN certificate
[ERROR][mydomain.com] failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error, url: (attempt 3/3; challenge=http-01)
http: TLS handshake error from 152.115.135.58:55802: failed to obtain certificate: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: JWS verification error, url:

Happens on all new domains I add.

I’m running caddy 1.0.3.

About this issue

  • State: open
  • Created 5 years ago
  • Reactions: 3
  • Comments: 21 (15 by maintainers)

Most upvoted comments

I experienced the same problem with nginx and creating a new LE account fixed the problem for me as well. Just wondering, is there any reasonable way in lego to catch this kind of error?

I have an idea to improve errors, stay tuned.

Hi! I have found a way to reproduce this error. I have detailed the instructions here, in the context of NixOS, however the same instructions still apply running lego on its own (just change the paths).

It seems to happen when the account ID and the key in the keys folder are mismatched. Let’s Encrypt makes a 1:1 relation with accounts and keys, as their documentation hints, and this can return the error people are seeing.

Would any of the lego devs know why this would happen, seemingly at random? Would lego be able to deal with this situation and correct the account ID automatically?
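The following Go program is an added example, not code from this issue, from lego or from Caddy. It shows why a key/account mismatch yields exactly the error in the report: an ACME server verifies every POST against the key that was registered under the kid in the protected header, never against anything the request carries, so a JWS signed with a different key is rejected as malformed. The kid URL, the nonces, the order payload and the in-memory accountDB are constructed stand-ins for Let's Encrypt's state; the error string mirrors the one in the log but is assembled here by the example itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// JWS uses base64url without padding (RFC 7515).
var b64 = base64.RawURLEncoding

// Protected header of an ACME request to an existing account (RFC 8555 s6.2):
// the account key is referenced by "kid", not embedded as a JWK.
type protectedHeader struct {
	Alg   string `json:"alg"`
	Kid   string `json:"kid"`
	Nonce string `json:"nonce"`
	URL   string `json:"url"`
}

// Flattened JSON serialization, as ACME requires.
type jws struct {
	Protected string `json:"protected"`
	Payload   string `json:"payload"`
	Signature string `json:"signature"`
}

// signES256 builds the client-side JWS over payload with the given key and kid.
func signES256(key *ecdsa.PrivateKey, kid, nonce, url string, payload []byte) (*jws, error) {
	hdr, err := json.Marshal(protectedHeader{Alg: "ES256", Kid: kid, Nonce: nonce, URL: url})
	if err != nil {
		return nil, err
	}
	protected, body := b64.EncodeToString(hdr), b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(protected + "." + body))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, 64) // ES256 signature is raw R||S, each 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return &jws{Protected: protected, Payload: body, Signature: b64.EncodeToString(sig)}, nil
}

// accountDB stands in for the CA's account store: kid -> registered public key.
type accountDB map[string]*ecdsa.PublicKey

var errJWSVerification = errors.New("urn:ietf:params:acme:error:malformed :: JWS verification error")

// verify does what the server does on every POST: parse the protected header,
// fetch the key the kid was registered with, and check the signature with it.
func (db accountDB) verify(j *jws) error {
	hdrBytes, err := b64.DecodeString(j.Protected)
	if err != nil {
		return errJWSVerification
	}
	var hdr protectedHeader
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "ES256" {
		return errJWSVerification
	}
	pub, ok := db[hdr.Kid]
	if !ok {
		return errors.New("urn:ietf:params:acme:error:accountDoesNotExist")
	}
	sig, err := b64.DecodeString(j.Signature)
	if err != nil || len(sig) != 64 {
		return errJWSVerification
	}
	digest := sha256.Sum256([]byte(j.Protected + "." + j.Payload))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return errJWSVerification
	}
	return nil
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Mismatch reproduces the report: the account was registered with one key,
// but the client now signs with a different key stored under the same kid.
// It returns the verifier's result for the matching and the mismatched key.
func Mismatch() (matchedErr, mismatchedErr error) {
	registered, other := newKey(), newKey()
	const kid = "https://acme-v02.api.letsencrypt.org/acme/acct/0" // constructed, not a real account
	db := accountDB{kid: &registered.PublicKey}
	payload := []byte(`{"identifiers":[{"type":"dns","value":"mydomain.com"}]}`) // constructed
	url := "https://acme-v02.api.letsencrypt.org/acme/new-order"
	good, err := signES256(registered, kid, "nonce-1", url, payload)
	if err != nil {
		panic(err)
	}
	bad, err := signES256(other, kid, "nonce-2", url, payload)
	if err != nil {
		panic(err)
	}
	return db.verify(good), db.verify(bad)
}

func main() {
	matched, mismatched := Mismatch()
	fmt.Println("matching key:  ", matched)
	fmt.Println("mismatched key:", mismatched)
}
```

The practical check this implies: a lego account directory is only usable as a pair, the account.json registration URI (the kid) together with the private key it was registered with. Restoring, copying or regenerating one without the other produces this error on every signed request, which is why creating a fresh account (a new kid bound to the current key) makes it go away.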

JWSs are abstracted away – Caddy (and CertMagic) doesn’t touch them at all. The logs would have to be emitted from lego.

Thanks. Do you think lego could also add more logs in relevant parts of the challenge process so that we can see what the actual errors are?

You check the private key in NewJWS and the alg in SignContent.

Maybe it’s related to the algorithms used to create the private key.

Yes. It’s on my test setup which isn’t that important 🙂

Do you have any logs of the JWS that doesn’t validate?

Hello,

I think the error is related to caddy, maybe you are using a corrupted private key.