v2 new-order failure internal error (with log)

We get an internal error message while trying to request a new certificate using ACME v2. Do you have any more information on why it failed?

 

{"code":500,"message":"INTERNAL_SERVER_ERROR","details":"HTTP 500 Internal Server Error"}

 

I'm using DNS validation with 2 hostnames. Account creation (new-acct) with an RSA key goes fine.

 

> could you please provide the command line used to obtain a certificate and an excerpt of the logs located in /var/logs/ where the 500 error was reported

 

This is an automated system with no command line, but here's the posted data:

 

/acme-v02/new-order

{
"payload":"ewogICJpZGVudGlmaWVycyI6IFt7CiAgICAidHlwZSI6ICJkbnMiLAogICAgInZhbHVlIjogImRldi5qY2xvdWQubm8iCiAgfSx7CiAgICAidHlwZSI6ICJkbnMiLAogICAgInZhbHVlIjogInd3dy5kZXYuamNsb3VkLm5vIgogIH1dCn0K",
"protected":"eyJub25jZSI6Ik4yWmpNRGt3WVdVdFpXWTVPQzAwWVdVM0xUaGxOVEV0WVRFNFlUbGtaamMxWkdGaSIsImFsZyI6IlJTMjU2Iiwia2lkIjoiaHR0cHM6Ly9hcGkuYnV5cGFzcy5jb20vYWNtZS9hY2N0L19FNVptNDdhUVR4SzlBIiwidXJsIjoiaHR0cHM6Ly9hcGkuYnV5cGFzcy5jb20vYWNtZS12MDIvbmV3LW9yZGVyIn0",
"signature":"qWH__E8qzc3_oPbv-QCn9pnIKGF4RJJNb47lBOPQNPOVk6Qx76aMiyjma_kdfnJ88EmT_yZtCPqBMH_JHULL9JZoOE2v606tFP5daMa-qCUVFijFU826qTFAkJynvGN0oyv7Old5LMLrXoRUkZy7KCc1fxzmFLwxQQlT5ojtdkj-zZqIFzzVe72wC_PAmT_KP8YErWYBy3EYrpAGn7lCXoymIPtqy66fldnbeMuTAq4mWBE9jHJD0eNqlf-QPH1QSXhIo1aJRZAZYL_UIftTkc5Wh1Jl1dQjZK2EnLSeSKi8--MYoXjDPUEusPcQokMf8ETlWsWwoFA33M8lV6gGDA"
}

 

Cheers,
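An added example (not part of the original post and not Buypass code): decoding a flattened ACME JWS body like the one posted above and checking its protected header and new-order payload against RFC 8555 before it is sent. The CA URL, account id, nonce and host names are constructed sample values, and the signature is not verified here.

```python
import base64
import json

SAMPLE_URL = "https://ca.example.test/acme-v02/new-order"  # constructed, not a real CA

def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used in JWS (RFC 7515)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_sample(header: dict, payload: dict) -> str:
    """Build a constructed request body with a dummy signature value."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return json.dumps({"protected": enc(header), "payload": enc(payload), "signature": "c2FtcGxl"})

def inspect_acme_jws(body: str, request_url: str):
    """Return (protected header, payload, problems) for a flattened ACME JWS."""
    jws = json.loads(body)
    missing = [f for f in ("protected", "payload", "signature") if f not in jws]
    if missing:
        return None, None, ["missing JWS fields: " + ", ".join(missing)]
    header = json.loads(b64url_decode(jws["protected"]))
    raw = b64url_decode(jws["payload"])
    payload = json.loads(raw) if raw else None  # empty payload means POST-as-GET
    problems = []
    # RFC 8555 section 6.2: alg, nonce, url and exactly one of jwk / kid.
    for field in ("alg", "nonce", "url"):
        if field not in header:
            problems.append(f"protected header lacks '{field}'")
    if ("jwk" in header) == ("kid" in header):
        problems.append("need exactly one of 'jwk' or 'kid'")
    alg = header.get("alg", "")
    if alg == "none" or alg.startswith("HS"):
        problems.append("alg must be an asymmetric signature algorithm")
    if header.get("url") != request_url:
        problems.append("'url' does not match the request URL")
    # new-order is bound to an existing account and must list identifiers.
    if request_url.endswith("/new-order"):
        if "kid" not in header:
            problems.append("new-order must use 'kid'")
        ids = (payload or {}).get("identifiers") or []
        if not ids or any(not i.get("type") or not i.get("value") for i in ids):
            problems.append("payload needs identifiers with type and value")
    return header, payload, problems

if __name__ == "__main__":
    hdr = {"alg": "RS256", "nonce": "sample-nonce", "url": SAMPLE_URL,
           "kid": "https://ca.example.test/acme/acct/SAMPLE"}
    order = {"identifiers": [{"type": "dns", "value": "host.example.test"},
                             {"type": "dns", "value": "www.host.example.test"}]}
    print(inspect_acme_jws(make_sample(hdr, order), SAMPLE_URL))
```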

  • Hi Jay737

     

    Sorry for late reply.

    An internal timeout happened in our system during CAA resolution, which took considerable time (possibly because of lack of configuration on the domain to be validated).

    We added this to our backlog to be investigated and considered for improvement in the future.

    Analysis here https://dnssec-analyzer.verisignlabs.com/ indicates that there was no response from the nameserver.

     

    Regards,

    Andriy

  • Thanks for your reply.

    The nameservers in question respond to DNS and DNS-TLS requests. The domain doesn't have a DS record in the parent zone, so DNSSEC should not be used. EDNS is not accepted and results in an RFC-compliant FORMERR response.

    The dnssec-analyzer.verisignlabs.com website doesn't seem to be RFC-compliant, so it will fail saying there was no response.


Buypass Official Community

This is the official community of Buypass.  A Root CA located in Norway.