Skip to content

Initial cert request for labCA Nginx #222

Open
Open
Initial cert request for labCA Nginx#222
@mahescho

Description

@mahescho
mahescho
opened on Mar 1, 2026

I followed the setup instructions. Every things works but the first ACME request of the labCA Nginx before lat restart:

Sun Mar 1 14:41:33 UTC 2026
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for ca.mt.lan
An unexpected error occurred:
Error finalizing order

bolder log:

boulder-1  | 2026-03-01T14:38:12.785734+00:00Z sfe[322]: 6 sfe ZtKhNA Debug server listening on :8015
boulder-1  | 2026-03-01T14:38:12.785858+00:00Z sfe[322]: 6 sfe ot_3Cw Versions: sfe=(v0.20251216.0 +f3e973a9 Sat Dec 27 16:13:24 UTC 2025) Golang=(go1.25.5) BuildHost=(labca-v25.12)
boulder-1  | 2026-03-01T14:38:12.787761+00:00Z sfe[322]: 6 sfe Gk0Gqw Server running, listening on 0.0.0.0:4003....
boulder-1  | 2026-03-01T14:38:12.990205+00:00Z boulder-wfe2[334]: 6 boulder-wfe2 U3fC3Q Debug server listening on :8013
boulder-1  | 2026-03-01T14:38:12.990366+00:00Z boulder-wfe2[334]: 6 boulder-wfe2 hTS3jw Versions: boulder-wfe2=(v0.20251216.0 +f3e973a9 Sat Dec 27 16:13:24 UTC 2025) Golang=(go1.25.5) BuildHost=(labca-v25.12)
boulder-1  | 2026-03-01T14:38:13.002847+00:00Z boulder-wfe2[334]: 6 boulder-wfe2 DOg8LQ loading identifier policy, sha256: 550a8b440aa2d94ec971e0e158a3f17077e1f4268463b7beac28cd0acdb29f40
boulder-1  | 2026-03-01T14:38:13.003349+00:00Z boulder-wfe2[334]: 6 boulder-wfe2 7351yQ Server running, listening on :4001....
boulder-1  | 2026-03-01T14:38:13.004265+00:00Z boulder-wfe2[334]: 6 boulder-wfe2 BMBqTQ TLS server listening on :4431
boulder-1  | 2026-03-01T14:41:33.445609+00:00Z boulder-wfe2[334]: 6 boulder-wfe2 Mm4QqQ POST /acme/new-order 1 400 21 0.0.0.0 JSON={"InternalErrors":["JWS has a nonce whose prefix matches no nonce service: \"Zy_ps6C1rj9YA2LvaWK1ZROHw8-FKoVTHM3LL65BRTaZwPSBVOs\""],"Error":"400 :: badNonce :: JWS has an invalid anti-replay nonce","ua":"CertbotACMEClient/5.2.2 (certbot; Ubuntu 24.04.3 LTS) Authenticator/webroot Installer/None (certonly; flags: n) Py/3.10.19"}
boulder-1  | 2026-03-01T14:41:33.526909+00:00Z boulder-wfe2[334]: 6 boulder-wfe2 Km9Rgw POST /acme/new-order 1 201 74 0.0.0.0 JSON={"ua":"CertbotACMEClient/5.2.2 (certbot; Ubuntu 24.04.3 LTS) Authenticator/webroot Installer/None (certonly; flags: n) Py/3.10.19","Created":"4","Identifiers":[{"type":"dns","value":"ca.mt.lan"}]}
boulder-1  | 2026-03-01T14:41:33.539319+00:00Z boulder-wfe2[334]: 6 boulder-wfe2 Mr5T5g POST /acme/authz/ 1 200 9 0.0.0.0 JSON={"Slug":"1/3","ua":"CertbotACMEClient/5.2.2 (certbot; Ubuntu 24.04.3 LTS) Authenticator/webroot Installer/None (certonly; flags: n) Py/3.10.19","Status":"valid","Identifiers":[{"type":"dns","value":"ca.mt.lan"}]}
boulder-1  | 2026-03-01T14:41:33.546442+00:00Z boulder-ra[312]: 6 boulder-ra dSRIcw FinalizationCaaCheck JSON={"Requester":1,"Reused":1}
boulder-1  | 2026-03-01T14:41:34.085426+00:00Z boulder-ca[282]: 3 boulder-ca VGohyw [AUDIT] Preparing precert failed: serial=[6e2ccb7108a3d0b0e9b9799ef972bf79b227] err=[tbsCertificate linting failed: failed lint(s): e_pkimetal_lint_cabf_serverauth_cert (got 1 lint findings from pkimetal API: fatal from pkimetal:pkilint:_write_|1:_broken_pipe: pkilint: write |1: broken pipe)]
boulder-1  | 2026-03-01T14:41:34.116423+00:00Z boulder-ra[312]: 6 boulder-ra CVLCJw [AUDIT] Certificate request - error JSON={"ID":"CahMDkGXng604AYWm2nMG0Iu0etRxTb8X87jaR1qtA0","Requester":1,"OrderID":4,"VerifiedFields":["subject.commonName","subjectAltName"],"NotBefore":"0001-01-01T00:00:00Z","NotAfter":"0001-01-01T00:00:00Z","RequestTime":"2026-03-01T14:41:33.543828155Z","ResponseTime":"2026-03-01T14:41:34.116211947Z","Error":"rpc error: code = Unknown desc = failed to prepare precertificate signing: tbsCertificate linting failed: failed lint(s): e_pkimetal_lint_cabf_serverauth_cert (got 1 lint findings from pkimetal API: fatal from pkimetal:pkilint:_write_|1:_broken_pipe: pkilint: write |1: broken pipe)","Authorizations":{"ca.mt.lan":{"ID":"3","ChallengeType":"http-01"}},"PreviousCertificateIssued":"0001-01-01T00:00:00Z","UserAgent":"CertbotACMEClient/5.2.2 (certbot; Ubuntu 24.04.3 LTS) Authenticator/webroot Installer/None (certonly; flags: n) Py/3.10.19"}
boulder-1  | 2026-03-01T14:41:34.116890+00:00Z boulder-wfe2[334]: 6 boulder-wfe2 nAYOzQ POST /acme/finalize/ 1 500 574 0.0.0.0 JSON={"Slug":"1/4","InternalErrors":["rpc error: code = Unknown desc = failed to prepare precertificate signing: tbsCertificate linting failed: failed lint(s): e_pkimetal_lint_cabf_serverauth_cert (got 1 lint findings from pkimetal API: fatal from pkimetal:pkilint:_write_|1:_broken_pipe: pkilint: write |1: broken pipe)"],"Error":"500 :: serverInternal :: Error finalizing order","ua":"CertbotACMEClient/5.2.2 (certbot; Ubuntu 24.04.3 LTS) Authenticator/webroot Installer/None (certonly; flags: n) Py/3.10.19","Extra":{"KeyType":"RSA 2048"},"Identifiers":[{"type":"dns","value":"ca.mt.lan"}]}

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions