SOLVED [CPANEL-29596] Let's Encrypt - 400 Bad Request

[cPanelMichael]

Hello Everyone,

Following Let's Encrypt CDN update (New CDN for the Production API), we have received a number of reports regarding 400 Bad Request errors (visible in WHM >> Home >> SSL/TLS >> Manage AutoSSL) on cPanel & WHM servers using the Let's Encrypt plugin. This is blocking the successful installation of new SSL certificates on affected systems. We are currently tracking these reports as part of internal case CPANEL-29596.

To ensure SSL certificates continue to issue successfully, the temporary workaround is to switch from Let's Encrypt to cPanel (Powered by Sectigo) via the "Providers" tab in WHM >> Manage AutoSSL:

Manage AutoSSL - Version 82 Documentation - cPanel Documentation

documentation.cpanel.net

We'll update this thread with more information as it becomes available.

Thank you.

 

[cPanelNick]

We have identified the incompatibility with Let's Encrypt's new CDN and we are working on publishing an update to resolve the issue.

 

[cPanelNick]

We have published cpanel-letsencrypt-2.26 which resolves the incompatibility with Let's Encrypt's new CDN.

The update should be automatically installed tonight. Do force an update right away and enter the following commands on the command line (How to Access the Command Line - cPanel Knowledge Base - cPanel Documentation)

yum clean all
yum update cpanel-letsencrypt

 

[ciao70]

Hello,

This morning the certificate on our server was not renewed due to this error.

5:34:46 PM WARN “Let’s Encrypt™” DCV error (................): The ACME function “[URL]https://acme-v01.api.letsencrypt.org/acme/new-authz”[/URL] indicated an error: “<html> <head><title>400 Bad Request</title></head> <body> <center><h1>400 Bad Request</h1></center> <hr><center>nginx</center> </body> </html> ” (400, “Bad Request”, ).


WARN “Let’s Encrypt™” DCV error (................): Cpanel::Exception::ACME::Protocol/(XID .....) The ACME function “[URL]https://acme-v01.api.letsencrypt.org/acme/new-authz”[/URL] indicated an error: “<html> <head><title>400 Bad Request</title></head> <body> <center><h1>400 Bad Request</h1></center> <hr><center>nginx</center> </body> </html> ” (400, “Bad Request”, ).

The Apache server


How can we solve this problem?

I found this report on the support forum letsencrypt

ACME v1 endpoints giving 400?

Hello, We’re suddenly seeing a number of HTTP 400 errors on new-reg requests to the v1 API. Request body (pre-JWS): {"resource":"new-reg"} Response headers (400 Bad Request): Date: Tue, 24 Sep 2019 13:44:29 GMT Server: nginx Connection: close Content-length: 150 Content-type: text/html...

community.letsencrypt.org

Thanks

 

[ciao70]

this problem was born after the CDN change of Let’s Encrypt

New CDN for the Production API

Today we have transitioned to a new CDN for the Production API. The change should already be visible worldwide. We expect that this change will not affect any client software. We had previously made this transition for the Staging API: New CDN for the Staging API With the new CDN, we have the...

community.letsencrypt.org

 

[hjolli]

that explains a lot, been struggling with certificates for 3 hours now. started from scratch several time. Have now installed self signed. Errors I get are very similar (repliced the site with "website" in the error log below:

any solution in sight?

 6:01:29 PM AutoSSL’s configured provider is “Let’s Encrypt™”.
 Checking websites for “u1900902a” …
 6:01:29 PM Analyzing “website" …
 6:01:29 PM User-excluded domains: 4 (mail.website webmail.website.hi.is, cpanel.website.hi.is, webdisk.website.hi.is)
 ERROR TLS Status: Defective
 Certificate expiry: 9/23/20, 5:29 PM UTC (364.98 days from now)
 ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:18:DEPTH_ZERO_SELF_SIGNED_CERT).
 6:01:29 PM Performing DCV (Domain Control Validation) …
 6:01:29 PM Redirection #1 (website): [URL]http://website/.well-known/acme-challenge/AQAX1116H6NKJQAC3XHSIV3NORQIZYT-[/URL] → [URL]https://website/.well-known/acme-challenge/AQAX1116H6NKJQAC3XHSIV3NORQIZYT-[/URL]
 Local HTTP DCV OK: website
 Redirection #1 ([URL="http://www.website"]www.website[/URL]): [URL]http://www.website/.well-known/acme-challenge/QZGVU4TJ97AGYX0A8V_9K4G7IPQJ3-SB[/URL] → [URL]https://www.website/.well-known/acme-challenge/QZGVU4TJ97AGYX0A8V_9K4G7IPQJ3-SB[/URL]
 Local HTTP DCV OK: [URL="http://www.website"]www.website[/URL]
 6:01:29 PM Analyzing “website”’s DCV results …
 6:01:29 PM No CAA record added because there is no CAA record from another provider in the DNS for website.
 6:01:32 PM WARN “Let’s Encrypt™” DCV error (website): The ACME function “[URL]https://acme-v01.api.letsencrypt.org/acme/new-authz”[/URL] indicated an error: “<html> <head><title>400 Bad Request</title></head> <body> <center><h1>400 Bad Request</h1></center> <hr><center>nginx</center> </body> </html> ” (400, “Bad Request”, ).
 WARN “Let’s Encrypt™” DCV error (website): Cpanel::Exception::ACME::Protocol/(XID y9repz) The ACME function “[URL]https://acme-v01.api.letsencrypt.org/acme/new-authz”[/URL] indicated an error: “<html> <head><title>400 Bad Request</title></head> <body> <center><h1>400 Bad Request</h1></center> <hr><center>nginx</center> </body> </html> ” (400, “Bad Request”, ).
 WARN “Let’s Encrypt™” DCV error ([URL="http://www.website"]www.website[/URL]): The ACME function “[URL]https://acme-v01.api.letsencrypt.org/acme/new-authz”[/URL] indicated an error: “<html> <head><title>400 Bad Request</title></head> <body> <center><h1>400 Bad Request</h1></center> <hr><center>nginx</center> </body> </html> ” (400, “Bad Request”, ).
 WARN “Let’s Encrypt™” DCV error ([URL="http://www.website"]www.website[/URL]): Cpanel::Exception::ACME::Protocol/(XID bvg26z) The ACME function “[URL]https://acme-v01.api.letsencrypt.org/acme/new-authz”[/URL] indicated an error: “<html> <head><title>400 Bad Request</title></head> <body> <center><h1>400 Bad Request</h1></center> <hr><center>nginx</center> </body> </html> ” (400, “Bad Request”, ).
 ERROR Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
 6:01:32 PM The system has completed the AutoSSL check for “u1900902a”.

 

[vacancy]

Try.

yum clean all
yum update cpanel-letsencrypt

 

[hjolli]

Thank you very very much and the solution was the obvious one. Worked like a charm.

What I had already done was to install a wildcard certificate from globalsign (which though does not work for www in front of the domain name, that's why I wanted letsncrypt)

What I had to do was

1. yum clean all
2. yum update cpanel-letsencrypt
3. remove the globalsign certificate
4. run the auto ssl again

thanks again for a super quick reply.

 

[ciao70]

Solved

Thanks

 

[LuizScott]

yum clean all
yum update cpanel-letsencrypt

Thank you. Worked!!!