Cannot use --createDomainKey then --signcsr properly #844

Closed
daohoangson opened this issue May 15, 2017 · 2 comments
@daohoangson

Steps to reproduce

cd /acme.sh
acme.sh --upgrade
acme.sh --staging --createDomainKey --keylength 3072 --domain domain.com
acme.sh --staging --createCSR --domain domain.com --domain www.domain.com

Debug log

acme.sh --debug 2 --staging --signcsr --csr ./domain.com/domain.com.csr -w /var/www/html
[Mon May 15 05:39:47 UTC 2017] Lets find script dir.
[Mon May 15 05:39:47 UTC 2017] _SCRIPT_='/usr/local/bin/acme.sh'
[Mon May 15 05:39:47 UTC 2017] _script='/root/.acme.sh/acme.sh'
[Mon May 15 05:39:47 UTC 2017] _script_home='/root/.acme.sh'
[Mon May 15 05:39:47 UTC 2017] Using default home:/root/.acme.sh
[Mon May 15 05:39:47 UTC 2017] Using config home:/acme.sh
[Mon May 15 05:39:47 UTC 2017] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/Neilpang/acme.sh
v2.6.9
[Mon May 15 05:39:47 UTC 2017] Using config home:/acme.sh
[Mon May 15 05:39:47 UTC 2017] Using stage api:https://acme-staging.api.letsencrypt.org
[Mon May 15 05:39:47 UTC 2017] _csrsubj='domain.com'
[Mon May 15 05:39:47 UTC 2017] _csrsubj='domain.com'
[Mon May 15 05:39:47 UTC 2017] _dnsAltnames='DNS:www.domain.com'
[Mon May 15 05:39:47 UTC 2017] AltNames doesn't contain subject
[Mon May 15 05:39:47 UTC 2017] _csrdomainlist='www.domain.com'
[Mon May 15 05:39:47 UTC 2017] _outcsr='Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (3072 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:www.domain.com
    Signature Algorithm: sha256WithRSAEncryption
'
[Mon May 15 05:39:47 UTC 2017] RSA CSR
[Mon May 15 05:39:47 UTC 2017] Using config home:/acme.sh
[Mon May 15 05:39:47 UTC 2017] DOMAIN_PATH='/acme.sh/domain.com'
[Mon May 15 05:39:47 UTC 2017] Copy csr to: /acme.sh/domain.com/domain.com.csr
cp: './domain.com/domain.com.csr' and '/acme.sh/domain.com/domain.com.csr' are the same file
[Mon May 15 05:39:47 UTC 2017] Using api: https://acme-staging.api.letsencrypt.org
[Mon May 15 05:39:47 UTC 2017] Using config home:/acme.sh
[Mon May 15 05:39:47 UTC 2017] _on_before_issue
[Mon May 15 05:39:47 UTC 2017] '/var/www/html' does not contain 'no'
[Mon May 15 05:39:47 UTC 2017] Le_LocalAddress
[Mon May 15 05:39:47 UTC 2017] Check for domain='domain.com'
[Mon May 15 05:39:47 UTC 2017] _currentRoot='/var/www/html'
[Mon May 15 05:39:47 UTC 2017] Check for domain='www.domain.com'
[Mon May 15 05:39:47 UTC 2017] _currentRoot='/var/www/html'
[Mon May 15 05:39:47 UTC 2017] '/var/www/html' does not contain 'apache'
[Mon May 15 05:39:47 UTC 2017] config file is empty, can not read CA_KEY_HASH
[Mon May 15 05:39:47 UTC 2017] _saved_account_key_hash
[Mon May 15 05:39:47 UTC 2017] Using config home:/acme.sh
[Mon May 15 05:39:47 UTC 2017] Use default length 2048
[Mon May 15 05:39:47 UTC 2017] length='2048'
[Mon May 15 05:39:47 UTC 2017] Using config home:/acme.sh
[Mon May 15 05:39:47 UTC 2017] _createkey for file:/acme.sh/ca/acme-staging.api.letsencrypt.org/account.key
[Mon May 15 05:39:47 UTC 2017] Use length 2048
[Mon May 15 05:39:47 UTC 2017] Using RSA: 2048
[Mon May 15 05:39:47 UTC 2017] RSA key
[Mon May 15 05:39:48 UTC 2017] AGREEMENT
[Mon May 15 05:39:48 UTC 2017] Registering account
[Mon May 15 05:39:48 UTC 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-reg'
[Mon May 15 05:39:48 UTC 2017] payload='{"resource": "new-reg", "agreement": ""}'
[Mon May 15 05:39:48 UTC 2017] Use cached jwk for file: /acme.sh/ca/acme-staging.api.letsencrypt.org/account.key
[Mon May 15 05:39:48 UTC 2017] Get nonce.
[Mon May 15 05:39:48 UTC 2017] GET
[Mon May 15 05:39:48 UTC 2017] url='https://acme-staging.api.letsencrypt.org/directory'
[Mon May 15 05:39:48 UTC 2017] timeout
[Mon May 15 05:39:48 UTC 2017] _CURL='curl -L --silent --dump-header /acme.sh/http.header  --trace-ascii /tmp/tmp.OJKfcO '
[Mon May 15 05:39:49 UTC 2017] ret='0'
[Mon May 15 05:39:49 UTC 2017] _headers='HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 372
Boulder-Request-Id: PITg8kzOTJZ2ftfyif9yfNN4hlzLPGZSkalba8Lj2F8
Replay-Nonce: 9lPFslgLVzAwwvnGabgXkdMUVE3FVMk_opjZoftXRyk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 15 May 2017 05:39:39 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 May 2017 05:39:39 GMT
Connection: keep-alive
'
[Mon May 15 05:39:49 UTC 2017] _CACHED_NONCE='9lPFslgLVzAwwvnGabgXkdMUVE3FVMk_opjZoftXRyk'
[Mon May 15 05:39:49 UTC 2017] nonce='9lPFslgLVzAwwvnGabgXkdMUVE3FVMk_opjZoftXRyk'
[Mon May 15 05:39:49 UTC 2017] POST
[Mon May 15 05:39:49 UTC 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-reg'
[Mon May 15 05:39:49 UTC 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "sEstBg3dZBrSYrs2sIUyPQf65ZTy3hax3RS7vXDthjvhXqBp1W_xo9KIPyztBvt3ISscMkvJ6cvmd8ZRkUMBWoyToKp3WCa7qVRTbwFnIEUogWV8Ed0g4WNahmMcgT4bv6cnLRecMJNFr6SQNljt2RwFrc235DhqqXjfOGHuNFFt6bgiTN8guc11UClmeZdlZssMQAKi1RhnxR2SKwpx2SG2cyRlQwyWnWbKJQG7_dhdYtIJhiXIyc8NxxJsrUp3ybuiSq21M0xoHc3ek5TWBPJJJ4ZORQSgwxMkx1nTvreMFuegrha0ghBiExMZPwE7XBoNY4QgtKz4pzLjEd1RCQ"}}, "protected": "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", "payload": "eyJyZXNvdXJjZSI6ICJuZXctcmVnIiwgImFncmVlbWVudCI6ICIifQ", "signature": "qJgBFPwF71S3WV_ipiT8xgUfz4TZoH3XxjEeXDXYudHlHOk1lyseMzMZmTb2ZvgOsTtsJs5lkDrPtPNTTL7IgTCmLJETeEl1EJabrNL9mgdCwQqOKvL3It-20_G5o1GboIGP8vPPmKSb5sPUbJd60WRqvo9qCHR-jlmWB5RZFdaczL7wkLYkX_uhft0sHiRPMDp2dkoQ_0q5b8nvR64b3arf6HwZ0CPLsSea9p45IWVN6tDku-PlDelfA8iIr1ily6u05yVqFZdLrqjuVR0dy4tTeh-pulhpsJfmubr_s0BwVuKDrfeTwIpgz040-lg_XI77FuQJchZCcGzzA2AdZw"}'
[Mon May 15 05:39:49 UTC 2017] _CURL='curl -L --silent --dump-header /acme.sh/http.header  --trace-ascii /tmp/tmp.DMipdH '
[Mon May 15 05:39:50 UTC 2017] _ret='0'
[Mon May 15 05:39:50 UTC 2017] original='{
  "id": 2251508,
  "key": {
    "kty": "RSA",
    "n": "sEstBg3dZBrSYrs2sIUyPQf65ZTy3hax3RS7vXDthjvhXqBp1W_xo9KIPyztBvt3ISscMkvJ6cvmd8ZRkUMBWoyToKp3WCa7qVRTbwFnIEUogWV8Ed0g4WNahmMcgT4bv6cnLRecMJNFr6SQNljt2RwFrc235DhqqXjfOGHuNFFt6bgiTN8guc11UClmeZdlZssMQAKi1RhnxR2SKwpx2SG2cyRlQwyWnWbKJQG7_dhdYtIJhiXIyc8NxxJsrUp3ybuiSq21M0xoHc3ek5TWBPJJJ4ZORQSgwxMkx1nTvreMFuegrha0ghBiExMZPwE7XBoNY4QgtKz4pzLjEd1RCQ",
    "e": "AQAB"
  },
  "contact": [],
  "initialIp": "14.161.50.198",
  "createdAt": "2017-05-15T05:39:41.223745071Z",
  "Status": "valid"
}'
[Mon May 15 05:39:50 UTC 2017] responseHeaders='HTTP/1.1 100 Continue
Expires: Mon, 15 May 2017 05:39:40 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 201 Created
Server: nginx
Content-Type: application/json
Content-Length: 543
Boulder-Request-Id: 82HPnuZXMX5Y9LCVmKf_N641dM6vbcS-YP_LUteSdSA
Boulder-Requester: 2251508
Link: <https://acme-staging.api.letsencrypt.org/acme/new-authz>;rel="next"
Link: <https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf>;rel="terms-of-service"
Location: https://acme-staging.api.letsencrypt.org/acme/reg/2251508
Replay-Nonce: jCmkxXplmlaNbl_d7N4rA9u_YBRQdw0A8nznkYMhwpg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 15 May 2017 05:39:41 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 May 2017 05:39:41 GMT
Connection: keep-alive
'
[Mon May 15 05:39:50 UTC 2017] response='{"id": 2251508,"key":{"kty":"RSA","n":"sEstBg3dZBrSYrs2sIUyPQf65ZTy3hax3RS7vXDthjvhXqBp1W_xo9KIPyztBvt3ISscMkvJ6cvmd8ZRkUMBWoyToKp3WCa7qVRTbwFnIEUogWV8Ed0g4WNahmMcgT4bv6cnLRecMJNFr6SQNljt2RwFrc235DhqqXjfOGHuNFFt6bgiTN8guc11UClmeZdlZssMQAKi1RhnxR2SKwpx2SG2cyRlQwyWnWbKJQG7_dhdYtIJhiXIyc8NxxJsrUp3ybuiSq21M0xoHc3ek5TWBPJJJ4ZORQSgwxMkx1nTvreMFuegrha0ghBiExMZPwE7XBoNY4QgtKz4pzLjEd1RCQ","e":"AQAB"},"contact":[],"initialIp":"14.161.50.198","createdAt":"2017-05-15T05:39:41.223745071Z","Status":"valid"}'
[Mon May 15 05:39:50 UTC 2017] code='201'
[Mon May 15 05:39:50 UTC 2017] Registered
[Mon May 15 05:39:50 UTC 2017] _accUri='https://acme-staging.api.letsencrypt.org/acme/reg/2251508'
[Mon May 15 05:39:50 UTC 2017] _tos='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
[Mon May 15 05:39:50 UTC 2017] AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
[Mon May 15 05:39:50 UTC 2017] Update tos: https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
[Mon May 15 05:39:50 UTC 2017] url='https://acme-staging.api.letsencrypt.org/acme/reg/2251508'
[Mon May 15 05:39:50 UTC 2017] payload='{"resource": "reg", "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"}'
[Mon May 15 05:39:50 UTC 2017] Use cached jwk for file: /acme.sh/ca/acme-staging.api.letsencrypt.org/account.key
[Mon May 15 05:39:50 UTC 2017] Use _CACHED_NONCE='jCmkxXplmlaNbl_d7N4rA9u_YBRQdw0A8nznkYMhwpg'
[Mon May 15 05:39:50 UTC 2017] nonce='jCmkxXplmlaNbl_d7N4rA9u_YBRQdw0A8nznkYMhwpg'
[Mon May 15 05:39:50 UTC 2017] POST
[Mon May 15 05:39:50 UTC 2017] url='https://acme-staging.api.letsencrypt.org/acme/reg/2251508'
[Mon May 15 05:39:50 UTC 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "sEstBg3dZBrSYrs2sIUyPQf65ZTy3hax3RS7vXDthjvhXqBp1W_xo9KIPyztBvt3ISscMkvJ6cvmd8ZRkUMBWoyToKp3WCa7qVRTbwFnIEUogWV8Ed0g4WNahmMcgT4bv6cnLRecMJNFr6SQNljt2RwFrc235DhqqXjfOGHuNFFt6bgiTN8guc11UClmeZdlZssMQAKi1RhnxR2SKwpx2SG2cyRlQwyWnWbKJQG7_dhdYtIJhiXIyc8NxxJsrUp3ybuiSq21M0xoHc3ek5TWBPJJJ4ZORQSgwxMkx1nTvreMFuegrha0ghBiExMZPwE7XBoNY4QgtKz4pzLjEd1RCQ"}}, "protected": "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", "payload": "eyJyZXNvdXJjZSI6ICJyZWciLCAiYWdyZWVtZW50IjogImh0dHBzOi8vbGV0c2VuY3J5cHQub3JnL2RvY3VtZW50cy9MRS1TQS12MS4xLjEtQXVndXN0LTEtMjAxNi5wZGYifQ", "signature": "W9FEOouMJu7XRc47ywHRQzycVFaMGc2GzD9hwhOOzQ8uDHiT2-5TXceLijl5SDWLEEpDSzuv1vF-OTkiEiwLMqM9QG4iiJN-AAetfOZOWfUXNoYpr5cnUuUGnOcz-JJl_6I0ub70bTRTuFSBZkLZcuojcZUjCz3d1cw53hTqo1owhkB-jlgES2AUxP9AVqSLxrySvfWqZoCLf-FUAx280rWq5YhWwxXPwsyr3gqNtBoXj0x_RNXrB0g-vC2VY6aKOMJJfgL5wsyBoV5o-qhzKVwFNqfHp8z99fvTTdd4BXV8pJ2h_BrYguqY4FVvQ06QLFw0elRtPcZuyouaex0ZWg"}'
[Mon May 15 05:39:50 UTC 2017] _CURL='curl -L --silent --dump-header /acme.sh/http.header  --trace-ascii /tmp/tmp.khKNFn '
[Mon May 15 05:39:52 UTC 2017] _ret='0'
[Mon May 15 05:39:52 UTC 2017] original='{
  "id": 2251508,
  "key": {
    "kty": "RSA",
    "n": "sEstBg3dZBrSYrs2sIUyPQf65ZTy3hax3RS7vXDthjvhXqBp1W_xo9KIPyztBvt3ISscMkvJ6cvmd8ZRkUMBWoyToKp3WCa7qVRTbwFnIEUogWV8Ed0g4WNahmMcgT4bv6cnLRecMJNFr6SQNljt2RwFrc235DhqqXjfOGHuNFFt6bgiTN8guc11UClmeZdlZssMQAKi1RhnxR2SKwpx2SG2cyRlQwyWnWbKJQG7_dhdYtIJhiXIyc8NxxJsrUp3ybuiSq21M0xoHc3ek5TWBPJJJ4ZORQSgwxMkx1nTvreMFuegrha0ghBiExMZPwE7XBoNY4QgtKz4pzLjEd1RCQ",
    "e": "AQAB"
  },
  "contact": [],
  "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
  "initialIp": "14.161.50.198",
  "createdAt": "2017-05-15T05:39:41Z",
  "Status": "valid"
}'
[Mon May 15 05:39:52 UTC 2017] responseHeaders='HTTP/1.1 100 Continue
Expires: Mon, 15 May 2017 05:39:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 202 Accepted
Server: nginx
Content-Type: application/json
Content-Length: 616
Boulder-Request-Id: ATsr6NF6c_jz_pJTawaeyWumv-4YPNp3HMJ1zvySBmY
Boulder-Requester: 2251508
Link: <https://acme-staging.api.letsencrypt.org/acme/new-authz>;rel="next"
Link: <https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf>;rel="terms-of-service"
Replay-Nonce: flXzDyBLTl8uJxfux1fHeq1jmbM39vaP7EYP-N21VgI
Expires: Mon, 15 May 2017 05:39:42 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 15 May 2017 05:39:42 GMT
Connection: keep-alive
'
[Mon May 15 05:39:52 UTC 2017] response='{"id": 2251508,"key":{"kty":"RSA","n":"sEstBg3dZBrSYrs2sIUyPQf65ZTy3hax3RS7vXDthjvhXqBp1W_xo9KIPyztBvt3ISscMkvJ6cvmd8ZRkUMBWoyToKp3WCa7qVRTbwFnIEUogWV8Ed0g4WNahmMcgT4bv6cnLRecMJNFr6SQNljt2RwFrc235DhqqXjfOGHuNFFt6bgiTN8guc11UClmeZdlZssMQAKi1RhnxR2SKwpx2SG2cyRlQwyWnWbKJQG7_dhdYtIJhiXIyc8NxxJsrUp3ybuiSq21M0xoHc3ek5TWBPJJJ4ZORQSgwxMkx1nTvreMFuegrha0ghBiExMZPwE7XBoNY4QgtKz4pzLjEd1RCQ","e":"AQAB"},"contact":[],"agreement":"https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf","initialIp":"14.161.50.198","createdAt":"2017-05-15T05:39:41Z","Status":"valid"}'
[Mon May 15 05:39:52 UTC 2017] code='202'
[Mon May 15 05:39:52 UTC 2017] Update success.
[Mon May 15 05:39:52 UTC 2017] Calc CA_KEY_HASH='qhs+eDOSqIJDsVExBAWC7EXNWG0GQYnpemhrmkFjTBY='
[Mon May 15 05:39:52 UTC 2017] ACCOUNT_THUMBPRINT='g7xjIVomNIM7kST-nUdd89EB2W0RiDx3mK6bOiU53Y4'
[Mon May 15 05:39:52 UTC 2017] Read key length:
[Mon May 15 05:39:52 UTC 2017] Creating domain key
[Mon May 15 05:39:52 UTC 2017] Using config home:/acme.sh
[Mon May 15 05:39:52 UTC 2017] Domain key exists, do you want to overwrite the key?
[Mon May 15 05:39:52 UTC 2017] Add '--force', and try again.
[Mon May 15 05:39:52 UTC 2017] Create domain key error.
[Mon May 15 05:39:52 UTC 2017] pid
[Mon May 15 05:39:52 UTC 2017] No need to restore nginx, skip.
[Mon May 15 05:39:52 UTC 2017] _clearupdns
[Mon May 15 05:39:52 UTC 2017] Dns not added, skip.
[Mon May 15 05:39:52 UTC 2017] _on_issue_err
[Mon May 15 05:39:52 UTC 2017] Please add '--debug' or '--log' to check more details.
[Mon May 15 05:39:52 UTC 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Mon May 15 05:39:52 UTC 2017] Diagnosis versions: 
openssl:openssl
OpenSSL 1.0.2k  26 Jan 2017
apache:
apache doesn't exists.
nc:
OpenBSD netcat (Debian patchlevel 4)
usage: nc [-46DdhklnrStUuvzC] [-i interval] [-P proxy_username] [-p source_port]
	  [-s source_ip_address] [-T ToS] [-w timeout] [-X proxy_protocol]
	  [-x proxy_address[:port]] [hostname] [port[s]]
	Command Summary:
		-4		Use IPv4
		-6		Use IPv6
		-D		Enable the debug socket option
		-d		Detach from stdin
		-h		This help text
		-i secs		Delay interval for lines sent, ports scanned
		-k		Keep inbound sockets open for multiple connects
		-l		Listen mode, for inbound connects
		-n		Suppress name/port resolutions
		-P proxyuser	Username for proxy authentication
		-p port		Specify local port for remote connects
		-q secs		quit after EOF on stdin and delay of secs
		-r		Randomize remote ports
 		-S		Enable the TCP MD5 signature option
		-s addr		Local source address
		-T ToS		Set IP Type of Service
		-C		Send CRLF as line-ending
		-t		Answer TELNET negotiation
		-U		Use UNIX domain socket
		-u		UDP mode
		-v		Verbose
		-w secs		Timeout for connects and final net reads
		-X proto	Proxy protocol: "4", "5" (SOCKS) or "connect"
		-x addr[:port]	Specify proxy address and port
		-z		Zero-I/O mode [used for scanning]
	Port numbers can be individual or ranges: lo-hi [inclusive]

I think there are two different issues in this block of code:

  if [ -f "$CSR_PATH" ] && [ ! -f "$CERT_KEY_PATH" ]; then
    _info "Signing from existing CSR."
  else
    _key=$(_readdomainconf Le_Keylength)
    _debug "Read key length:$_key"
    if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ]; then
      ...
    fi
    ...
  fi
  1. If $CERT_KEY_PATH already exists, we should proceed without generating the domain key again IMO.

  2. --createDomainKey didn't write Le_Keylength into the domain conf, therefore $_key is empty and the test "$_key_length" != "$_key" triggered domain key generation.

If either of the two issues above is fixed, it should work correctly. Currently I have to append Le_Keylength='3072' before calling --signcsr as a workaround.
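
The branch logic described in the report above, reduced to a runnable sketch (an added example, not part of the original post and not acme.sh's own code). The function names, the `.key` and `.conf` file names and the sandbox are assumptions constructed for illustration; `decide_keep_existing` follows suggestion 1, and appending `Le_Keylength` reproduces the reporter's workaround.

```shell
#!/bin/sh
# Added illustration; all function names are hypothetical, not acme.sh internals.

# Print the value of KEY='value' from a conf file; prints nothing if absent.
read_conf() {  # $1=conf file  $2=key
  [ -f "$1" ] || return 0
  sed -n "s/^$2='\(.*\)'\$/\1/p" "$1" | tail -n 1
}

# Mirrors the condition quoted in the issue.
# $1=csr path  $2=key path  $3=conf file  $4=key length wanted for this run
decide_as_reported() {
  if [ -f "$1" ] && [ ! -f "$2" ]; then
    echo "sign-existing-csr"
  else
    _saved=$(read_conf "$3" Le_Keylength)
    if [ ! -f "$2" ] || [ "$4" != "$_saved" ]; then
      echo "create-key"   # with a key on disk this ends in "Domain key exists"
    else
      echo "reuse-key"
    fi
  fi
}

# Suggestion 1 from the issue: a key that is already on disk is never regenerated.
decide_keep_existing() {  # $1=csr path  $2=key path
  if [ -f "$2" ]; then
    echo "reuse-key"
  elif [ -f "$1" ]; then
    echo "sign-existing-csr"
  else
    echo "create-key"
  fi
}

# Constructed sandbox: empty placeholder files in the layout the report describes.
make_sandbox() {
  _d=$(mktemp -d) || return 1
  : > "$_d/domain.com.key"    # left behind by --createDomainKey
  : > "$_d/domain.com.csr"    # left behind by --createCSR
  : > "$_d/domain.com.conf"   # no Le_Keylength recorded, as in the report
  echo "$_d"
}

run_demo() {
  d=$(make_sandbox) || return 1
  csr="$d/domain.com.csr"; key="$d/domain.com.key"; conf="$d/domain.com.conf"
  echo "as reported, conf empty:      $(decide_as_reported "$csr" "$key" "$conf" 3072)"
  echo "keep existing key:            $(decide_keep_existing "$csr" "$key")"
  echo "Le_Keylength='3072'" >> "$conf"   # the reporter's workaround
  echo "as reported, length recorded: $(decide_as_reported "$csr" "$key" "$conf" 3072)"
  rm -rf "$d"
}

run_demo
```
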

@daohoangson daohoangson changed the title Cannot use --signcsr properly Cannot use --createDomainKey then --signcsr properly May 15, 2017
Neilpang pushed a commit that referenced this issue May 15, 2017
@Neilpang

The key length is saved now.
But why do you use --signcsr instead of --issue?

"signcsr" is only used when you have only a CSR, but not the private key.

And the file path should be an absolute path.

Neilpang pushed a commit that referenced this issue May 15, 2017
@daohoangson

Thanks for the quick fix @Neilpang, we were trying to automate acme.sh usage and one of the flows involves --signcsr specifically.
