When issuing a certificate fails, the acme certificate config is missing options #939

Closed
mjrider opened this issue Jul 10, 2017 · 11 comments


@mjrider

mjrider commented Jul 10, 2017

Steps to reproduce

/root/.acme.sh/acme.sh --staging --issue --keylength 4096 --webroot /var/www/html/ --domain unresolved.example.org --keypath /etc/ssl/unresolved.example.org/cert.key --fullchainpath /etc/ssl/unresolved.example.org/cert.crt

.acme.sh/unresolved.example.org/unresolved.example.org.conf doesn't contain the installation paths for certificates,

When comparing with a successfully requested certificate, the following fields are missing:
Le_RealCertPath=''
Le_RealCACertPath=''
Le_RealKeyPath='/etc/ssl/unresolved.example.org/cert.key'
Le_ReloadCmd='service apache2 graceful'
Le_RealFullChainPath='/etc/ssl/unresolved.example.org/cert.crt'

While a failed certificate request could be retried by an acme.sh --renew -d, due to the missing settings it doesn't get installed in the right directory,
which cost a few hours of debugging why 1 certificate was not correctly installed, because the cronjob had fixed the failed certificate request with --renew-all.

Debug log

acme.sh  --issue .....   --debug 2
[Mon Jul 10 11:27:24 CEST 2017] Lets find script dir.
[Mon Jul 10 11:27:24 CEST 2017] _SCRIPT_='/root/.acme.sh/acme.sh'
[Mon Jul 10 11:27:24 CEST 2017] _script='/root/.acme.sh/acme.sh'
[Mon Jul 10 11:27:24 CEST 2017] _script_home='/root/.acme.sh'
[Mon Jul 10 11:27:24 CEST 2017] Using config home:/root/.acme.sh
[Mon Jul 10 11:27:24 CEST 2017] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/Neilpang/acme.sh
v2.7.3
[Mon Jul 10 11:27:24 CEST 2017] Using config home:/root/.acme.sh
[Mon Jul 10 11:27:24 CEST 2017] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Mon Jul 10 11:27:24 CEST 2017] _ACME_SERVER_HOST='acme-staging.api.letsencrypt.org'
[Mon Jul 10 11:27:24 CEST 2017] DOMAIN_PATH='/root/.acme.sh/unresolved.example.org'
[Mon Jul 10 11:27:24 CEST 2017] Using ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Mon Jul 10 11:27:24 CEST 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
[Mon Jul 10 11:27:24 CEST 2017] GET
[Mon Jul 10 11:27:24 CEST 2017] url='https://acme-staging.api.letsencrypt.org/directory'
[Mon Jul 10 11:27:24 CEST 2017] timeout
[Mon Jul 10 11:27:24 CEST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.pNfyAmqoRz '
[Mon Jul 10 11:27:24 CEST 2017] ret='0'
[Mon Jul 10 11:27:24 CEST 2017] response='{
  "h9v2h9I0Sxo": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "https://acme-staging.api.letsencrypt.org/acme/key-change",
  "new-authz": "https://acme-staging.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-staging.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-staging.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-staging.api.letsencrypt.org/acme/revoke-cert"
}'
[Mon Jul 10 11:27:24 CEST 2017] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
[Mon Jul 10 11:27:24 CEST 2017] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Mon Jul 10 11:27:24 CEST 2017] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
[Mon Jul 10 11:27:24 CEST 2017] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
[Mon Jul 10 11:27:24 CEST 2017] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
[Mon Jul 10 11:27:24 CEST 2017] _on_before_issue
[Mon Jul 10 11:27:24 CEST 2017] '/var/www/html/' does not contain 'no'
[Mon Jul 10 11:27:24 CEST 2017] Le_LocalAddress
[Mon Jul 10 11:27:24 CEST 2017] Check for domain='unresolved.example.org'
[Mon Jul 10 11:27:24 CEST 2017] _currentRoot='/var/www/html/'
[Mon Jul 10 11:27:24 CEST 2017] '/var/www/html/' does not contain 'apache'
[Mon Jul 10 11:27:24 CEST 2017] _saved_account_key_hash='NWpGoTgSprX1q8d/batICq3oC7FUS0a42E07pQWJy+0='
[Mon Jul 10 11:27:24 CEST 2017] _saved_account_key_hash is not changed, skip register account.
[Mon Jul 10 11:27:24 CEST 2017] Read key length:
[Mon Jul 10 11:27:24 CEST 2017] Creating domain key
[Mon Jul 10 11:27:24 CEST 2017] Using config home:/root/.acme.sh
[Mon Jul 10 11:27:24 CEST 2017] _ACME_SERVER_HOST='acme-staging.api.letsencrypt.org'
[Mon Jul 10 11:27:24 CEST 2017] _createkey for file:/root/.acme.sh/unresolved.example.org/unresolved.example.org.key
[Mon Jul 10 11:27:24 CEST 2017] Use length 4096
[Mon Jul 10 11:27:24 CEST 2017] Using RSA: 4096
[Mon Jul 10 11:27:25 CEST 2017] The domain key is here: /root/.acme.sh/unresolved.example.org/unresolved.example.org.key
[Mon Jul 10 11:27:25 CEST 2017] _createcsr
[Mon Jul 10 11:27:25 CEST 2017] domain='unresolved.example.org'
[Mon Jul 10 11:27:25 CEST 2017] domainlist
[Mon Jul 10 11:27:25 CEST 2017] csrkey='/root/.acme.sh/unresolved.example.org/unresolved.example.org.key'
[Mon Jul 10 11:27:25 CEST 2017] csr='/root/.acme.sh/unresolved.example.org/unresolved.example.org.csr'
[Mon Jul 10 11:27:25 CEST 2017] csrconf='/root/.acme.sh/unresolved.example.org/unresolved.example.org.csr.conf'
[Mon Jul 10 11:27:25 CEST 2017] Single domain='unresolved.example.org'
[Mon Jul 10 11:27:25 CEST 2017] _is_idn_d='unresolved.example.org'
[Mon Jul 10 11:27:25 CEST 2017] _idn_temp
[Mon Jul 10 11:27:25 CEST 2017] _csr_cn='unresolved.example.org'
[Mon Jul 10 11:27:25 CEST 2017] Getting domain auth token for each domain
[Mon Jul 10 11:27:25 CEST 2017] Getting webroot for domain='unresolved.example.org'
[Mon Jul 10 11:27:25 CEST 2017] _w='/var/www/html/'
[Mon Jul 10 11:27:25 CEST 2017] _currentRoot='/var/www/html/'
[Mon Jul 10 11:27:25 CEST 2017] Getting new-authz for domain='unresolved.example.org'
[Mon Jul 10 11:27:25 CEST 2017] _init api for server: https://acme-staging.api.letsencrypt.org/directory
[Mon Jul 10 11:27:25 CEST 2017] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
[Mon Jul 10 11:27:25 CEST 2017] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Mon Jul 10 11:27:25 CEST 2017] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
[Mon Jul 10 11:27:25 CEST 2017] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
[Mon Jul 10 11:27:25 CEST 2017] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
[Mon Jul 10 11:27:25 CEST 2017] Try new-authz for the 0 time.
[Mon Jul 10 11:27:25 CEST 2017] _is_idn_d='unresolved.example.org'
[Mon Jul 10 11:27:25 CEST 2017] _idn_temp
[Mon Jul 10 11:27:25 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Mon Jul 10 11:27:25 CEST 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "unresolved.example.org"}}'
[Mon Jul 10 11:27:25 CEST 2017] RSA key
[Mon Jul 10 11:27:25 CEST 2017] Get nonce. ACME_DIRECTORY='https://acme-staging.api.letsencrypt.org/directory'
[Mon Jul 10 11:27:25 CEST 2017] GET
[Mon Jul 10 11:27:25 CEST 2017] url='https://acme-staging.api.letsencrypt.org/directory'
[Mon Jul 10 11:27:25 CEST 2017] timeout
[Mon Jul 10 11:27:25 CEST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.Y15pwriVRC '
[Mon Jul 10 11:27:25 CEST 2017] ret='0'
[Mon Jul 10 11:27:25 CEST 2017] _headers='HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 473
Boulder-Request-Id: jt8MOHi_knRa-gwCZymcMUvgPd-tNO9MskJWZ1jn9O0
Replay-Nonce: qo9org3bk0Tm6snUhfbeVWPHY4ITNb1n_-PGdzJ_-4s
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 10 Jul 2017 09:27:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 10 Jul 2017 09:27:25 GMT
Connection: keep-alive

'
[Mon Jul 10 11:27:25 CEST 2017] _CACHED_NONCE='qo9org3bk0Tm6snUhfbeVWPHY4ITNb1n_-PGdzJ_-4s'
[Mon Jul 10 11:27:25 CEST 2017] nonce='qo9org3bk0Tm6snUhfbeVWPHY4ITNb1n_-PGdzJ_-4s'
[Mon Jul 10 11:27:25 CEST 2017] POST
[Mon Jul 10 11:27:25 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Mon Jul 10 11:27:25 CEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "z2piUmglgrq6y3d93E2Ryh_AofYpvluQf_Pc8FDPW_8bBFKQkQeP3ln-wpvg40dyNWgcxRVtUi-k1L0ErTBtCTdE9dz7_JrMnsivEv_yOL4g8tay7wL2TUbpNAN2NVO2_3h5NMGdM9Y3qBUpOe82V8JzlXdnIWKbATGn1qH08BVWVM0qb3AEnWvsf909tYZZSp6xnsT0pUhBh2gUXBYGetdvCPEkBJMsXg-RlGZEngYfcgxrOVDnYjQ782C_NX4AfkUe5zLyeB0YpXbUwtCvnGnHoPhVT1iHI0A6I089LDDr7uwFzm2XbO8ujnu4m_CtvIWcdUDuw_hvCfFdtJ2KwQ"}}, "protected": "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", "payload": "eyJyZXNvdXJjZSI6ICJuZXctYXV0aHoiLCAiaWRlbnRpZmllciI6IHsidHlwZSI6ICJkbnMiLCAidmFsdWUiOiAidW5yZXNvbHZlZC5leGFtcGxlLm9yZyJ9fQ", "signature": "HgPP2ChG65snii4Vst4nbFbKDQZmvM9DGVuZby76VKgJDuG8B4fs107y7kySLFmdMHcB033NQ0JEGucYiD2jFZPYidgIOeFPghQckIsPCiHhTGJfEZ7LGvvGiZ5FsgAc2xANWAi_g9a-JyOBYEIOpml8VuKKpLH0xYpp6RBqZ_2boo8Pp6WkK_-CEBYb8KjB_o1IgYuXUG7PUzdhc1WImXwzY9Nxgw_xIYbcimELhDlk3A1V2r6ZzT79suzvUnqAOpmE8pOp70H3uoW685Zb0F5cAPbydLR8KYXiPGVbDlmk2NCW7zOHdhM7Ve9G7PapGu_s3MI5lEEpTzykCZoFEQ"}'
[Mon Jul 10 11:27:25 CEST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.lddbgU4tGa '
[Mon Jul 10 11:27:26 CEST 2017] _ret='0'
[Mon Jul 10 11:27:26 CEST 2017] original='{
  "identifier": {
    "type": "dns",
    "value": "unresolved.example.org"
  },
  "status": "pending",
  "expires": "2017-07-17T09:27:26.792874305Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607491",
      "token": "pyitqp8k5oRND50GkrJNDN2S0x1Bw6VxFzkRXrAfaVM"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492",
      "token": "Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607493",
      "token": "BJ7I-ADcDfCCI2Qpnfs13vpZlu9krFW-ApsGDbpxGb8"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      0
    ],
    [
      1
    ]
  ]
}'
[Mon Jul 10 11:27:26 CEST 2017] responseHeaders='HTTP/1.1 100 Continue
Expires: Mon, 10 Jul 2017 09:27:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 201 Created
Server: nginx
Content-Type: application/json
Content-Length: 1016
Boulder-Request-Id: RhbP9hdZV6DnZDIyMRh4qtAGqPrDIDbxKqn27nJ6GQg
Boulder-Requester: 2801140
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-staging.api.letsencrypt.org/acme/authz/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ
Replay-Nonce: wJZbov-T0YDRYqsSn8B6vi265glJ87OFL7e4M7wBLdI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 10 Jul 2017 09:27:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 10 Jul 2017 09:27:26 GMT
Connection: keep-alive

'
[Mon Jul 10 11:27:26 CEST 2017] response='{"identifier":{"type":"dns","value":"unresolved.example.org"},"status":"pending","expires":"2017-07-17T09:27:26.792874305Z","challenges":[{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607491","token":"pyitqp8k5oRND50GkrJNDN2S0x1Bw6VxFzkRXrAfaVM"},{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492","token":"Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607493","token":"BJ7I-ADcDfCCI2Qpnfs13vpZlu9krFW-ApsGDbpxGb8"}],"combinations":[[2],[0],[1]]}'
[Mon Jul 10 11:27:26 CEST 2017] code='201'
[Mon Jul 10 11:27:26 CEST 2017] The new-authz request is ok.
[Mon Jul 10 11:27:26 CEST 2017] entry='"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492","token":"Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y"'
[Mon Jul 10 11:27:26 CEST 2017] token='Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y'
[Mon Jul 10 11:27:26 CEST 2017] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492'
[Mon Jul 10 11:27:26 CEST 2017] keyauthorization='Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y.ar6Z2ET7sTuEplUDvuxM6TCt-9Yj7eSVCgZkUmRyOAI'
[Mon Jul 10 11:27:26 CEST 2017] dvlist='unresolved.example.org#Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y.ar6Z2ET7sTuEplUDvuxM6TCt-9Yj7eSVCgZkUmRyOAI#https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492#http-01#/var/www/html/'
[Mon Jul 10 11:27:26 CEST 2017] vlist='unresolved.example.org#Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y.ar6Z2ET7sTuEplUDvuxM6TCt-9Yj7eSVCgZkUmRyOAI#https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492#http-01#/var/www/html/,'
[Mon Jul 10 11:27:26 CEST 2017] ok, let's start to verify
[Mon Jul 10 11:27:26 CEST 2017] Verifying:unresolved.example.org
[Mon Jul 10 11:27:26 CEST 2017] d='unresolved.example.org'
[Mon Jul 10 11:27:26 CEST 2017] keyauthorization='Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y.ar6Z2ET7sTuEplUDvuxM6TCt-9Yj7eSVCgZkUmRyOAI'
[Mon Jul 10 11:27:26 CEST 2017] uri='https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492'
[Mon Jul 10 11:27:26 CEST 2017] _currentRoot='/var/www/html/'
[Mon Jul 10 11:27:27 CEST 2017] wellknown_path='/var/www/html//.well-known/acme-challenge'
[Mon Jul 10 11:27:27 CEST 2017] writing token:Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y to /var/www/html//.well-known/acme-challenge/Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y
[Mon Jul 10 11:27:27 CEST 2017] Changing owner/group of .well-known to root:root
[Mon Jul 10 11:27:27 CEST 2017] tigger domain validation.
[Mon Jul 10 11:27:27 CEST 2017] _t_url='https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492'
[Mon Jul 10 11:27:27 CEST 2017] _t_key_authz='Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y.ar6Z2ET7sTuEplUDvuxM6TCt-9Yj7eSVCgZkUmRyOAI'
[Mon Jul 10 11:27:27 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492'
[Mon Jul 10 11:27:27 CEST 2017] payload='{"resource": "challenge", "keyAuthorization": "Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y.ar6Z2ET7sTuEplUDvuxM6TCt-9Yj7eSVCgZkUmRyOAI"}'
[Mon Jul 10 11:27:27 CEST 2017] Use cached jwk for file: /root/.acme.sh/ca/acme-staging.api.letsencrypt.org/account.key
[Mon Jul 10 11:27:27 CEST 2017] Use _CACHED_NONCE='wJZbov-T0YDRYqsSn8B6vi265glJ87OFL7e4M7wBLdI'
[Mon Jul 10 11:27:27 CEST 2017] nonce='wJZbov-T0YDRYqsSn8B6vi265glJ87OFL7e4M7wBLdI'
[Mon Jul 10 11:27:27 CEST 2017] POST
[Mon Jul 10 11:27:27 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492'
[Mon Jul 10 11:27:27 CEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "z2piUmglgrq6y3d93E2Ryh_AofYpvluQf_Pc8FDPW_8bBFKQkQeP3ln-wpvg40dyNWgcxRVtUi-k1L0ErTBtCTdE9dz7_JrMnsivEv_yOL4g8tay7wL2TUbpNAN2NVO2_3h5NMGdM9Y3qBUpOe82V8JzlXdnIWKbATGn1qH08BVWVM0qb3AEnWvsf909tYZZSp6xnsT0pUhBh2gUXBYGetdvCPEkBJMsXg-RlGZEngYfcgxrOVDnYjQ782C_NX4AfkUe5zLyeB0YpXbUwtCvnGnHoPhVT1iHI0A6I089LDDr7uwFzm2XbO8ujnu4m_CtvIWcdUDuw_hvCfFdtJ2KwQ"}}, "protected": "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", "payload": "eyJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLCAia2V5QXV0aG9yaXphdGlvbiI6ICJIcjhtTFJJbWcybjZZdlB5Sk9lVVE3M2V3b0NMd1cwZ2NJSENQWk81dzFZLmFyNloyRVQ3c1R1RXBsVUR2dXhNNlRDdC05WWo3ZVNWQ2daa1VtUnlPQUkifQ", "signature": "PORsx-nl1GWWnH0JxmfXjQE53dmrCNF6gsBO2zVpxfKk4ojqXSI1z2hSwBkM6jE_qPWXOKvrHnBxVYGlmM7upbxodZZrl4SHP-_jRVU1j8hvKxvqbXTj4OL6grLuPl8vpw3lm1wZKJgKcZh1xpMEJYqr-RXLfT3JOrblj9ky_vbAh8YJPJhm85DZoSZvphhw-XQYow8Ea0Q7c2qD7EAHBY299eYzr7u7GHqgXHrxWKVphYolu4irvX1V85jVRRp7O9hzpPSipnF8n4ec97ea6mnJgQK2DcVWgXlfJq_qgrqT_f6RPU_35eyJI6rjtCRg1gY9PTD8FDAXyyXl7zjF5w"}'
[Mon Jul 10 11:27:27 CEST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.n3CCkqsdTK '
[Mon Jul 10 11:27:28 CEST 2017] _ret='0'
[Mon Jul 10 11:27:28 CEST 2017] original='{
  "type": "http-01",
  "status": "pending",
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492",
  "token": "Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y",
  "keyAuthorization": "Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y.ar6Z2ET7sTuEplUDvuxM6TCt-9Yj7eSVCgZkUmRyOAI"
}'
[Mon Jul 10 11:27:28 CEST 2017] responseHeaders='HTTP/1.1 100 Continue
Expires: Mon, 10 Jul 2017 09:27:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 202 Accepted
Server: nginx
Content-Type: application/json
Content-Length: 338
Boulder-Request-Id: EJttEVknPLcBjVP7mCzqjB33-tRqZ-KLm-hnjUv9k8Q
Boulder-Requester: 2801140
Link: <https://acme-staging.api.letsencrypt.org/acme/authz/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ>;rel="up"
Location: https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492
Replay-Nonce: 569LwZPK_EjPshIlaCsB_PpVpCWJACMaQqIKS19a5tc
Expires: Mon, 10 Jul 2017 09:27:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 10 Jul 2017 09:27:28 GMT
Connection: keep-alive

'
[Mon Jul 10 11:27:28 CEST 2017] response='{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492","token":"Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y","keyAuthorization":"Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y.ar6Z2ET7sTuEplUDvuxM6TCt-9Yj7eSVCgZkUmRyOAI"}'
[Mon Jul 10 11:27:28 CEST 2017] code='202'
[Mon Jul 10 11:27:28 CEST 2017] sleep 2 secs to verify
[Mon Jul 10 11:27:30 CEST 2017] checking
[Mon Jul 10 11:27:30 CEST 2017] GET
[Mon Jul 10 11:27:30 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492'
[Mon Jul 10 11:27:30 CEST 2017] timeout
[Mon Jul 10 11:27:30 CEST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.31sA5rQxOL '
[Mon Jul 10 11:27:30 CEST 2017] ret='0'
[Mon Jul 10 11:27:30 CEST 2017] original='{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "DNS problem: NXDOMAIN looking up A for unresolved.example.org",
    "status": 400
  },
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492",
  "token": "Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y",
  "keyAuthorization": "Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y.ar6Z2ET7sTuEplUDvuxM6TCt-9Yj7eSVCgZkUmRyOAI",
  "validationRecord": [
    {
      "url": "http://unresolved.example.org/.well-known/acme-challenge/Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y",
      "hostname": "unresolved.example.org",
      "port": "80",
      "addressesResolved": [],
      "addressUsed": "",
      "addressesTried": []
    }
  ]
}'
[Mon Jul 10 11:27:30 CEST 2017] response='{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"DNS problem: NXDOMAIN looking up A for unresolved.example.org","status": 400},"uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492","token":"Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y","keyAuthorization":"Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y.ar6Z2ET7sTuEplUDvuxM6TCt-9Yj7eSVCgZkUmRyOAI","validationRecord":[{"url":"http://unresolved.example.org/.well-known/acme-challenge/Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y","hostname":"unresolved.example.org","port":"80","addressesResolved":[],"addressUsed":"","addressesTried":[]}]}'
[Mon Jul 10 11:27:30 CEST 2017] error='"error":{"type":"urn:acme:error:connection","detail":"DNS problem: NXDOMAIN looking up A for unresolved.example.org","status": 400'
[Mon Jul 10 11:27:30 CEST 2017] errordetail='DNS problem: NXDOMAIN looking up A for unresolved.example.org'
[Mon Jul 10 11:27:30 CEST 2017] unresolved.example.org:Verify error:DNS problem: NXDOMAIN looking up A for unresolved.example.org
[Mon Jul 10 11:27:30 CEST 2017] Debug: get token url.
[Mon Jul 10 11:27:30 CEST 2017] GET
[Mon Jul 10 11:27:30 CEST 2017] url='http://unresolved.example.org/.well-known/acme-challenge/Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y'
[Mon Jul 10 11:27:30 CEST 2017] timeout='1'
[Mon Jul 10 11:27:30 CEST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.nFXQVMVwae  --connect-timeout 1'
[Mon Jul 10 11:27:31 CEST 2017] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
[Mon Jul 10 11:27:31 CEST 2017] Here is the curl dump log:
[Mon Jul 10 11:27:31 CEST 2017] == Info: Could not resolve host: unresolved.example.org
== Info: Closing connection 0
[Mon Jul 10 11:27:31 CEST 2017] ret='6'
[Mon Jul 10 11:27:31 CEST 2017] Debugging, skip removing: /var/www/html//.well-known/acme-challenge/Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y
[Mon Jul 10 11:27:31 CEST 2017] pid
[Mon Jul 10 11:27:31 CEST 2017] No need to restore nginx, skip.
[Mon Jul 10 11:27:31 CEST 2017] _clearupdns
[Mon Jul 10 11:27:31 CEST 2017] skip dns.
[Mon Jul 10 11:27:31 CEST 2017] _on_issue_err
[Mon Jul 10 11:27:31 CEST 2017] Please add '--debug' or '--log' to check more details.
[Mon Jul 10 11:27:31 CEST 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Mon Jul 10 11:27:31 CEST 2017] _chk_vlist='unresolved.example.org#Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y.ar6Z2ET7sTuEplUDvuxM6TCt-9Yj7eSVCgZkUmRyOAI#https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492#http-01#/var/www/html/,'
[Mon Jul 10 11:27:31 CEST 2017] start to deactivate authz
[Mon Jul 10 11:27:31 CEST 2017] tigger domain validation.
[Mon Jul 10 11:27:31 CEST 2017] _t_url='https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492'
[Mon Jul 10 11:27:31 CEST 2017] _t_key_authz='Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y.ar6Z2ET7sTuEplUDvuxM6TCt-9Yj7eSVCgZkUmRyOAI'
[Mon Jul 10 11:27:31 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492'
[Mon Jul 10 11:27:31 CEST 2017] payload='{"resource": "challenge", "keyAuthorization": "Hr8mLRImg2n6YvPyJOeUQ73ewoCLwW0gcIHCPZO5w1Y.ar6Z2ET7sTuEplUDvuxM6TCt-9Yj7eSVCgZkUmRyOAI"}'
[Mon Jul 10 11:27:31 CEST 2017] Use cached jwk for file: /root/.acme.sh/ca/acme-staging.api.letsencrypt.org/account.key
[Mon Jul 10 11:27:31 CEST 2017] Use _CACHED_NONCE='569LwZPK_EjPshIlaCsB_PpVpCWJACMaQqIKS19a5tc'
[Mon Jul 10 11:27:31 CEST 2017] nonce='569LwZPK_EjPshIlaCsB_PpVpCWJACMaQqIKS19a5tc'
[Mon Jul 10 11:27:31 CEST 2017] POST
[Mon Jul 10 11:27:31 CEST 2017] url='https://acme-staging.api.letsencrypt.org/acme/challenge/ODQ6KpeNE_J3Gax2w2p931S_UTYea4DnWTHOfp5WyEQ/47607492'
[Mon Jul 10 11:27:31 CEST 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "z2piUmglgrq6y3d93E2Ryh_AofYpvluQf_Pc8FDPW_8bBFKQkQeP3ln-wpvg40dyNWgcxRVtUi-k1L0ErTBtCTdE9dz7_JrMnsivEv_yOL4g8tay7wL2TUbpNAN2NVO2_3h5NMGdM9Y3qBUpOe82V8JzlXdnIWKbATGn1qH08BVWVM0qb3AEnWvsf909tYZZSp6xnsT0pUhBh2gUXBYGetdvCPEkBJMsXg-RlGZEngYfcgxrOVDnYjQ782C_NX4AfkUe5zLyeB0YpXbUwtCvnGnHoPhVT1iHI0A6I089LDDr7uwFzm2XbO8ujnu4m_CtvIWcdUDuw_hvCfFdtJ2KwQ"}}, "protected": "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", "payload": "eyJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLCAia2V5QXV0aG9yaXphdGlvbiI6ICJIcjhtTFJJbWcybjZZdlB5Sk9lVVE3M2V3b0NMd1cwZ2NJSENQWk81dzFZLmFyNloyRVQ3c1R1RXBsVUR2dXhNNlRDdC05WWo3ZVNWQ2daa1VtUnlPQUkifQ", "signature": "Axsa7tILNztj7F8ec9AVaLU27wap3cSiuznkTblMQIfUDDZ4mF-P0uSEJm0jXv71-uyPzUKGSiQWlWDd379p0SOi_akJlqNWyZ_2l48b3z10ZMdhyoUZXPLNSFM8chvn3AI_rPXlAjYXpaBpT5Wa6AWpETXZhTeqoAmBX8BLBUU0AqSLRAPV21u3fWL-9M0bhNGQl2cgsXEJpdfNGM5pqeDyCV7rYlz2zDORTloDR00TSma8Bihmr25iKTWn55DOgIHsYaqIBQuYjIMUsGnej9zhJLufZi8jSVauZ9YVJcgrskzOW6-FVwQwtNy8unqbJ72bsNUmm70izr8YMVtcpg"}'
[Mon Jul 10 11:27:31 CEST 2017] Http already initialized.
[Mon Jul 10 11:27:31 CEST 2017] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header  --trace-ascii /tmp/tmp.nFXQVMVwae '
[Mon Jul 10 11:27:32 CEST 2017] _ret='0'
[Mon Jul 10 11:27:32 CEST 2017] original='{
  "type": "urn:acme:error:malformed",
  "detail": "Unable to update challenge :: The challenge is not pending.",
  "status": 400
}'
[Mon Jul 10 11:27:32 CEST 2017] responseHeaders='HTTP/1.1 100 Continue
Expires: Mon, 10 Jul 2017 09:27:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 132
Boulder-Request-Id: D32KRzQsf-2qPJJj6-BJgqH1NHITzVrxU8PwwjqP9r4
Boulder-Requester: 2801140
Replay-Nonce: 4aLm2Z0_IvjrAM3T8VpFr08lguoYGSPN8J-ifM1sT20
Expires: Mon, 10 Jul 2017 09:27:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 10 Jul 2017 09:27:32 GMT
Connection: close

'
[Mon Jul 10 11:27:32 CEST 2017] response='{"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: The challenge is not pending.","status": 400}'
[Mon Jul 10 11:27:32 CEST 2017] code='400'
[Mon Jul 10 11:27:32 CEST 2017] Diagnosis versions: 
openssl:openssl
OpenSSL 1.0.2g  1 Mar 2016
apache:
apache doesn't exists.
nginx:
nginx doesn't exists.
nc:
OpenBSD netcat (Debian patchlevel 1.105-7ubuntu1)
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
	  [-P proxy_username] [-p source_port] [-q seconds] [-s source]
	  [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
	  [-x proxy_address[:port]] [destination] [port]
	Command Summary:
		-4		Use IPv4
		-6		Use IPv6
		-b		Allow broadcast
		-C		Send CRLF as line-ending
		-D		Enable the debug socket option
		-d		Detach from stdin
		-h		This help text
		-I length	TCP receive buffer length
		-i secs		Delay interval for lines sent, ports scanned
		-j		Use jumbo frame
		-k		Keep inbound sockets open for multiple connects
		-l		Listen mode, for inbound connects
		-n		Suppress name/port resolutions
		-O length	TCP send buffer length
		-P proxyuser	Username for proxy authentication
		-p port		Specify local port for remote connects
        	-q secs		quit after EOF on stdin and delay of secs
		-r		Randomize remote ports
		-S		Enable the TCP MD5 signature option
		-s addr		Local source address
		-T toskeyword	Set IP Type of Service
		-t		Answer TELNET negotiation
		-U		Use UNIX domain socket
		-u		UDP mode
		-V rtable	Specify alternate routing table
		-v		Verbose
		-w secs		Timeout for connects and final net reads
		-X proto	Proxy protocol: "4", "5" (SOCKS) or "connect"
		-x addr[:port]	Specify proxy address and port
		-Z		DCCP mode
		-z		Zero-I/O mode [used for scanning]
	Port numbers can be individual or ranges: lo-hi [inclusive]

@Neilpang
Member

Sorry, it was by design.
We only save the settings on a successful cert.

That makes sure that if you can successfully issue a cert by hand, the cronjob will also succeed.

Otherwise, it's useless to save a broken config for the cronjob to use.

@mjrider
Author

mjrider commented Jul 10, 2017

The problem is, the cert config is now between 2 states:
1: non-existing, and the cronjob wouldn't request the cert
2: complete, the cronjob does what we expect it to do

The result: --issue fails, the cronjob issues the certificate with --renew-all (failure due to dns propagation delay) but doesn't install it in the right location.

So if it is by design: remove the certificate dir and config on a failed --issue,
or we consider it a feature that the cronjob retries failed issue requests, and then we need a complete configuration.

I would go for option 2 and make it a feature, but I could live with option 1: remove the folder and prevent the cronjob from issuing the certificate.

I would consider the current saved config broken also because it misses my settings, but it is still valid for the cronjob.

@mjrider
Author

mjrider commented Jul 10, 2017

Hmm, maybe my steps to reproduce are unclear:

  • remove test.example.org from dns
  • issue cert
    /root/.acme.sh/acme.sh --staging --issue --keylength 4096 --webroot /var/www/html/ --domain test.example.org --keypath /etc/ssl/test.example.org/cert.key --fullchainpath /etc/ssl/test.example.org/cert.crt
  • see failure
  • add test.example.org to dns
  • wait for dns to propagate
  • acme.sh --renew-all
    acme.sh now successfully requests the certificate, but without the installation options
  • sysadmin is confused why it is broken

@Neilpang
Member

yes, I see.

But you should not call acme.sh --renew-all after the dns has propagated.

You should call --issue again, with all the correct parameters.

@Neilpang
Member

--renew means to renew a correct cert.

If the cert has not been correctly issued, it's meaningless to renew it.

@mjrider
Author

mjrider commented Jul 10, 2017

@Neilpang for the reproduction, I call it by hand, but the cronjob is installed.

So the real-world scenario:

  • try getting a certificate
  • conclude that the ISP dns servers have dns propagation issues
  • report the dns issue to the ISP
  • go home
  • new day
  • certificate is issued by the cronjob after the ISP fixes its dns issue, and spend time debugging

Now I would call it a great feature if acme.sh retries failed issues,
but otherwise, remove the directory/config and prevent the cronjob from messing up my certificates.

@mjrider
Author

mjrider commented Jul 10, 2017

Conclusion from your statement:
we need a new issue: 'acme.sh tries to renew certificates which were not issued before'.

Is that correct?

@Neilpang
Member

Neilpang commented Jul 10, 2017

It was also by design to retry in the cronjob.
Let me explain more.

The auto-renew may fail due to the availability of the Letsencrypt CA server or network connectivity. So we should retry the next day until it succeeds.
We try our best to make sure the cert can be renewed automatically.

As in your case, I totally understand what you are experiencing here.

After you report the dns issue to the ISP and go home, you should remember your cert was not issued successfully yet.

So, another day, you should try --issue again by hand. At this moment, you will probably see the cert was already issued, and everything goes faster than you expected.

There is no harm to you.

@mjrider
Author

mjrider commented Jul 10, 2017

Except, then the certificates are not installed, because the certificate is already issued, and I need --force to override it.
IMHO, acme.sh should prevent an inconsistent state,
which could be resolved by renew not triggering for certificates without a Le_CertCreateTime.

My biggest problem is that acme.sh gets into an inconsistent state, which is detectable and preventable.
If we keep acme.sh from getting into that state, it is easier for the user to not make mistakes.

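A small audit script, added here as an example (it is not acme.sh's own code and not from anyone in this thread), that detects the inconsistent state described in the comment above and in the first post: a per-domain config that the cronjob will pick up for --renew-all but that has no Le_CertCreateTime (never successfully issued) or has no install paths recorded. It assumes the conf key names as they appear in this issue (Le_CertCreateTime, Le_RealKeyPath, Le_RealFullChainPath), the acme.sh layout of one `<domain>/<domain>.conf` per domain under the config home (default /root/.acme.sh), and the quoting style `Key='value'`; the sample domains it audits are constructed.

```shell
#!/bin/sh
# Added example, not acme.sh code: audit acme.sh domain configs for the
# "config saved but cert never issued / never installed" state.
# Assumed key names: Le_CertCreateTime, Le_RealKeyPath, Le_RealFullChainPath.

# Read one Le_* value from a conf file. acme.sh writes lines such as
# Le_RealKeyPath='/etc/ssl/x/cert.key'; strip the key and the quotes.
conf_get() {
    # $1 = conf file, $2 = key name
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1" | head -n 1
}

# Classify one conf file. Prints exactly one of:
#   never-issued  config exists but Le_CertCreateTime is absent or empty
#   no-install    issued, but neither key nor fullchain install path is set
#   ok            issued and install paths recorded
# Returns 0 only for "ok", so a cron wrapper can gate on the status.
check_conf() {
    created=$(conf_get "$1" Le_CertCreateTime)
    keypath=$(conf_get "$1" Le_RealKeyPath)
    fullchain=$(conf_get "$1" Le_RealFullChainPath)
    if [ -z "$created" ]; then
        echo "never-issued"; return 1
    fi
    if [ -z "$keypath" ] && [ -z "$fullchain" ]; then
        echo "no-install"; return 1
    fi
    echo "ok"; return 0
}

# Walk a config home and print "<state>\t<conf path>" per domain.
# Only <dir>/<dir>.conf is inspected, so <domain>.csr.conf and the ca/
# directory are skipped. Returns 1 if any domain is not "ok".
audit_home() {
    home=${1:-/root/.acme.sh}
    rc=0
    for d in "$home"/*/; do
        d=${d%/}
        conf="$d/${d##*/}.conf"
        [ -f "$conf" ] || continue
        state=$(check_conf "$conf") || rc=1
        printf '%s\t%s\n' "$state" "$conf"
    done
    return $rc
}

# Build a constructed sample config home (not data from a real host) with
# one healthy domain, one whose --issue failed, and one issued without
# install paths, then audit it.
demo_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/good.example.org" "$tmp/failed.example.org" "$tmp/noinstall.example.org"
    printf '%s\n' "Le_CertCreateTime='1499678400'" \
        "Le_RealKeyPath='/etc/ssl/good.example.org/cert.key'" \
        "Le_RealFullChainPath='/etc/ssl/good.example.org/cert.crt'" \
        > "$tmp/good.example.org/good.example.org.conf"
    printf '%s\n' "Le_Domain='failed.example.org'" \
        "Le_Webroot='/var/www/html/'" \
        > "$tmp/failed.example.org/failed.example.org.conf"
    printf '%s\n' "Le_CertCreateTime='1499678400'" \
        "Le_RealKeyPath=''" "Le_RealFullChainPath=''" \
        > "$tmp/noinstall.example.org/noinstall.example.org.conf"
    audit_home "$tmp"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo_audit
```

Running it prints one line per domain; the "never-issued" entries are exactly the ones this issue is about, which a cron wrapper could skip (or whose directories an operator could remove) before `--renew-all` runs. Only the conf values are inspected; it does not contact the CA or touch the certificates.
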
@mjrider
Author

mjrider commented Jul 10, 2017

OK, 'WORKAROUND' time.

If I call acme.sh --installcert --domain unresolved.example.org --keypath /etc/ssl/unresolved.example.org/cert.key --fullchainpath /etc/ssl/unresolved.example.org/cert.crt
after a failed --issue request, it saves the config and then fails on installation because the files are missing, and apache doesn't like the 0 byte cert.crt.

When the cron job runs, the certificate will be issued and installed exactly as expected.

@frkca

frkca commented Apr 3, 2019

Fixed in #1969 - just for those searching for it :-) Thanks @Neilpang !
