
Register account Error: {"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] Invalid MAC on JWS request"} #4683

Closed
garycnew opened this issue Jul 3, 2023 · 17 comments

Comments

@garycnew

garycnew commented Jul 3, 2023

Details

Using acme-3.0.6.sh, wget, and dns_ispman (custom dnsapi) to renew expired ZeroSSL certs as I have done many times without issue. I'm wondering if something has changed between ACME.sh and ZeroSSL? Thank you for your assistance.

Steps to reproduce

# /jffs/sbin/acme.sh --home /tmp/.le --certhome /jffs/.le --accountkey /jffs/.le/account.key --accountconf /jffs/.le/account.conf --renew-all

Debug log

[Sun Jul  2 21:53:46 DST 2023] Lets find script dir.
[Sun Jul  2 21:53:46 DST 2023] _SCRIPT_='/jffs/sbin/acme.sh'
[Sun Jul  2 21:53:46 DST 2023] _script='/jffs/sbin/acme-3.0.6.sh'
[Sun Jul  2 21:53:46 DST 2023] _script_home='/jffs/sbin'
[Sun Jul  2 21:53:46 DST 2023] Using config home:/tmp/.le
[Sun Jul  2 21:53:46 DST 2023] LE_WORKING_DIR='/tmp/.le'
https://github.com/acmesh-official/acme.sh
v3.0.6
[Sun Jul  2 21:53:46 DST 2023] Running cmd: renewAll
[Sun Jul  2 21:53:47 DST 2023] Using config home:/tmp/.le
[Sun Jul  2 21:53:47 DST 2023] default_acme_server='https://acme.zerossl.com/v2/DV90'
[Sun Jul  2 21:53:47 DST 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sun Jul  2 21:53:47 DST 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Sun Jul  2 21:53:47 DST 2023] _ACME_SERVER_PATH='v2/DV90'
[Sun Jul  2 21:53:47 DST 2023] _stopRenewOnError
[Sun Jul  2 21:53:47 DST 2023] _server
[Sun Jul  2 21:53:47 DST 2023] _set_level='2'
[Sun Jul  2 21:53:47 DST 2023] di='/jffs/.le/domain.com/'
[Sun Jul  2 21:53:48 DST 2023] d='domain.com'
[Sun Jul  2 21:53:48 DST 2023] _renewServer
[Sun Jul  2 21:53:48 DST 2023] Using config home:/tmp/.le
[Sun Jul  2 21:53:48 DST 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sun Jul  2 21:53:48 DST 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Sun Jul  2 21:53:48 DST 2023] _ACME_SERVER_PATH='v2/DV90'
[Sun Jul  2 21:53:48 DST 2023] DOMAIN_PATH='/jffs/.le/domain.com'
[Sun Jul  2 21:53:48 DST 2023] Renew: 'domain.com'
[Sun Jul  2 21:53:49 DST 2023] Le_API='https://acme.zerossl.com/v2/DV90'
[Sun Jul  2 21:53:49 DST 2023] Renew to Le_API=https://acme.zerossl.com/v2/DV90
[Sun Jul  2 21:53:49 DST 2023] initpath again.
[Sun Jul  2 21:53:49 DST 2023] Using config home:/tmp/.le
[Sun Jul  2 21:53:49 DST 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sun Jul  2 21:53:49 DST 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Sun Jul  2 21:53:49 DST 2023] _ACME_SERVER_PATH='v2/DV90'
[Sun Jul  2 21:53:50 DST 2023] _main_domain='domain.com'
[Sun Jul  2 21:53:50 DST 2023] _alt_domains='*.domain.com'
[Sun Jul  2 21:53:50 DST 2023] 'dns_ispman' does not contain 'dns'
[Sun Jul  2 21:53:50 DST 2023] 'dns_ispman' does not contain 'dns'
[Sun Jul  2 21:53:50 DST 2023] Le_NextRenewTime='1685560725'
[Sun Jul  2 21:53:50 DST 2023] Using ACME_DIRECTORY: https://acme.zerossl.com/v2/DV90
[Sun Jul  2 21:53:50 DST 2023] _init api for server: https://acme.zerossl.com/v2/DV90
[Sun Jul  2 21:53:50 DST 2023] GET
[Sun Jul  2 21:53:50 DST 2023] url='https://acme.zerossl.com/v2/DV90'
[Sun Jul  2 21:53:50 DST 2023] timeout=
[Sun Jul  2 21:53:52 DST 2023] _WGET='wget -q --content-on-error '
[Sun Jul  2 21:53:54 DST 2023] options='s/^  //g'
[Sun Jul  2 21:53:54 DST 2023] No -i support in sed
[Sun Jul  2 21:53:54 DST 2023] ret='0'
[Sun Jul  2 21:53:54 DST 2023] response='{
  "newNonce": "https://acme.zerossl.com/v2/DV90/newNonce",
  "newAccount": "https://acme.zerossl.com/v2/DV90/newAccount",
  "newOrder": "https://acme.zerossl.com/v2/DV90/newOrder",
  "revokeCert": "https://acme.zerossl.com/v2/DV90/revokeCert",
  "keyChange": "https://acme.zerossl.com/v2/DV90/keyChange",
  "meta": {
    "termsOfService": "https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf",
    "website": "https://zerossl.com",
    "caaIdentities": ["sectigo.com", "trust-provider.com", "usertrust.com", "comodoca.com", "comodo.com"],
    "externalAccountRequired": true
  }
}'
[Sun Jul  2 21:53:54 DST 2023] ACME_KEY_CHANGE='https://acme.zerossl.com/v2/DV90/keyChange'
[Sun Jul  2 21:53:54 DST 2023] ACME_NEW_AUTHZ
[Sun Jul  2 21:53:55 DST 2023] ACME_NEW_ORDER='https://acme.zerossl.com/v2/DV90/newOrder'
[Sun Jul  2 21:53:55 DST 2023] ACME_NEW_ACCOUNT='https://acme.zerossl.com/v2/DV90/newAccount'
[Sun Jul  2 21:53:55 DST 2023] ACME_REVOKE_CERT='https://acme.zerossl.com/v2/DV90/revokeCert'
[Sun Jul  2 21:53:55 DST 2023] ACME_AGREEMENT='https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf'
[Sun Jul  2 21:53:55 DST 2023] ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce'
[Sun Jul  2 21:53:57 DST 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Sun Jul  2 21:53:57 DST 2023] _on_before_issue
[Sun Jul  2 21:53:57 DST 2023] _chk_main_domain='domain.com'
[Sun Jul  2 21:53:57 DST 2023] _chk_alt_domains='*.domain.com'
[Sun Jul  2 21:53:57 DST 2023] 'dns_ispman' does not contain 'no'
[Sun Jul  2 21:53:57 DST 2023] Le_LocalAddress
[Sun Jul  2 21:53:57 DST 2023] d='domain.com'
[Sun Jul  2 21:53:58 DST 2023] Check for domain='domain.com'
[Sun Jul  2 21:53:58 DST 2023] _currentRoot='dns_ispman'
[Sun Jul  2 21:53:58 DST 2023] d='*.domain.com'
[Sun Jul  2 21:53:58 DST 2023] Check for domain='*.domain.com'
[Sun Jul  2 21:53:58 DST 2023] _currentRoot='dns_ispman'
[Sun Jul  2 21:53:58 DST 2023] d
[Sun Jul  2 21:53:58 DST 2023] 'dns_ispman' does not contain 'apache'
[Sun Jul  2 21:53:59 DST 2023] _saved_account_key_hash='8qO5UU36V8ixDFSmrH5vTuemRDzsuukZXddLBJ/u7Zc='
[Sun Jul  2 21:54:00 DST 2023] Using config home:/tmp/.le
[Sun Jul  2 21:54:01 DST 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sun Jul  2 21:54:01 DST 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Sun Jul  2 21:54:01 DST 2023] _ACME_SERVER_PATH='v2/DV90'
[Sun Jul  2 21:54:01 DST 2023] _init api for server: https://acme.zerossl.com/v2/DV90
[Sun Jul  2 21:54:01 DST 2023] RSA key
[Sun Jul  2 21:54:02 DST 2023] _URGLY_PRINTF
[Sun Jul  2 21:54:02 DST 2023] xargs
[Sun Jul  2 21:54:02 DST 2023] _URGLY_PRINTF
[Sun Jul  2 21:54:02 DST 2023] xargs
[Sun Jul  2 21:54:03 DST 2023] Using _ascii_hex
[Sun Jul  2 21:54:05 DST 2023] Registering account: https://acme.zerossl.com/v2/DV90
[Sun Jul  2 21:54:06 DST 2023] url='https://acme.zerossl.com/v2/DV90/newAccount'
[Sun Jul  2 21:54:06 DST 2023] payload='{"contact": ["mailto:username@domain.com"], "termsOfServiceAgreed": true,"externalAccountBinding":{"protected":"eyJhbGciOiJIUzI1NiIsImtpZCI6IkNZRG9TOFdjbDFHbGE3a2xaQ2RSNHciLCJ1cmwiOiJodHRwczovL2FjbWUuemVyb3NzbC5jb20vdjIvRFY5MC9uZXdBY2NvdW50In0", "payload":"eyJlIjogIkFRQUIiLCAia3R5IjogIlJTQSIsICJuIjogIm80MDBLTmgyU1dyRS1YV210enZoUUkwbVJQVjBldnZxRUhfMmxqQnNBemNlVGJUN1JzNWVqbzEyZ2c1VVkxUnpCdzA3SXRtSGNaNXY1ZnpsM1FyQVU1aGVhdndGcDltRF9keU5xUVVGVlZHZVY3dTZXVUVzQ19SUVVZVW1GN2NQZVFMcjNuSzFKa2gxbU9rUmMybmdwcEh5ZGMwc1o2Q0V4Y1ZKa1luMzdVRDgwTGpoSG9nQkVVR3BrTWVQZC1jUkdpTmtyX1dGUC1rQ0VXV24ycHNuRHptWDFUOHZkREVtNm1DVzlXeHB5OG5VMzlFaV85elBJbFJ0djBsN29OZzhUcVVMaW1VWHNlUzZIOVJjREliTkxnWGV2WU9VRHpNTXU5elFISUxLaHlkbmhDUWZmaXJpakRDVkZueG1qZ2NHS0IyRG5wanp3NDZNRFJ3anFGZkZ0USJ9", "signature":"bHBBpjEvbXPm9ffIHHcj3KXKsRifYvT7jdxL33oMfTg"}}'
[Sun Jul  2 21:54:06 DST 2023] Use cached jwk for file: /tmp/.le/ca/acme.zerossl.com/v2/DV90/account.key
[Sun Jul  2 21:54:06 DST 2023] Get nonce with HEAD. ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce'
[Sun Jul  2 21:54:06 DST 2023] HEAD
[Sun Jul  2 21:54:06 DST 2023] _post_url='https://acme.zerossl.com/v2/DV90/newNonce'
[Sun Jul  2 21:54:06 DST 2023] body
[Sun Jul  2 21:54:06 DST 2023] _postContentType='application/jose+json'
[Sun Jul  2 21:54:07 DST 2023] _WGET='wget -q --content-on-error  --read-timeout=3.0  --tries=2  '
[Sun Jul  2 21:54:09 DST 2023] options='s/^  //g'
[Sun Jul  2 21:54:10 DST 2023] No -i support in sed
[Sun Jul  2 21:54:10 DST 2023] _ret='0'
[Sun Jul  2 21:54:10 DST 2023] _headers='HTTP/1.1 200 OK
Server: nginx
Date: Mon, 03 Jul 2023 03:54:09 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Replay-Nonce: XTWp2y2KfUVQuHo_VwLHphwrVUSagB6Iw8b7MOndcRM
Cache-Control: max-age=0, no-cache, no-store
Access-Control-Allow-Origin: *
Link: <https://acme.zerossl.com/v2/DV90>;rel="index"
Strict-Transport-Security: max-age=15724800; includeSubDomains'
[Sun Jul  2 21:54:10 DST 2023] _CACHED_NONCE='XTWp2y2KfUVQuHo_VwLHphwrVUSagB6Iw8b7MOndcRM'
[Sun Jul  2 21:54:10 DST 2023] nonce='XTWp2y2KfUVQuHo_VwLHphwrVUSagB6Iw8b7MOndcRM'
[Sun Jul  2 21:54:11 DST 2023] POST
[Sun Jul  2 21:54:11 DST 2023] _post_url='https://acme.zerossl.com/v2/DV90/newAccount'
[Sun Jul  2 21:54:11 DST 2023] body='{"protected": "eyJub25jZSI6ICJYVFdwMnkyS2ZVVlF1SG9fVndMSHBod3JWVVNhZ0I2SXc4YjdNT25kY1JNIiwgInVybCI6ICJodHRwczovL2FjbWUuemVyb3NzbC5jb20vdjIvRFY5MC9uZXdBY2NvdW50IiwgImFsZyI6ICJSUzI1NiIsICJqd2siOiB7ImUiOiAiQVFBQiIsICJrdHkiOiAiUlNBIiwgIm4iOiAibzQwMEtOaDJTV3JFLVhXbXR6dmhRSTBtUlBWMGV2dnFFSF8ybGpCc0F6Y2VUYlQ3UnM1ZWpvMTJnZzVVWTFSekJ3MDdJdG1IY1o1djVmemwzUXJBVTVoZWF2d0ZwOW1EX2R5TnFRVUZWVkdlVjd1NldVRXNDX1JRVVlVbUY3Y1BlUUxyM25LMUpraDFtT2tSYzJuZ3BwSHlkYzBzWjZDRXhjVkprWW4zN1VEODBMamhIb2dCRVVHcGtNZVBkLWNSR2lOa3JfV0ZQLWtDRVdXbjJwc25Eem1YMVQ4dmRERW02bUNXOVd4cHk4blUzOUVpXzl6UElsUnR2MGw3b05nOFRxVUxpbVVYc2VTNkg5UmNESWJOTGdYZXZZT1VEek1NdTl6UUhJTEtoeWRuaENRZmZpcmlqRENWRm54bWpnY0dLQjJEbnBqenc0Nk1EUndqcUZmRnRRIn19", "payload": "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", "signature": "k7eBTe-arnGDMTi2zA8mh1tAYAr8l-I8uaf2W_WsfdxpAQM-Npp0Jfi2_h4_k4bvii-C5uPUeOsqR19RDH2A-OjszNhMqKyKrjFvdsL2BLqzqT9_RfwcDYovfxryQ4JInlpeRsbfi83ePJbQ3XVpye9hgk5lRmalG9Ev5K6PSUC-JYJ3yZdo-u1eszZe-beBhZ8ANH-DgW0gZm01dxYPFIK_wacVrvn0FrVtv8wUitmuTtpZpB_SQ8AtGaUPsIiZ_Kz1kLdN3MjpGxtLZZaX3Gdcc6fbS6ATweepZUgyYRHkqOaZOiJFakOBBAJtZBr0rpdD3rHxlxBmo_oIwYAggA"}'
[Sun Jul  2 21:54:11 DST 2023] _postContentType='application/jose+json'
[Sun Jul  2 21:54:11 DST 2023] Http already initialized.
[Sun Jul  2 21:54:11 DST 2023] _WGET='wget -q --content-on-error '
[Sun Jul  2 21:54:13 DST 2023] wget returns 8, the server returns a 'Bad request' response, lets process the response later.
[Sun Jul  2 21:54:13 DST 2023] options='s/^  //g'
[Sun Jul  2 21:54:13 DST 2023] No -i support in sed
[Sun Jul  2 21:54:13 DST 2023] _ret='0'
[Sun Jul  2 21:54:13 DST 2023] responseHeaders='HTTP/1.1 400 Bad Request
Server: nginx
Date: Mon, 03 Jul 2023 03:54:12 GMT
Content-Type: application/problem+json
Content-Length: 125
Connection: keep-alive
Replay-Nonce: irOADl9DoUCyZNuxLDCvCLgGkdEWtMjARscpwdHc_Ng
Cache-Control: max-age=0, no-cache, no-store
Access-Control-Allow-Origin: *
Link: <https://acme.zerossl.com/v2/DV90>;rel="index"
Strict-Transport-Security: max-age=15724800; includeSubDomains'
[Sun Jul  2 21:54:13 DST 2023] code='400'
[Sun Jul  2 21:54:13 DST 2023] original='{"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] Invalid MAC on JWS request"}'
[Sun Jul  2 21:54:13 DST 2023] response='{"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] Invalid MAC on JWS request"}'
[Sun Jul  2 21:54:14 DST 2023] Register account Error: {"type":"urn:ietf:params:acme:error:malformed","status":400,"detail":"[External Account Binding] Invalid MAC on JWS request"}
[Sun Jul  2 21:54:14 DST 2023] _on_issue_err
[Sun Jul  2 21:54:14 DST 2023] Please add '--debug' or '--log' to check more details.
[Sun Jul  2 21:54:14 DST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
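To make the rejected request concrete, here is an added example in Python (not acme.sh's code and not from the reporter) that decodes the externalAccountBinding `protected` header visible in the log above and then builds and verifies an EAB JWS the way RFC 8555 section 7.3.4 defines it: an HS256 MAC over `protected.payload`, keyed with the base64url-decoded EAB HMAC key, where the payload is the ACME account's public key JWK. The ZeroSSL newAccount URL and the protected header are taken from the log; the EAB key id, HMAC key and account JWK used for the construction are constructed sample values, not real credentials.

```python
import base64
import hashlib
import hmac
import json

# EAB "protected" header copied from the acme.sh debug log in the report above.
# It is a public value (alg, EAB key id, newAccount URL); the HMAC key is not in it.
LOG_EAB_PROTECTED = (
    "eyJhbGciOiJIUzI1NiIsImtpZCI6IkNZRG9TOFdjbDFHbGE3a2xaQ2RSNHciLCJ1cmwiOiJodHRw"
    "czovL2FjbWUuemVyb3NzbC5jb20vdjIvRFY5MC9uZXdBY2NvdW50In0"
)
ZEROSSL_NEW_ACCOUNT = "https://acme.zerossl.com/v2/DV90/newAccount"

# Constructed sample values (not real credentials): a 32-byte EAB HMAC key in the
# unpadded base64url form a CA hands out, and a stand-in ACME account public key JWK.
SAMPLE_EAB_KID = "example-kid"
SAMPLE_EAB_HMAC_KEY_B64 = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode()
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key"}


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout JWS and ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding Python's decoder requires."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_protected(protected: str) -> dict:
    """Parse a JWS protected header (plain JSON once base64url-decoded)."""
    return json.loads(b64url_decode(protected))


def eab_jws(account_jwk: dict, eab_kid: str, eab_hmac_key_b64: str,
            new_account_url: str, decode_key: bool = True) -> dict:
    """Build the externalAccountBinding JWS of RFC 8555 section 7.3.4.

    protected = {"alg": "HS256", "kid": <EAB key id>, "url": <newAccount URL>}
    payload   = the account's public key JWK
    signature = HMAC-SHA256(key, protected + "." + payload), key = base64url-decoded EAB key

    decode_key=False reproduces a client that MACs with the key *text* instead of its
    decoded bytes: the JWS is well-formed, but the CA's MAC check fails.
    """
    header = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    key = b64url_decode(eab_hmac_key_b64) if decode_key else eab_hmac_key_b64.encode("ascii")
    mac = hmac.new(key, f"{protected}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_eab(jws: dict, eab_hmac_key_b64: str, new_account_url: str, account_jwk: dict) -> bool:
    """The CA side: take the key registered for 'kid', recompute the MAC, check header and payload.

    Any byte-level mismatch in the key or the signing input yields a different MAC; the CA
    can only report that the MAC is invalid, not which input differed.
    """
    header = decode_protected(jws["protected"])
    if header.get("alg") != "HS256" or header.get("url") != new_account_url:
        return False
    if json.loads(b64url_decode(jws["payload"])) != account_jwk:
        return False  # EAB must bind exactly the account key carried in the outer JWS 'jwk'
    key = b64url_decode(eab_hmac_key_b64)
    expected = hmac.new(key, f"{jws['protected']}.{jws['payload']}".encode("ascii"),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(jws["signature"]))


def hmac_known_answer_ok() -> bool:
    """RFC 4231 test case 2; handy for comparing against the HMAC a device's toolchain produces."""
    mac = hmac.new(b"Jefe", b"what do ya want for nothing?", hashlib.sha256).hexdigest()
    return mac == "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"


def demo() -> tuple:
    """Returns (verdict for a correctly built EAB, verdict for the undecoded-key variant)."""
    good = eab_jws(SAMPLE_ACCOUNT_JWK, SAMPLE_EAB_KID, SAMPLE_EAB_HMAC_KEY_B64, ZEROSSL_NEW_ACCOUNT)
    bad = eab_jws(SAMPLE_ACCOUNT_JWK, SAMPLE_EAB_KID, SAMPLE_EAB_HMAC_KEY_B64, ZEROSSL_NEW_ACCOUNT,
                  decode_key=False)
    return (verify_eab(good, SAMPLE_EAB_HMAC_KEY_B64, ZEROSSL_NEW_ACCOUNT, SAMPLE_ACCOUNT_JWK),
            verify_eab(bad, SAMPLE_EAB_HMAC_KEY_B64, ZEROSSL_NEW_ACCOUNT, SAMPLE_ACCOUNT_JWK))


if __name__ == "__main__":
    print(json.dumps(decode_protected(LOG_EAB_PROTECTED), indent=2))
    print("correct key bytes:", demo()[0], "| undecoded key text:", demo()[1])
    print("HMAC-SHA256 known answer:", hmac_known_answer_ok())
```

The decoded header shows the client side of the binding is structurally right (HS256, an EAB kid, the newAccount URL), so an "Invalid MAC" answer narrows the problem to the MAC bytes themselves: the key the CA has on file for that kid versus the key bytes the client actually used, or the exact `protected.payload` string that was MACed. acme.sh delegates this HMAC to the device's openssl (`dgst -mac HMAC` with a hex key), so on a constrained router it is worth checking that toolchain against the RFC 4231 vector in `hmac_known_answer_ok()` before suspecting the CA.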
@github-actions

github-actions bot commented Jul 3, 2023

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

@garycnew
Author

garycnew commented Jul 3, 2023

Per the debug 2 log, provided in the original post, it shows that I am using acme-3.0.6.sh. Is there a newer version?

@Neilpang
Member

Neilpang commented Jul 8, 2023

It seems you are using a router OS. The HMAC is not working on a limited router OS.
Please use Let's Encrypt as the CA:

acme.sh --set-default-ca  --server  letsencrypt

@Neilpang Neilpang closed this as completed Jul 8, 2023
@garycnew
Author

The ZeroSSL CA was working with acme.sh on the same router os for over a year.

@garycnew
Author

It seems ZeroSSL charges for Wildcard SSL Certificates, and that is the reason acme.sh is failing with it as the CA now.

@Neilpang
Member

No, the wildcard ssl cert is still free.
Here is one I just applied:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ca:aa:c1:f4:0e:f6:29:d0:12:91:b9:31:a2:ea:e8:43
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = AT, O = ZeroSSL, CN = ZeroSSL ECC Domain Secure Site CA
        Validity
            Not Before: Jul 21 00:00:00 2023 GMT
            Not After : Oct 19 23:59:59 2023 GMT
        Subject: CN = *.zerossl.neilpang.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:67:84:b7:96:a8:93:c9:28:4e:74:a4:14:82:82:
                    59:c5:64:ba:db:36:02:b1:14:e5:9b:05:6b:83:99:
                    a3:a1:5d:fb:fe:7c:ed:81:ea:40:23:72:9c:32:9f:
                    45:e6:82:6c:7c:83:9a:9f:02:54:cb:fb:05:5b:42:
                    25:60:90:9a:8b
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                0F:6B:E6:4B:CE:39:47:AE:F6:7E:90:1E:79:F0:30:91:92:C8:5F:A3
            X509v3 Subject Key Identifier:
                3E:1F:D4:1E:A5:78:04:CB:F4:41:18:AF:6A:4E:23:B0:22:32:BB:48
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.78
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.2.1
            Authority Information Access:
                CA Issuers - URI:http://zerossl.crt.sectigo.com/ZeroSSLECCDomainSecureSiteCA.crt
                OCSP - URI:http://zerossl.ocsp.sectigo.com
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : AD:F7:BE:FA:7C:FF:10:C8:8B:9D:3D:9C:1E:3E:18:6A:
                                B4:67:29:5D:CF:B1:0C:24:CA:85:86:34:EB:DC:82:8A
                    Timestamp : Jul 21 01:19:11.740 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:6D:C8:FB:C7:6A:C5:1B:5C:12:10:5C:7B:
                                19:7B:F1:19:AA:56:A1:17:E5:AB:65:9D:7F:D2:37:B5:
                                FE:C7:16:8E:02:21:00:E4:8F:9D:8E:E2:79:BF:E6:0B:
                                3D:59:AF:1E:12:F7:AF:71:11:B1:07:F2:15:01:FC:E4:
                                B1:51:DD:DF:59:18:6E
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
                                16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
                    Timestamp : Jul 21 01:19:11.821 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:F4:4E:66:08:F5:E5:FD:0F:AB:A2:E6:
                                EA:05:27:82:E9:D6:04:64:51:34:95:8D:D4:F6:82:55:
                                4B:67:2A:85:44:02:21:00:84:03:20:AD:29:4C:46:F7:
                                E0:F3:E5:E3:07:1C:68:0E:E4:15:DF:DC:8A:03:24:9D:
                                C8:16:19:C9:50:A6:E5:A2
            X509v3 Subject Alternative Name:
                DNS:*.zerossl.neilpang.com
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:64:02:30:1c:ed:18:16:72:e0:af:a1:d3:c9:26:31:65:ce:
        72:81:91:e1:17:54:2f:69:44:42:4c:6a:3a:f6:c5:24:67:ff:
        a2:d6:c0:01:73:ea:fd:01:da:2e:bd:d7:a7:b2:f5:16:02:30:
        0d:3f:e2:9c:6e:74:28:db:fb:08:93:79:aa:d6:ba:81:88:31:
        a5:60:ef:3c:da:9e:43:77:4c:44:ce:a4:ef:dc:37:cc:1e:6c:
        57:25:b8:63:4c:69:5c:0a:2d:db:35:45
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@garycnew
Author

Neil,

Now, I'm really confused. As part of my troubleshooting efforts, I logged in to ZeroSSL and attempted to manually renew expired certificates. In that process, ZeroSSL's available plans showed that the Free 3-domain option no longer supported wildcard, multi-domain certificates. It suggested that I would need to upgrade to the $50/month plan.

BTW... I was successfully using acme-3.0.1.sh on the router o/s for over a year. I've upgraded to acme-3.0.6.sh on the same router o/s, but the error remains the same.

If ZeroSSL still supports Free wildcard, multi-domain certificates, why the issue with acme.sh? It was previously working.

Thank you for your time and assistance.

Kind Regards,

Gary

@garycnew
Author

Neil,

The issue is specific to Wildcard, SAN Certs. The example you provided is a subdomain, wildcard certificate, which is not a problem.

Please try issuing a Wildcard, SAN Cert with multiple parent domains with acme.sh.

Thanks, again.

Gary

P.S. You can find relevant troubleshooting discussion here: https://www.snbforums.com/threads/solution-asus-wrapper-acme-sh-adds-dns-support-for-lets-encrypt-wildcard-san-certs-to-integrated-asus-acme-sh-implementation.75233/page-3

@Neilpang
Member

@garycnew
Author

Neil,

Is the link you provided an old marketing reference? The following screenshot shows the current plans:

[Screenshot: ZeroSSL plans page]

To reproduce the issue... Please try issuing a ZeroSSL Wildcard, SAN Cert with multiple parent domains using acme.sh.

Thanks, again.

Gary

@Neilpang
Member

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            79:a8:31:ec:12:c8:4c:b8:fd:16:06:b2:2f:43:94:d3
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = AT, O = ZeroSSL, CN = ZeroSSL ECC Domain Secure Site CA
        Validity
            Not Before: Jul 24 00:00:00 2023 GMT
            Not After : Oct 22 23:59:59 2023 GMT
        Subject: CN = *.neilpang.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e5:34:2d:5c:5e:e0:1c:e3:60:55:00:36:f0:be:
                    d7:2c:41:c7:81:0a:fc:9e:09:76:29:57:c6:d5:7d:
                    b1:d8:28:3a:d6:c2:8e:e4:e7:3d:2b:8f:85:6a:c9:
                    d2:bf:53:0b:f8:8d:bc:3b:d4:0f:7d:ee:5d:07:33:
                    ac:d0:ae:e1:9f
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                0F:6B:E6:4B:CE:39:47:AE:F6:7E:90:1E:79:F0:30:91:92:C8:5F:A3
            X509v3 Subject Key Identifier:
                66:7A:3C:A9:AF:BC:63:F3:F4:66:99:00:F0:30:06:E3:03:7C:11:DC
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.2.78
                  CPS: https://sectigo.com/CPS
                Policy: 2.23.140.1.2.1
            Authority Information Access:
                CA Issuers - URI:http://zerossl.crt.sectigo.com/ZeroSSLECCDomainSecureSiteCA.crt
                OCSP - URI:http://zerossl.ocsp.sectigo.com
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : AD:F7:BE:FA:7C:FF:10:C8:8B:9D:3D:9C:1E:3E:18:6A:
                                B4:67:29:5D:CF:B1:0C:24:CA:85:86:34:EB:DC:82:8A
                    Timestamp : Jul 24 14:15:20.193 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:CA:FC:40:A5:7A:2C:12:BE:68:85:9E:
                                F7:3D:F8:01:C2:39:B0:1B:67:F8:C9:F2:D8:9B:4F:C2:
                                70:A8:1B:FE:E5:02:20:32:AE:4B:93:9F:DE:C6:77:C8:
                                82:D1:FC:39:D9:DD:70:C8:B5:F1:84:9A:97:CC:EE:F4:
                                3F:CE:1E:DC:25:C8:79
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
                                16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
                    Timestamp : Jul 24 14:15:20.279 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:7D:80:1A:56:AE:1C:16:82:74:BE:FB:BA:
                                D1:F8:AC:27:8C:E9:4A:E9:2A:85:8D:B3:75:83:3E:B7:
                                49:AD:0D:00:02:20:26:04:A3:62:CA:E8:A0:C7:2A:54:
                                91:98:D2:03:21:2B:12:5D:2C:4B:2B:12:21:00:55:F5:
                                17:7D:53:93:83:DD
            X509v3 Subject Alternative Name:
                DNS:*.neilpang.com, DNS:neilpang.com
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:66:02:31:00:eb:e9:52:fc:a5:13:e6:86:29:0b:7b:a0:62:
        82:e7:52:91:be:83:8f:d6:b8:96:97:15:3c:24:a6:7c:72:74:
        5a:9e:be:fe:43:2d:21:9c:0d:73:48:9b:d1:f3:8a:22:35:02:
        31:00:bf:17:98:c0:ec:7a:b9:dc:4b:6f:09:9f:a6:57:96:b4:
        86:7d:54:de:77:22:92:06:cd:d5:4e:29:18:fa:6a:18:bb:3d:
        fe:4d:d1:5a:13:5a:13:ff:86:14:b4:7a:82:c9
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@Neilpang
Member

All the limits of ZeroSSL are for the web interface.
If you use the ACME API, there is no limit. You can issue any number of wildcard certs.

I have explained this thousands of times. I don't want to say it again.

@garycnew
Author

Neil,

Apologies for causing you to explain the ZeroSSL acme.sh vs web plan differences, again.

Thank you for validating you are able to have a ZeroSSL Wildcard, SAN Cert issued using acme.sh.

Which version of acme.sh and dnsapi did you use to generate your ZeroSSL Wildcard, SAN Cert example?

Again, I was able to generate ZeroSSL Wildcard, SAN Certs for the past year and a half on the router o/s in question using acme-3.0.1.sh and dnsapi. The same implementation still works with Let's Encrypt as a CA.

It seems something must have changed on the ZeroSSL side to cause the issue.

Any thoughts on the matter?

Thanks, again.

Gary

@Neilpang
Member

Is v3.0.1 still working now?

@garycnew
Author

garycnew commented Aug 1, 2023

acme-3.0.1.sh still works with Let's Encrypt, but no longer working with ZeroSSL.

@Neilpang
Member

Neilpang commented Aug 4, 2023

Did v3.0.1 ever work with ZeroSSL for you before?

@garycnew
Author

garycnew commented Aug 4, 2023

Yes... acme-3.0.1.sh successfully issued and renewed Wildcard, SAN Certs through ZeroSSL for over a year on the same operating system. It was only in July 2023 that the error began being reported by acme.sh.

I believe ZeroSSL must have changed something with their External Account Binding parameters that no longer works with acme.sh

Thank you for your assistance.

Gary
