JWS Error

ERR ts=1717164516.1400423 logger=tls.obtain msg=could not get certificate from issuer identifier=*.gnas.duckdns.org issuer=acme-v02.api.letsencrypt.org-directory error=HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error

Hello.

I get the above error on Wildcards when using the below Caddyfile.

Also, when I clear the certs and redo the entire thing, I have observed this same error either happens with the main domain gnas.duckdns.org or the Wildcard, based on whichever is releasing the lock first. So if the Wildcard is released, the JWS error happens on the Main Domain, or vice versa.

So either the Main domain is verified and works, while Wildcards show JWS errors,
OR Wildcards work and the main domain has this JWS error.

{
	acme_ca https://acme-v02.api.letsencrypt.org/directory
	acme_dns duckdns secret-token
}

gnas.duckdns.org:443 {
	tls {
		dns duckdns secret-token
	}

	encode zstd gzip

	reverse_proxy 192.168.1.9:80
}

*.gnas.duckdns.org:443 {
	tls {
		dns duckdns secret-token
	}

	encode zstd gzip

	@files host files.gnas.duckdns.org
	handle @files {
		reverse_proxy 192.168.1.9:8081
	}

	@tv host tv.gnas.duckdns.org
	handle @tv {
		reverse_proxy 192.168.1.9:8989
	}

	@dash host dash.gnas.duckdns.org
	handle @dash {
		reverse_proxy 192.168.1.9:8090
	}

	@ssh host ssh.gnas.duckdns.org
	handle @ssh {
		reverse_proxy 192.168.1.9:3000
	}

	@vault host vault.gnas.duckdns.org
	handle @vault {
		reverse_proxy vaultwarden:80
		# reverse_proxy /notifications/hub vaultwarden:3012
	}

	@notes host notes.gnas.duckdns.org
	handle @notes {
		reverse_proxy 192.168.1.9:22300
	}

	@movies host movies.gnas.duckdns.org
	handle @movies {
		reverse_proxy 192.168.1.9:7878
	}

	@subs host subs.gnas.duckdns.org
	handle @subs {
		reverse_proxy 192.168.1.9:6767
	}

	@docks host docks.gnas.duckdns.org
	handle @docks {
		reverse_proxy 192.168.1.9:9000
	}

	# @speedtest host speedtest.gnas.duckdns.org
	# handle @speedtest {
	#     reverse_proxy 192.168.1.9:49159
	# }

	@flare host flare.gnas.duckdns.org
	handle @flare {
		reverse_proxy 192.168.1.9:8191
	}

	@torrents host torrents.gnas.duckdns.org
	handle @torrents {
		reverse_proxy 192.168.1.9:8080
	}

	@photos host photos.gnas.duckdns.org
	handle @photos {
		reverse_proxy 192.168.1.9:8089
	}

	@sync host sync.gnas.duckdns.org
	handle @sync {
		reverse_proxy 192.168.1.9:8384
	}

	@backup host backup.gnas.duckdns.org
	handle @backup {
		reverse_proxy 192.168.1.9:8200
	}

	@indexer host indexer.gnas.duckdns.org
	handle @indexer {
		reverse_proxy 192.168.1.9:9117
	}

	@monitor host monitor.gnas.duckdns.org
	handle @monitor {
		reverse_proxy 192.168.1.9:19999
	}

	@media host media.gnas.duckdns.org
	handle @media {
		reverse_proxy 192.168.1.9:8096
		# reverse_proxy 192.168.1.9:8920
		# reverse_proxy 192.168.1.9:7359
		# reverse_proxy 192.168.1.9:1900
	}

	# @adguard host adguard.gnas.duckdns.org
	# handle @adguard {
	#     reverse_proxy adguardhome:80
	#     reverse_proxy adguardhome:53
	#     reverse_proxy adguardhome:67
	#     reverse_proxy adguardhome:68
	#     reverse_proxy adguardhome:443
	#     reverse_proxy adguardhome:3000
	#     reverse_proxy adguardhome:853
	#     reverse_proxy adguardhome:784
	#     reverse_proxy adguardhome:8853
	#     reverse_proxy adguardhome:5443
	# }
}

adguard-gnas.duckdns.org:443 {
	tls {
		dns duckdns secret-token
	}

	encode zstd gzip

	reverse_proxy adguardhome:80
}

What happens if you clear out this folder in your data dir (default is $HOME/.local/share/caddy/): acme/acme-v02.../users and then try again?


I am running Caddy as a docker container, so not only the certs but I cleared the entire Caddy data and restarted the container multiple times.

So it also removes all the folders: acme, certificates, locks and ocsp.

And it would either give me the JWS error on the root domain or the Wildcards.

So if the wildcard is released first, the root domain would show the JWS error,

or if the root domain is released, the Wildcard would give me the JWS error.

So it is either root or Wildcards with the JWS error, based on which one is released first.

For example, in the title you can see the Wildcards are the ones with the JWS error; after I cleared the data and restarted the container, the wildcards are now released and the root domain is showing the JWS errors:

INF ts=1717165376.5817263 logger=tls.obtain msg=releasing lock identifier=gnas.duckdns.org
ERR ts=1717165376.5820842 logger=tls msg=job failed error=gnas.duckdns.org: obtaining certificate: [gnas.duckdns.org] Obtain: [gnas.duckdns.org] creating new order: attempt 1: https://acme-v02.api.letsencrypt.org/acme/new-order: HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error (ca=https://acme-v02.api.letsencrypt.org/directory)
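As an added example (not code from this thread or from Caddy itself), a small Python parser for the console-format log lines quoted above: it splits each line into its fields, pulls out the identifier and the ACME error type, and counts failures per name so an operator can spot a retry loop before worrying about CA rate limits. It assumes the line shape shown in the thread (a level token followed by unquoted key=value pairs); the sample lines are constructed copies of the ones quoted here.

```python
import re
from collections import Counter

# Keys start at line start or after whitespace; values are unquoted and may
# contain spaces, so each line is cut at key boundaries rather than split.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_][\w.]*)=")
ACME_ERR_RE = re.compile(r"urn:ietf:params:acme:error:([A-Za-z]+)")

def parse_line(line):
    """Turn one Caddy console-format line into a dict (level plus fields)."""
    keys = list(KEY_RE.finditer(line))
    if not keys:
        return None
    fields = {"level": line[: keys[0].start()].strip()}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(line)
        fields[m.group(1)] = line[m.end():end].strip()
    return fields

def acme_failure(fields):
    """Return (name, acme_error_type) for an ACME failure line, else None.
    'job failed' lines carry no identifier field; there the name is the
    text before the first ':' of the error value."""
    if not fields or fields["level"] != "ERR":
        return None
    err = fields.get("error", "")
    m = ACME_ERR_RE.search(err)
    if not m:
        return None
    name = fields.get("identifier") or err.split(":", 1)[0].strip()
    return name, m.group(1)

def summarize(lines, warn_after=3):
    """Count ACME failures per name; flag names at or above warn_after so
    the retry loop can be stopped before it runs into CA rate limits."""
    counts, errors = Counter(), {}
    for line in lines:
        hit = acme_failure(parse_line(line))
        if hit:
            counts[hit[0]] += 1
            errors[hit[0]] = hit[1]
    flagged = sorted(n for n, c in counts.items() if c >= warn_after)
    return {"counts": dict(counts), "errors": errors, "flagged": flagged}

# Constructed sample: copies of the three log lines quoted in this thread.
SAMPLE_LOG = [
    "ERR ts=1717164516.1400423 logger=tls.obtain msg=could not get certificate from issuer identifier=*.gnas.duckdns.org issuer=acme-v02.api.letsencrypt.org-directory error=HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error",
    "INF ts=1717165376.5817263 logger=tls.obtain msg=releasing lock identifier=gnas.duckdns.org",
    "ERR ts=1717165376.5820842 logger=tls msg=job failed error=gnas.duckdns.org: obtaining certificate: [gnas.duckdns.org] Obtain: [gnas.duckdns.org] creating new order: attempt 1: https://acme-v02.api.letsencrypt.org/acme/new-order: HTTP 400 urn:ietf:params:acme:error:malformed - JWS verification error (ca=https://acme-v02.api.letsencrypt.org/directory)",
]
```

Run `summarize(SAMPLE_LOG, warn_after=1)` to see both names flagged with error type `malformed`; feed it `caddy` container logs to watch a real deployment.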

Hello @matt, thank you for your help. So yes, what I shared earlier stands true: if I clear all the Caddy data (the entire thing, i.e. acme, certificates, locks and ocsp),

the JWS config error happens with either the Wildcards or the Root domain, based on whichever is released first.

However, when I now just clear the Users folder which you mentioned, somehow it worked.

Still, I tried once again by clearing the Caddy data (the entire thing, i.e. acme, certificates, locks and ocsp), and somehow it still works.

While the same thing yesterday and even this morning was giving me that JWS error on either Root or Wildcards (based on which is released first).

I don't know how it fixed itself, but I don't wanna attempt trying again, as I could get rate limited, since I have already tried almost 5 times since yesterday.

What could be the issue here, as the same thing (i.e. clearing Caddy data entirely) was not working until this morning?


I am not sure, honestly. :thinking: It would require more digging.
