Sign failed with HTTP/1.1 400 Bad Request

[backbohne]

Hi,

I'm using your script without any issue under Debian, but it fails under Cloudlinux (CentOS).
Not sure what is the problem here?

> le issue dns-deep web01.mydomain.ch
...
Verify finished, start to sign.
url=https://acme-v01.api.letsencrypt.org/acme/new-cert
payload={"resource": "new-cert", "csr": "..."}
RSA key
pub_exp=010001
e=AQAB
jwk={"e": "AQAB", "kty": "RSA", "n": "..."}
HEADER={"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "..."}}
payload64=...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0   263    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
nonce=...
protected={"nonce": "...", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "..."}}
protected64=...
sig=...
body={"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "..."}}, "protected": "...", "payload": "...", "signature": "..."}
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
102  2652    0    98  102  2554    125   3269 --:--:-- --:--:-- --:--:--  3607
responseHeaders=HTTP/1.1 100 Continue
Expires: Tue, 29 Mar 2016 14:34:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 98
Replay-Nonce: 3XnsQBBg4Oc32DV4F7GejkWFwM45Ty0PheLOw965uUA
Expires: Tue, 29 Mar 2016 14:34:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 29 Mar 2016 14:34:52 GMT
Connection: close

response=curl exists=0
eyJ0eXBlIjoidXJuOmFjbWU6ZXJyb3I6bWFsZm9ybWVkIiwiZGV0YWlsIjoiRXJyb3IgdW5tYXJzaGFsaW5nIGNlcnRpZmljYXRlIHJlcXVlc3QiLCJzdGF0dXMiOjQwMH0=
code=400
OK
/opt/deep-le/web01.mydomain.ch/web01.mydomain.ch.conf:9:Le_LinkCert=
Sign failed: 

> cat http.header                                                                                                           
HTTP/1.1 100 Continue
Expires: Tue, 29 Mar 2016 14:34:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 98
Replay-Nonce: 3XnsQBBg4Oc32DV4F7GejkWFwM45Ty0PheLOw965uUA
Expires: Tue, 29 Mar 2016 14:34:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 29 Mar 2016 14:34:52 GMT
Connection: close

> curl -V                                                                                         
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp 
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz 

Regrads
Frank

[Neilpang]

It seems that you are not using the latest version. Please uninstall and re-install the latest version.
Paste the logs here if you still have the issue.

[backbohne]

OK, I've installed the latest repo under my user, but it will still fails:

le issue dns-deep web01.mydomain.ch

OK
/home/fbo/.le/web01.mydomain.ch/web01.mydomain.ch.conf:1:Le_Domain=web01.mydomain.ch
OK
/home/fbo/.le/web01.mydomain.ch/web01.mydomain.ch.conf:2:Le_Alt=
OK
/home/fbo/.le/web01.mydomain.ch/web01.mydomain.ch.conf:3:Le_Webroot=dns-deep
OK
/home/fbo/.le/web01.mydomain.ch/web01.mydomain.ch.conf:4:Le_Keylength=
OK
/home/fbo/.le/web01.mydomain.ch/web01.mydomain.ch.conf:5:Le_RealCertPath=""
OK
/home/fbo/.le/web01.mydomain.ch/web01.mydomain.ch.conf:6:Le_RealCACertPath=""
OK
/home/fbo/.le/web01.mydomain.ch/web01.mydomain.ch.conf:7:Le_RealKeyPath=""
OK
/home/fbo/.le/web01.mydomain.ch/web01.mydomain.ch.conf:8:Le_ReloadCmd=""
Creating account key
Use default length 2048
Account key exists, skip
RSA key
pub_exp='010001'
e='AQAB'
jwk='{"e": "AQAB", "kty": "RSA", "n": "..."}'
HEADER='{"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "..."}}'
Skip register account key
Creating domain key
Use length 2048
Creating csr
Single domain=web01.mydomain.ch
Verify each domain
Getting token for domain=web01.mydomain.ch
url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "web01.mydomain.ch"}}'
RSA key
pub_exp='010001'
e='AQAB'
jwk='{"e": "AQAB", "kty": "RSA", "n": "..."}'
HEADER='{"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "..."}}'
payload64='...'
url='https://acme-v01.api.letsencrypt.org/directory'
curl exists=0
nonce='...'
protected='{"nonce": "...", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "..."}}'
protected64='...'
sig='...'
body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "..."}}, "protected": "...", "payload": "...", "signature": "..."}'
curl exists=0
responseHeaders='HTTP/1.1 100 Continue
Expires: Wed, 30 Mar 2016 08:18:47 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 201 Created
Server: nginx
Content-Type: application/json
Content-Length: 776
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/Aynk4952q5T7iNZhY-UKmutk7XAVtj5Sguk8DfKXUCs
Replay-Nonce: _smdTRy6Huvno-w5pp9rKNzGwjjXPA0TyefLGyOjIBE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 30 Mar 2016 08:18:48 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 30 Mar 2016 08:18:48 GMT
Connection: keep-alive
'
response='{"identifier":{"type":"dns","value":"web01.mydomain.ch"},"status":"pending","expires":"2016-04-06T08:18:47.745578166Z","challenges":[{"type":"tls-sni-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Aynk4952q5T7iNZhY-UKmutk7XAVtj5Sguk8DfKXUCs/37555821","token":"hgp74PcPYzhGS7LVLmXgmg0u2mWcQE84CvpBmMb7kxM"},{"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Aynk4952q5T7iNZhY-UKmutk7XAVtj5Sguk8DfKXUCs/37555822","token":"nPUl05gRe9It2bVCeX7HrEce747ygV968ONWvKzuNEY"},{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Aynk4952q5T7iNZhY-UKmutk7XAVtj5Sguk8DfKXUCs/37555823","token":"Y6QshXhBcGYE-QDZ6gTvaMxurZsoxYw2aRYr0iRrmxQ"}],"combinations":[[2],[1],[0]]}'
code='201'
entry='{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Aynk4952q5T7iNZhY-UKmutk7XAVtj5Sguk8DfKXUCs/37555823","token":"Y6QshXhBcGYE-QDZ6gTvaMxurZsoxYw2aRYr0iRrmxQ"'
token='Y6QshXhBcGYE-QDZ6gTvaMxurZsoxYw2aRYr0iRrmxQ'
uri='https://acme-v01.api.letsencrypt.org/acme/challenge/Aynk4952q5T7iNZhY-UKmutk7XAVtj5Sguk8DfKXUCs/37555823'
keyauthorization='Y6QshXhBcGYE-QDZ6gTvaMxurZsoxYw2aRYr0iRrmxQ.vyfpmc0EcRAKQ-ziXQM9_JDJayraFrrxVXWo8539UNo'
dvlist='web01.mydomain.ch#Y6QshXhBcGYE-QDZ6gTvaMxurZsoxYw2aRYr0iRrmxQ.vyfpmc0EcRAKQ-ziXQM9_JDJayraFrrxVXWo8539UNo#https://acme-v01.api.letsencrypt.org/acme/challenge/Aynk4952q5T7iNZhY-UKmutk7XAVtj5Sguk8DfKXUCs/37555823'
txtdomain='_acme-challenge.web01.mydomain.ch'
txt='RhpGVJUgV6516V24uhCC1auBbjZ-cKKEytFseXyNpro'
d_api='/home/fbo/.le/dnsapi/dns-deep.sh'
Found domain api file: /home/fbo/.le/dnsapi/dns-deep.sh
dns-deep-add
OK
/home/fbo/.le/account.conf:16:DEEP_Key=rek548ujFar23d7u3hVFF3
OK
/home/fbo/.le/account.conf:15:DEEP_Api=https://backend.ida.mydomain.ch/special-dns-acme-challenge
calling API: /usr/bin/curl -s -k -X POST --data 'key=*****&domain=_acme-challenge.web01.mydomain.ch&value=RhpGVJUgV6516V24uhCC1auBbjZ-cKKEytFseXyNpro' https://backend.ida.mydomain.ch/special-dns-acme-challenge
Sleep 60 seconds for the txt records to take effect
ok, let's start to verify
Verifying:web01.mydomain.ch
d=web01.mydomain.ch
keyauthorization=Y6QshXhBcGYE-QDZ6gTvaMxurZsoxYw2aRYr0iRrmxQ.vyfpmc0EcRAKQ-ziXQM9_JDJayraFrrxVXWo8539UNo
uri=https://acme-v01.api.letsencrypt.org/acme/challenge/Aynk4952q5T7iNZhY-UKmutk7XAVtj5Sguk8DfKXUCs/37555823
url=https://acme-v01.api.letsencrypt.org/acme/challenge/Aynk4952q5T7iNZhY-UKmutk7XAVtj5Sguk8DfKXUCs/37555823
payload={"resource": "challenge", "keyAuthorization": "Y6QshXhBcGYE-QDZ6gTvaMxurZsoxYw2aRYr0iRrmxQ.vyfpmc0EcRAKQ-ziXQM9_JDJayraFrrxVXWo8539UNo"}
RSA key
pub_exp=010001
e=AQAB
jwk={"e": "AQAB", "kty": "RSA", "n": "..."}
HEADER={"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "..."}}
payload64=eyJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLCAia2V5QXV0aG9yaXphdGlvbiI6ICJZNlFzaFhoQmNHWUUtUURaNmdUdmFNeHVyWnNveFl3MmFSWXIwaVJybXhRLnZ5ZnBtYzBFY1JBS1EtemlYUU05X0pESmF5cmFGcnJ4VlhXbzg1MzlVTm8ifQ
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0   263    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
nonce=_C7RiHR1Ng10KLHclZCWBeG8HTqwZXQxW-Z4IfEBzmU
protected={"nonce": "_C7RiHR1Ng10KLHclZCWBeG8HTqwZXQxW-Z4IfEBzmU", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "..."}}
protected64=...
sig=...
body={"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "..."}}, "protected": "...", "payload": "...", "signature": "..."}
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1912  104   312  100  1600    360   1846 --:--:-- --:--:-- --:--:--  2185
responseHeaders=HTTP/1.1 100 Continue
Expires: Wed, 30 Mar 2016 08:20:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 202 Accepted
Server: nginx
Content-Type: application/json
Content-Length: 312
Link: <https://acme-v01.api.letsencrypt.org/acme/authz/Aynk4952q5T7iNZhY-UKmutk7XAVtj5Sguk8DfKXUCs>;rel="up"
Location: https://acme-v01.api.letsencrypt.org/acme/challenge/Aynk4952q5T7iNZhY-UKmutk7XAVtj5Sguk8DfKXUCs/37555823
Replay-Nonce: jZjVtYln6MSFsjWea1diMd0NmHHHrCPGMCOcg4VIMSs
Expires: Wed, 30 Mar 2016 08:20:05 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 30 Mar 2016 08:20:05 GMT
Connection: keep-alive

response=curl exists=0
{"type":"dns-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/Aynk4952q5T7iNZhY-UKmutk7XAVtj5Sguk8DfKXUCs/37555823","token":"Y6QshXhBcGYE-QDZ6gTvaMxurZsoxYw2aRYr0iRrmxQ","keyAuthorization":"Y6QshXhBcGYE-QDZ6gTvaMxurZsoxYw2aRYr0iRrmxQ.vyfpmc0EcRAKQ-ziXQM9_JDJayraFrrxVXWo8539UNo"}
code=202
sleep 5 secs to verify
checking
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
103   412  103   412    0     0   1384      0 --:--:-- --:--:-- --:--:--  2203
Success
Skip for removelevel:
Verify finished, start to sign.
url=https://acme-v01.api.letsencrypt.org/acme/new-cert
payload={"resource": "new-cert", "csr": "..."}
RSA key
pub_exp=010001
e=AQAB
jwk={"e": "AQAB", "kty": "RSA", "n": "..."}
HEADER={"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "..."}}
payload64=...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0   263    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
nonce=xl9p5bRiQeuIwxL75DNhrHWKvllxvTCK7V61-ijEx7k
protected={"nonce": "xl9p5bRiQeuIwxL75DNhrHWKvllxvTCK7V61-ijEx7k", "alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "..."}}
protected64=...
sig=...
body={"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "..."}}, "protected": "...", "payload": "...", "signature": "..."}
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
102  2652    0    98  102  2554    122   3205 --:--:-- --:--:-- --:--:--  3627
responseHeaders=HTTP/1.1 100 Continue
Expires: Wed, 30 Mar 2016 08:20:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 98
Replay-Nonce: J6w670D4E0nNzYr-bX7YXzAJHillzXYvvTKihzshHcY
Expires: Wed, 30 Mar 2016 08:20:12 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 30 Mar 2016 08:20:12 GMT
Connection: close

response=curl exists=0
eyJ0eXBlIjoidXJuOmFjbWU6ZXJyb3I6bWFsZm9ybWVkIiwiZGV0YWlsIjoiRXJyb3IgdW5tYXJzaGFsaW5nIGNlcnRpZmljYXRlIHJlcXVlc3QiLCJzdGF0dXMiOjQwMH0=
code=400
OK
/home/fbo/.le/web01.mydomain.ch/web01.deep.ch.conf:9:Le_LinkCert=
Sign failed: 

[Neilpang]

I believe the log is not generated by our latest code.

1. Install the latest version online :

curl https://raw.githubusercontent.com/Neilpang/le/master/le.sh | INSTALLONLINE=1  bash

And then try again.

1. If it still doesn't work, please check the generated CSR with online decoder:

https://certlogik.com/decoder/

The csr is located : ~/.le/yourdomain.ch/yourdomain.ch.csr

[backbohne]

Have reinstalled as you mentioned above, but it still fails (lease note that I've removed clear-text keys/certs from the logs).

Your generated CSR ist valid (status "green" at all).

[Neilpang]

Yes, I knew that you removed some keys/certs. but the output doesn't look like from our latest code.

I just checked in a new version number 1.2.1.

Please re-install, and see if the version number is correct.

[backbohne]

> curl https://raw.githubusercontent.com/Neilpang/le/master/le.sh | INSTALLONLINE=1  bash                                                                                                                [1062]
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 41599  100 41599    0     0   118k      0 --:--:-- --:--:-- --:--:--  286k
Installing from online archive.
Downloading https://github.com/Neilpang/le/archive/master.tar.gz
url='https://github.com/Neilpang/le/archive/master.tar.gz'
curl exists=0
Extracting master.tar.gz
curl exists=0
crontab exists=0
openssl exists=0
nc exists=0
Installing to /home/fbo/.le
Installed to /home/fbo/.le/le.sh
Found profile: /home/fbo/.zshrc
OK
/home/fbo/.zshrc:5:source "/home/fbo/.le/le.env"
OK, Close and reopen your terminal to start using le
crontab exists=0
Installing cron job
0 0 * * * LE_WORKING_DIR="/home/fbo/.le" "/home/fbo/.le"/le.sh cron > /dev/null
OK
Install success!

> /home/fbo/.le/le.sh                                                                                                                                                                                   
https://github.com/Neilpang/le
v1.2.1
Usage: le.sh  [command] ...[args]....
Avalible commands:

install:
  Install le.sh to your system.
issue:
  Issue a cert.
installcert:
  Install the issued cert to apache/nginx or any other server.
renew:
  Renew a cert.
renewAll:
  Renew all the certs.
uninstall:
  Uninstall le.sh, and uninstall the cron job.
version:
  Show version info.
installcronjob:
  Install the cron job to renew certs, you don't need to call this. The 'install' command can automatically install the cron job.
uninstallcronjob:
  Uninstall the cron job. The 'uninstall' command can do this automatically.
createAccountKey:
  Create an account private key, professional use.
createDomainKey:
  Create an domain private key, professional use.
createCSR:
  Create CSR , professional use.

...but same error :-(

[backbohne]

The only difference I see between my running Debian setup is the curl version.

Cloudlinux (6): 7.19.7 (x86_64-redhat-linux-gnu)
Debian (jessie): 7.38.0 (x86_64-pc-linux-gnu)

[Neilpang]

Then can you please upgrade your curl version and try again?

Or, you can uninstall curl, and install wget. we can support wget too.

[Neilpang]

I just tried with my CentOS 6 VM, it uses curl 7.19.7, which is same as yours:

[root@centos .le]# curl -V
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp 
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz 

But it works for me, no issue is there.

And, I just made a minor fix for you. Please update and try again.

[backbohne]

• curl https://raw.githubusercontent.com/Neilpang/le/master/le.sh | INSTALLONLINE=1 bash
• le issue dns-deep web01.mydomain.ch

same issue :-(

account.conf

ACCOUNT_EMAIL=ops@mydomain.ch
ACCOUNT_KEY_PATH="/home/fbo/.le/account.key"
ACCOUNT_KEY_HASH=123456789=

LE_WORKING_DIR="/home/fbo/.le"
ACME_DIR=/var/www
APACHE_CONF_BACKUP_DIR="/home/fbo/.le/backup"
USER_AGENT="le.sh client: https://github.com/Neilpang/le"

# STAGE=1 
FORCE=1
DEBUG=1

# deep DNS ACME API URL and key 
DEEP_Api=https://backend.ida.mydomain.ch/special-dns-acme-challenge
DEEP_Key=*******

dnsapi/dns-deep.sh

#!/bin/bash
#
# see https://github.com/Neilpang/le/tree/master/dnsapi for details

CURL=/usr/bin/curl

dns-deep-add() {
  domain=$1
  txtvalue=$2

  if [ -z "$DEEP_Key" ] || [ -z "$DEEP_Api" ] ; then
    _err "You don't specify DEEP_Key and/or DEEP_Api yet."
    _err "Please create you key and try again."
    return 1
  fi

  # save the key and url to account conf file.
  _saveaccountconf DEEP_Key "$DEEP_Key"
  _saveaccountconf DEEP_Api "$DEEP_Api"

  data="key=${DEEP_Key}&domain=${domain}&value=${txtvalue}"
  _debug "calling API: $CURL -s -k -X POST --data '$data' $DEEP_Api"
  result="`$CURL -s -k -X POST --data \"$data\" $DEEP_Api`"

  if [ "$result" == '"OK"' ] ; then
    return 0
  fi

  _err "DNS update fails with: $result"

  return 1
}

_debug() {
  if [ -z "$DEBUG" ] ; then
    return
  fi

  if [ -z "$2" ] ; then
    echo $1
  else
    echo "$1"="$2"
  fi
}

_info() {
  if [ -z "$2" ] ; then
    echo "$1"
  else
    echo "$1"="$2"
  fi
}

_err() {
  if [ -z "$2" ] ; then
    echo "$1" >&2
  else
    echo "$1"="$2" >&2
  fi
}

curl.dump

...
=> Send data, 1528 bytes (0x5f8)
0000: {"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "
0040: n": "..."}
<= Recv header, 22 bytes (0x16)
0000: HTTP/1.1 201 Created
<= Recv header, 15 bytes (0xf)
0000: Server: nginx
<= Recv header, 32 bytes (0x20)
0000: Content-Type: application/json
<= Recv header, 21 bytes (0x15)
0000: Content-Length: 776
<= Recv header, 71 bytes (0x47)
0000: Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="
0040: next"
<= Recv header, 103 bytes (0x67)
0000: Location: https://acme-v01.api.letsencrypt.org/acme/authz/_OG69A
0040: xMvFtxeGhxPEnCHhUe7-4Lla5a1qcUUeiAKaM
<= Recv header, 59 bytes (0x3b)
0000: Replay-Nonce: 8LoOb34NNOfj5sfwAP46Cf1j98398aAcsbht53lLt5A
<= Recv header, 23 bytes (0x17)
0000: X-Frame-Options: DENY
<= Recv header, 43 bytes (0x2b)
0000: Strict-Transport-Security: max-age=604800
<= Recv header, 40 bytes (0x28)
0000: Expires: Thu, 31 Mar 2016 12:46:20 GMT
<= Recv header, 46 bytes (0x2e)
0000: Cache-Control: max-age=0, no-cache, no-store
<= Recv header, 18 bytes (0x12)
0000: Pragma: no-cache
<= Recv header, 37 bytes (0x25)
0000: Date: Thu, 31 Mar 2016 12:46:20 GMT
<= Recv header, 24 bytes (0x18)
0000: Connection: keep-alive
<= Recv header, 2 bytes (0x2)
0000: 
<= Recv data, 776 bytes (0x308)
0000: {"identifier":{"type":"dns","value":"web01.deep.ch"},"status":"p
0040: ending","expires":"2016-04-07T12:46:20.295042491Z","challenges":
0080: [{"type":"http-01","status":"pending","uri":"https://acme-v01.ap
00c0: i.letsencrypt.org/acme/challenge/_OG69AxMvFtxeGhxPEnCHhUe7-4Lla5
0100: a1qcUUeiAKaM/38430144","token":"khnf-R2lD2OapztlvZ3eFVN_p9XwukbB
0140: iOYzEqXRshM"},{"type":"dns-01","status":"pending","uri":"https:/
0180: /acme-v01.api.letsencrypt.org/acme/challenge/_OG69AxMvFtxeGhxPEn
01c0: CHhUe7-4Lla5a1qcUUeiAKaM/38430145","token":"Eg9hLRC4iJlxbDXU7slF
0200: LMrT-pwYKScih6BeWcolIvk"},{"type":"tls-sni-01","status":"pending
0240: ","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/_OG
0280: 69AxMvFtxeGhxPEnCHhUe7-4Lla5a1qcUUeiAKaM/38430146","token":"LuJy
02c0: feb98moVzYC7frA5jc_I7ssXGJkPtmuSeFr2qig"}],"combinations":[[1],[
0300: 2],[0]]}
== Info: Connection #0 to host acme-v01.api.letsencrypt.org left intact
== Info: Closing connection #0

le.env

LE_WORKING_DIR=/home/fbo/.le
alias le="/home/fbo/.le/le.sh"
alias le.sh="/home/fbo/.le/le.sh"

[Neilpang]

please remove the line in your script:

CURL=/usr/bin/curl

[Neilpang]

I just fix the code. the domain api will be run in a subshell.

please try again.

[backbohne]

removed, but still same error :-(

[Neilpang]

please update and try again

[backbohne]

IT WORKS!!!!