[GH-ISSUE #1372] [BUG] Certificate Renewal Error in Nginx UI (JWS verification error) #6536

Closed
opened 2026-03-01 17:12:53 +03:00 by kerem · 7 comments
Owner

Originally created by @zdv1g on GitHub (Oct 4, 2025).
Original GitHub issue: https://github.com/0xJacky/nginx-ui/issues/1372

Describe the bug
When trying to renew an SSL certificate via Nginx UI, the renewal process fails with a JWS verification error.
The currently active certificate remains valid, but auto-renewal does not work.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Nginx UI → SSL
  2. Click on Renew certificate
  3. Wait for the process to start
  4. See the error in logs

Expected behavior
The certificate should be successfully renewed through ACME (Let’s Encrypt) without JWS validation errors.

Screenshots
N/A

Info (please complete the following information):

  • Server OS: Debian 13 (bare metal, no Docker)
  • Server Arch: x86_64
  • Nginx UI Version: v2.1.17 (876213ad)
  • Your Browser: Chrome (latest)

Additional context
Error log:
[Error] renew cert error: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: Unable to validate JWS :: JWS verification error

  • The ACME account is associated with more than 6 domains.
  • Current certificate is still valid, but renewal fails.
  • ACME challenge method in use: DNS Method 1.
  • Possible cause: invalid JWS signing, expired/corrupted ACME account registration, or time sync issues.
kerem 2026-03-01 17:12:53 +03:00
  • closed this issue
  • added the bug label

@0xJacky commented on GitHub (Oct 4, 2025):

The ACME account is associated with more than 6 domains?


@zdv1g commented on GitHub (Oct 4, 2025):

/certificates/acme_users (1 user) -> more than 6 domains (cert renew)
Yes, correct.
The ACME account in use is a single account under "ACME User" in Nginx UI, and it manages renewal for more than 6 domains.
All renewals are attempted from this one account.


@zdv1g commented on GitHub (Oct 4, 2025):

Oct 04 13:38:41 NginxUI nginx-ui[130]: 2025-10-04 13:38:41 INFO cert/auto_cert.go:23 AutoCert Worker Started
Oct 04 13:38:41 NginxUI nginx-ui[130]: 2025-10-04 13:38:41 INFO cert/logger.go:72 AutoCert [Nginx UI] Preparing lego configurations
Oct 04 13:38:41 NginxUI nginx-ui[130]: 2025-10-04 13:38:41 INFO cert/logger.go:72 AutoCert [Nginx UI] ACME User: xxxxxx@xxxxxx, Email: xxxxxx@xxxx, CA Dir: https://acme-v02.api.letsencrypt.org/direct>
Oct 04 13:38:41 NginxUI nginx-ui[130]: 2025-10-04 13:38:41 INFO cert/logger.go:72 AutoCert [Nginx UI] Creating client facilitates communication with the CA server
Oct 04 13:38:42 NginxUI nginx-ui[130]: 2025-10-04 13:38:42 INFO cert/logger.go:72 AutoCert [Nginx UI] Setting DNS01 challenge provider
Oct 04 13:38:42 NginxUI nginx-ui[130]: 2025-10-04 13:38:42 INFO cert/logger.go:72 AutoCert [Nginx UI] Setting environment variables
Oct 04 13:38:42 NginxUI nginx-ui[130]: 2025-10-04 13:38:42 INFO cert/logger.go:72 AutoCert 2025/10/04 13:38:42 [INFO] [*.xxx.ru] acme: Trying renewal with 1758 hours remaining
Oct 04 13:38:42 NginxUI nginx-ui[130]: 2025-10-04 13:38:42 INFO cert/logger.go:72 AutoCert 2025/10/04 13:38:42 [INFO] [*.xxx.ru, xxx.ru] acme: Obtaining bundled SAN certificate
Oct 04 13:38:43 NginxUI nginx-ui[130]: 2025-10-04 13:38:43 INFO cert/logger.go:72 AutoCert [Nginx UI] Environment variables cleaned
Oct 04 13:38:43 NginxUI nginx-ui[130]: 2025-10-04 13:38:43 ERROR cert/logger.go:85 AutoCert renew cert error: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:>
Oct 04 13:38:43 NginxUI nginx-ui[130]: 2025-10-04 13:38:43 INFO cert/logger.go:72 AutoCert [Nginx UI] Preparing lego configurations


@0xJacky commented on GitHub (Oct 5, 2025):

I'm not quite sure if this is a new policy by Let's Encrypt. Could you try creating a new ACME account with a different email address and then use it to reapply for the certificate?


@zdv1g commented on GitHub (Oct 5, 2025):

The certificate was created when I created a new user. Now look at the problem: when updating in automatic mode, it uses the old data (of the old ACME user)

Image

however, the certificate renewal is successful

Image
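
Added example (not part of the original thread and not nginx-ui code): a log triage script that pairs each AutoCert run's `ACME User:` line with the `renew cert error` that follows, so it is visible which account a failing automatic renewal actually used. The sample log is constructed in the format quoted in this thread with placeholder accounts, domains and URLs; treating a trailing `>` as a line cut off when the journal was captured is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the thread's journal format; names, domains, URLs are placeholders.
P = "Oct 04 13:38:41 NginxUI nginx-ui[130]: 2025-10-04 13:38:41 "
INFO = P + "INFO cert/logger.go:72 AutoCert "
ERR = (P + "ERROR cert/logger.go:85 AutoCert renew cert error: acme: error: 400 :: "
       "POST :: https://ca.example.test/new-order :: ")
SAMPLE_LOG = "\n".join([
    INFO + "[Nginx UI] Preparing lego configurations",
    INFO + "[Nginx UI] ACME User: old-account, Email: old@example.test, CA Dir: https://ca.example.test/dir",
    INFO + "2025/10/04 13:38:42 [INFO] [*.a.example.test] acme: Trying renewal with 1758 hours remaining",
    ERR + "urn:ietf:params:acme:error:malformed :: Unable to validate JWS :: JWS verification error",
    INFO + "[Nginx UI] Preparing lego configurations",
    INFO + "[Nginx UI] ACME User: new-account, Email: new@example.test, CA Dir: https://ca.example.test/dir",
    INFO + "[Nginx UI] Preparing lego configurations",
    INFO + "[Nginx UI] ACME User: old-account, Email: old@example.test, CA Dir: https://ca.example.test/dir",
    ERR + "urn:ietf:params:>",  # cut-off line, as in the log quoted in the thread
])

USER_RE = re.compile(r"ACME User: ([^,]+),")
DOMAINS_RE = re.compile(r"\[INFO\] \[([^\]]+)\] acme: Trying renewal")
ERROR_RE = re.compile(r" ERROR .*renew cert error: (.*)$")

def classify(err):
    if "JWS" in err:
        return "jws-rejected"  # CA could not verify the request signature
    if err.endswith(">"):
        return "truncated"     # reason was cut off; re-read the journal untruncated
    return "other"

def parse_runs(text):
    """Split the log into AutoCert runs; record account, domains and error."""
    runs = []
    for line in text.splitlines():
        if "Preparing lego configurations" in line:
            runs.append({"user": None, "domains": [], "error": None, "kind": None})
        elif not runs:
            continue  # ignore anything before the first run marker
        elif m := USER_RE.search(line):
            runs[-1]["user"] = m.group(1)
        elif m := DOMAINS_RE.search(line):
            runs[-1]["domains"] = [d.strip() for d in m.group(1).split(",")]
        elif m := ERROR_RE.search(line):
            runs[-1]["error"], runs[-1]["kind"] = m.group(1), classify(m.group(1))
    return runs

def failures_by_account(runs):
    return Counter(r["user"] for r in runs if r["error"])
```

A run with no error line is only "no error logged", not proof of a successful renewal; failures that cluster on one account name point at that account's stored registration or key rather than at the domains being renewed.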

@0xJacky commented on GitHub (Oct 5, 2025):

Fixed in 3930aaf, you can try to upgrade nginx-ui to the latest dev version to test. Thank you.


@zdv1g commented on GitHub (Oct 5, 2025):

Okay, I'm waiting for a new release for automatic updates. I've reopened it if anything happens.
