Unable to validate JWS :: JWS verification error #3032

@redshiftltd

Description

Welcome

  • Yes, I'm using a binary release or the library within the two latest releases.
  • Yes, I've searched for similar issues on GitHub and didn't find any.

How do you use lego?

Docker image

Effective version of lego

4.35.2 / 99f082e763c3

Logs

RUN EXAMPLE

podman run -v ./TEST/lego:/.lego:Z  --env-file ./TEST/.env.list docker.io/goacme/lego:latest --email [redacted] --accept-tos --key-type rsa4096 --dns bluecat --dns.resolvers [redacted] -d [redacted]  run
2026/05/01 12:57:24 [INFO] [redacted] acme: Obtaining bundled SAN certificate
2026/05/01 12:57:24 [WARN] retry: acme: error: 400 :: urn:ietf:params:acme:error:malformed :: Unable to validate JWS :: JWS verification error
2026/05/01 12:57:24 Could not obtain certificates:
Post "https://acme-v02.api.letsencrypt.org/acme/new-order": POST https://acme-02.api.letsencrypt.org/acme/new-order giving up after 1 attempt(s): acme: error: 400 :: urn:ietf:params:acme:error:malformed :: Unable to validate JWS :: JWS verification error

RENEW EXAMPLE

podman run -v ./TEST/lego:/.lego:Z --env-file ./TEST/.env.list docker.io/goacme/lego:latest --email [redacted]--accept-tos --key-type rsa4096 --dns bluecat --dns.resolvers [redacted] -d [redacted] renew
2026/05/01 12:58:16 [INFO] [redacted] acme: renewalInfo endpoint indicates that renewal is not needed
2026/05/01 12:58:16 [redacted] The certificate expires in 87 days, the number of days defined to perform the renewal is 30: no renewal.

REVOKE EXAMPLE

podman run -v ./TEST/lego:/.lego:Z --env-file ./TEST/.env.list docker.io/goacme/lego:latest --email  [redacted]  --accept-tos --key-type rsa4096 --dns bluecat --dns.resolvers  [redacted] -d  [redacted]  revoke
2026/05/01 12:58:40 Trying to revoke certificate for domain  [redacted] 
2026/05/01 12:58:40 [WARN] retry: acme: error: 400 :: urn:ietf:params:acme:error:malformed :: Unable to revoke :: JWS verification error
2026/05/01 12:58:40 Error while revoking the certificate for domain  [redacted] 
        Post "https://acme-v02.api.letsencrypt.org/acme/revoke-cert": POST https://acme-v02.api.letsencrypt.org/acme/revoke-cert giving up after 1 attempt(s): acme: error: 400 :: urn:ietf:params:acme:error:malformed :: Unable to revoke :: JWS verification error

What did you expect to see?

Every run of the docker container using the 'run/renew/revoke' option works without giving "Unable to validate JWS :: JWS verification".

I'm running lego via podman (RHEL's drop-in docker alternative) on a RHEL 8.10 VM.
I can request certs using the 'run' option. On first run it makes a private key in ./lego/accounts/acme-v02.api.letsencrypt.org/[my email address]/ and runs a few times without issue.

Then, after some time passes, if I do a 'run' request I get errors like in the logs (Unable to validate JWS :: JWS verification error). Renewals are processed locally until they have less than 30 days left so they execute until a renewal is needed and then I get the same error. Revoke requests immediately generate the same error too.

In the past I deleted the account folder and re-registered via a new 'run' command. This worked but it broke my existing cert renewals because they weren't linked to the new account.

I'd like to get to the bottom of this instead. Have you seen this issue before and is there any known resolution?

What did you see instead?

'run/renew/revoke' options give "Unable to validate JWS :: JWS verification" error until account is deleted/recreated. This breaks existing cert renewal links.

Reproduction steps

  1. Make an account and obtain a certificate/key using the 'run' option: podman run -v ./TEST/lego:/.lego:Z --env-file ./TEST/.env.list docker.io/goacme/lego:latest --email [redacted] --accept-tos --key-type rsa4096 --dns bluecat --dns.resolvers [redacted] -d [redacted] run
  2. Wait some amount of time (between 30 minutes and 96 hours)
  3. Try to obtain a certificate/key using the run option (same domain as earlier or different, doesn't matter)
  4. Observe the "Unable to validate JWS :: JWS verification" error until account is re-created

Go environment (if applicable)

I'm using the docker image so Go is bundled inside it.

In which context are you using lego?

Professional use

🌱 Supporting the Maintainer

  • Yes, I find this project useful, and it has saved me time in my workflow/business.
  • Yes, I have starred this repository to help others find it.
  • Yes, I have sponsored this project to keep the project stable and maintained.

Validation

  • Yes, I've included all the information above (version, usage, etc.).
