[BUG] Certificate Renewal Error in Nginx UI (JWS verification error)

[zdv1g]

Describe the bug
When trying to renew an SSL certificate via Nginx UI, the renewal process fails with a JWS verification error.
The currently active certificate remains valid, but auto-renewal does not work.

To Reproduce
Steps to reproduce the behavior:

1. Go to Nginx UI → SSL
2. Click on Renew certificate
3. Wait for the process to start
4. See the error in logs

Expected behavior
The certificate should be successfully renewed through ACME (Let’s Encrypt) without JWS validation errors.

Screenshots
N/A

Info (please complete the following information):

• Server OS: Debian 13 (bare metal, no Docker)
• Server Arch: x86_64
• Nginx UI Version: v2.1.17 (876213a)
• Your Browser: Chrome (latest)

Additional context
Error log:
[Error] renew cert error: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: Unable to validate JWS :: JWS verification error

• The ACME account is associated with more than 6 domains.
• Current certificate is still valid, but renewal fails.
• ACME challenge method in use: DNS Method 1.
• Possible cause: invalid JWS signing, expired/corrupted ACME account registration, or time sync issues.

[0xJacky]

The ACME account is associated with more than 6 domains?

[zdv1g]

/certificates/acme_users (1 user) -> more 6 domains (cert renew)
Yes, correct.
The ACME account in use is a single account under "ACME User" in Nginx UI, and it manages renewal for more than 6 domains.
All renewals are attempted from this one account.

[zdv1g]

Oct 04 13:38:41 NginxUI nginx-ui[130]: 2025-10-04 13:38:41 INFO cert/auto_cert.go:23 AutoCert Worker Started
Oct 04 13:38:41 NginxUI nginx-ui[130]: 2025-10-04 13:38:41 INFO cert/logger.go:72 AutoCert [Nginx UI] Preparing lego configurations
Oct 04 13:38:41 NginxUI nginx-ui[130]: 2025-10-04 13:38:41 INFO cert/logger.go:72 AutoCert [Nginx UI] ACME User: xxxxxx@xxxxxx, Email: xxxxxx@xxxx, CA Dir: https://acme-v02.api.letsencrypt.org/direct>
Oct 04 13:38:41 NginxUI nginx-ui[130]: 2025-10-04 13:38:41 INFO cert/logger.go:72 AutoCert [Nginx UI] Creating client facilitates communication with the CA server
Oct 04 13:38:42 NginxUI nginx-ui[130]: 2025-10-04 13:38:42 INFO cert/logger.go:72 AutoCert [Nginx UI] Setting DNS01 challenge provider
Oct 04 13:38:42 NginxUI nginx-ui[130]: 2025-10-04 13:38:42 INFO cert/logger.go:72 AutoCert [Nginx UI] Setting environment variables
Oct 04 13:38:42 NginxUI nginx-ui[130]: 2025-10-04 13:38:42 INFO cert/logger.go:72 AutoCert 2025/10/04 13:38:42 [INFO] [.xxx.ru] acme: Trying renewal with 1758 hours remaining
Oct 04 13:38:42 NginxUI nginx-ui[130]: 2025-10-04 13:38:42 INFO cert/logger.go:72 AutoCert 2025/10/04 13:38:42 [INFO] [.xxx.ru, xxx.ru] acme: Obtaining bundled SAN certificate
Oct 04 13:38:43 NginxUI nginx-ui[130]: 2025-10-04 13:38:43 INFO cert/logger.go:72 AutoCert [Nginx UI] Environment variables cleaned
Oct 04 13:38:43 NginxUI nginx-ui[130]: 2025-10-04 13:38:43 ERROR cert/logger.go:85 AutoCert renew cert error: acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:>
Oct 04 13:38:43 NginxUI nginx-ui[130]: 2025-10-04 13:38:43 INFO cert/logger.go:72 AutoCert [Nginx UI] Preparing lego configurations

[0xJacky]

I'm not quite sure if this is a new policy by Let's Encrypt. Could you try creating a new ACME account with a different email address and then use it to reapply for the certificate?

[zdv1g]

The certificate was created if I created a new user. Now look what a problem, when updating in automatic mode, it uses the old data (of the old Acme user)

however, the certificate renewal is successful

[0xJacky]

Fixed in 3930aaf, you can try to upgrade nginx-ui to the latest dev version to test. Thank you.

[zdv1g]

Okay, I'm waiting for a new release for automatic updates. I've reopened it if anything happens.