First chance error calling into acme server retrying with new nonce



Cannot renew certificate from win-acme #1809

I ran this command: from win-acme

It produced this output:
[INFO] Force renewing certificate for [Manual] sctch.co.il
[WARN] First chance error calling into ACME server, retrying with new nonce.
[INFO] Authorize identifier: sctch.co.il
[INFO] Cached authorization result: valid
[INFO] Authorize identifier: www.sctch.co.il
[INFO] Authorizing www.sctch.co.il using http-01 validation (FileSystem)
[INFO] Answer should now be browsable at http://www.sctch.co.il/.well-known/acme-challenge/UG-ajdVVR6hrDeu2cCt0vQ95YOdeum_mxY5jlXOqX40
[WARN] Preliminary validation failed, found (null) instead of UG-ajdVVR6hrDeu2cCt0vQ95YOdeum_mxY5jlXOqX40.DBfAjJBOeiMcz-ocDTx2iwCr3rAEO64lpMPir1lhtmk
[EROR] {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "The key authorization file from the server did not match this challenge \"UG-ajdVVR6hrDeu2cCt0vQ95YOdeum_mxY5jlXOqX40.DBfAjJBOeiMcz-ocDTx2iwCr3rAEO64lpMPir1lhtmk\" != \"hello world\"",
"status": 403
}
[EROR] Authorization result: invalid
[EROR] Renewal for [Manual] sctch.co.il failed, will retry on next run

My web server is (include version): apache

The operating system my web server runs on is (include version): Windows 10 & XAMPP

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

I am having trouble renewing the certificate; win-acme cannot renew through http://www.sctch.co.il.
Is there any way of making win-acme renew through http://sctch.co.il instead of www.sctch.co.il?
The site cannot be reached through www.
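The mismatch in the log above ("hello world" served instead of the key authorization) is exactly what win-acme's preliminary validation is meant to catch before the CA is asked to validate. The following is an added example, not win-acme's code: it derives the expected key authorization from the account's public JWK (RFC 7638 thumbprint, RFC 8555 section 8.1) and compares it with what the web server actually serves for the challenge path. The JWK coordinates, the token and the served bodies are constructed placeholders; fetch_challenge is a hypothetical helper for live use.

```python
import base64
import hashlib
import json
import urllib.error
import urllib.request


def b64url(data: bytes) -> str:
    """base64url without padding, as used for thumbprints and key authorizations."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, sorted keys, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 of the canonical JWK, base64url-encoded (43 characters)."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode()).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def fetch_challenge(host: str, token: str, timeout: float = 10.0):
    """Fetch the challenge over plain HTTP on port 80, the way a CA does.
    Returns the body as text, or None when nothing usable came back
    (timeout, refused connection, non-200 status, undecodable body)."""
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            return resp.read().decode("ascii", errors="replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


def prevalidate_http01(token: str, account_jwk: dict, served_body):
    """Compare the served body with the expected key authorization.
    Returns (ok, message), phrased like the [WARN] line in the log above."""
    expected = key_authorization(token, account_jwk)
    if served_body is None:
        return False, f"found (null) instead of {expected}"
    got = served_body.rstrip()  # assumption: a trailing newline is tolerated
    if got != expected:
        return False, f"found {got!r} instead of {expected}"
    return True, "key authorization matches"


# Constructed sample inputs; not the real account key or token from the report above.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y",
               "kid": "not-part-of-thumbprint", "alg": "ES256"}
TOKEN = "constructed-token-0123456789abcdef"

if __name__ == "__main__":
    # A default document such as "hello world" served for every path is caught here.
    for body in ("hello world", None, key_authorization(TOKEN, ACCOUNT_JWK) + "\n"):
        print(prevalidate_http01(TOKEN, ACCOUNT_JWK, body))
```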



Support KeyonACME service #1718

Hi,
I’m testing the tool with Keyon ACME server — after updating ACME server URL in configuration, of course 🙂

Problem is, I have an IIS server that does a bunch of shenanigans (like ADFS redirects), and win-acme fails validation:
Failed to create order: Unexpected response status code [NotFound] for [GetDirectoryAsync]

Keyon ACME server allows the client to specify the port to connect back to — in my case, I selected 55555. The ACME client can then set up a provisional HTTP server on the port to run verification (this is in accordance with ACME specs). I tried using WinCertes that has this capability, but it falls short on 2 fronts: it doesn’t allow updating IIS bindings in this mode, and it utilizes OpenSSL, and I much prefer to use native Windows certificate handling mechanisms, like win-acme does.

Would it be possible to implement similar functionality in win-acme?


You can specify the port that the self-hosted validation method will listen on from the command line with the --validationport switch. That is not communicated from the client to the server though; its intended use is for NAT/port forwarding scenarios from port 80 to port xxx. I’m not aware of any part of the ACME spec that allows the client to indicate a port preference to the server, do you have a reference for that?

In any case the port configuration does not seem to be the issue that you ran into. It already errors out on fetching the ACME service directory. Perhaps you can run with --verbose and check the request made from your own browser.

I looked it up because I was pretty sure it’s not in ACME. From RFC8555 section 8.3 (HTTP Challenge): This request MUST be sent to TCP port 80 on the HTTP server.

Hm, interesting — it appears Keyon introduced this for better compatibility. I think «port 80» as «MUST» doesn’t make sense in some scenarios — granted, for Let’s Encrypt it’s a must, but for internal CA — not necessarily. I can tell you that firewall situation for port 80 in my company is spotty at best, hence I used a completely different port with «clear» firewall situation.

As a side note — from my point of view, exposing port 80 to the general internet just to get LE certificate is a security risk, as compared to exposing just 443. But maybe that’s just me 🙂

Just as an aside, there is no security risk associated with exposing port 80, that’s an internet myth. The only security risk associated with opening any port is with the service that’s bound to that port.

You’re probably right, no exploits that’d work on 80 that wouldn’t work on 443 🙂 (yes? no? maybe? idk). I think it’s more of «chill down the spine every time you open some port on the internet» 🙂

And it doesn’t render the rest of my argument invalid.

It might be better in your situation to just use DNS validation then. It allows for much more flexibility and is probably not difficult to implement if doing things on an internal network.

I considered this, but in our reality this would be much more complicated than it may sound, and not a huge improvement over manually requesting certificate issuance (if any). The WinCertes tool does verification on different ports, but I prefer how win-acme handles keys and certificates.

Also, keep in mind you can make the port 80 exclusion in windows firewall only for wacs.exe and thus the port is blocked except when the validation is running.

I’m not sure if that works. .NET 5.0 may have improved in that regard but previously with .NET Core 3.1 the Windows Firewall didn’t consider our single-file-bundle to be actual running application.

In the meantime, I’m interested to know if my first comment was at all helpful @Stan-Tastic?

So, using --validationport will cause the client to wait on the specified port, and the server is free to check this port if it likes? That’d work, I initially misunderstood this 🙂

Plot twist: turns out there’s some incompatibility between win-acme and Keyon ACME server.

Server doesn’t throw any issues.

A side note: win-acme only asked me for account email when --test --verbose were enabled. I didn’t investigate that much, I’m afraid, I had a really terrible VPN experience today.

With the information I have: Our true-Xtender software supports RSA for JSON Web Key signatures (if this is not the case, a badSignatureAlgorithm is returned). Is it possible that win-acme uses a different JWK signing algorithm?

Hi Christoph, you may want to consider extending your algorithm support to be compliant with ACME. RFC8555 section 6.2 says an ACME server MUST implement the "ES256" signature algorithm, which is what win-acme uses. There is a fallback to RS256 but that’s only triggered when the operating system fails to generate an ES256 key pair initially.

The «CreateAccount» call comes pretty late in the whole setup process of the client (e.g. we’ve already got the service directory, got the nonce, checked terms of service, checked if EAB is needed etc. etc.) so it’s no trivial fix for us to rewind and start over with an RS256 signer at that point.

Hi WouterTinus, many thanks for your answer! I will create a request on our side to support ES256. Unfortunately, I must admit that we have not yet tested your win-acme client ourselves. But we will do so (thanks Stan) after we have analyzed this in more detail internally. We can do that at the beginning of next year and let you know the results.

Hi WouterTinus, I have a question about your source code. It looks like the class "win-acme/src/main.lib/Clients/Acme/AccountSigner.cs" supports RSA keys. What is needed to update your client to use an RSA key for the account registration? As a temporary solution we are thinking about updating your client.

It was annoying me that it was so difficult to add the feature in the registration flow, so I refactored it some.

Hi WouterTinus, I recognized that the newest client (win-acme.v2.1.13.981) may not follow the correct order of steps for account registration. Using the version win-acme.v2.1.13.978, the account registration works as expected.

Hi, I tested .981 today and here’s the result:

Not sure whose fault is that.

Well, I’m guessing they don’t include a new nonce in the error response for the first call, which they SHOULD but not MUST do according to the specification. So technically it’s a client bug, but what is unclear is how they implemented their nonce system if errors don’t automatically generate a new nonce.

Are we expected to call newNonce after each error, or can we reuse the previous one? Perhaps @Thomas-Stu or @christoph-bach can comment?

These fixes have been released in 2.1.14, please comment again if you run into more problems.

Sorry for the late feedback. Our nonce system should be implemented in such a way that we return a replay nonce even in case of error messages.
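The nonce behaviour debated above, as an added example that is not win-acme's or Keyon's code. A constructed in-memory server hands out single-use nonces and can be told to omit Replay-Nonce on error responses (the SHOULD, as opposed to the MUST for successful POST responses, in RFC 8555 section 6.5); the client shows what "first chance error, retrying with new nonce" has to do in each case: harvest the nonce from every response, fall back to HEAD newNonce when an error carried none, and retry exactly once. The class and function names are this example's own.

```python
import secrets

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"


class FakeAcmeServer:
    """Constructed stand-in for an ACME server; only the nonce machinery is modelled."""

    def __init__(self, nonce_on_error: bool = True):
        # RFC 8555 section 6.5: Replay-Nonce MUST be sent on successful responses to
        # POST and SHOULD be sent on error responses. nonce_on_error=False emulates a
        # server that skips the SHOULD.
        self.nonce_on_error = nonce_on_error
        self.valid_nonces = set()
        self.new_nonce_calls = 0

    def _issue(self) -> str:
        nonce = secrets.token_urlsafe(16)
        self.valid_nonces.add(nonce)
        return nonce

    def head_new_nonce(self):
        """HEAD newNonce -> (status, headers, body)."""
        self.new_nonce_calls += 1
        return 200, {"Replay-Nonce": self._issue()}, None

    def post(self, nonce: str):
        """Any POST-as-JWS endpoint; every nonce is single-use."""
        if nonce in self.valid_nonces:
            self.valid_nonces.discard(nonce)
            return 200, {"Replay-Nonce": self._issue()}, {"status": "ok"}
        headers = {"Replay-Nonce": self._issue()} if self.nonce_on_error else {}
        return 400, headers, {"type": BAD_NONCE, "detail": "unknown or replayed nonce"}


class NonceAwareClient:
    """Client side of the 'first chance error, retrying with new nonce' pattern."""

    def __init__(self, server: FakeAcmeServer, fallback_to_new_nonce: bool = True):
        self.server = server
        self.fallback_to_new_nonce = fallback_to_new_nonce
        self.next_nonce = None
        self.retries = 0

    def remember(self, headers: dict) -> None:
        """Harvest Replay-Nonce from every response, error responses included."""
        nonce = headers.get("Replay-Nonce")
        if nonce:
            self.next_nonce = nonce

    def _take_nonce(self) -> str:
        if self.next_nonce is None:
            if not self.fallback_to_new_nonce:
                return ""  # buggy client: assumes every response carried a nonce
            self.remember(self.server.head_new_nonce()[1])
        nonce, self.next_nonce = self.next_nonce, None
        return nonce

    def post(self, _retried: bool = False):
        status, headers, body = self.server.post(self._take_nonce())
        self.remember(headers)
        if status == 400 and body.get("type") == BAD_NONCE and not _retried:
            # First chance error: the nonce we held was stale. Retry exactly once with
            # whatever nonce the error response gave us, or a freshly fetched one.
            self.retries += 1
            return self.post(_retried=True)
        return status, body


def simulate_stale_nonce(nonce_on_error: bool, fallback_to_new_nonce: bool = True):
    """The client holds a nonce the server has since forgotten (restart, expiry).
    Returns (final_status, retries_used, head_new_nonce_calls)."""
    server = FakeAcmeServer(nonce_on_error)
    client = NonceAwareClient(server, fallback_to_new_nonce)
    client.remember(server.head_new_nonce()[1])  # client primed with a nonce
    server.valid_nonces.clear()                  # ...which the server then loses
    status, _ = client.post()
    return status, client.retries, server.new_nonce_calls


def simulate_happy_path(requests: int = 3):
    """Back-to-back POSTs: one HEAD newNonce up front, then chained Replay-Nonce headers."""
    server = FakeAcmeServer()
    client = NonceAwareClient(server)
    statuses = [client.post()[0] for _ in range(requests)]
    return statuses, client.retries, server.new_nonce_calls


if __name__ == "__main__":
    print("happy path:", simulate_happy_path())
    print("stale nonce, server sends nonce on error:", simulate_stale_nonce(True))
    print("stale nonce, no nonce on error, client falls back:", simulate_stale_nonce(False))
    print("stale nonce, no nonce on error, no fallback:", simulate_stale_nonce(False, False))
```

The last case is the one Wouter calls a client bug: if the client does not fetch a fresh nonce when the error response carries none, the single retry fails as well.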

I was able to test now using patch provided by Keyon, and new win-acme version and this still fails 🙁 (although win-acme doesn’t crash now):

S E:OPSwin-acme.v2.1.14.996.x64.trimmed>
[cut]
Enter email(s) for notifications about problems and abuse (comma-separated): test@example.com
[DBUG] Creating new ES256 signer
[DBUG] Send HEAD request to https://acme.example.com:21443/acme/ws/Acme.svc/new-nonce
[VERB] Request completed with status OK
[DBUG] Send POST request to https://acme.example.com:21443/acme/ws/Acme.svc/KeyonACME/new-account
[VERB] Request completed with status BadRequest
[EROR] Failed to create order: Key ID is malformed.
Create certificate failed, retry? (y/n*) -

I’m guessing this was expected?

win-acme still tries ES256 first, but falls back to RS256 if it gets back an error of type BadSignatureAlgorithm.

It looks like another error is hit now that the developers have added support for ES256. I don’t know what that error means, perhaps it refers to the kid header of the jwt, but that’s not available yet in the case of the new-account call.

I think to get past this we will need help from the server side again, either by returning the BadSignatureAlgorithm error like before (so that the fallback to RS256 will be done), or by figuring out why the ES256 is not working in this case.

win-acme.v2.1.14.996
By calling /acme/ws/Acme.svc/KeyonWebserverACME/new-account, the KeyId in the protected header is an empty string and the JsonWebKey is null.
Result on ACME Proxy Server is the error message: Key ID is malformed.

win-acme.v2.1.13.978
First chance error calling into ACME server, retrying with new nonce.
[dev-stu.true-xtender.keyon.test] Authorizing.
[dev-stu.true-xtender.keyon.test] Authorizing using http-01 validation (SelfHosting)
[dev-stu.true-xtender.keyon.test] Authorization result: valid
Requesting certificate [Manual] dev-stu.true-xtender.keyon.test
(NullReferenceException): Object reference not set to an instance of an object.

Result on ACME Proxy Server: Certificate has been issued and returned to the client.

20210113-19:41:39:139 [https-jsse-nio-21443-exec-9] DEBUG sid: rid: — Proxy returning response to ACME client with IP fe80:0:0:0:50f2:406a:8c7c:ab43%5

I suggest that we setup an ACME component for the developers of the win-acme.v2.1.14.996 tool. This component will be available over the internet. Can you please send an email to stucky@keyon.ch and provide your email address and contact details?

Hah, was just about to update this ticket, Thomas beat me to it 🙂 I will only suggest to either reopen it, or open a new one.

By calling /acme/ws/Acme.svc/KeyonWebserverACME/new-account, the KeyId in the protected header is an empty string and the JsonWebKey is null.

That’s not what’s happening according to my debugger in .14: on the call to create a new account we send alg, url, jwk and nonce in the protected header, no kid. Are you checking those values pre or post deserialization?

I have no explanation for the NullReferenceException; if you run with --verbose you can get a stack trace which should tell us a bit more though. I’ve contacted Thomas to get access to the test endpoint.
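To make the jwk/kid and algorithm rules from RFC 8555 section 6.2 concrete, here is an added example of the checks an ACME server applies to a JWS protected header (not win-acme's or Keyon's code). The first sample header is copied verbatim from the certbot debug log further down this page; the new-account samples, the placeholder key and the acme.example.com URLs are constructed.

```python
import base64
import json

# RFC 8555 section 6.2: a server MUST implement ES256 and SHOULD implement RS256,
# so a compliant server accepts at least these two. "none" and HMAC algorithms are
# never acceptable for ACME.
COMPLIANT_ALGS = frozenset({"ES256", "RS256"})
# Requests that are signed with the bare public key ("jwk") instead of the account
# URL ("kid"): the account does not exist yet, or may no longer be usable.
JWK_ONLY_ENDPOINTS = ("/new-account", "/revoke-cert")


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding of every JWS component."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode_json(obj: dict) -> str:
    """Encode a dict the way a client encodes its protected header (used for samples)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def check_protected_header(protected: str, supported_algs=COMPLIANT_ALGS):
    """Validate a JWS protected header the way an ACME server should.

    Returns (error_type, detail) using ACME problem-type names, or (None, header)
    when the header is acceptable. supported_algs lets you emulate a server that
    deviates from the RFC, for example one that only accepts RS256.
    """
    try:
        header = json.loads(b64url_decode(protected))
    except ValueError:
        return "malformed", "protected header is not base64url-encoded JSON"
    if not isinstance(header, dict):
        return "malformed", "protected header must be a JSON object"
    alg = header.get("alg")
    if alg not in supported_algs:
        # This is the problem type that makes win-acme retry with an RS256 signer.
        return "badSignatureAlgorithm", f"alg {alg!r} not supported, use one of {sorted(supported_algs)}"
    if not header.get("nonce"):
        return "badNonce", "protected header carries no nonce"
    url = header.get("url")
    if not isinstance(url, str) or not url:
        return "malformed", "protected header carries no url"
    has_jwk = header.get("jwk") is not None
    has_kid = header.get("kid") is not None
    if has_jwk == has_kid:
        return "malformed", "exactly one of jwk or kid must be present"
    if url.endswith(JWK_ONLY_ENDPOINTS):
        if not has_jwk:
            # Matches the symptom reported above: a new-account request that arrived
            # with an (empty) kid and no jwk.
            return "malformed", f"{url} must be signed with jwk, not kid"
    elif has_jwk:
        return "malformed", f"{url} must be signed with kid (the account URL), not jwk"
    elif not header["kid"].startswith("https://"):
        return "malformed", "kid must be the account URL"
    return None, header


# Sample 1: the protected header copied verbatim from the certbot debug log further
# down this page (RS256, signed with an account URL as kid, targeting new-order).
CERTBOT_NEW_ORDER = (
    "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0"
    "Lm9yZy9hY21lL2FjY3QvNzQyMTY3ODAiLCAibm9uY2UiOiAiMDEwMllvVXFCajd1YnM2OUVUM01X"
    "c2FjTHlUa1JlbzBWcEpmcnZmVkgtYWZWc2siLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBp"
    "LmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9"
)
# Samples 2 and 3 are constructed: a placeholder EC key (not a real curve point) and
# two new-account headers, one correct and one with an empty kid and no jwk.
PLACEHOLDER_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
NEW_ACCOUNT_URL = "https://acme.example.com/acme/new-account"
NEW_ACCOUNT_OK = b64url_encode_json(
    {"alg": "ES256", "jwk": PLACEHOLDER_JWK, "nonce": "constructed-nonce", "url": NEW_ACCOUNT_URL})
NEW_ACCOUNT_EMPTY_KID = b64url_encode_json(
    {"alg": "ES256", "kid": "", "nonce": "constructed-nonce", "url": NEW_ACCOUNT_URL})

if __name__ == "__main__":
    for name, sample in [("certbot new-order", CERTBOT_NEW_ORDER),
                         ("new-account with jwk", NEW_ACCOUNT_OK),
                         ("new-account with empty kid", NEW_ACCOUNT_EMPTY_KID)]:
        print(name, "->", check_protected_header(sample))
    # Emulate a server that only accepts RS256: the ES256 account request is refused.
    print("RS256-only server ->", check_protected_header(NEW_ACCOUNT_OK, {"RS256"}))
```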


Hello, been using this for a bit and had one issue that was easily identified and resolved. THIS time for some reason nothing has changed but for some reason cert is not being issued anymore. I’ve tried things like creating a new folder ‘/.well-known/acme-challenge’ , tried moving ‘static handler’ above ‘extensionless’ … what’s interesting is this has been working for the last couple renewals.
The frustration here is we need this working. Can we follow up maybe do some patreon.

Here’s the log on test and verbose

C:\Program Files\winacmenew>wacs --test --verbose
[VERB] Verbose mode logging enabled
[VERB] ExePath: C:\Program Files\winacmenew\wacs.exe
[VERB] ResourcePath: C:\Program Files\winacmenew
[VERB] PluginPath: C:\Program Files\winacmenew
[VERB] Looking for settings.json in C:\Program Files\winacmenew
[DBUG] Config folder: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org
[DBUG] Log path: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Log
[DBUG] Cache path: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Certificates
[VERB] W3SVC detected and running
[VERB] No FTPSVC detected
[DBUG] secrets.json not found
[VERB] Arguments: --test --verbose
[DBUG] Renewal period: 55 days
[VERB] Sending e-mails False

[INFO] A simple Windows ACMEv2 client (WACS)
[INFO] Software version 2.1.22.1289 (release, trimmed, standalone, 64-bit)
[INFO] Connecting to https://acme-staging-v02.api.letsencrypt.org/…
[DBUG] Send GET to https://acme-staging-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Send GET to https://acme-staging-v02.api.letsencrypt.org/
[VERB] Request completed with status OK
[DBUG] Connection failed: Unable to parse response content
[INFO] Connection OK!
[DBUG] Running with administrator credentials
[DBUG] IIS version 10.0
[WARN] Scheduled task not configured yet
[INFO] Please report issues at https://github.com/win-acme/win-acme
[VERB] Unicode display test: Chinese/語言 Russian/язык Arab/لغة

N: Create certificate (default settings)
M: Create certificate (full options)
R: Run renewals (0 currently due)
A: Manage renewals (0 total)
O: More options…
Q: Quit

Please choose from the menu: n

[INFO] Running in mode: Interactive, Simple, Test
[VERB] Adding 8.8.8.8 as DNS server
[VERB] Adding 1.1.1.1 as DNS server
[VERB] Adding 8.8.4.4 as DNS server
[DBUG] Scanning IIS sites
[DBUG] Scanning IIS bindings for hosts

Please select which website(s) should be scanned for host names. You may
input one or more site identifiers (comma-separated) to filter by those
sites, or alternatively leave the input empty to scan all websites.

3: inventory.rdiequip.com (1 binding)
2: rdihost (1 binding)

Site identifier(s) or to choose all: 2

[VERB] 2 named bindings found in IIS
[DBUG] Filtering based on binding type
[DBUG] Filtering by site(s) [2]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found

1: timesheet.rdiequip.com (Site 2)

Listed above are the bindings found on the selected site(s). By default all
of them will be included, but you may either pick specific ones by typing the
host names or identifiers (comma-separated) or filter them using one of the
options from the menu.

P: Pick bindings based on a search pattern
A: Pick all bindings

Binding identifiers(s) or menu option: a

[VERB] 2 named bindings found in IIS
[DBUG] Filtering based on binding type
[DBUG] Filtering by site(s) [2]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[VERB] 2 named bindings found in IIS
[DBUG] Filtering based on binding type
[DBUG] Filtering by site(s) [2]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found

1: timesheet.rdiequip.com (Site 2)

Continue with this selection? (y*/n) — yes

[DBUG] Scanning IIS bindings for hosts
[VERB] 2 named bindings found in IIS
[DBUG] Filtering based on binding type
[DBUG] Filtering by site(s) [2]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[INFO] Source generated using plugin IIS: timesheet.rdiequip.com
[VERB] No value provided for --validationport
[VERB] No value provided for --validationprotocol
[VERB] Flag --ocsp-must-staple not present
[VERB] Flag --reuse-privatekey not present
[VERB] No value provided for --certificatestore
[VERB] Flag --keepexisting not present
[VERB] No value provided for --acl-fullcontrol
[VERB] No value provided for --certificatestore
[VERB] No value provided for --sslport
[VERB] No value provided for --sslipaddress

[DBUG] Scanning IIS bindings for hosts
[VERB] 2 named bindings found in IIS
[DBUG] Filtering based on binding type
[DBUG] Filtering by site(s) [2]
[VERB] 1 bindings remaining after site filter
[VERB] No host filter applied
[VERB] 1 matching binding found
[DBUG] Scanning IIS sites
[VERB] Source converted into 1 order(s)
[DBUG] Reading certificate cache
[DBUG] No cache files found for renewal
[DBUG] Reading certificate cache
[DBUG] No cache files found for renewal
[VERB] Obtain order details for Main
[DBUG] Refreshing cached order
[DBUG] Refreshing order…
[VERB] Constructing ACME protocol client…
[VERB] Getting service directory…
[DBUG] Send GET to https://acme-staging-v02.api.letsencrypt.org/directory
[VERB] Request completed with status OK
[DBUG] Loading signer from C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Signer_v2
[DBUG] Loading account from C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Registration_v2
[VERB] Using existing ACME account
[VERB] ACME client initialized
[DBUG] Send HEAD to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
[VERB] Request completed with status OK
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/order/70118914/4279860864
[VERB] Request completed with status OK
[WARN] Cached order has status invalid, discarding
[VERB] Creating order for hosts: ["DnsName: timesheet.rdiequip.com"]
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/new-order
[VERB] Request completed with status Created
[VERB] Order https://acme-staging-v02.api.letsencrypt.org/acme/order/70118914/4279937954 created
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3763525914
[VERB] Request completed with status OK
[VERB] Handle authorization 1/1
[INFO] [timesheet.rdiequip.com] Authorizing…
[VERB] [timesheet.rdiequip.com] Initial authorization status: pending
[VERB] [timesheet.rdiequip.com] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
[VERB] [timesheet.rdiequip.com] Initial challenge status: pending
[INFO] [timesheet.rdiequip.com] Authorizing using http-01 validation (SelfHosting)
[VERB] Starting commit stage
[VERB] Commit was succesful
[DBUG] [timesheet.rdiequip.com] Submitting challenge answer
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3763525914/7wi6Vw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (1/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3763525914/7wi6Vw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (2/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3763525914/7wi6Vw
[VERB] Request completed with status OK
[DBUG] Refreshing authorization (3/15)
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3763525914/7wi6Vw
[VERB] Request completed with status OK
[EROR] [timesheet.rdiequip.com] Authorization result: invalid
[EROR] [timesheet.rdiequip.com] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "99.233.172.216: Fetching http://timesheet.rdiequip.com/.well-known/acme-challenge/ScwBHbKl_Wl495xW6nixUbXogkoddWvsBw2e4lgKWlA: Timeout during connect (likely firewall problem)",
"status": 400
}
[VERB] Starting post-validation cleanup
[VERB] Post-validation cleanup was succesful
[INFO] [timesheet.rdiequip.com] Deactivating pending authorization
[DBUG] Send POST to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3763525914
[VERB] Request completed with status OK
[VERB] Order 1/1 (Main): error
[VERB] Processing order 1/1: Main

Create certificate failed, retry? (y/n*)

Instructions:
https://certbot.eff.org/lets-encrypt/debianbuster-nginx

After installing it and running:
sudo certbot --nginx
I get:
>>>>>
>>after choosing "all domains", about 560 of them<<
Renewing an existing certificate
An unexpected error occurred:
acme.errors.ClientError:
Please see the logfiles in /var/log/letsencrypt for more details.
<<<<<<

In the logs: "413 Request Entity Too Large"
Details:

And in the log /var/log/letsencrypt

2020-09-20 17:43:01,752:DEBUG:certbot.cert_manager:Renewal conf file /etc/letsencrypt/renewal/xn--142.xn--p1ai.conf is broken. Skipping.
2020-09-20 17:43:01,752:DEBUG:certbot.cert_manager:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/cert_manager.py", line 383, in _search_lineages
candidate_lineage = storage.RenewableCert(renewal_file, cli_config)
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 444, in __init__
"file reference".format(self.configfile))
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference

2020-09-20 17:43:07,015:INFO:certbot.main:Renewing an existing certificate
2020-09-20 17:43:07,365:DEBUG:certbot.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/9295_key-certbot.pem
2020-09-20 17:43:07,500:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/9295_csr-certbot.pem
2020-09-20 17:43:07,506:DEBUG:acme.client:Requesting fresh nonce
2020-09-20 17:43:07,506:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2020-09-20 17:43:07,507:DEBUG:urllib3.connectionpool:Resetting dropped connection: acme-v02.api.letsencrypt.org
2020-09-20 17:43:08,380:DEBUG:urllib3.connectionpool:https://acme-v02.api…. "HEAD /acme/new-nonce HTTP/1.1" 200 0
2020-09-20 17:43:08,381:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sun, 20 Sep 2020 10:43:08 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: ;rel="index"
Replay-Nonce: 0102YoUqBj7ubs69ET3MWsacLyTkReo0VpJfrvfVH-afVsk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

2020-09-20 17:43:08,381:DEBUG:acme.client:Storing nonce: 0102YoUqBj7ubs69ET3MWsacLyTkReo0VpJfrvfVH-afVsk
2020-09-20 17:43:08,394:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n
>>>>>>>>>>>> here follows the list of the server's domains, about 560 of them, some 50,000 characters <<<<<<<<<<<<
\n    }\n  ]\n}'
2020-09-20 17:43:08,400:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNzQyMTY3ODAiLCAibm9uY2UiOiAiMDEwMllvVXFCajd1YnM2OUVUM01Xc2FjTHlUa1JlbzBWcEpmcnZmVkgtYWZWc2siLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciJ9",
"signature": "Y3HqMUiE4FTpzjptxNWvmQhJnzrnSUkrT2S0pjqSYOiPW3ptNRnQm-h0NEj82qXnKDb4zeYWQxO9jzo3dQFV_ksifs50YLsCmbHjEwJ3TejUpL8cwpp7DiOzppVVY4f3AZ9QCLQ66w-zHQA-qpT3toYxIM56S6N_poOhKfILSI5xiX9k-06gxuQh565wZs_JG9Ncsg7AZyebfexUmaKO4oEUscRbmd45tPehbPxeBc8AkjIooKWOhK9eMdkAMaEJ5JaJu7IxXLuyTyHdqdW91u-aQj_j-An60ywdv760BYW5iah2BV5rfVWvq7_1q2BHaMLWNJ1wr65SsOqjXoWGYQ",
"payload": "A PILE OF CHARACTERS. More than 55,000 of them."
}
2020-09-20 17:43:08,603:DEBUG:urllib3.connectionpool:https://acme-v02.api…. "POST /acme/new-order HTTP/1.1" 413 176
2020-09-20 17:43:08,604:DEBUG:acme.client:Received response:
HTTP 413
Server: nginx
Date: Sun, 20 Sep 2020 10:43:08 GMT
Content-Type: text/html
Content-Length: 176
Connection: close

413 Request Entity Too Large

413 Request Entity Too Large
nginx

2020-09-20 17:43:08,605:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1119, in run
certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 385, in _get_order_and_authorizations
orderr = self.acme.new_order(csr_pem)
File "/usr/lib/python3/dist-packages/acme/client.py", line 889, in new_order
return self.client.new_order(csr_pem)
File "/usr/lib/python3/dist-packages/acme/client.py", line 672, in new_order
response = self._post(self.directory['newOrder'], order)
File "/usr/lib/python3/dist-packages/acme/client.py", line 96, in _post
return self.net.post(*args, **kwargs)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1204, in post
return self._post_once(*args, **kwargs)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1218, in _post_once
response = self._check_response(response, content_type=content_type)
File "/usr/lib/python3/dist-packages/acme/client.py", line 1079, in _check_response
raise errors.ClientError(response)
acme.errors.ClientError:
2020-09-20 17:43:08,608:ERROR:certbot.log:An unexpected error occurred:

So how do I actually get the certificates?

Prevalidation fails: Unable to determine name servers for domain, but authorization works #1217

Comments

palinkas-jo-reggelt commented Sep 20, 2019

Win-Acme v2.0.10.444
Validation by DNS script (working)

Pre-validation is failing but validation authorizes fine. Not really that big of a deal since it’s working, but it takes a long time between each attempt, which is a big delay when trying to authorize several alternative domains.

[INFO] Authorize identifier: example.com
[INFO] Authorizing example.com using dns-01 validation (DnsScript)
[INFO] Script C:scriptslewswacsScriptsDynu.ps1 starting with parameters create example.com _acme-challenge.example.com ltWLguTpuTOlWnvCfscQekM5G8J1M74CgX5NYxxBCqU
[INFO] Script finished
[INFO] Answer should now be available at _acme-challenge.example.com
[EROR] Preliminary validation failed
System.Exception: Unable to determine name servers for domain _acme-challenge.example.com
at PKISharp.WACS.Clients.DNS.LookupClientProvider.GetClient(String domainName, Int32 round)
at PKISharp.WACS.Plugins.ValidationPlugins.DnsValidation`2.PreValidate(Int32 attempt)
[INFO] Will retry in 30 seconds (retry 1/5).
[EROR] Preliminary validation failed
System.Exception: Unable to determine name servers for domain _acme-challenge.example.com
at PKISharp.WACS.Clients.DNS.LookupClientProvider.GetClient(String domainName, Int32 round)
at PKISharp.WACS.Plugins.ValidationPlugins.DnsValidation`2.PreValidate(Int32 attempt)
[INFO] Will retry in 30 seconds (retry 2/5).
[EROR] Preliminary validation failed
System.Exception: Unable to determine name servers for domain _acme-challenge.example.com
at PKISharp.WACS.Clients.DNS.LookupClientProvider.GetClient(String domainName, Int32 round)
at PKISharp.WACS.Plugins.ValidationPlugins.DnsValidation`2.PreValidate(Int32 attempt)
[INFO] Will retry in 30 seconds (retry 3/5).
[EROR] Preliminary validation failed
System.Exception: Unable to determine name servers for domain _acme-challenge.example.com
at PKISharp.WACS.Clients.DNS.LookupClientProvider.GetClient(String domainName, Int32 round)
at PKISharp.WACS.Plugins.ValidationPlugins.DnsValidation`2.PreValidate(Int32 attempt)
[INFO] Will retry in 30 seconds (retry 4/5).
[EROR] Preliminary validation failed
System.Exception: Unable to determine name servers for domain _acme-challenge.example.com
at PKISharp.WACS.Clients.DNS.LookupClientProvider.GetClient(String domainName, Int32 round)
at PKISharp.WACS.Plugins.ValidationPlugins.DnsValidation`2.PreValidate(Int32 attempt)
[INFO] Will retry in 30 seconds (retry 5/5).
[EROR] Preliminary validation failed
System.Exception: Unable to determine name servers for domain _acme-challenge.example.com
at PKISharp.WACS.Clients.DNS.LookupClientProvider.GetClient(String domainName, Int32 round)
at PKISharp.WACS.Plugins.ValidationPlugins.DnsValidation`2.PreValidate(Int32 attempt)
[INFO] It looks like validation is going to fail, but we will try now anyway.
[WARN] First chance error calling into ACME server, retrying with new nonce.
[INFO] Authorization result: valid


WouterTinus commented Sep 20, 2019

If you could share the real domain it would be possible to debug this issue. Otherwise the --verbose output might offer some more hints.

palinkas-jo-reggelt commented Sep 20, 2019

Thank you for responding.

I made several certificates this morning. The first couple went ok with no issues with prevalidation. And now I just realized those first couple were "real" domains, meaning they are purchased domains being hosted by dynu.com. All the others that failed pre-validation were free DDNS subdomains. One example is activesync.dynu.net.

Again, I was able to create the certificates — the only problem was the prevalidation failing and requiring 2-1/2 minutes each to finish, which adds up to a lot of time over many alternative names.


GoDaddy preliminary validation always fails #1887

Comments

vdenisov commented Jul 18, 2021

I’m using win-acme with GoDaddy DNS validation to validate two domain entries in one CSR (domain.org and *.domain.org). It successfully creates, pre-validates and validates the first DNS record. When it modifies the record to validate the second domain, it fails pre-validation with "Preliminary validation failed: incorrect TXT record(s) found", retries 5 times, then proceeds to validate via ACME — and succeeds. The reason for preliminary validation failure is probably that the TTL for the TXT record is set to 1 hour (GoDaddy default), so Windows doesn’t really perform the lookup, returning the cached value instead. As far as I understand, TTL can be specified in the API call, but the lowest value is 600 seconds, which makes it impractical anyway. I wonder if it would be a good idea to skip preliminary validation for all validations against the same domain after the first one? Or, alternatively, set DNS TTL to the lowest possible value, and only try preliminary validation once that expires?


WouterTinus commented Jul 19, 2021

Our code is a lot more clever than you give it credit for 😉. We don’t just ask Windows to do a lookup, we actually look for the authoritative DNS servers and ask them directly. Which is also what Let’s Encrypt does to avoid hitting caches.

It can always happen that preliminary validation fails and the real one succeeds, when the record becomes visible somewhere between the end of the last preliminary attempt and before the last real attempt. You can disable preliminary validation at your peril using settings.json , but I would actually recommend to either increase the retry count, retry interval or both, so that you’re always covered.

I wonder if it would be a good idea to skip preliminary validation for all validations against the same domain after the first one?

It wouldn't, because Let's Encrypt wants to see each TXT value. Not waiting for it to become visible is almost guaranteed to lead to a failed validation attempt, and you can't get a certificate unless all domains are validated. (*.domain.com and domain.com are considered separate).

Or, alternatively, set DNS TTL to the lowest possible value, and only try preliminary validation once that expires?

Since TTL is a cache setting it’s not relevant unless Godaddy also caches at the source (which would be odd).
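The preliminary check described in this comment (find the authoritative servers, query them directly, retry until the expected TXT value is visible), written out as an added example; this is not win-acme's code. The DNS lookup is injected so it runs offline against a constructed zone, and the "record replaced" case is an assumed failure mode, not a finding from the thread.

```python
"""Preliminary dns-01 check against the zone's authoritative name servers.

Added example, not win-acme's code. The DNS lookup is injected so the example
runs offline against a constructed zone; a real run would pass a function that
actually queries the named server (e.g. with dnspython).
"""
import base64
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# lookup(qname, qtype, server) -> RDATA strings. server=None means "system resolver"
# (only used to find NS records); a server name means "ask that host directly",
# which is how resolver caches are bypassed.
Lookup = Callable[[str, str, Optional[str]], List[str]]


def txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 8.4: TXT RDATA = base64url(SHA-256(token '.' account-key thumbprint))."""
    digest = hashlib.sha256(f"{token}.{thumbprint}".encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authoritative_servers(name: str, lookup: Lookup) -> List[str]:
    """Walk up from the challenge name until a zone apex with NS records is found."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        ns = lookup(".".join(labels[i:]), "NS", None)
        if ns:
            return sorted(ns)
    return []


def check_txt(name: str, expected: str, lookup: Lookup) -> Dict[str, str]:
    """Ask every authoritative server; one matching record in the TXT set is enough."""
    results: Dict[str, str] = {}
    for server in authoritative_servers(name, lookup):
        found = lookup(name, "TXT", server)
        if not found:
            results[server] = "no TXT records found"
        elif expected not in found:
            results[server] = "incorrect TXT record(s) found"
        else:
            results[server] = "ok"
    return results or {"-": "no authoritative servers found"}


def prevalidate(name: str, expected: str, lookup: Lookup, retries: int = 5,
                interval: int = 30,
                sleep: Callable[[int], None] = lambda s: None) -> Tuple[bool, int]:
    """Retry like the retry count/interval settings mentioned above; returns
    (valid, retries used). `sleep` is a no-op by default so the demo runs
    instantly; pass time.sleep for real use."""
    for attempt in range(retries + 1):
        if all(v == "ok" for v in check_txt(name, expected, lookup).values()):
            return True, attempt
        if attempt < retries:
            sleep(interval)
    return False, retries


# --- constructed zone data (not real DNS) ---
THUMBPRINT = "constructed-account-key-thumbprint"
CHALLENGE = "_acme-challenge.example.org"  # shared by example.org and *.example.org
APEX_VALUE = txt_value("constructed-token-apex", THUMBPRINT)
WILDCARD_VALUE = txt_value("constructed-token-wildcard", THUMBPRINT)


def make_lookup(txt_records: List[str]) -> Lookup:
    zone = {
        ("example.org", "NS"): ["ns2.example.net", "ns1.example.net"],
        (CHALLENGE, "TXT"): txt_records,
    }

    def lookup(qname: str, qtype: str, server: Optional[str]) -> List[str]:
        return list(zone.get((qname, qtype), []))

    return lookup


def demo() -> Dict[str, Tuple[bool, int]]:
    # Both identifiers use the same challenge name, so both values must coexist.
    both = make_lookup([APEX_VALUE, WILDCARD_VALUE])
    # Assumed failure mode: the second record overwrote the first instead of being added.
    replaced = make_lookup([WILDCARD_VALUE])
    return {
        "apex, both present": prevalidate(CHALLENGE, APEX_VALUE, both),
        "wildcard, both present": prevalidate(CHALLENGE, WILDCARD_VALUE, both),
        "apex, record replaced": prevalidate(CHALLENGE, APEX_VALUE, replaced, retries=2),
    }


if __name__ == "__main__":
    for case, (ok, used) in demo().items():
        print(f"{case}: {'valid' if ok else 'failed'} after {used} retries")
```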

vdenisov commented Jul 20, 2021

Thanks for the explanation! Still, there's some sort of issue with validation if the challenge domains match, check this, for domains test.plukh.org and *.test.plukh.org , which I'd just run:

I’ve increased the number of retries to 20, so it waited around 10 minutes for the record to change, then failed — but the actual validation by Let’s Encrypt then succeeded. I think it’s very unlikely that the record was refreshed in those couple of seconds between the last pre-validation call and the call to Let’s Encrypt. In GoDaddy UI, btw, the challenge value changes almost immediately (within maybe 5 seconds) after the API call.

vdenisov commented Jul 20, 2021

P.S. For multiple domains in the same CSR with different names, it works as expected:

I would've added an (optional) delay before starting the preliminary validation to avoid the very first failure, but that's non-essential. The important part is that both preliminary validations succeed. It's only when the challenge names match that the preliminary validation starts to fail.

WouterTinus commented Jul 20, 2021

Hi @vdenisov, thanks for sharing these logs. It indeed looks like there is something fishy happening there. Would you mind doing that test.plukh.org / *.test.plukh.org run again with --verbose added on the command line? That will produce a lot more output including which servers are being talked to, what the actual responses are vs. expected responses, etc. We might just get to the bottom of it then 😄

vdenisov commented Jul 20, 2021

Of course, here you go. I’ve obfuscated the secrets just to be on the safe side, and skipped some of the preliminary validation attempts (forgot to set back the default count), but other than that it’s fully intact.


wildcard certificate for Exchange #1522

Comments

bruce1949 commented May 7, 2020

I'd like to apply for a wildcard certificate for Exchange with this tool, but I'm experiencing some issues.
DNS provider: Aliyun
Path of the script to run:
C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\3.13.0\DnsPlugins\Aliyun.ps1
I added one line at the top of the script:
$aliParams = @
and ran the tool with the following input:

Please choose from the menu: M

How shall we determine the domain(s) to include in the certificate?: 2

Enter comma-separated list of host names, starting with the common name: *.mydomain.com

Suggested friendly name '[Manual] *.mydomain.com', press <Enter> to accept or type an alternative: Exchange

How would you like prove ownership for the domain(s) in the certificate?: 3

Path to script that creates DNS records: C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\3.13.0\DnsPlugins\Aliyun.ps1

How to delete records after validation: 1

Input parameters for create script, or enter for default «create «:

Input parameters for delete script, or enter for default «delete «:

What kind of private key should be used for the certificate?: 2

How would you like to store the certificate?:

Would you like to store it in another way too?:

Which installation step should run first?: 3

Enter the path to the script that you want to run after renewal: C:\Program Files\WindowsPowerShell\Modules\Scripts\ImportExchange.ps1

Enter the parameter format string for the script, e.g. «—hostname «:

The error showed as below:

Cached order available but not used with the --force switch.
First chance error calling into ACME server, retrying with new nonce.
Authorize identifier mydomain.com
Authorizing mydomain.com using dns-01 validation (Script)
Script C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\3.13.0\DnsPlugins\Aliyun.ps1 starting with parameters create mydomain.com _acme-challenge.mydomain.com P5XH-6-dOKtH0t6SruMwmAXTr-M-HNgwpdga00rNTxU
Script finished
Answer should now be available at _acme-challenge.mydomain.com
Preliminary validation failed: no TXT records found
Will retry in 30 seconds (retry 1/5).
Preliminary validation failed: no TXT records found
Will retry in 30 seconds (retry 2/5).
Preliminary validation failed: no TXT records found
Will retry in 30 seconds (retry 3/5).
Preliminary validation failed: no TXT records found
Will retry in 30 seconds (retry 4/5).
Preliminary validation failed: no TXT records found
Will retry in 30 seconds (retry 5/5).
Preliminary validation failed: no TXT records found
It looks like validation is going to fail, but we will try now anyway.
First chance error calling into ACME server, retrying with new nonce.
{
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up TXT for _acme-challenge.mydomain.com - check that a DNS record exists for this domain",
"status": 400
}
Authorization result: invalid
Script C:\Program Files\WindowsPowerShell\Modules\Posh-ACME\3.13.0\DnsPlugins\Aliyun.ps1 starting with parameters delete mydomain.com _acme-challenge.mydomain.com P5XH-6-dOKtH0t6SruMwmAXTr-M-HNgwpdga00rNTxU
Script finished

Create certificate failed, retry? (y/n*) - yes

Thanks for your assistance.



GoDaddy plugin "Unauthorized" #1794

Comments

DavidLaClair commented Mar 23, 2021

Describe the bug
When creating a certificate request with the GoDaddy plugin, I get an "Unauthorized" error. I believe this is because the plugin calls /v1/domains/host/records/txt instead of /v1/domains/domain/records/txt after looking at GoDaddy's documentation.

Also related, the json might be missing the "name" field in the request.

To Reproduce

  1. run wacs.exe with --verbose --validation godaddy -validationmode dns-01 --apikey XXX
  2. m
  3. 2 (manual)
  4. sub.domain.com
  5. enter
  6. 6 (verify with godaddy)
  7. 2 (rsa)
  8. 4 (windows store)
  9. 5 (no additional)
  10. 4 (no additional)

Expected behavior
A certificate to be created with the selected host

Log
DNS logs removed for simplicity

Platform:

  • OS: Server 2012r2
  • Version: 2.1.16.1037.x64.pluggable, 2.1.16.1040.x64.pluggable

Additional context
verified in firewall no ports blocked


DavidLaClair commented Mar 23, 2021

Testing GoDaddy using their "Try it now" using similar inputs gives this error:

regorian commented Mar 23, 2021 •

I was running into an issue as well that I feel may be related. I performed the same actions as you, and while the TXT record was successfully created in my GoDaddy account under the correct zone, the record name omitted the subdomain I initially entered. I left the process to attempt verification, which failed after the five attempts.

I ran it again, however during the verification period I was able to go into GoDaddy and manually edit the _acme-challenge TXT record name from _acme-challenge to _acme-challenge.example.domain.com.

It was able to verify successfully, but was unable to remove the TXT record (since the name had changed)


Support KeyonACME service #1718

Comments

Stan-Tastic commented Dec 11, 2020

Hi,
I’m testing the tool with Keyon ACME server — after updating ACME server URL in configuration, of course 🙂

Problem is, I have an IIS server that does a bunch of shenanigans (like ADFS redirects), and win-acme fails validation:
Failed to create order: Unexpected response status code [NotFound] for [GetDirectoryAsync]

Keyon ACME server allows the client to specify the port to connect back to — in my case, I selected 55555. The ACME client can then set up a provisional HTTP server on the port to run verification (this is in accordance with ACME specs). I tried using WinCertes that has this capability, but it falls short on 2 fronts: it doesn't allow updating IIS bindings in this mode, and it utilizes OpenSSL, and I much prefer to use native Windows certificate handling mechanisms, like win-acme does.

Would it be possible to implement similar functionality in win-acme?


WouterTinus commented Dec 11, 2020

You can specify the port that the self-hosted validation method will listen on from the command line with the --validationport switch. That is not communicated from the client to the server though, its intended use is for NAT/port forwarding scenarios from port 80 to port xxx. I'm not aware of any part of the ACME spec that allows the client to indicate a port preference to the server, do you have a reference for that?

In any case the port configuration does not seem to be the issue that you ran into. It already errors out on fetching the ACME service directory. Perhaps you can run with --verbose and check the request made from your own browser.

WouterTinus commented Dec 12, 2020

I looked it up because I was pretty sure it’s not in ACME. From RFC8555 section 8.3 (HTTP Challenge): This request MUST be sent to TCP port 80 on the HTTP server.

Stan-Tastic commented Dec 14, 2020

Hm, interesting — it appears Keyon introduced this for better compatibility. I think "port 80" as "MUST" doesn't make sense in some scenarios — granted, for Let's Encrypt it's a must, but for internal CA — not necessarily. I can tell you that firewall situation for port 80 in my company is spotty at best, hence I used a completely different port with "clear" firewall situation.

As a side note — from my point of view, exposing port 80 to the general internet just to get LE certificate is a security risk, as compared to exposing just 443. But maybe that’s just me 🙂

webprofusion-chrisc commented Dec 14, 2020

Just as an aside, there is no security risk associated with exposing port 80, that’s an internet myth. The only security risk associated with opening any port is with the service that’s bound to that port.

Stan-Tastic commented Dec 14, 2020

You're probably right, no exploits that'd work on 80 that wouldn't work on 443 🙂 (yes? no? maybe? idk). I think it's more of "chill down the spine every time you open some port on the internet" 🙂

And it doesn’t render the rest of my argument invalid.

MowFord commented Dec 14, 2020

might be better in your situation to just use dns validation then. allows for much more flexibility and probably not difficult to implement if doing things on an internal network

Stan-Tastic commented Dec 14, 2020

I considered this, but in our reality this would be much more complicated than it may sound, and not a huge improvement over manually requesting certificate issuance (if any). The WinCertes tool does verification on different ports, but I prefer how win-acme handles keys and certificates.

MowFord commented Dec 14, 2020

Also, keep in mind you can make the port 80 exclusion in windows firewall only for wacs.exe and thus the port is blocked except when the validation is running.

WouterTinus commented Dec 14, 2020

Also, keep in mind you can make the port 80 exclusion in windows firewall only for wacs.exe and thus the port is blocked except when the validation is running.

I'm not sure if that works. .NET 5.0 may have improved in that regard but previously with .NET Core 3.1 the Windows Firewall didn't consider our single-file bundle to be an actual running application.

In the meantime, I’m interested to know if my first comment was at all helpful @Stan-Tastic?

Stan-Tastic commented Dec 15, 2020

So, using --validationport will cause the client to wait on the specified port, and the server is free to check this port if it likes? That'd work, I initially misunderstood this 🙂

Stan-Tastic commented Dec 16, 2020

Plot twist: turns out there’s some incompatibility between win-acme and Keyon ACME server.

Server doesn’t throw any issues.

A side note: win-acme only asked me for account email when --test --verbose were enabled. I didn't investigate that much, I'm afraid, I had a really terrible VPN experience today.

christoph-bach commented Dec 16, 2020

With the information I have: Our true-Xtender software supports RSA for JSON Web Key signatures (if this is not the case, a badSignatureAlgorithm is returned). Is it possible that win-acme uses a different JWK signing algorithm?

WouterTinus commented Dec 16, 2020

Hi Christoph, you may want to consider extending your algorithm support to be compliant with ACME. RFC8555 section 6.2 says "An ACME server MUST implement the "ES256" signature algorithm", which is what win-acme uses. There is a fallback to RS256 but that's only triggered when the operating system fails to generate an ES256 key pair initially.

The "CreateAccount" call comes pretty late in the whole setup process of the client (e.g. we've already got the service directory, got the nonce, checked terms of service, checked if EAB is needed etc. etc.) so it's no trivial fix for us to rewind and start over with an RS256 signer at that point.

christoph-bach commented Dec 17, 2020

Hi WouterTinus, many thanks for your answer! I will create a request on our side to support ES256. Unfortunately, I must admit that we have not yet tested your win-acme client ourselves. But we will do so (thanks Stan) after we have analyzed this in more detail internally. We can do that at the beginning of next year and let you know the results.

christoph-bach commented Dec 17, 2020

Hi WouterTinus, I have a question about your source code. It looks like the class "win-acme/src/main.lib/Clients/Acme/AccountSigner.cs" supports RSA keys. What is needed to update your client to use an RSA key for the account registration? As a temporary solution we are thinking about updating your client.

WouterTinus commented Dec 17, 2020

It was annoying me that it was so difficult to add the feature in the registration flow, so I refactored it some.

Thomas-Stu commented Dec 18, 2020

Hi WouterTinus, I recognized that the newest client (win-acme.v2.1.13.981) may not follow the correct order of steps for account registration. Using the version win-acme.v2.1.13.978, the account registration works as expected.

Stan-Tastic commented Dec 21, 2020

Hi, I tested .981 today and here’s the result:

Not sure whose fault is that.

WouterTinus commented Dec 21, 2020

Well, I’m guessing they don’t include a new nonce in the error response for the first call, which they SHOULD but not MUST do according to the specification. So technically it’s a client bug, but what is unclear is how they implemented their nonce system if errors don’t automatically generate a new nonce.

Are we expected to call newNonce after each error, or can we reuse the previous one? Perhaps @Thomas-Stu or @christoph-bach can comment?

WouterTinus commented Dec 21, 2020

WouterTinus commented Jan 10, 2021

These fixes have been released in 2.1.14, please comment again if you run into more problems.

Thomas-Stu commented Jan 11, 2021

Sorry for the late feedback. Our nonce system should be implemented in such a way that we return a replay nonce even in case of error messages.

Stan-Tastic commented Jan 13, 2021

I was able to test now using patch provided by Keyon, and new win-acme version and this still fails 🙁 (although win-acme doesn’t crash now):

PS E:\OPS\win-acme.v2.1.14.996.x64.trimmed>
[cut]
Enter email(s) for notifications about problems and abuse (comma-separated): test@example.com
[DBUG] Creating new ES256 signer
[DBUG] Send HEAD request to https://acme.example.com:21443/acme/ws/Acme.svc/new-nonce
[VERB] Request completed with status OK
[DBUG] Send POST request to https://acme.example.com:21443/acme/ws/Acme.svc/KeyonACME/new-account
[VERB] Request completed with status BadRequest
[EROR] Failed to create order: Key ID is malformed.
Create certificate failed, retry? (y/n*) -

I’m guessing this was expected?

WouterTinus commented Jan 13, 2021

win-acme still tries ES256 first, but falls back to RS256 if it gets back an error of type BadSignatureAlgorithm .

It looks like another error is hit now that the developers have added support for ES256. I don’t know what that error means, perhaps it refers to the kid header of the jwt, but that’s not available yet in the case of the new-account call.

I think to get past this we will need help from the server side again, either by returning the BadSignatureAlgorithm error like before (so that the fallback to RS256 will be done), or by figuring out why the ES256 is not working in this case.

Thomas-Stu commented Jan 14, 2021

win-acme.v2.1.14.996
By calling /acme/ws/Acme.svc/KeyonWebserverACME/new-account, the KeyId in the protected header is an empty string and the JsonWebKey is null.
Result on ACME Proxy Server is the error message: Key ID is malformed.
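The client-side flow discussed in this thread (ES256 first with RS256 fallback on badSignatureAlgorithm, "jwk" rather than "kid" in the new-account header, and taking the Replay-Nonce from every response, including error responses that may or may not carry one), as an added example; it is neither win-acme's nor Keyon's code. StubSigner is a labelled stand-in for a real ES256/RS256 key, and FakeServer is a constructed ACME endpoint so the exchange runs offline.

```python
"""ACME JWS envelope, Replay-Nonce handling and ES256 -> RS256 fallback.

Added example, not win-acme's or Keyon's code. StubSigner stands in for a real
ES256/RS256 key (its "signature" is a placeholder tag so the example runs
offline); the protected header, nonce bookkeeping and fallback are the point.
"""
import base64
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"
BAD_SIG_ALG = "urn:ietf:params:acme:error:badSignatureAlgorithm"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


@dataclass
class StubSigner:
    alg: str  # "ES256" or "RS256"; the only property the flow below depends on

    def jwk(self) -> Dict[str, str]:
        return {"kty": "EC" if self.alg == "ES256" else "RSA", "stub": self.alg}  # placeholder, not a real key

    def sign(self, signing_input: bytes) -> bytes:
        return b"stub-signature:" + signing_input[:8]  # placeholder tag, not a real signature


def protected_header(signer: StubSigner, nonce: str, url: str, kid: Optional[str]) -> Dict:
    """RFC 8555 6.2: newAccount and revokeCert carry "jwk"; every other request carries
    "kid" (the account URL). An empty kid is malformed, not "no kid"."""
    hdr: Dict = {"alg": signer.alg, "nonce": nonce, "url": url}
    if kid is None:
        hdr["jwk"] = signer.jwk()
    elif kid:
        hdr["kid"] = kid
    else:
        raise ValueError("kid must be a non-empty account URL, or None to send jwk")
    return hdr


def jws(signer: StubSigner, nonce: str, url: str, payload: Dict, kid: Optional[str] = None) -> Dict[str, str]:
    protected = b64url(json.dumps(protected_header(signer, nonce, url, kid)).encode())
    body = b64url(json.dumps(payload).encode())
    return {"protected": protected, "payload": body,
            "signature": b64url(signer.sign(f"{protected}.{body}".encode()))}


@dataclass
class FakeServer:
    """Constructed ACME server: single-use nonces, optional ES256 support, and the
    SHOULD-level choice of returning a Replay-Nonce on error responses (RFC 8555 6.5)."""
    supports_es256: bool = True
    nonce_on_error: bool = True
    issued: List[str] = field(default_factory=list)
    counter: int = 0
    calls: List[str] = field(default_factory=list)  # alg seen per POST, for inspection

    def new_nonce(self) -> str:  # HEAD newNonce
        self.counter += 1
        self.issued.append(f"nonce-{self.counter}")
        return self.issued[-1]

    def post(self, req: Dict[str, str]) -> Tuple[int, Dict, Dict[str, str]]:
        padded = req["protected"] + "=" * (-len(req["protected"]) % 4)
        hdr = json.loads(base64.urlsafe_b64decode(padded))
        self.calls.append(hdr["alg"])
        headers: Dict[str, str] = {}

        def error(typ: str) -> Tuple[int, Dict, Dict[str, str]]:
            if self.nonce_on_error or typ == BAD_NONCE:  # a badNonce reply MUST carry a fresh one
                headers["Replay-Nonce"] = self.new_nonce()
            return 400, {"type": typ}, headers

        if hdr["nonce"] not in self.issued:
            return error(BAD_NONCE)
        self.issued.remove(hdr["nonce"])  # single use
        if hdr["alg"] == "ES256" and not self.supports_es256:
            return error(BAD_SIG_ALG)
        headers["Replay-Nonce"] = self.new_nonce()
        return 201, {"status": "valid"}, headers


def new_account(server: FakeServer, contact: str, nonce: Optional[str] = None,
                max_attempts: int = 3) -> Tuple[int, str]:
    """Client flow: harvest Replay-Nonce from every reply (refetch when an error reply
    omits it), retry on badNonce, fall back to RS256 on badSignatureAlgorithm.
    Returns (HTTP status, algorithm of the last attempt)."""
    signer = StubSigner("ES256")
    nonce = nonce or server.new_nonce()
    for _ in range(max_attempts):
        status, body, headers = server.post(
            jws(signer, nonce, "/new-account", {"contact": [contact]}))  # kid=None -> jwk
        nonce = headers.get("Replay-Nonce") or server.new_nonce()
        if status == 201:
            return status, signer.alg
        if body.get("type") == BAD_NONCE:
            continue
        if body.get("type") == BAD_SIG_ALG and signer.alg == "ES256":
            signer = StubSigner("RS256")
            continue
        return status, signer.alg
    return 0, signer.alg
```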

Thomas-Stu commented Jan 14, 2021

win-acme.v2.1.13.978
First chance error calling into ACME server, retrying with new nonce.
[dev-stu.true-xtender.keyon.test] Authorizing.
[dev-stu.true-xtender.keyon.test] Authorizing using http-01 validation (SelfHosting)
[dev-stu.true-xtender.keyon.test] Authorization result: valid
Requesting certificate [Manual] dev-stu.true-xtender.keyon.test
(NullReferenceException): Object reference not set to an instance of an object.

Result on ACME Proxy Server: Certificate has been issued and returned to the client.

20210113-19:41:39:139 [https-jsse-nio-21443-exec-9] DEBUG sid: rid: — Proxy returning response to ACME client with IP fe80:0:0:0:50f2:406a:8c7c:ab43%5


Problem: HTTPS/SSL on a domain is not recognized even though Letsencrypt was run

Since switching from Letsencrypt 1 to 2, a .Net domain has not been properly reachable.

Then added it with a manual Create Certificate.

Attackers may be trying to steal your information from readdy.net (for example passwords, messages or credit cards).

Firefox detected a problem and did not continue to readdy.net. Either the website is set up incorrectly or the date and/or time on this computer are incorrect.

The website's certificate has probably expired, which is why Firefox cannot establish an encrypted connection. If you visit the website, attackers could try to steal passwords, e-mails or credit card data.

The problem is most likely caused by the website and there is nothing you can do about it. You can notify the website administrator about the problem.

A simple Windows ACMEv2 client (WACS)

 Software
version 2.1.11.917 (RELEASE, PLUGGABLE, 64-bit)

 ACME server
https://acme-v02.api.letsencrypt.org/

 IIS version
10.0

 Running with
administrator credentials

 Scheduled
task looks healthy

 Please report
issues at https://github.com/win-acme/win-acme

 N: Create
certificate (default settings)

 M: Create
certificate (full options)

 R: Run
renewals (0 currently due)

 A: Manage
renewals (8 total)

 O: More
options…

 Q: Quit

 Please choose
from the menu: a

  Welcome to
the renewal manager. Actions selected in the menu below will be

  applied to
the following list of renewals. You may filter the list to target

  your action
at a more specific set of renewals, or sort it to make it easier

  to find what
you’re looking for.

 1: [IIS]
CodeDocu_com, (any host) — renewed 1 time, due after 2021/5/4 16:05:47

 2: [IIS]
CodeDocu_de, (any host) — renewed 1 time, due after 2021/5/11 12:51:59

 3: [IIS]
CodeDocu_de, codedocu.de — renewed 1 time, due after 2021/5/11 12:51:25

 4: [IIS] CoreFusions,
(any host) — renewed 3 times, due after 2021/5/4 16:06:41

 5: [IIS]
FreeHeatBox, (any host) — renewed 3 times, due after 2021/4/13 10:00:35

 6: [IIS]
FreeHeatBox, (any host) — renewed 3 times, due after 2021/4/13 10:01:39

 7: [IIS]
Readdy, (any host) — renewed 1 time, due after 2021/6/6 17:11:40

 8: [IIS]
Rue25, (any host) — renewed 1 time, due after 2021/5/4 16:07:15

  Currently
selected 8 of 8 renewals

 F: Apply
filter

 S: Sort
renewals

 D: Show
details for *all* renewals

 R: Run *all*
renewals

 U: Analyze
duplicates for *all* renewals

 C: Cancel
*all* renewals

 V: Revoke
certificate(s) for *all* renewals

 Q: Back

 Choose an
action or type numbers to select renewals: 7

  Welcome to
the renewal manager. Actions selected in the menu below will be

  applied to
the following list of renewals. You may filter the list to target

  your action
at a more specific set of renewals, or sort it to make it easier

  to find what
you’re looking for.

 1: [IIS]
Readdy, (any host) — renewed 1 time, due after 2021/6/6 17:11:40

 X: Reset
sorting and filtering

 D: Show
details for 1 of 8 renewals

 R: Run 1 of 8
renewals

 U: Analyze
duplicates for 1 of 8 renewals

 C: Cancel 1
of 8 renewals

 V: Revoke
certificate(s) for 1 of 8 renewals

 Q: Back

 Choose an
action or type numbers to select renewals: v

 Are you sure
you want to revoke the most recently issued certificate for 1 currently
selected renewal? This should only be done in case of a (suspected) security
breach. Cancel the renewal if you simply don’t need the certificates anymore.
(y/n*)  — yes

 Revoked
certificate [IIS] Readdy, (any host) @ 2021/4/12 17:11:41

  Welcome to
the renewal manager. Actions selected in the menu below will be

  applied to
the following list of renewals. You may filter the list to target

  your action
at a more specific set of renewals, or sort it to make it easier

  to find what
you’re looking for.

 1: [IIS]
Readdy, (any host) — renewed 1 time, due after 2021/6/6 17:11:40, 1 error
like «Certificate(s) revoked»

 X: Reset
sorting and filtering

 D: Show
details for 1 of 8 renewals

 R: Run 1 of 8
renewals

 U: Analyze
duplicates for 1 of 8 renewals

 C: Cancel 1
of 8 renewals

 V: Revoke
certificate(s) for 1 of 8 renewals

 Q: Back

 Choose an
action or type numbers to select renewals: d

 Details for
renewal 1/1

 Id:                  axt-vV50rkuNtdyN6Obqnw

 File:               
axt-vV50rkuNtdyN6Obqnw.renewal.json

 FriendlyName:        [Auto] [IIS] Readdy, (any host)

 .pfx
password:      
wcv2FMDgchy8Mfk/m+EVqHm3W8x4wHIQtqL4eDndROM=

 Renewal
due:         6/6/2021 5:11:40 PM

 Renewed:             1 times

 Target       
——————————————————————

  —
Plugin:           IIS — (Read site
bindings from IIS)

  — Common
name:      readdy.net

  —
Sites:            1

  —
Hosts:            All

 Validation   
——————————————————————

  —
Plugin:           SelfHosting — (Serve
verification files from memory)

 Order        
——————————————————————

  —
Plugin:           Single — (Single
certificate)

 CSR          
——————————————————————

  —
Plugin:           RSA — (RSA key)

 Store        
——————————————————————

  —
Plugin:           CertificateStore —
(Windows Certificate Store)

 Installation 
——————————————————————

  —
Plugin:           IIS — (Create or
update https bindings in IIS)

 History      
——————————————————————

 1: 4/12/2021
3:11:40 PM — Success — Thumbprint 99FC393BAE9FAECC7F2FAA86E6B823208966522C

 2: 4/12/2021
3:48:11 PM — Error — Certificate(s) revoked

 Press
<Enter> to continue

  Welcome to
the renewal manager. Actions selected in the menu below will be

  applied to
the following list of renewals. You may filter the list to target

  your action
at a more specific set of renewals, or sort it to make it easier

  to find what
you’re looking for.

 1: [IIS]
Readdy, (any host) — renewed 1 time, due after 2021/6/6 17:11:40, 1 error
like «Certificate(s) revoked»

 X: Reset
sorting and filtering

 D: Show
details for 1 of 8 renewals

 R: Run 1 of 8
renewals

 U: Analyze
duplicates for 1 of 8 renewals

 C: Cancel 1
of 8 renewals

 V: Revoke
certificate(s) for 1 of 8 renewals

 Q: Back

 Choose an
action or type numbers to select renewals: d

 Details for
renewal 1/1

 Id:                  axt-vV50rkuNtdyN6Obqnw

 File:               
axt-vV50rkuNtdyN6Obqnw.renewal.json

 FriendlyName:        [Auto] [IIS] Readdy, (any host)

 .pfx
password:      
wcv2FMDgchy8Mfk/m+EVqHm3W8x4wHIQtqL4eDndROM=

 Renewal
due:         6/6/2021 5:11:40 PM

 Renewed:             1 times

 Target       
——————————————————————

  —
Plugin:           IIS — (Read site
bindings from IIS)

  — Common
name:      readdy.net

  —
Sites:            1

  —
Hosts:            All

 Validation   
——————————————————————

  —
Plugin:           SelfHosting — (Serve
verification files from memory)

 Order        
——————————————————————

  —
Plugin:           Single — (Single
certificate)

 CSR          
——————————————————————

  —
Plugin:           RSA — (RSA key)

 Store        
——————————————————————

  —
Plugin:           CertificateStore —
(Windows Certificate Store)

 Installation 
——————————————————————

  —
Plugin:           IIS — (Create or
update https bindings in IIS)

 History      
——————————————————————

 1: 4/12/2021
3:11:40 PM — Success — Thumbprint 99FC393BAE9FAECC7F2FAA86E6B823208966522C

 2: 4/12/2021
3:48:11 PM — Error — Certificate(s) revoked

 Press
<Enter> to continue

  Welcome to
the renewal manager. Actions selected in the menu below will be

  applied to
the following list of renewals. You may filter the list to target

  your action
at a more specific set of renewals, or sort it to make it easier

  to find what
you’re looking for.

 1: [IIS]
Readdy, (any host) — renewed 1 time, due after 2021/6/6 17:11:40, 1 error
like «Certificate(s) revoked»

 X: Reset
sorting and filtering

 D: Show
details for 1 of 8 renewals

 R: Run 1 of 8
renewals

 U: Analyze
duplicates for 1 of 8 renewals

 C: Cancel 1
of 8 renewals

 V: Revoke
certificate(s) for 1 of 8 renewals

 Q: Back

 Choose an
action or type numbers to select renewals: c

 Are you sure
you want to cancel 1 currently selected renewal? (y/n*)  — yes

 Renewal [IIS]
Readdy, (any host) — renewed 1 time, due after 6/6/2021 5:11:40 PM, 1 error
like «Certificate(s) revoked» cancelled

  Welcome to
the renewal manager. Actions selected in the menu below will be

  applied to
the following list of renewals. You may filter the list to target

  your action
at a more specific set of renewals, or sort it to make it easier

  to find what
you’re looking for.

 1: [IIS]
CodeDocu_com, (any host) — renewed 1 time, due after 2021/5/4 16:05:47

 2: [IIS]
CodeDocu_de, (any host) — renewed 1 time, due after 2021/5/11 12:51:59

 3: [IIS]
CodeDocu_de, codedocu.de — renewed 1 time, due after 2021/5/11 12:51:25

 4: [IIS]
CoreFusions, (any host) — renewed 3 times, due after 2021/5/4 16:06:41

 5: [IIS]
FreeHeatBox, (any host) — renewed 3 times, due after 2021/4/13 10:00:35

 6: [IIS]
FreeHeatBox, (any host) — renewed 3 times, due after 2021/4/13 10:01:39

 7: [IIS]
Rue25, (any host) — renewed 1 time, due after 2021/5/4 16:07:15

  Currently
selected 7 of 7 renewals

 F: Apply
filter

 S: Sort
renewals

 D: Show
details for *all* renewals

 R: Run *all*
renewals

 U: Analyze
duplicates for *all* renewals

 C: Cancel
*all* renewals

 V: Revoke
certificate(s) for *all* renewals

 Q: Back

 Choose an
action or type numbers to select renewals: <Enter>

 Choose an action
or type numbers to select renewals: q

 N: Create
certificate (default settings)

 M: Create
certificate (full options)

 R: Run
renewals (0 currently due)

 A: Manage
renewals (7 total)

 O: More
options…

 Q: Quit

 Please choose
from the menu: m

 Running in
mode: Interactive, Advanced

  Please
specify how the list of domain names that will be included in the

  certificate
should be determined. If you choose for one of the «all bindings»

  options, the
list will automatically be updated for future renewals to

  reflect the
bindings at that time.

 1: Read site
bindings from IIS

 2: Manual
input

 3: CSR
created by another program

 C: Abort

 How shall we
determine the domain(s) to include in the certificate?: <Enter>

  Please
select which website(s) should be scanned for host names. You may

  input one or
more site identifiers (comma separated) to filter by those

  sites, or
alternatively leave the input empty to scan *all* websites.

 5: CodeDocu_com (2 bindings)

 4: CodeDocu_de (4 bindings)

 9: CoreFusions (2 bindings)

 10:
FreeHeatBox (2 bindings)

 8: MailEnable
Protocols (2 bindings)

 3: MailEnable
WebAdmin (1 binding)

 2: MailEnable
WebMail (1 binding)

 1: Readdy (2
bindings)

 6: Rue25 (2
bindings)

 Site
identifier(s) or <Enter> to choose all: 1

 1: readdy.net
(Site 1)

 2:
www.readdy.net (Site 1)

  Listed above
are the bindings found on the selected site(s). By default all

  of them will
be included, but you may either pick specific ones by typing the

  host names
or identifiers (comma seperated) or filter them using one of the

  options from
the menu.

 P: Pick
bindings based on a search pattern

 R: Pick
bindings based on a regular expression

 A: Pick *all*
bindings

 Binding
identifiers(s) or menu option: a

 1: readdy.net

 2:
www.readdy.net

 Please pick
the main host, which will be presented as the subject of the certificate:
<Enter>

 1: readdy.net
(Site 1)

 2: www.readdy.net
(Site 1)

 Continue with
this selection? (y*/n)  — <Enter>

 Target
generated using plugin IIS: readdy.net and 1 alternatives

 Suggested
friendly name ‘[IIS] Readdy, (any host)’, press <Enter> to accept or type an alternative: <Enter>

  The ACME server will need to verify that you are the owner of the domain names that you are requesting the certificate for. This happens both during initial setup *and* for every future renewal. There are two main methods of doing so: answering specific http requests (http-01) or create specific dns records (dns-01). For wildcard domains the latter is the only option. Various additional plugins are available from https://github.com/win-acme/win-acme/.

 1: [http-01] Save verification files on (network) path
 2: [http-01] Serve verification files from memory
 3: [http-01] Upload verification files via FTP(S)
 4: [http-01] Upload verification files via SSH-FTP
 5: [http-01] Upload verification files via WebDav
 6: [dns-01] Create verification records manually (auto-renew not possible)
 7: [dns-01] Create verification records with acme-dns (https://github.com/joohoi/acme-dns)
 8: [dns-01] Create verification records with your own script
 9: [tls-alpn-01] Answer TLS verification request from win-acme
 C: Abort

 How would you like prove ownership for the domain(s)?: <Enter>

  After ownership of the domain(s) has been proven, we will create a Certificate Signing Request (CSR) to obtain the actual certificate. The CSR determines properties of the certificate like which (type of) key to use. If you are not sure what to pick here, RSA is the safe default.

 1: Elliptic Curve key
 2: RSA key
 C: Abort

 What kind of private key should be used for the certificate?: <Enter>

  When we have the certificate, you can store in one or more ways to make it accessible to your applications. The Windows Certificate Store is the default location for IIS (unless you are managing a cluster of them).

 1: IIS Central Certificate Store (.pfx per host)
 2: PEM encoded files (Apache, nginx, etc.)
 3: PFX archive
 4: Windows Certificate Store
 5: No (additional) store steps

 How would you like to store the certificate?: <Enter>

 1: IIS Central Certificate Store (.pfx per host)
 2: PEM encoded files (Apache, nginx, etc.)
 3: PFX archive
 4: Windows Certificate Store
 5: No (additional) store steps

 Would you like to store it in another way too?: <Enter>

  With the certificate saved to the store(s) of your choice, you may choose one or more steps to update your applications, e.g. to configure the new thumbprint, or to update bindings.

 1: Create or update https bindings in IIS
 2: Create or update ftps bindings in IIS
 3: Start external script or program
 4: No (additional) installation steps

 Which installation step should run first?: <Enter>

 Use different site for installation? (y/n*)  — <Enter>

 1: Create or update https bindings in IIS
 2: Create or update ftps bindings in IIS
 3: Start external script or program
 4: No (additional) installation steps

 Add another installation step?: <Enter>

 First chance error calling into ACME server, retrying with new nonce…
 Requesting certificate [IIS] Readdy, (any host)
 Store with CertificateStore…
 Installing certificate in the certificate store
 Adding certificate [IIS] Readdy, (any host) @ 2021/4/12 17:55:24 to store WebHosting
 Installing with IIS…
 Adding new https binding *:443:Readdy.net
 Adding new https binding *:443:www.readdy.net
 Committing 2 https binding changes to IIS
 Scheduled task looks healthy
 Adding renewal for [IIS] Readdy, (any host)
 Next renewal scheduled at 2021/6/6 17:55:21
 Certificate [IIS] Readdy, (any host) created

 N: Create certificate (default settings)
 M: Create certificate (full options)
 R: Run renewals (0 currently due)
 A: Manage renewals (8 total)
 O: More options…
 Q: Quit

 Please choose from the menu:
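The session above touches two parts of the ACME protocol that are easy to misread in client logs: the http-01 proof the CA fetches from /.well-known/acme-challenge/<token> (the value win-acme checks in its "preliminary validation" before it asks the CA to look), and the "retrying with new nonce" warning, which is the client replacing a rejected anti-replay nonce with the one the server hands back. The example below is added here and is not code from win-acme, VestaCP or any ACME library. It builds the key authorization from the token and the RFC 7638 thumbprint of the account key, judges a fetched challenge response the way a client's pre-check does, and shows the badNonce retry. The JWK values and the `send` callable are constructed stand-ins, not a real account key or HTTP client.

```python
"""Added example, not code from win-acme, VestaCP or an ACME library.

Covers RFC 8555 s8.1 (http-01 key authorization), RFC 7638 (JWK thumbprint)
and the badNonce retry behind "First chance error calling into ACME server,
retrying with new nonce".
"""
import base64
import hashlib
import json
from typing import Callable, Dict, Tuple

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"

# Constructed account key for the demo: the modulus is a placeholder string,
# not a real RSA key. "alg"/"kid" are present to show they do not affect the
# thumbprint.
EXAMPLE_JWK = {
    "kty": "RSA",
    "n": "constructed-modulus-not-a-real-key-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "account-1",
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as used throughout ACME/JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted,
    no whitespace. Optional members (alg, kid, use) are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 s8.1: token || '.' || base64url(JWK thumbprint of account key).
    This exact string must be the body served at
    /.well-known/acme-challenge/<token> over plain http."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def check_challenge_response(status: int, headers: Dict[str, str], body: str,
                             expected: str) -> Tuple[bool, str]:
    """Judge an HTTP reply to the challenge URL like a client's preliminary
    check. A redirect (typically a force-https rule) and a foreign body
    (the 'hello world' in the report above) are the common failures."""
    if status in (301, 302, 307, 308):
        return False, (f"redirected to {headers.get('Location')}; exclude "
                       "/.well-known/acme-challenge/ from the https redirect")
    if status != 200:
        return False, f"HTTP {status}"
    got = body.strip()
    if got != expected:
        return False, f"found {got!r} instead of {expected!r}"
    return True, "ok"


def post_with_nonce_retry(send: Callable[[str], Tuple[int, Dict[str, str], dict]],
                          nonce: str, max_retries: int = 1):
    """Send a signed request carrying `nonce`; on badNonce, retry once with
    the Replay-Nonce the server returned. `send` is a hypothetical callable
    standing in for JWS signing plus the HTTP POST."""
    attempts = 0
    while True:
        status, headers, problem = send(nonce)
        if status == 400 and problem.get("type") == BAD_NONCE and attempts < max_retries:
            attempts += 1
            nonce = headers["Replay-Nonce"]  # the "new nonce" in the log line
            continue
        return status, headers, problem, nonce


def demo_nonce_retry():
    """Constructed server: rejects the stale nonce once, then accepts."""
    valid = {"fresh-nonce-2"}

    def send(nonce: str):
        if nonce in valid:
            return 200, {"Replay-Nonce": "fresh-nonce-3"}, {}
        return 400, {"Replay-Nonce": "fresh-nonce-2"}, {
            "type": BAD_NONCE, "detail": "JWS has an invalid anti-replay nonce"}

    return post_with_nonce_retry(send, "stale-nonce-1")


if __name__ == "__main__":
    expected = key_authorization("UG-ajdVVR6hrDeu2cCt0vQ95YOdeum_mxY5jlXOqX40", EXAMPLE_JWK)
    print(expected)
    print(check_challenge_response(200, {}, "hello world", expected))
    print(check_challenge_response(301, {"Location": "https://example.test/"}, "", expected))
    print(demo_nonce_retry()[0], demo_nonce_retry()[3])
```

The thumbprint is deliberately computed over the three required RSA members only; feeding the whole JWK (with `alg` and `kid`) to the hash is a classic mistake that produces a key authorization the CA will never accept. On the retry, note that the replacement nonce is taken from the error response itself, which is why the warning is harmless when it appears once and only worth investigating when it repeats.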

SPEC1AL1ST

Posts: 142
Joined: Sun Aug 10, 2014 1:32 pm

LetsEncrypt error

For the last week I have been getting e-mails like these. Does anyone know what the problem is? LetsEncrypt is enabled through the VestaCP web panel.

Code:

Error: Invalid response from http://gateintogame.com/.well-known/acme-challenge/My-6vELlHb3t78Z-Wzu54Xk5WoHL0WerBu20iSzLERA: 
Error: Invalid response from http://eve-ua.com/.well-known/acme-challenge/339M4WRvEuKW2qxaNNh90I-AHtRggxTX32tjAXoTseo: 
Error: Invalid response from http://forum.eve-ua.com/.well-known/acme-challenge/hPt5kOvAOxcBL7K3sHrPtbJeRVTMkYa4kOR5WROLeyQ: 
Error: Invalid response from http://old.eve-ua.com/.well-known/acme-challenge/E6s1iuG076tMR-vdcy-IAq0M11wY-C0rETkeCUQJTxU: 
Error: Invalid response from http://sd.eve-ua.com/.well-known/acme-challenge/QXSVKdD1RUqRQ7vWzSTAcEN-bCBD1rzmgd8qMsAlliY: 
Error: Invalid response from http://test.gateintogame.com/.well-known/acme-challenge/mKFzJXIzy84PJsz5Idy3BPhz3s57cwhssv0qsCjyQ2Q: 


Alex Connor

Support team
Posts: 1047
Joined: Fri Mar 21, 2014 7:49 am
Os: CentOS 6x
Web: apache + nginx

Re: LetsEncrypt error

by Alex Connor » Fri Apr 14, 2017 1:59 pm

Do you by any chance have a redirect to https configured?


Alex Connor

Support team
Posts: 1047
Joined: Fri Mar 21, 2014 7:49 am
Os: CentOS 6x
Web: apache + nginx

Re: LetsEncrypt error

by Alex Connor » Fri Apr 14, 2017 2:00 pm

Apparently yes... you need to configure an exception for that URL, or disable the https redirect while the certificate is being renewed.


SPEC1AL1ST

Posts: 142
Joined: Sun Aug 10, 2014 1:32 pm

Re: LetsEncrypt error

by SPEC1AL1ST » Fri Apr 14, 2017 2:17 pm

Alex Connor wrote: Apparently yes... you need to configure an exception for that URL, or disable the https redirect while the certificate is being renewed.

Could you explain in more detail how to configure that exception?




skurudo

VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm
Re: LetsEncrypt error

by skurudo » Thu Apr 20, 2017 7:24 pm

SPEC1AL1ST wrote: For the last week I have been getting e-mails like these. Does anyone know what the problem is? LetsEncrypt is enabled through the VestaCP web panel.

Which templates are you using?


skurudo

VestaCP Team
Posts: 8099
Joined: Fri Dec 26, 2014 2:23 pm
Re: LetsEncrypt error

by skurudo » Thu Apr 20, 2017 7:25 pm

SPEC1AL1ST wrote: How do I fix this?

/usr/local/vesta/data/templates/web/nginx/force-https.tpl

Code:

server {
    listen      %ip%:%proxy_port%;
    server_name %domain_idn% %alias_idn%;
    location / {
        rewrite ^(.*) https://%domain_idn%$1 permanent;
    }
    include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
}

/usr/local/vesta/data/templates/web/nginx/force-https.stpl

Code:

server {
    listen      %ip%:%proxy_ssl_port% ssl http2;
    server_name %domain_idn% %alias_idn%;
    ssl         on;
    ssl_certificate      %ssl_pem%;
    ssl_certificate_key  %ssl_key%;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    error_log  /var/log/%web_system%/domains/%domain%.error.log error;

    location / {
        proxy_pass      https://%ip%:%web_ssl_port%;
        location ~* ^.+.(%proxy_extentions%)$ {
            root           %sdocroot%;
            access_log     /var/log/%web_system%/domains/%domain%.log combined;
            access_log     /var/log/%web_system%/domains/%domain%.bytes bytes;
            expires        max;
            try_files      $uri @fallback;
        }
    }

    location /error/ {
        alias   %home%/%user%/web/%domain%/document_errors/;
    }

    location @fallback {
        proxy_pass      https://%ip%:%web_ssl_port%;
    }

    location ~ /.ht    {return 404;}
    location ~ /.svn/  {return 404;}
    location ~ /.git/  {return 404;}
    location ~ /.hg/   {return 404;}
    location ~ /.bzr/  {return 404;}

    include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;

    include %home%/%user%/conf/web/s%proxy_system%.%domain%.conf*;
}
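The exception Alex Connor refers to, written against the force-https.tpl above, as an added example that is not part of VestaCP's templates. In the template every request on the plain-http port hits `location /` and is rewritten to https, so the CA's challenge fetch gets a 301 instead of the key authorization; the wildcard `include ... conf_letsencrypt` only contributes a challenge location when VestaCP has generated that file. A `^~` prefix location is preferred over `location /` and stops regex matching, so the challenge directory is served from disk over http before the redirect applies. The `root` path is an assumption: point it at the directory your ACME client writes the token files into.

```nginx
server {
    listen      %ip%:%proxy_port%;
    server_name %domain_idn% %alias_idn%;

    # Added exception: serve http-01 challenges before the https redirect.
    # The document root is an assumption; use the directory the ACME client
    # writes /.well-known/acme-challenge/<token> into.
    location ^~ /.well-known/acme-challenge/ {
        root         %home%/%user%/web/%domain%/public_html;
        default_type text/plain;
        try_files    $uri =404;
    }

    location / {
        rewrite ^(.*) https://%domain_idn%$1 permanent;
    }

    include %home%/%user%/conf/web/*nginx.%domain_idn%.conf_letsencrypt;
}
```

After regenerating the vhost and running `nginx -t`, a request such as `curl -sI http://example.com/.well-known/acme-challenge/probe` should answer 404 from nginx itself, not 301 to https; a 301 means the rewrite is still winning. Keep the exception limited to that one directory so the force-https behaviour for everything else is unchanged.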


SPEC1AL1ST

Posts: 142
Joined: Sun Aug 10, 2014 1:32 pm

Re: LetsEncrypt error

by SPEC1AL1ST » Fri Apr 21, 2017 6:49 am

skurudo wrote:

SPEC1AL1ST wrote: For the last week I have been getting e-mails like these. Does anyone know what the problem is? LetsEncrypt is enabled through the VestaCP web panel.

Which templates are you using?

Since I didn't understand the question, probably the standard ones...
Web template: default
Proxy template: force-https

The error is still there :(


