Acme.sh Script Gets Hung

Hello, I’m trying to create a new certificate and the script just gets hung. I don’t see any errors. I’d appreciate any help.

My domain is: gsrm.com

I ran this command: /etc/letsencrypt/acme.sh --config-home '/etc/letsencrypt/config' --issue -d gsrm.com -d www.gsrm.com -w /var/www/html -k "ec-384" --debug 2

It produced this output:

[Tue Sep 24 12:38:00 EDT 2019] Lets find script dir.
[Tue Sep 24 12:38:00 EDT 2019] _SCRIPT_='/etc/letsencrypt/acme.sh'
[Tue Sep 24 12:38:00 EDT 2019] _script='/etc/letsencrypt/acme.sh'
[Tue Sep 24 12:38:00 EDT 2019] _script_home='/etc/letsencrypt'
[Tue Sep 24 12:38:00 EDT 2019] Using config home:/etc/letsencrypt/config
[Tue Sep 24 12:38:00 EDT 2019] LE_WORKING_DIR='/etc/letsencrypt'
https://github.com/Neilpang/acme.sh
v2.8.3
[Tue Sep 24 12:38:00 EDT 2019] Running cmd: issue
[Tue Sep 24 12:38:00 EDT 2019] _main_domain='gsrm.com'
[Tue Sep 24 12:38:00 EDT 2019] _alt_domains='www.gsrm.com'
[Tue Sep 24 12:38:00 EDT 2019] Using config home:/etc/letsencrypt/config
[Tue Sep 24 12:38:00 EDT 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue Sep 24 12:38:00 EDT 2019] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Tue Sep 24 12:38:00 EDT 2019] DOMAIN_PATH='/etc/letsencrypt/renewal/gsrm.com_ecc'
[Tue Sep 24 12:38:00 EDT 2019] '/var/www/html' does not contain 'dns'
[Tue Sep 24 12:38:00 EDT 2019] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Tue Sep 24 12:38:00 EDT 2019] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Tue Sep 24 12:38:00 EDT 2019] GET
[Tue Sep 24 12:38:00 EDT 2019] url='https://acme-v02.api.letsencrypt.org/directory'
[Tue Sep 24 12:38:00 EDT 2019] timeout=
[Tue Sep 24 12:38:00 EDT 2019] _CURL='curl -L --silent --dump-header /etc/letsencrypt/config/http.header  --trace-ascii /tmp/tmp.seaEfIdFvA  -g '
[Tue Sep 24 12:38:00 EDT 2019] ret='0'
[Tue Sep 24 12:38:00 EDT 2019] response='{
  "a4NAZCRn4JQ": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}'
[Tue Sep 24 12:38:00 EDT 2019] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Tue Sep 24 12:38:00 EDT 2019] ACME_NEW_AUTHZ
[Tue Sep 24 12:38:00 EDT 2019] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Tue Sep 24 12:38:00 EDT 2019] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Tue Sep 24 12:38:00 EDT 2019] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Tue Sep 24 12:38:00 EDT 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Tue Sep 24 12:38:00 EDT 2019] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Tue Sep 24 12:38:00 EDT 2019] ACME_VERSION='2'
[Tue Sep 24 12:38:00 EDT 2019] Le_NextRenewTime
[Tue Sep 24 12:38:00 EDT 2019] _on_before_issue
[Tue Sep 24 12:38:00 EDT 2019] _chk_main_domain='gsrm.com'
[Tue Sep 24 12:38:00 EDT 2019] _chk_alt_domains='www.gsrm.com'
[Tue Sep 24 12:38:00 EDT 2019] '/var/www/html' does not contain 'no'
[Tue Sep 24 12:38:00 EDT 2019] Le_LocalAddress
[Tue Sep 24 12:38:00 EDT 2019] d='gsrm.com'
[Tue Sep 24 12:38:00 EDT 2019] Check for domain='gsrm.com'
[Tue Sep 24 12:38:00 EDT 2019] _currentRoot='/var/www/html'
[Tue Sep 24 12:38:00 EDT 2019] d='www.gsrm.com'
[Tue Sep 24 12:38:00 EDT 2019] Check for domain='www.gsrm.com'
[Tue Sep 24 12:38:00 EDT 2019] _currentRoot='/var/www/html'
[Tue Sep 24 12:38:00 EDT 2019] d
[Tue Sep 24 12:38:00 EDT 2019] '/var/www/html' does not contain 'apache'
[Tue Sep 24 12:38:00 EDT 2019] _saved_account_key_hash='nNd1kvxy/bvggEwC5ycAiAIVStLzrcP2gODM4WeZ2yo='
[Tue Sep 24 12:38:00 EDT 2019] _saved_account_key_hash is not changed, skip register account.
[Tue Sep 24 12:38:00 EDT 2019] Read key length:ec-384
[Tue Sep 24 12:38:00 EDT 2019] _createcsr
[Tue Sep 24 12:38:00 EDT 2019] domain='gsrm.com'
[Tue Sep 24 12:38:00 EDT 2019] domainlist='www.gsrm.com'
[Tue Sep 24 12:38:00 EDT 2019] csrkey='/etc/letsencrypt/renewal/gsrm.com_ecc/gsrm.com.key'
[Tue Sep 24 12:38:00 EDT 2019] csr='/etc/letsencrypt/renewal/gsrm.com_ecc/gsrm.com.csr'
[Tue Sep 24 12:38:00 EDT 2019] csrconf='/etc/letsencrypt/renewal/gsrm.com_ecc/gsrm.com.csr.conf'
[Tue Sep 24 12:38:00 EDT 2019] _is_idn_d='www.gsrm.com'
[Tue Sep 24 12:38:01 EDT 2019] _idn_temp
[Tue Sep 24 12:38:01 EDT 2019] domainlist='www.gsrm.com'
[Tue Sep 24 12:38:01 EDT 2019] _is_idn_d='gsrm.com'
[Tue Sep 24 12:38:01 EDT 2019] _idn_temp
[Tue Sep 24 12:38:01 EDT 2019] Multi domain='DNS:gsrm.com,DNS:www.gsrm.com'
[Tue Sep 24 12:38:01 EDT 2019] _is_idn_d='gsrm.com'
[Tue Sep 24 12:38:01 EDT 2019] _idn_temp
[Tue Sep 24 12:38:01 EDT 2019] _csr_cn='gsrm.com'
[Tue Sep 24 12:38:01 EDT 2019] Getting domain auth token for each domain
[Tue Sep 24 12:38:01 EDT 2019] _is_idn_d='gsrm.com'
[Tue Sep 24 12:38:01 EDT 2019] _idn_temp
[Tue Sep 24 12:38:01 EDT 2019] d='www.gsrm.com'
[Tue Sep 24 12:38:01 EDT 2019] _is_idn_d='www.gsrm.com'
[Tue Sep 24 12:38:01 EDT 2019] _idn_temp
[Tue Sep 24 12:38:01 EDT 2019] d
[Tue Sep 24 12:38:01 EDT 2019] _identifiers='{"type":"dns","value":"gsrm.com"},{"type":"dns","value":"www.gsrm.com"}'
[Tue Sep 24 12:38:01 EDT 2019] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Tue Sep 24 12:38:01 EDT 2019] payload='{"identifiers": [{"type":"dns","value":"gsrm.com"},{"type":"dns","value":"www.gsrm.com"}]}'
[Tue Sep 24 12:38:01 EDT 2019] RSA key
[Tue Sep 24 12:38:01 EDT 2019] Get nonce with HEAD. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Tue Sep 24 12:38:01 EDT 2019] HEAD
[Tue Sep 24 12:38:01 EDT 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Tue Sep 24 12:38:01 EDT 2019] body
[Tue Sep 24 12:38:01 EDT 2019] _postContentType='application/jose+json'
[Tue Sep 24 12:38:01 EDT 2019] _CURL='curl -L --silent --dump-header /etc/letsencrypt/config/http.header  --trace-ascii /tmp/tmp.Dt9V3hlIwA  -g '

My web server is (include version): Nginx running on WordOps 3.9.9

The operating system my web server runs on is (include version): Ubuntu 16.04.6

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): n/a

Hi @thomasbennett,

Welcome to the community forum!

Are you using the most up to date version of acme.sh? There have been some commits that landed in master this morning.


Thanks, Phil. Yep, I’m on the latest: v2.8.3.

Which commit?

I think “2.8.3” is the current development version; it could refer to a lot of different commits.


My original install wasn’t off of Git but I’m pretty sure I’m on master. I ran curl https://get.acme.sh | sh and also did a diff against the script on the master branch: https://raw.githubusercontent.com/Neilpang/acme.sh/5244097e2de7b8e5c34a71fa4ab13be7ca9b0030/acme.sh

Does this file exist on your filesystem still? If so, what’s inside?

It does:

== Info:   Trying 172.65.32.248...
== Info: Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
== Info: found 148 certificates in /etc/ssl/certs/ca-certificates.crt
== Info: found 596 certificates in /etc/ssl/certs
== Info: ALPN, offering http/1.1
== Info: SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
== Info: 	 server certificate verification OK
== Info: 	 server certificate status verification SKIPPED
== Info: 	 common name: acme-v01.api.letsencrypt.org (matched)
== Info: 	 server certificate expiration date OK
== Info: 	 server certificate activation date OK
== Info: 	 certificate public key: RSA
== Info: 	 certificate version: #3
== Info: 	 subject: CN=acme-v01.api.letsencrypt.org
== Info: 	 start date: Fri, 13 Sep 2019 17:57:16 GMT
== Info: 	 expire date: Thu, 12 Dec 2019 17:57:16 GMT
== Info: 	 issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
== Info: 	 compression: NULL
== Info: ALPN, server accepted to use http/1.1
=> Send header, 203 bytes (0xcb)
0000: HEAD /acme/new-nonce HTTP/1.1
001f: Host: acme-v02.api.letsencrypt.org
0043: User-Agent: acme.sh/2.8.3 (https://github.com/Neilpang/acme.sh)
0084: Accept: */*
0091: Content-Type: application/jose+json
00b6: Content-Length: 0
00c9:
<= Recv header, 17 bytes (0x11)
0000: HTTP/1.1 200 OK
<= Recv header, 15 bytes (0xf)
0000: Server: nginx
<= Recv header, 37 bytes (0x25)
0000: Date: Tue, 24 Sep 2019 16:38:01 GMT
<= Recv header, 24 bytes (0x18)
0000: Connection: keep-alive
<= Recv header, 44 bytes (0x2c)
0000: Cache-Control: public, max-age=0, no-cache
<= Recv header, 68 bytes (0x44)
0000: Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="inde
0040: x"
<= Recv header, 63 bytes (0x3f)
0000: Replay-Nonce: 0001ISGtcm677NveujuqORZtupqrv_avbP_OjxPhwr0Eotg
<= Recv header, 23 bytes (0x17)
0000: X-Frame-Options: DENY
<= Recv header, 43 bytes (0x2b)
0000: Strict-Transport-Security: max-age=604800
== Info: no chunk, no close, no size. Assume close to signal end
<= Recv header, 2 bytes (0x2)
0000:

Not sure if it’s relevant, but not too long ago we used certbot-auto instead. I ran certbot-auto certificates to see if there might be some conflict, but this one doesn’t exist there either.

Still tinkering with this. To debug further I tried running the certbot-auto --nginx command and received a verification denied message with a 403.

I found a deny to .well-known in a conf file so I removed that and tried again. The output of the /etc/letsencrypt/acme.sh --config-home '/etc/letsencrypt/config' --issue -d gsrm.com -d www.gsrm.com -w /var/www/html -k "ec-384" --debug 2 command dies on a socat usage message that lists the options.

Next, I ran the WordOps --letsencrypt command, which is some wrapper for acme.sh and got the message gsrm.com is not pointing to your IP. It IS pointing to my IP but it’s a floating IP on Digital Ocean.

This hasn’t been an issue before but I wanted to pass it along in hopes someone knows what’s going on.

Could you please create this file and report back:

echo 'Hello World' > /var/www/html/.well-known/acme-challenge/test

Since you already have certbot-auto running, may as well continue down that path.

Done. Actually I see two other verification attempts in this directory.

My actual website root is /var/www/gsrm.com. Perhaps I've made a mistake using /var/www/html? I can see I don't have a proper hostname set up.

That probably explains why the test file isn’t accessible at http://www.gsrm.com/.well-known/acme-challenge/test .

Have a go at:

certbot-auto certonly --webroot -w /var/www/gsrm.com -d gsrm.com -d www.gsrm.com --dry-run

I get this error:

--dry-run currently only works with the 'certonly' or 'renew' subcommands ('run')

Sorry, there was meant to be certonly right after certbot. Fixed it.

I added htdocs to the webroot and the dry run was successful. Giving it a full go…

Just regarding the acme.sh thing, it would really help to see the rest of this chopped off line - the last line.

Your follow-up post makes it look like that run was from an old version of acme.sh. If we had the whole log line, we could verify that it contains -I - the part that fixes the hanging issue.
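To illustrate the -I point above, here is a small POSIX shell example (added here, not acme.sh's own code) that fetches the newNonce endpoint with an explicit HEAD and a hard timeout, then parses Replay-Nonce out of the response headers. The sample header block and its nonce value are constructed for the offline check; the endpoint URL is the one from the debug log.

```shell
#!/bin/sh
# Added example, not code from acme.sh. A plain "curl -X HEAD" sends a HEAD
# request but still waits for a response body that never arrives, so the
# client sits there until the server closes the connection. "curl -I" tells
# curl the request is a HEAD and to stop reading after the headers.

ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'

# Read HTTP response headers on stdin and print the Replay-Nonce value.
# Header names are case-insensitive and lines end in CRLF, so the CR is
# stripped and the name lowercased before matching. Prints nothing if absent.
extract_nonce() {
  tr -d '\r' | awk 'tolower($1) == "replay-nonce:" { print $2; exit }'
}

# RFC 8555 section 6.5.1 requires the nonce to be base64url encoded; reject
# anything else before it is echoed into a JWS "nonce" field.
is_base64url() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]+$'
}

# Live fetch (not run by the offline check below): -I makes the HEAD explicit
# and returns only headers, -s silences the progress meter, --max-time bounds
# the whole request so a stalled connection can never hang the script.
get_nonce() {
  nonce=$(curl -sI --max-time 30 "$ACME_NEW_NONCE" | extract_nonce)
  if [ -z "$nonce" ] || ! is_base64url "$nonce"; then
    echo "no usable Replay-Nonce from $ACME_NEW_NONCE" >&2
    return 1
  fi
  printf '%s\n' "$nonce"
}

# Constructed sample of what the nonce HEAD returns (nonce value is made up).
SAMPLE_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nCache-Control: public, max-age=0, no-cache\r\nReplay-Nonce: 0001exampleNonceValueNotReal_XYZ\r\nX-Frame-Options: DENY\r\n')

# Usage: "sh nonce.sh" runs the offline parse; "sh nonce.sh --live" hits the CA.
if [ "${1:-}" = "--live" ]; then
  get_nonce
else
  printf '%s' "$SAMPLE_HEADERS" | extract_nonce
fi
```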

Your suggestion here has gotten the certbot to work. That seems viable moving forward but I’d prefer to get acme.sh working too.

I checked again with cat /tmp/tmp.Dt9V3hlIwA and the output I’m showing is all that’s in the file.

Should I try again with the updated -w flag to the proper site directory? I have another website I need to generate anyway.

/etc/letsencrypt/acme.sh --config-home '/etc/letsencrypt/config' --issue -d example.com -d www.example.com -w /var/www/example.com/htdocs -k "ec-384" --debug 2

I didn’t mean the contents of the file, but the output of acme.sh. When you copied it from your terminal, it truncated the really long lines - probably to the width of your terminal.

Sure. If you have a fixed version of acme.sh, it should a) not hang and b) issue a certificate. If (a) is still happening, we can look into the log line again.

Looks like the certificates were generated in /etc/letsencrypt/renewal/$site_ecc

The ssl.conf and /etc/letsencrypt/live/$site setup must be added from the setup tool I was using so, assuming this certificate is good, all I’ll need to do is set that up and we’re good.

Thanks!!!


Hmm. That is a Certbot directory. Maybe worth being careful that acme.sh and Certbot aren’t writing their stuff into the same place.

Though from your acme.sh command, acme.sh’s stuff should be under /etc/letsencrypt/config, which Certbot doesn’t use.