ACMEv1 question for letsencrypt-express client

Help
#1

My domain is:
crowdcontrolrecords.com

My web server is (include version):
Express 4.14.0

The operating system my web server runs on is (include version):
Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is:
Digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
letsencrypt-express 1.1.5

///////////////////////////////////////////////////

When I attempt to renew my cert via the ACMEv1 API using letsencrypt-express (https://www.npmjs.com/package/letsencrypt-express) like I always have, I don’t get a valid cert back.

I realize I am running a deprecated version of letsencrypt-express, but herein lies the problem. I am trying to find time to update all the 3rd party packages for crowdcontrolrecords.com, but it involves some rewriting. Especially around using https://www.npmjs.com/package/greenlock-express which uses a newer version of your ACME APIs.

I simply wanted a bit more time to rewrite things and it appears you guys are stopping new registrations on ACMEv1 after 10/30 according to this post: End of Life Plan for ACMEv1

Not sure if my renewal is considered a “new registration” as I’ve been using you guys for years: https://crt.sh/?q=crowdcontrolrecords.com

Any help you guys can provide would be greatly appreciated.

#2

Hi @nackulous

there are so many v2 - clients.

Use one of these, perhaps with something like certonly, so you have to use other steps to install the certificate.

I don’t think Letsencrypt will change the “End of Life” plan.

#3

To be clear, “registration” is about creating an ACME account. It has nothing to do with certificates.

It’s typical for an ACME client to register an account when you first install it on a computer, and then keep using forever after. Most ACMEv1 users are not affected by the registration brownouts, unless they’re installing obsolete ACME clients on new servers, or their client does not save its account details and constantly registers new ones.

I don’t know if letsencrypt-express saves and reuses account information. Maybe its documentation makes that clear.

Did it display or log any sort of error message about why it failed to renew your certificate?

2 Likes
#4

So strange. I got it to work finally, but I am not certain I grok how/why it suddenly worked. Apoologies in advance for the multiple posts. This form won’t allow me to post more than 20 links per post!? So I will break it up…

My cert renewal process involves two steps:

  1. Running Express with testing() function
  2. Running Express without testing()

You’re probably wondering what I am talking about. Here’s the Express code related to letsencrypt-express (on my end)…

            // var LEX = require('letsencrypt-express').testing();
            // Gets you console logs explaining what's going on as well as a fake cert. I believe you MUST do this first in order for the live one to work.
        var LEX = require('letsencrypt-express');
            // Gets you the real live cert. Use this in production.
var domain1 = {
    domains: ['www.crowdcontrolrecords.com','crowdcontrolrecords.com'],
    email: 'info@crowdcontrolrecords.com',
    agreeTos: true
};
var lex = LEX.create({
    configDir: require('os').homedir() + '/letsencrypt/etc',
    approveRegistration: function (hostname, approve) { // leave `null` to disable automatic registration
        approve(null, domain1);
    }
});
#5

Normally I run express via custom systemctl I setup. Something like this: https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units When you guys asked what’s the response, I ran the status systemctl command and was reminded that it only gives you a few lines. So I stopped the express server and ran it directly via node blahServer.js and watched the responses when I hit the website and it attempted to renew certs.

Here’s what I got with .testing() enabled…

NOW CONNECTED TO DB
[LEX] testing mode turned on
[LEX] default server: https://acme-staging.api.letsencrypt.org/directory

###################################################

Open up a browser and visit this server

at its domain name.

ENJOY!

###################################################

Note: testing certs will be installed because .testing() was called.
remove .testing() to get live certs.

[LEX] automatic registration handling turned on for testing.

[LEX] creating sniCallback {
“configDir”: “/home/nick/letsencrypt/etc”,
“debug”: true,
“webrootPath”: “/tmp/acme-challenge”,
“privkeyPath”: “/home/nick/letsencrypt/etc/live/:hostname/privkey.pem”,
“fullchainPath”: “/home/nick/letsencrypt/etc/live/:hostname/fullchain.pem”,
“certPath”: “/home/nick/letsencrypt/etc/live/:hostname/cert.pem”,
“chainPath”: “/home/nick/letsencrypt/etc/live/:hostname/chain.pem”,
“server”: “https://acme-staging.api.letsencrypt.org/directory”,
“letsencrypt”: {
“backend”: {}
}
}
Server is now listening on port 443…
[LEX] no certs loaded for ‘www.crowdcontrolrecords.com
[LE] fetch
[letsencrypt/lib/common.js] fetchFromDisk
Error: ENOENT: no such file or directory, open ‘/home/nick/letsencrypt/etc/live/www.crowdcontrolrecords.com/privkey.pem’
at Error (native)
[LEX] fetch from disk result ‘www.crowdcontrolrecords.com’:
null
[LEX] ‘www.crowdcontrolrecords.com’ is not registered, requesting approval
[LEX] ‘www.crowdcontrolrecords.com’ registration approved, attempting register
[LE] register
[NLE]: begin registration
This Let’s Encrypt / ACME server has been updated with urls that this client doesn’t understand
{ ‘key-change’: ‘https://acme-staging.api.letsencrypt.org/acme/key-change’,
meta:
{ caaIdentities: [ ‘letsencrypt.org’ ],
‘terms-of-service’: ‘https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’,
website: ‘https://letsencrypt.org/docs/staging-environment/’ },
‘new-authz’: ‘https://acme-staging.api.letsencrypt.org/acme/new-authz’,
‘new-cert’: ‘https://acme-staging.api.letsencrypt.org/acme/new-cert’,
‘new-reg’: ‘https://acme-staging.api.letsencrypt.org/acme/new-reg’,
pAn5U_Z11hs: ‘Adding random entries to the directory’,
‘revoke-cert’: ‘https://acme-staging.api.letsencrypt.org/acme/revoke-cert’ }
[le/core.js] use account
Account ‘ed812d0d50e92225ecd36b053a8b7540’ was corrupt. No big deal (I think?). Creating a new one…
[LEX] ‘www.crowdcontrolrecords.com’ register completed Error: Registration request failed: {
“type”: “urn:acme:error:unauthorized”,
“detail”: “Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See End of Life Plan for ACMEv1 for details.”,
“status”: 403
}
at handleErr (/home/nick/release/develop_671a19a/node_modules/letiny-core/lib/register-new-account.js:101:17)
at getTerms (/home/nick/release/develop_671a19a/node_modules/letiny-core/lib/register-new-account.js:28:16)
at Request._callback (/home/nick/release/develop_671a19a/node_modules/letiny-core/lib/acme-client.js:113:7)
at Request.self.callback (/home/nick/release/develop_671a19a/node_modules/request/request.js:187:22)
at emitTwo (events.js:106:13)
at Request.emit (events.js:191:7)
at Request. (/home/nick/release/develop_671a19a/node_modules/request/request.js:1044:10)
at emitOne (events.js:96:13)
at Request.emit (events.js:188:7)
at IncomingMessage. (/home/nick/release/develop_671a19a/node_modules/request/request.js:965:12)
at emitNone (events.js:91:20)
at IncomingMessage.emit (events.js:185:7)
at endReadableNT (_stream_readable.js:934:12)
at _combinedTickCallback (internal/process/next_tick.js:74:11)
at process._tickCallback (internal/process/next_tick.js:98:9) undefined
cert is NOT looking good
[LEX] certs for ‘www.crowdcontrolrecords.com’ recently failed and are still in cool down
[LEX] certs for ‘www.crowdcontrolrecords.com’ recently failed and are still in cool down

#6

It looks like it’s attempting to register my domain vs renew! Maybe that’s the issue!? At any rate, I removed the .testing() and restarted the express server directly with node blahServer.js command and got the following response…

Server is now listening on port 443…
This Let’s Encrypt / ACME server has been updated with urls that this client doesn’t understand
{ MpUf9sMizlA: ‘Adding random entries to the directory’,
‘key-change’: ‘https://acme-v01.api.letsencrypt.org/acme/key-change’,
meta:
{ caaIdentities: [ ‘letsencrypt.org’ ],
‘terms-of-service’: ‘https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf’,
website: ‘https://letsencrypt.org’ },
‘new-authz’: ‘https://acme-v01.api.letsencrypt.org/acme/new-authz’,
‘new-cert’: ‘https://acme-v01.api.letsencrypt.org/acme/new-cert’,
‘new-reg’: ‘https://acme-v01.api.letsencrypt.org/acme/new-reg’,
‘revoke-cert’: ‘https://acme-v01.api.letsencrypt.org/acme/revoke-cert’ }
GET /api/music/view-all/ 304 97.081 ms - -

//////////////////////////////////////////////////////////////////////////

I thought it wouldn’t work, but when I pointed my browser to crowdcontrolrecords.com voila! An updated cert appeared.

Very odd, but I’m very happy. Now I have months to update to greenlock-express (which uses ACMEv2 APIs) vs 8 days. LOL.

Any further info you guys can provide as to why it suddenly worked would be fantastic. I’d love to learn.

#7

It was attempting to register an account. As the link explains, account registration has been disabled on the ACMEv1 staging API.

The Let’s Encrypt staging and production environments use separate databases, including separate account databases.

I don’t know why the client was doing that. (I hope someone who knows how it works responds to this thread.) Maybe “testing” mode always registers new staging accounts. Maybe it always registers new accounts period. Maybe not.

Do you have logs from when it was failing to renew the certificate?

Let’s Encrypt has also temporarily disabled registration of production accounts sometimes – the link gives the schedule of temporary brownouts and when registrations will be permanently disabled.

Maybe the client always registers new production accounts. If so, you would have had problems during the last brownout, and will soon have problems again.

Maybe it coincidentally failed for other reasons. Your logs, if there are any, should show exactly what happened.

For that matter, do you have detailed logs from when it succeeded in renewing the certificate? They should show if it’s continually registering new accounts, at least.

1 Like
#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.