Failing to make progress with certbot and pebble

I’m running pebble 2.2.2 on Arch with config file:

{
  "pebble": {
    "listenAddress": "0.0.0.0:14000",
    "certificate": "/etc/pebble/ca.crt",
    "privateKey": "/etc/pebble/ca.key",
    "httpPort": 80,
    "tlsPort": 443,
    "managementListenAddress": "0.0.0.0:15000",
    "ocspResponderURL": ""
  }
}

and I have set up /etc/pebble/ca.{crt,key}.

On the same host, I’m running certbot like this:

TERM=dumb certbot register --email 'test@ubos.net' --agree-tos --non-interactive --server https://0.0.0.0:14000/dir --no-verify-ssl

and regardless of what e-mail address I specify, I get a:

There is an existing account; registration of a duplicate account with this command is currently unsupported.

Q1: Where/how can I find the list of current accounts known by the current pebble instance? Does pebble store data persistently on disk somewhere?

Moving on, I attempt to actually obtain a cert similarly to how I do it in production against Let's Encrypt:

TERM=dumb certbot certonly --webroot --email 'test@ubos.net' --agree-tos --no-self-upgrade --non-interactive --webroot-path '/ubos/http/wellknown' -d 'ubos-dev' --server https://0.0.0.0:14000/dir --no-verify-ssl

Pebble logs some invocations, certbot issues some insecure warnings, all fine I guess, but then fails with:

Account https://0.0.0.0:14000/my-account/1 not found.

Q2: Why is this? And how did we get from the e-mail address to my-account/1?

Finally, I discover that there is a “management interface”. Hoping that it shows me everything I need to know :) I hit it with the browser, but it 404’s.

Q3: Is there documentation somewhere on how to use that “management interface”?

and of course the primary question: how do I make this work so I can test certificate issuance against a local pebble instead of Letsencrypt?

Thanks,

Johannes.

Most likely you’ll get an answer to your questions when you ask one of the developers of Pebble on GitHub.
There also is some documentation there, but I do not know if the management interface has been documented or implemented yet. However, there are lots of warnings about Pebble being only usable for testing purposes and not being feature complete.
The answer to your first question is in the documentation on GitHub:

Lastly, Pebble will enforce its test-only usage by aggressively building in guardrails that make using it in a production setting impossible or very inconvenient. Pebble will not support non-volatile storage or persistence between executions. Pebble will also randomize keys/certificates used for issuance. Where possible Pebble will make decisions that force clients to implement ACME correctly (e.g. randomizing /directory endpoint URLs to ensure clients are not hardcoding URLs.)

No, it’s only in memory. Stopping and starting Pebble again fully resets all state.

As a consequence:

Certbot will try to use past accounts it registered with Pebble, but Pebble will of course have forgotten about it after a restart. This tends to result in unhelpful account not found errors.

When I run Pebble, I usually do it like this:

rm -rf /etc/letsencrypt/accounts/localhost:14000 && pebble

This error is not Pebble-related, but due to Certbot not supporting multiple account registrations to a single --server. The previous rm command will fix that too.

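The reply above boils down to one mechanism: Certbot caches every registered account on disk under its config directory, keyed by the ACME server's host:port, while Pebble forgets all accounts on restart, so the cached account URI (the "my-account/1" in the error) points at an account the new Pebble instance never issued. The following shell helpers, added here as an example and not code from the thread or from the Pebble or Certbot projects, derive that cache directory from the --server URL (so it also works for the poster's 0.0.0.0:14000 rather than localhost:14000), show which account URIs are currently cached, and remove them before a fresh run. Assumptions: Certbot's layout of <config-dir>/accounts/<host:port>/<directory-path>/<account-id>/regr.json, and the config directory /etc/letsencrypt used in the usage comment.

```shell
#!/bin/sh
# Added example (not from the forum thread or from the Pebble/Certbot projects).
# Assumption: Certbot keeps registered accounts under
#   <config-dir>/accounts/<host:port>/<directory-path>/<account-id>/regr.json
# keyed by the ACME server URL, and Pebble keeps all state in memory, so
# every Pebble restart invalidates whatever Certbot has cached for that URL.
set -eu

# Directory Certbot uses for accounts registered against SERVER_URL.
# Usage: certbot_account_dir CONFIG_DIR SERVER_URL
certbot_account_dir() {
    config_dir=$1
    server_url=$2
    rest=${server_url#*://}        # strip the scheme
    netloc=${rest%%/*}             # keep host:port, drop the /dir path
    printf '%s/accounts/%s\n' "$config_dir" "$netloc"
}

# Print the account URIs Certbot has cached for SERVER_URL; these are the
# "https://.../my-account/N" values that show up in the "not found" error.
# Usage: list_cached_accounts CONFIG_DIR SERVER_URL
list_cached_accounts() {
    dir=$(certbot_account_dir "$1" "$2")
    [ -d "$dir" ] || return 0
    find "$dir" -name regr.json -exec sed -n 's/.*"uri": *"\([^"]*\)".*/\1/p' {} \;
}

# Delete Certbot's cached account state for SERVER_URL so the next
# "certbot register" / "certbot certonly" registers a fresh account with
# the (freshly started, empty) Pebble instance.
# Usage: reset_certbot_accounts CONFIG_DIR SERVER_URL
reset_certbot_accounts() {
    dir=$(certbot_account_dir "$1" "$2")
    rm -rf -- "$dir"
}

# Typical use after restarting Pebble, with the server URL from the thread
# (assumed config directory /etc/letsencrypt):
#   list_cached_accounts  /etc/letsencrypt https://0.0.0.0:14000/dir
#   reset_certbot_accounts /etc/letsencrypt https://0.0.0.0:14000/dir
#   certbot register --email test@ubos.net --agree-tos --non-interactive \
#       --server https://0.0.0.0:14000/dir --no-verify-ssl
```

Run the reset every time Pebble is restarted (or wrap the Pebble start in it, as the reply does); removing only the directory for the Pebble host:port leaves any real Let's Encrypt accounts under the same config directory untouched.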

Aha! Thank you, this works.

Note: it would be nice if it were clear which error messages come from the client and which from the server.
