Tim_L
September 24, 2019, 9:49am
1
Hello,
I am having an issue which started several hours ago when either creating a new SSL or renewing an existing SSL.
I am having the same issues on several other servers all of which were good until today.
My domain is: expatinsaigon.com
My web server is (include version): nginx version: nginx/1.14.0
The operating system my web server runs on is (include version): FreeBSD 11.2-RELEASE-p8
My hosting provider, if applicable, is: N/A
I can login to a root shell on my machine: Yes
I’m using a control panel to manage my site: No
The version of my client is: getssl V2.10
I ran this command: sslconfig expatinsaigon.com
sslconfig script:
#!/usr/bin/env bash
# Generate a getssl.cfg for the given domain, then run getssl and reload nginx
DOMAIN=$1
DOCROOT="/root/.getssl/${DOMAIN}/"
CONFIGFILE="${DOCROOT}/getssl.cfg"
mkdir -p "${DOCROOT}"
(cat <<- EOF
CA="https://acme-v01.api.letsencrypt.org"
PRIVATE_KEY_ALG="rsa"
SANS="www.${DOMAIN}"
ACL=('/var/www/letsencrypt/.well-known/acme-challenge')
USE_SINGLE_ACL="true"
DOMAIN_CERT_LOCATION="/usr/local/etc/nginx/certs/${DOMAIN}.crt"
DOMAIN_KEY_LOCATION="/usr/local/etc/nginx/certs/${DOMAIN}.key"
CA_CERT_LOCATION="/usr/local/etc/nginx/certs/chain.crt"
DOMAIN_PEM_LOCATION="/usr/local/etc/nginx/certs/${DOMAIN}.pem"
EOF
) > "${CONFIGFILE}"
/root/bin/getssl "${DOMAIN}"
service nginx reload
It produced this output:
root@web01~ #sslconfig expatinsaigon.com
expatinsaigon.com : Certificate on remote domain does not match, ignoring remote certificate
creating key - /root/.getssl/expatinsaigon.com/expatinsaigon.com.key
Generating RSA private key, 4096 bit long modulus
…++
…++
e is 65537 (0x10001)
creating domain csr - /root/.getssl/expatinsaigon.com/expatinsaigon.com.csr
Registering account
getssl: Error registering account … JWS has no anti-replay nonce
Thank you in advance for your assistance!
Tim
_az
September 24, 2019, 9:51am
2
Open this line:
if [[ ${_USE_DEBUG} -eq 1 ]]; then
CURL="$CURL --trace-ascii $dp "
fi
# convert payload to url base 64
payload64="$(printf '%s' "${payload}" | urlbase64)"
debug payload64 "$payload64"
# get nonce from ACME server
nonceurl="$CA/directory"
nonce=$($CURL -I $nonceurl | grep "^Replay-Nonce:" | awk '{print $2}' | tr -d '\r\n ')
debug nonce "$nonce"
# Build header with just our public key and algorithm information
header='{"alg": "'"$jwkalg"'", "jwk": '"$jwk"'}'
# Build another header which also contains the previously received nonce and encode it as urlbase64
protected='{"alg": "'"$jwkalg"'", "jwk": '"$jwk"', "nonce": "'"${nonce}"'", "url": "'"${url}"'"}'
protected64="$(printf '%s' "${protected}" | urlbase64)"
debug protected "$protected"
change it to:
nonce=$($CURL -I $nonceurl | grep -i "^Replay-Nonce:" | awk '{print $2}' | tr -d '\r\n ')
Tim_L
September 24, 2019, 10:03am
3
Hi _az,
Thank you, here is what I am getting after making that change.
root@web01~ #sslconfig expatinsaigon.com
expatinsaigon.com : Certificate on remote domain does not match, ignoring remote certificate
Registering account
Verify each domain
Verifying expatinsaigon.com
expatinsaigon.com is already validated
Verifying www.expatinsaigon.com
www.expatinsaigon.com is already validated
Verification completed, obtaining certificate.
getssl: Sign failed:
_az
September 24, 2019, 10:07am
4
Hmm. It looks like there are a few places in getssl that are affected by this new bug.
Rather than fixing each of them, it might be easier to change line 1138 from:
CURL="curl --silent --dump-header $CURL_HEADER "
to
CURL="curl --http1.1 --silent --dump-header $CURL_HEADER "
That will revert the HTTP headers back to the old (upper-case) style, which should get you going again.
But this should be reported to the getssl project.
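The header-case problem _az describes, reproduced as an added example (not getssl's own code and not part of this thread): the original case-sensitive grep finds the nonce in an HTTP/1.1 header dump but not in an HTTP/2 one, where field names are lower-case, while the `grep -i` fix handles both. The header dumps are constructed, not real captures.

```shell
# Constructed header dumps (not real captures) in the two styles the
# ACME server may return: HTTP/1.1 with mixed-case names, HTTP/2 lower-case.
HTTP11_HEADERS=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nReplay-Nonce: AbC123xyz\r\nContent-Type: application/json\r\n')
HTTP2_HEADERS=$(printf 'HTTP/2 200\r\nserver: nginx\r\nreplay-nonce: AbC123xyz\r\ncontent-type: application/json\r\n')

# Extraction as getssl did it before the fix: case-sensitive match.
nonce_case_sensitive() {
    printf '%s\n' "$1" | grep "^Replay-Nonce:" | awk '{print $2}' | tr -d '\r\n '
}

# Fixed extraction: case-insensitive match works for both header styles.
nonce_case_insensitive() {
    printf '%s\n' "$1" | grep -i "^replay-nonce:" | awk '{print $2}' | tr -d '\r\n '
}

# Fail loudly if no nonce was found instead of building a JWS without one,
# which is what produced the "JWS has no anti-replay nonce" error above.
require_nonce() {
    nonce=$(nonce_case_insensitive "$1")
    if [ -z "$nonce" ]; then
        echo "no Replay-Nonce header in response" >&2
        return 1
    fi
    printf '%s' "$nonce"
}
```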
Tim_L
September 24, 2019, 10:17am
5
Thank you _az, that did the trick. I appreciate your assistance.
Tim
system
Closed
October 24, 2019, 10:25am
6
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.