I can't connect to let's encrypt api in linux based machines while windows machine on same network does it correctly

runeazn · August 13, 2020, 4:00pm

I ran this command:
./dehydrated --register --accept-terms

It produced this output:

Generating account key...
Registering account key with ACME server...
Certificate authority doesn't allow registrations.
I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Dehydrated
I try to connect to the Let's encrypt API, however this fails therefore the dehydrated script I run returns:

Registering account key with ACME server... Certificate authority doesn't allow registrations.

I can successfully ping acme-v02.api.letsencrypt.org
However doing trace-route appears to fail in linux based machine

See picture: Windows->freebsd jail/freenas (homenas)->raspbian (rpi4)

stevenzhu · August 13, 2020, 4:26pm

Hi,

Can you please check your dehydrated version and make sure the software is registering on ACMEv2 API? The error message might occur because they are attempting to register on now depreciated ACMEv1 API.
P.S. To learn how, look it up on Dehydrated GitHub repo.

Thanks

runeazn · August 14, 2020, 9:10am

no it is using the new api.

runeazn · August 17, 2020, 9:58pm

No one can help me with this issue?

freessltools.com · August 17, 2020, 10:09pm

I'm not really familiar with your client, but having written my own client I am familiar with the error.

This is the server refusing to create an account. The registration process should be going to https://acme-v02.api.letsencrypt.org/acme/new-acct. It looks like your client is not following the protocol (or is misinterpreting the response from the server). Can you update your client?

Not sure about the tracert failure.

_az · August 17, 2020, 10:17pm

It’s hard to say what’s happening really without having access to your environment. What dehydrated thinks is happening is that the ACME directory is not providing a registration endpoint.

What I can suggest is to run dehydrated in tracing mode:

bash -xv dehydrated --register --accept-terms 2>&1 | tee -a dehydrated.log

and then look in dehydrated.log to see what’s happening. In particular, near this logging:

+ echo '+ Registering account key with ACME server...'
+ Registering account key with ACME server...
+ FAILED=false
+ [[ 2 -eq 1 ]]
+ [[ 2 -eq 2 ]]
+ [[ -z https://acme-staging-v02.api.letsencrypt.org/acme/new-acct ]]
+ [[ false = \f\a\l\s\e ]]
+ [[ 2 -eq 1 ]]
+ [[ -n '' ]]
+ signed_request https://acme-staging-v02.api.letsencrypt.org/acme/new-acct '{"termsOfServiceAgreed": true}'

and also earlier up:

["newAccount"]  "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct"
["newNonce"]    "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce"
["newOrder"]    "https://acme-staging-v02.api.letsencrypt.org/acme/new-order"
["revokeCert"]  "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"'

runeazn · August 17, 2020, 10:35pm

I can't really make up anything, but it seems the environment variable newaccount should be okay.

["newAccount"] "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct"
["newNonce"] "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce"
["newOrder"] "https://acme-staging-v02.api.letsencrypt.org/acme/new-order"
["revokeCert"] "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
["tNLEBNA14kU"] "Adding random entries to the directory"'

at the end of the log I get this:

++ openssl dgst -sha256 -binary
++ urlbase64
++ openssl base64 -e
++ tr -d '\n\r'
++ sed -e 's:=*$::g' -e y:+/:-:
++ [[ FreeBSD = \L\i\n\u\x ]]
++ [[ FreeB = \M\I\N\G\W ]]
++ sed -E -e 's:=*$::g' -e y:+/:-_:

thumbprint=CoZvXLt_aPUo6s7SP5k1GimC-SHiIdwBvSrRoO8HxqY

[[ yes = \y\e\s ]]

echo '+ Registering account key with ACME server...'

Registering account key with ACME server...

FAILED=false

[[ 2 -eq 1 ]]

[[ 2 -eq 2 ]]

[[ -z '' ]]

echo 'Certificate authority doesn'''t allow registrations.'
Certificate authority doesn't allow registrations.

FAILED=true

[[ true = \f\a\l\s\e ]]

[[ true = \t\r\u\e ]]

which only says it failed?

_az · August 17, 2020, 10:45pm

That's useful.

That first equality is ${API} -eq 2. That checks out, it's using the ACMEv2 API.

The second check is -z "${CA_NEW_ACCOUNT}". For some reason, CA_NEW_ACCOUNT is an empty string. It's not being picked up from the directory for some reason, despite earlier it being seen:

What version of dehydrated do you have?

dehydrated --version

I see that dehydrated recently merged some new JSON parsing via json.sh, something might be wrong there.

Also, how does this part of the log look?

++ printf %s '["dTu5wOJFAmQ"]   "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
["keyChange"]   "https://acme-staging-v02.api.letsencrypt.org/acme/key-change"
["meta","caaIdentities",0]      "letsencrypt.org"
["meta","caaIdentities"]        ["letsencrypt.org"]
["meta","termsOfService"]       "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
["meta","website"]      "https://letsencrypt.org/docs/staging-environment/"
["meta"]        {"caaIdentities":["letsencrypt.org"],"termsOfService":"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf","website":"https://letsencrypt.org/docs/staging-environment/"}
["newAccount"]  "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct"
["newNonce"]    "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce"
["newOrder"]    "https://acme-staging-v02.api.letsencrypt.org/acme/new-order"
["revokeCert"]  "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"'
++ get_json_string_value newAccount
++ local filter
++++ json_path newAccount ''
++++ '[' '!' newAccount = -p ']'
++++ printf '"%s"' newAccount
+++ printf 's/.*\[%s\]\s*"\([^"]*\)"/\\1/p' '"newAccount"'
++ filter='s/.*\["newAccount"\]\s*"\([^"]*\)"/\1/p'
++ sed -n 's/.*\["newAccount"\]\s*"\([^"]*\)"/\1/p'
+ CA_NEW_ACCOUNT=https://acme-staging-v02.api.letsencrypt.org/acme/new-acct

runeazn · August 17, 2020, 10:58pm

[[ 2 -eq 2 ]]
I set API=2 in config, but putting it on auto returns same value.

INFO: Using main config file /opt/dehydrated/config

Dehydrated by Lukas Schauer
https://dehydrated.io

Dehydrated version: 0.6.6
GIT-Revision: unknown

OS: FreeBSD 11.3-RELEASE-p11
Used software:
bash: 5.0.17(0)-release
curl: 7.71.0
awk, sed, mktemp, grep, diff: BSD base system versions
openssl: OpenSSL 1.0.2s-freebsd 28 May 2019

also the last part looks like this:

++ printf %s '["keyChange"] "https://acme-staging-v02.api.letsencrypt.org/acme/key-change"
["meta","caaIdentities",0] "letsencrypt.org"
["meta","caaIdentities"] ["letsencrypt.org"]
["meta","termsOfService"] "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
["meta","website"] "Staging Environment - Let's Encrypt"
["meta"] {"caaIdentities":["letsencrypt.org"],"termsOfService":"https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf","website":"https://letsencrypt.org/docs/staging-environment/"}
["newAccount"] "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct"
["newNonce"] "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce"
["newOrder"] "https://acme-staging-v02.api.letsencrypt.org/acme/new-order"
["orL971nJOwU"] "Adding random entries to the directory"
["revokeCert"] "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"'
++ get_json_string_value newAccount
++ local filter
++++ json_path newAccount ''
++++ '[' '!' newAccount = -p ']'
++++ printf '"%s"' newAccount
+++ printf 's/.[%s]\s"([^"])"/\1/p' '"newAccount"'
++ filter='s/.["newAccount"]\s*"([^"])"/\1/p'
++ sed -n 's/.["newAccount"]\s*"([^"]*)"/\1/p'

CA_NEW_ACCOUNT=

I see the CA_ACCOUNT is empty, so the json data is incorrectly parsed?

_az · August 17, 2020, 11:05pm

Seems that way. You could revert to 0.6.4, before the new JSON parsing went in.

@lukas2511 can you see what is happening? Seems like it could be a portability problem with FreeBSD’s sed, or something.

runeazn · August 17, 2020, 11:06pm

I downgraded to 0.6.5 and it now correctly parses CA_NEW_ACCOUNT as

++ printf %s '{
"keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "Staging Environment - Let's Encrypt"
},
"newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert",
"uf4pE4Gn9mM": "Adding random entries to the directory"
}'
++ get_json_string_value newAccount
++ local filter
+++ printf 's/."%s": "([^"])"./\1/p' newAccount
++ filter='s/."newAccount": "([^"])"./\1/p'
++ sed -n 's/."newAccount": "([^"])"./\1/p'

CA_NEW_ACCOUNT=https://acme-staging-v02.api.letsencrypt.org/acme/new-acct

lukas2511 · August 18, 2020, 12:42am

mh yea, seems like a problem with freebsd sed compatibility. if somebody could debug this further that would be great, otherwise it has to wait until next week

system · September 17, 2020, 12:42am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.