I need help with acme.sh

Hello,

My domain is: test.test.fi

I ran this command: acme.sh --issue -d test.test.fi --alpn
It produced this output:

My web server is (include version): I use it only for IMAP SSL mode and Postfix

I can login to a root shell on my machine (yes or no, or I don't know): YES

I have Ubuntu 14.04 LTS and I cannot update certbot because Ubuntu is so old. So the only option that I have found is to use acme.sh. GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol

I just need three cert files to my server:

/etc/letsencrypt/live/test.test.fi/cert.pem
/etc/letsencrypt/live/test.test.fi/privkey.pem
/etc/letsencrypt/live/test.test.fi/fullchain.pem

Can anyone help me please?

This is the error message:
[Fri Aug 13 10:16:50 EEST 2021] Sleep 10 and retry.
[Fri Aug 13 10:17:02 EEST 2021] Using CA: https://acme.zerossl.com/v2/DV90
[Fri Aug 13 10:17:02 EEST 2021] Standalone alpn mode.
[Fri Aug 13 10:17:02 EEST 2021] LISTEN 0 128 :::443 :::* users:(("apache2",30876,6),("apache2",17473,6),("apache2",17470,6),("apache2",13254,6),("apache2",12988,6),("apache2",10586,6),("apache2",10553,6),("apache2",9801,6),("apache2",6493,6),("apache2",5548,6),("apache2",5306,6),("apache2",2371,6))
[Fri Aug 13 10:17:02 EEST 2021] tcp port 443 is already used by 443
[Fri Aug 13 10:17:02 EEST 2021] Please stop it first
[Fri Aug 13 10:17:02 EEST 2021] _on_before_issue.


Sounds like it wants you to stop apache to free up port 443, so that it can run its own TLS-ALPN-01 challenge listener (which needs port 443, normally used by https).

Your question doesn't relate to Let's Encrypt because acme.sh is using ZeroSSL. For acme.sh (and ZeroSSL) questions you may need to ask for help at:
GitHub - acmesh-official/acme.sh: A pure Unix shell script implementing ACME client protocol or ZeroSSL

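The port check acme.sh performs before starting its TLS-ALPN-01 listener (the LISTEN line in the output above) can be reproduced as a pre-flight step before issuing. This is an added example written for this thread, not code from acme.sh or the poster; the `ss -lntp` output it parses is a constructed sample with made-up PIDs.

```shell
#!/bin/sh
# Pre-flight check for acme.sh standalone ALPN mode (TLS-ALPN-01).
# The challenge listener must own the port the CA connects to (443 unless
# external 443 is forwarded to --tlsport), so refuse to proceed while another
# process, such as apache2 in the thread, still listens there.

# Constructed sample of `ss -lntp` output, modelled on the LISTEN line acme.sh
# printed in the thread (process names and PIDs are made up).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    :::443             :::*   users:(("apache2",30876,6),("apache2",17473,6))
LISTEN 0      100    *:993              *:*    users:(("dovecot",1234,20))
LISTEN 0      128    *:25               *:*    users:(("master",999,13))'

# listeners_on PORT  (reads ss -lntp output on stdin)
# Prints each distinct process name bound to PORT on any address; prints
# nothing when the port is free.
listeners_on() {
  awk -v p="$1" '
    $1 == "LISTEN" {
      n = split($4, addr, ":")          # port is the last field of addr:port
      if (addr[n] != p) next
      s = $0
      while (match(s, /\("[^"]+"/)) {   # each ("name",pid,fd) entry
        name = substr(s, RSTART + 2, RLENGTH - 3)
        if (!(name in seen)) { seen[name] = 1; print name }
        s = substr(s, RSTART + RLENGTH)
      }
    }'
}

# alpn_preflight PORT  (reads ss -lntp output on stdin)
# Returns 0 when PORT is free for the challenge listener, 1 otherwise.
alpn_preflight() {
  procs=$(listeners_on "$1")
  if [ -n "$procs" ]; then
    echo "port $1 is already used by: $(printf '%s' "$procs" | tr '\n' ' ')" >&2
    return 1
  fi
  return 0
}

# Live use on the host (needs iproute2's ss):  ss -lntp | alpn_preflight 443
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SS" | alpn_preflight 443 || echo "stop the listener first, then run acme.sh --alpn"
```

Because every failed authorization counts toward the Let's Encrypt rate limit that ends this thread, run this check (and preferably a trial issue with acme.sh's `--staging` flag) before each real attempt.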

Thank you. acme.sh uses ZeroSSL by default but also supports Let's Encrypt.

I changed the port with ./acme.sh --issue -d kytkin.pekant.fi --alpn --tlsport 8443 and now I just need to find out how to use the Let's Encrypt CA.


Little progress here.
Command: ./acme.sh --issue -d kytkin.pekant.fi --alpn --tlsport 8443 --server https://acme-v02.api.letsencrypt.org/directory

[Fri Aug 13 10:42:23 EEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Aug 13 10:42:23 EEST 2021] Standalone alpn mode.
[Fri Aug 13 10:42:24 EEST 2021] Create account key ok.
[Fri Aug 13 10:42:24 EEST 2021] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Fri Aug 13 10:42:25 EEST 2021] Register account Error: {
"type": "urn:ietf:params:acme:error:invalidEmail",
"detail": "Error creating new account :: invalid contact domain. Contact emails @example.com are forbidden",
"status": 400

So this says register account error. I have used acme v1 before, so why does this say a register account error? Or do I need to change something in DNS, or what?


I would expect that this is related to the account associated with kytkin.pekant.fi in its renewal configuration file (or the nonexistence of a renewal configuration file for kytkin.pekant.fi).

See if there's a file named:

/root/.acme.sh/kytkin.pekant.fi/kytkin.pekant.fi.conf


Yes, there is a file /root/.acme.sh/kytkin.pekant.fi/kytkin.pekant.fi.conf

I changed DEFAULT_CA=$CA_ZEROSSL -> DEFAULT_CA=$CA_LETSENCRYPT_V2 in acme.sh file and this is the result now.

root@kytkin ~/.acme.sh # ./acme.sh --issue -d kytkin.pekant.fi --alpn --tlsport 8443
[Fri Aug 13 11:22:59 EEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Aug 13 11:22:59 EEST 2021] Standalone alpn mode.
[Fri Aug 13 11:22:59 EEST 2021] Registering account: https://acme-v02.api.letsencrypt.org/directory
[Fri Aug 13 11:23:00 EEST 2021] Registered
[Fri Aug 13 11:23:00 EEST 2021] ACCOUNT_THUMBPRINT='buUl5iphP0-fE1rtqKA_0_YXCE6RbDoMoq6OeiycnwI'
[Fri Aug 13 11:23:00 EEST 2021] Creating domain key
[Fri Aug 13 11:23:01 EEST 2021] The domain key is here: /root/.acme.sh/kytkin.pekant.fi/kytkin.pekant.fi.key
[Fri Aug 13 11:23:01 EEST 2021] Single domain='kytkin.pekant.fi'
[Fri Aug 13 11:23:01 EEST 2021] Getting domain auth token for each domain
[Fri Aug 13 11:23:02 EEST 2021] Getting webroot for domain='kytkin.pekant.fi'
[Fri Aug 13 11:23:02 EEST 2021] Verifying: kytkin.pekant.fi
[Fri Aug 13 11:23:02 EEST 2021] Starting tls server.
[Fri Aug 13 11:23:04 EEST 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Fri Aug 13 11:23:07 EEST 2021] kytkin.pekant.fi:Verify error:Cannot negotiate ALPN protocol


Is your external port 443 (facing the internet on your public ip address) mapped to your internal port 8443 (on your private webserver)?


The reason for the email error earlier was that you likely put a dummy email address when you first installed acme.sh. This can be corrected with:

acme.sh --update-account -m realemailaddress@somewhere.com


I put a real email address. And apache is listening on port 443, there is no web address, and yes, it is a public IP.


I stopped apache and I tried the default 443 port. Now it says

[Fri Aug 13 11:45:35 EEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Aug 13 11:45:35 EEST 2021] Standalone alpn mode.
[Fri Aug 13 11:45:35 EEST 2021] Single domain='kytkin.pekant.fi'
[Fri Aug 13 11:45:35 EEST 2021] Getting domain auth token for each domain
[Fri Aug 13 11:45:37 EEST 2021] Getting webroot for domain='kytkin.pekant.fi'
[Fri Aug 13 11:45:37 EEST 2021] Verifying: kytkin.pekant.fi
[Fri Aug 13 11:45:37 EEST 2021] Starting tls server.
[Fri Aug 13 11:45:39 EEST 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Fri Aug 13 11:45:42 EEST 2021] kytkin.pekant.fi:Verify error:Connection refused


I see port 443 as closed:

https://www.yougetsignal.com/tools/open-ports/

Do you have a webserver already running on port 443?


Yes, apache is listening on that port, but it is stopped now.


Try acme.sh again now that apache is stopped.

Yes, I tried with the default 443 port and this is the result

[Fri Aug 13 11:45:35 EEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Aug 13 11:45:35 EEST 2021] Standalone alpn mode.
[Fri Aug 13 11:45:35 EEST 2021] Single domain='kytkin.pekant.fi'
[Fri Aug 13 11:45:35 EEST 2021] Getting domain auth token for each domain
[Fri Aug 13 11:45:37 EEST 2021] Getting webroot for domain='kytkin.pekant.fi'
[Fri Aug 13 11:45:37 EEST 2021] Verifying: kytkin.pekant.fi
[Fri Aug 13 11:45:37 EEST 2021] Starting tls server.
[Fri Aug 13 11:45:39 EEST 2021] Pending, The CA is processing your order, please just wait. (1/30)
[Fri Aug 13 11:45:42 EEST 2021] kytkin.pekant.fi:Verify error:Connection refused


Did you remove this from your command:

--tlsport 8443


Yes I removed it


Re-enable apache and let me know once you do. I want to test something.


Now it is started


Alright. Looks good. Stop apache again then run this:

./acme.sh --issue -d kytkin.pekant.fi --alpn --server https://acme-v02.api.letsencrypt.org/directory


root@kytkin ~/.acme.sh # ./acme.sh --issue -d kytkin.pekant.fi --alpn --server https://acme-v02.api.letsencrypt.org/directory
[Fri Aug 13 12:03:16 EEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Fri Aug 13 12:03:16 EEST 2021] Standalone alpn mode.
[Fri Aug 13 12:03:16 EEST 2021] Single domain='kytkin.pekant.fi'
[Fri Aug 13 12:03:16 EEST 2021] Getting domain auth token for each domain
[Fri Aug 13 12:03:17 EEST 2021] Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt",
"status": 429
