Let’s Encrypt is not renewing with bacme client

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
dance.createchhk.com

I ran this command:
./bacme -w root@createchhk.com:/var/www/dance.createchhk.com/web/ dance.createchhk.com

It produced this output:
/bacme: line 340: .well-known/acme-challenge/HTTP/1.1 100 ContinueHTTP/1.1 200 OKServer: nginxDate: Sat, 15 Jun 2024 00:26:57 GMTContent-Type: application/jsonContent-Length: 804Connection: keep-aliveBoulder-Requester: 1782933217Cache-Control: public, max-age=0, no-cacheLink: https://acme-v02.api.letsencrypt.org/directory;rel="index"Replay-Nonce: 5yfKMBJJRWMQtuIaXvIoCdj5qq-tgl6cTd4JYxGjSxgguCY7dSsX-Frame-Options: DENYStrict-Transport-Security: max-age=604800{ "identifier": { "type": "dns", "value": "dance.createchhk.com" }, "status": "pending", "expires": "2024-06-22T00:26:55Z", "challenges": [ { "type": "http-01", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/364055945807/yG60Eg", "status": "pending", "token": "mq_7MyK91NVe3IvUr7Y7cg-ng0y6BYkDSogb4jVRtRY" }, { "type": "dns-01", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/364055945807/LrV5sA", "status": "pending", "token": "mq_7MyK91NVe3IvUr7Y7cg-ng0y6BYkDSogb4jVRtRY" }, { "type": "tls-alpn-01", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/364055945807/svctFw", "status": "pending", "token": "mq_7MyK91NVe3IvUr7Y7cg-ng0y6BYkDSogb4jVRtRY" } ]}: No such file or directory

My web server is (include version):
Apache

The operating system my web server runs on is (include version):
Fedora

My hosting provider, if applicable, is:
NA

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

(1) Note: I have used this ACME client for years and it has worked (the last time it worked was June 11, just 4 days ago), but suddenly it does not work. By the way, I believe the issue is not related to the OS or Apache version, because I tried it on the latest version of Alma Linux and it does not work there either.

(2) line 340 (as in the error message) contains the line:

echo "${KEYAUTHS[$i]}" > ".well-known/acme-challenge/${CHALLENGE_TOKENS[$i]}"

From the logs, your client didn't ask the server to start any of those 3 types of challenge, because your client crashed while writing the challenge file.

4 Likes

Thanks for your prompt response. I just changed to getssl (GitHub - srvrco/getssl: obtain free SSL certificates from letsencrypt ACME server Suitable for automating the process on remote servers.) and it works! (Strange that bacme suddenly fails... I think I need to notify the developer of bacme ASAP.)

3 Likes

You may have gotten a cert but your Apache version 2.2.15 is not using it.

It sends out a leaf cert from Jun 7 and a GlobalSign root cert. It shouldn't be sending that root cert at all.

And the leaf it sends for your dance subdomain is for your base domain and the www subdomain.

Seems like your Apache cert config needs review. And, 2.2 is really very old. Has been end-of-life for about 7 years.
https://www.ssllabs.com/ssltest/analyze.html?d=dance.createchhk.com&hideResults=on&ignoreMismatch=on&latest

4 Likes

Out of interest, why not use Certbot or acme.sh like everyone else using Apache on Linux does?

3 Likes

Yes, this is a rather old server; we are in the process of discussing an upgrade with the client to Alma Linux with the latest version of Apache and PHP 8.

Yes, the old bacme was installed by another network engineer; yes, we are also testing acme.sh.

bacme stopped working because it does not parse JSON. Most ACME protocol exchanges are JSON-encoded messages. bacme does not parse those but tries to extract the tidbits it needs using sed. For this, bacme expects the JSON keys to be in a specific order. It fails if the JSON keys are in the wrong order. So currently bacme can succeed, but also fail.

I imagine Let's Encrypt started recently, or some time ago, to add random keys into the JSON or to change the key order randomly, to force clients to actually use proper JSON parsing instead of "cheating" like bacme does.

As such, improperly written clients that do not strictly adhere to standards are bound to fail.

1 Like
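The failure mode described in the post above, as an added example that is not bacme's code and not the poster's: it replays the fixed-order sed expression from bacme against an authorization object in the two member orders this thread mentions (the order the expression hard-codes, and the order visible in the error output), then does the same job by parsing the JSON. The URL and token values are copied from the error output earlier in the thread; the two orderings and the surrounding object are constructed, and the token check before the file path is built is an extra safeguard the example adds (RFC 8555 section 8.3 restricts tokens to the base64url alphabet).

```python
"""Added example (not bacme's code): a fixed-order regex vs. a JSON parse
when pulling the http-01 challenge out of an ACME authorization object."""
import json
import re

# Taken from the authorization object in the thread's error output.
URL = "https://acme-v02.api.letsencrypt.org/acme/chall-v3/364055945807/yG60Eg"
TOKEN = "mq_7MyK91NVe3IvUr7Y7cg-ng0y6BYkDSogb4jVRtRY"


def _authz(challenge):
    # Constructed authorization object; only the http-01 entry varies.
    return {
        "identifier": {"type": "dns", "value": "dance.createchhk.com"},
        "status": "pending",
        "expires": "2024-06-22T00:26:55Z",
        "challenges": [challenge],
    }


# json.dumps keeps dict insertion order and emits '", "' / '": "' separators,
# i.e. the same flattened form bacme's sed expression is written against.
# Member order the old bacme regex hard-codes: type, status, url, token.
AUTHZ_OLD_ORDER = json.dumps(_authz(
    {"type": "http-01", "status": "pending", "url": URL, "token": TOKEN}))
# Member order seen in the thread's error output: type, url, status, token.
AUTHZ_NEW_ORDER = json.dumps(_authz(
    {"type": "http-01", "url": URL, "status": "pending", "token": TOKEN}))

# The sed expression bacme used, one capture group per field.
_OLD_SED = re.compile(
    r'^.*"type": "http-01", "status": "pending", '
    r'"url": "([^"]*)", "token": "([^"]*)".*$')


def sed_style_extract(flat_response):
    """Mimic bacme's sed extraction. sed's s/// leaves a non-matching line
    untouched, so on a miss each field silently becomes the whole response,
    which is why the thread's error shows an entire HTTP reply as the
    challenge file name."""
    m = _OLD_SED.match(flat_response)
    if m:
        return m.group(1), m.group(2)
    return flat_response, flat_response


def http01_challenge(authz_json):
    """Parse the JSON and pick the http-01 challenge by its 'type' value;
    member order inside each object is irrelevant (RFC 8259)."""
    authz = json.loads(authz_json)
    for ch in authz.get("challenges", []):
        if ch.get("type") == "http-01":
            return ch["url"], ch["token"]
    raise LookupError("server offered no http-01 challenge")


# RFC 8555 s8.3: tokens use the base64url alphabet without '=' padding.
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def challenge_file_path(token):
    """Refuse anything that is not a valid token before it is joined into a
    filesystem path, so a misparsed value (or a hostile one) cannot turn
    into '../' or an absolute path."""
    if not _TOKEN_RE.match(token):
        raise ValueError("challenge token is not base64url: %r" % token[:40])
    return ".well-known/acme-challenge/" + token


def rejects_token(token):
    """True when challenge_file_path refuses the token."""
    try:
        challenge_file_path(token)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for label, doc in (("old order", AUTHZ_OLD_ORDER),
                       ("new order", AUTHZ_NEW_ORDER)):
        _, tok = sed_style_extract(doc)
        print(label, "sed:", "ok" if tok == TOKEN else "MISS (token = whole response)")
        print(label, "json:", challenge_file_path(http01_challenge(doc)[1]))
```

Run stand-alone it prints a hit for the old ordering and a miss for the new one from the sed path, and the same correct challenge file path from the JSON path in both cases.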

Some 7 years ago:

3 Likes

It should be something more recent, since it worked until now. It started failing earlier for the staging side of things. It could also be unintentional. The order of keys in objects is not guaranteed, after all.

No matter - there are plenty of clients to choose from.

I used bacme because it was nice and short (500 lines of code, vs. acme.sh at 8000+ lines, vs. certbot plus its Python dependencies, vs. lego's whopping 100MB binary).

All I want is download a certificate using the very simplest method and not care about anything else. Unfortunately it is not quite so simple.

1 Like

If anyone depends on bacme and needs a quick fix:

the culprit is here: bacme · 86a434774a535f473fd71549c42fbbad1460f2c9 · Stephan Uhlmann / bacme · GitLab

Patch like:

-	CHALLENGE_URLS[$i]="$(echo "${RESPONSE}" | flatstring | sed 's/^.*"type": "http-01", "status": "pending", "url": "\([^"]*\)", "token": "\([^"]*\)".*$/\1/')"
+	CHALLENGE_URLS[$i]="$(echo "${RESPONSE}" | flatstring   | grep -Po '[^{]*"http-01"[^}]*' | sed 's/^.*"url": *"\([^"]*\)".*$/\1/')"
-	CHALLENGE_TOKENS[$i]="$(echo "${RESPONSE}" | flatstring | sed 's/^.*"type": "http-01", "status": "pending", "url": "\([^"]*\)", "token": "\([^"]*\)".*$/\2/')"
+	CHALLENGE_TOKENS[$i]="$(echo "${RESPONSE}" | flatstring | grep -Po '[^{]*"http-01"[^}]*' | sed 's/^.*"token": *"\([^"]*\)".*$/\1/')"
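Review bot: neither replacement line checks that the extraction actually produced something, so a grep miss (no object containing "http-01" in the response, or `flatstring` leaving a newline inside the object) yields an empty string and a sed miss yields the whole extracted object, and the script carries on with that value just as it did before the patch. Guard the result before it is used, e.g. `[ -n "${CHALLENGE_URLS[$i]}" ] || { echo "no http-01 challenge in authorization" >&2; exit 1; }`. Two smaller points: `grep -P` requires a GNU grep built with PCRE, which BSD/macOS and busybox greps do not provide, and the old expression also matched on `"status": "pending"`, which the new one drops, so a challenge already in another state would now be selected silently.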

However, this is a "dirty" method and you should really look into migrating to another client that does JSON and not sed.

3 Likes

Thanks!
Created a PR on a mirror repo; hope Stephan will come around soon. I guess his own site is going to drop dead because of the same problem soon, since its cert is signed by Let's Encrypt, too. : )
Oh, but it will be valid until July 21st. : D

1 Like