myVesta / HestiaCP / VestaCP: fail issuance with async finalization

myVesta, HestiaCP and VestaCP hosting panels are also failing issuance

3 Likes

Hi @myvesta, thanks for the report! I've split this post into its own thread, because it looks to me like the Vesta ecosystem doesn't rely on Plesk, but instead has its own ACME client.

In between finalize and downloading the issued certificate, that client needs to poll the order URL (with exponential backoff, please!) until the "certificate" field appears in the Order object. This will be similar to the polling that already happens for authorizations.

Making that change will allow the Vesta client to work with asynchronous finalization, to be compliant with RFC 8555, and to potentially work with ACME Servers other than Let's Encrypt in the future. Thanks!

5 Likes
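The polling loop described in the post above, as an added example that is not part of the original thread and is not the Vesta or Hestia client code. It assumes a caller-supplied, hypothetical `fetch_order` function that performs the signed POST-as-GET and returns the order plus any Retry-After value; the `acme.example` URLs and responses are constructed.

```python
import time

class OrderFailed(Exception):
    """The ACME server reported that the order cannot be issued."""

def poll_order(fetch_order, order_url, *, base_delay=1.0, max_delay=60.0,
               timeout=300.0, sleep=time.sleep, clock=time.monotonic):
    """Poll an RFC 8555 order after finalize until "certificate" appears.

    fetch_order(order_url) is hypothetical: it must return
    (order_dict, retry_after_seconds_or_None) for one POST-as-GET.
    """
    deadline = clock() + timeout
    delay = base_delay
    while True:
        order, retry_after = fetch_order(order_url)
        status = order.get("status")
        if status == "valid" and "certificate" in order:
            return order["certificate"]      # URL to download the chain from
        if status == "invalid":
            raise OrderFailed(order.get("error", "order became invalid"))
        if status not in ("processing", "valid"):
            raise OrderFailed(f"unexpected status after finalize: {status!r}")
        # Wait at least as long as the server asks, otherwise use our backoff.
        wait = max(delay, retry_after or 0)
        if clock() + wait > deadline:
            raise TimeoutError(f"order not issued within {timeout}s")
        sleep(wait)
        delay = min(delay * 2, max_delay)    # exponential backoff, capped

def demo():
    # Constructed server behaviour: two "processing" polls, then issuance.
    responses = iter([
        ({"status": "processing"}, None),
        ({"status": "processing"}, 3),       # server sent Retry-After: 3
        ({"status": "valid",
          "certificate": "https://acme.example/cert/abc"}, None),
    ])
    waits = []                               # record sleeps instead of sleeping
    url = poll_order(lambda u: next(responses),
                     "https://acme.example/order/1",
                     sleep=waits.append, clock=lambda: 0.0)
    return url, waits

if __name__ == "__main__":
    print(demo())
```

A client that downloads immediately after finalize only works when the first response already has status "valid"; the loop covers the case where the server answers "processing" first.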

(And if I could ask Vesta to add a user-agent header to all ACME requests, that would be really awesome, too.)

5 Likes

I've filed a bug against the Vesta project here: Vesta ACME client: support asynchronous finalization · Issue #2278 · serghey-rodin/vesta · GitHub

I hope the Vesta client is able to be updated! Let me know if you need any questions answered or any other tips on supporting asynchronous finalization.

5 Likes

Can confirm the bug as well on HestiaCP.

The following PR seems to solve the issue for "HestiaCP"

3 Likes

We've disabled the brownout early because of problems like this

3 Likes

@aarongable Hello!
And what about ACME clients such as dehydrated, will it be broken soon?
Sorry for the off-topic, but there has been no update for that client for a long time.

If it doesn't support the new "polling" system, yes, it will break.

Dehydrated has worked properly for 3 years, so the problem is only with people using very old copies of it.

5 Likes

Both MyVestaCP and HestiaCP have been patched, together with the user agent changes @aarongable made.

As I can't patch VestaCP Fix: Changes in Certificate request Lets Encrypt by jaapmarcus · Pull Request #157 · myvesta/vesta · GitHub should help the

@aarongable Thank you for providing the needed information :slight_smile:

3 Likes

We are confirming the fix for myVesta - Fix: Changes in Certificate request Lets Encrypt by jaapmarcus · Pull Request #157 · myvesta/vesta · GitHub
We released a new version of myVesta with that fix.
Thanks to HestiaCP for helping us with the fix :heart:

Also, thank you @aarongable for the information :slightly_smiling_face:

6 Likes
