[solved] Some errors during certificate generation


#1

Please fill out the fields below so we can help you better.

My domain is: stylida.clicproxy.me

I ran this command: ./getssl stylida.clicproxy.me

It produced this output (the first time) :

$ ./getssl stylida.clicproxy.me
no certificate obtained from host
creating account key /home/david/.getssl/account.key
creating domain key - /home/david/.getssl/account.key
Generating RSA private key, 4096 bit long modulus
.........................................................................++
................................................................................++
e is 65537 (0x10001)
creating domain key - /home/david/.getssl/stylida.clicproxy.me/stylida.clicproxy.me.key
Generating RSA private key, 4096 bit long modulus
............................................................................................................++
..................................................++
e is 65537 (0x10001)
creating domain csr - /home/david/.getssl/stylida.clicproxy.me/stylida.clicproxy.me.csr
Registering account
error on acme server - trying again ....
getssl: Error registering account ... JWS has invalid anti-replay nonce SoiBpWx88yDd0UVImgKPSa5TNlLpTlaI0xPHsi0MFCo

It produced this output (the 2nd time, I’ve deleted the .getssl folder and started from the beginning again):

 $ ./getssl stylida.clicproxy.me
no certificate obtained from host
creating account key /home/david/.getssl/account.key
creating domain key - /home/david/.getssl/account.key
Generating RSA private key, 4096 bit long modulus
......................................................................................++
...............++
e is 65537 (0x10001)
creating domain key - /home/david/.getssl/stylida.clicproxy.me/stylida.clicproxy.me.key
Generating RSA private key, 4096 bit long modulus
......++
........................................................++
e is 65537 (0x10001)
creating domain csr - /home/david/.getssl/stylida.clicproxy.me/stylida.clicproxy.me.csr
Registering account
error on acme server - trying again ....
Registered
Verify each domain
Verifing stylida.clicproxy.me
error on acme server - trying again ....
getssl: new-authz error: {
  "type": "urn:acme:error:unauthorized",
  "detail": "Must agree to subscriber agreement before any further actions",
  "status": 403
}

Here’s the config file :

$ grep -v '#' ~/.getssl/getssl.cfg |grep -v ^$
CA="https://acme-v01.api.letsencrypt.org"
ACCOUNT_EMAIL="stylida@clicproxy.com"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/home/david/.getssl/account.key"
PRIVATE_KEY_ALG="rsa"
RENEW_ALLOW="30"
SERVER_TYPE="https"
CHECK_REMOTE="true"
SSLCONF="/usr/lib/ssl/openssl.cnf"

$ grep -v '#' ~/.getssl/stylida.clicproxy.me/getssl.cfg |grep -v ^$
CA="https://acme-v01.api.letsencrypt.org"
ACCOUNT_EMAIL="stylida@clicproxy.com"
ACL=('/home/david/public_html/stylida.clicproxy.me/.well-known/acme-challenge')
RENEW_ALLOW="30"

My operating system is (include version):

$ cat /etc/lsb-release 
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS"

My web server is (include version): apache2 (2.4.18-2ubuntu3.1)

My hosting provider, if applicable, is: Gandi

So I’ve encountered those errors during generation, so I do not know if the cert/key files are valid.
Or if it was just a letsencrypt service which was in timeout/unavailable at this moment.

Thanks for your support,
David
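
An offline check for the question raised in the post above, added here as an example that is not part of the original thread or of getssl: the logs show the domain key and CSR being written before the failing registration step, so they can be checked locally. It assumes RSA keys (as in `PRIVATE_KEY_ALG="rsa"`) and the `openssl` CLI; the function name `check_key_and_csr` is hypothetical.

```shell
#!/bin/sh
# Added example: verify that a locally generated RSA key and CSR are intact
# and belong together. Nothing here contacts the ACME server.
# Return codes: 0 ok, 1 bad key, 2 bad CSR signature, 3 key/CSR mismatch.

check_key_and_csr() {
    key=$1
    csr=$2

    # 1. The private key must parse and pass OpenSSL's consistency check.
    #    Match on the message, since exit codes differ between versions.
    openssl rsa -in "$key" -check -noout 2>&1 | grep -q "RSA key ok" || {
        echo "private key is missing, truncated or inconsistent: $key"
        return 1
    }

    # 2. The CSR must carry a valid self-signature.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || {
        echo "CSR is missing, truncated or has a bad signature: $csr"
        return 2
    }

    # 3. The public key inside the CSR must be the one derived from the key.
    key_pub=$(openssl rsa -in "$key" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256)
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null |
        openssl rsa -pubin -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256)
    [ "$key_pub" = "$csr_pub" ] || {
        echo "CSR was not generated from this private key"
        return 3
    }

    echo "key and CSR are valid and match"
}

# Stand-alone use: ./check.sh path/to/domain.key path/to/domain.csr
if [ "$#" -eq 2 ]; then
    check_key_and_csr "$1" "$2"
fi
```
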


#2

This is probably due to the issue at letsencrypt - please see the status page - https://letsencrypt.status.io/

Incident Status Partial Service Disruption : acme-v01.api.letsencrypt.org (Production)
October 31, 2016 5:44AM UTC[Investigating] We are looking into a problem causing some users to experience errors when attempting to issue a certificate.


#3

To test, can you change the CA temporarily to the “test” server

CA="https://acme-staging.api.letsencrypt.org"

in the getssl.cfg file.


#4

The Let’s Encrypt incident is closed and the certification generation works fine.
Thanks for your support.

Have a nice day,
David

