Test certificate registration does not work at https://acme-staging-v02.api.letsencrypt.org/directory 405 Method not allowed

My domain is: ilya.cf

I run this command: h=ilya.cf && e=postmaster@$h && c=/tmp/certs-$h && mkdir -pm0700 $c && openssl ecparam -genkey -name prime256v1 -noout -out $c/$h.key && chmod 0600 $c/$h.key && openssl req -new -key $c/$h.key -out $c/$h.csr -subj "/CN=$h/emailAddress=$e" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:$h,DNS:*.$h")) && le -s $c/$h.csr --dns --test > $c/$h.crt

It produced this output:

Details:
HTTP/2 405
server: nginx
date: Wed, 24 Aug 2022 08:21:55 GMT
content-type: application/problem+json
content-length: 103
cache-control: public, max-age=0, no-cache
link: https://acme-staging-v02.api.letsencrypt.org/directory;rel="index"

{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Method not allowed",
"status": 405
}

"le" is my fork of dehydrated 0.6.5, the differences and changes are not significant.

Without the --test parameter, I sign the certificate perfectly using the dns-01 method.
The --test parameter switches the URL from CA to CA_TEST and does nothing else!

CA="https://acme-v02.api.letsencrypt.org/directory"
CA_TEST="https://acme-staging-v02.api.letsencrypt.org/directory"

This used to work fine and I was registering both test certificates and valid certificates.

Now I can only register valid ones, and when I try to register a test certificate I get a message with a 405 response code. Why?

What is le exactly? Mayhaps it's out of date.

Edit: should've read your post more closely…

dehydrated 0.6.5 was released almost 3 years ago, pretty sure there have been some api changes since then. Though I don't think there were any breaking changes in the last three months or so.

2 Likes

Please read it again carefully.
This unofficial, outdated script, modified by me, works fine with the URL https://acme-v02.api.letsencrypt.org/directory and gives an error with the URL https://acme-staging-v02.api.letsencrypt.org/directory
At the same time, at least a year ago, the same script worked fine with both URLs.

If you need, I can attach the script code.

Normally that request is a POST. The message indicates a GET was used and received a 405 Method Not Allowed error.

The production system (for now) is more tolerant of these. But, the LE script you use should be updated for current protocol.

See this similar thread. It starts as a DNS issue but also has the same GET / POST issue.

4 Likes

Thank you, now I see what's going on.

curl -X GET https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3428731844
{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}
curl -X POST https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3428731844
{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "missing Content-Length header",
  "status": 411
}

Can you tell me how I need to modify the query by separating the URL from the data and what are the data names?

curl -X POST -d '?=acme&?=authz-v3&?=3428731844' POST https://acme-staging-v02.api.letsencrypt.org

General programming advice is found in many places on the internet. StackOverflow is good or even the curl manual.

My suggestion is to spend effort converting to an ACME client that is well supported. Something like certbot or acme.sh or another from this list by Let's Encrypt.

4 Likes
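
As an added example that is not part of the thread: RFC 8555 section 6.3 has clients fetch resources such as the authorization URL above with "POST-as-GET", a JWS signed by the account key whose payload is the empty string, sent as application/jose+json. The sketch assumes an RSA account key (RS256); the account URL (kid) and the nonce are constructed placeholders, and the request is printed rather than sent.

```bash
#!/usr/bin/env bash
# Added example: RFC 8555 section 6.3 "POST-as-GET" body for an ACME resource.
# Assumptions: RSA account key (RS256); kid and nonce are constructed placeholders.

# base64url without padding, as JWS requires (RFC 7515).
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '=\n'; }

# post_as_get_body KEYFILE KID NONCE URL  -> prints the JWS JSON body
post_as_get_body() {
  local key=$1 kid=$2 nonce=$3 url=$4 protected signature
  # The protected header binds the request to the account (kid), a fresh
  # nonce (replay protection) and the exact URL being fetched.
  protected=$(printf '{"alg":"RS256","kid":"%s","nonce":"%s","url":"%s"}' \
    "$kid" "$nonce" "$url" | b64url)
  # POST-as-GET: the payload is the empty string, so the signing input is
  # "<protected>." with nothing after the dot.
  signature=$(printf '%s.' "$protected" | openssl dgst -sha256 -sign "$key" | b64url)
  printf '{"protected":"%s","payload":"","signature":"%s"}' "$protected" "$signature"
}

demo() {
  local dir body url
  url="https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/3428731844"
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/account.key" 2048 2>/dev/null   # throwaway key
  # A real client takes the nonce from the Replay-Nonce header of the
  # server's previous response and the kid from its account registration.
  body=$(post_as_get_body "$dir/account.key" \
    "https://acme-staging-v02.api.letsencrypt.org/acme/acct/0" \
    "constructed-nonce" "$url")
  # Print (do not send) the request a client would make.
  printf "curl -s -H 'Content-Type: application/jose+json' -d '%s' %s\n" "$body" "$url"
  rm -rf "$dir"
}
demo
```

The URL goes in the protected header and on the curl command line, not in the POST data; the data is only the three-member JWS object.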
