Update your client software to continue using Let's Encrypt - nodejs10.x

sagar89jadhav · May 12, 2021, 7:13am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: rcm.dev.actimize.travelex.net, rcm.sit.actimize.travelex.net, rcm.uat.actimize.travelex.net, rcm.preprod.actimize.travelex.net and rcm.production.actimize.travelex.net

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): Running AWS lambda function running on nodejs10.x

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Using code from "GitHub - ocelotconsulting/node-acme-lambda: Use AWS Lambda to manage SSL certificates for ACME providers like Let's Encrypt.".

Below is the config.js configutaion which am using -->

const defaultCertInfo = {
{% for cert in letsencrypt_certs %}
"{{cert}}": [{"name": "{{cert}}", "zoneLevels": 3}]
{% if not loop.last %},{% endif %}
{% endfor %}
}

module.exports = {
's3-account-bucket': process.env.S3_ACCOUNT_BUCKET || '{{letsencrypt_bucket_stack.stack_outputs.LEBucketName}}',
's3-cert-bucket': process.env.S3_CERT_BUCKET || '{{letsencrypt_bucket_stack.stack_outputs.LEBucketName}}',
's3-folder': process.env.S3_CERT_FOLDER || 'acme',
'certificate-info': process.env.S3_CERT_INFO ? JSON.parse(process.env.S3_CERT_INFO) : defaultCertInfo,
'acme-dns-retry': 30,
'acme-dns-retry-delay-ms': 2000,
'acme-account-file': process.env.ACME_ACCOUNT_FILE || 'acme-account',
'acme-account-email': process.env.ACME_ACCOUNT_EMAIL || '{{letsencrypt_email}}',
'acme-account-key-bits': 4096,
'acme-directory-url': 'https://acme-v02.api.letsencrypt.org',
'region': process.env.AWS_REGION || 'eu-west-1'
}

As the acme api url is pointing to "v02" but I am still getting notifications to update client software to use ACMEv2. How do I check if my client software is using V1 or V2?

Thanks.

JuergenAuer · May 12, 2021, 8:43am

Hi @sagar89jadhav

I don't use that ACME-client.

Check, if you can find the string "v01". May be you have an old config file.

webprofusion · May 12, 2021, 12:31pm

The github code specifically mentions acme v1, so I think you need to find something else to get your certificates.

sagar89jadhav · May 12, 2021, 12:37pm

Hi @JuergenAuer/@webprofusion ,

Thanks for the feedback. Yes, I did check the lambda function which is referring the old code having "config.js" file containing 'https://acme-v01.api.letsencrypt.org' url.

And I have customized "config.js" to use 'acme-directory-url': 'https://acme-v02.api.letsencrypt.org' however, for some reason the updated code is not getting reflected in lambda function. I think referring acme-v02 url should solve the problem. I need to fix this.

By the way do you have any other suggestion to use another nodeJs client software in future?
Thanks.

JuergenAuer · May 12, 2021, 12:40pm

Reading the answer of @webprofusion I don't think that will work.

That tool is 3 years old.

There were later changes (GET -> POST), so I don't think ACME-v2 will work.

petercooperjr · May 12, 2021, 12:57pm

Yeah, that project doesn't look like it's been updated in several years; though its README in Github does mention that you should be able to point acme-directory-url to the v2 API. But if it's not working, you may need to find another option.

A lot of interest in renewing Let's Encrypt certificates through Lambda died out when AWS Certificate Manager started offering free Amazon-issued certificates. Though of course, those are only useful from within AWS services (CloudFront et al.) and can't really be used on your own servers directly (though they do now have an interesting "enclave" system that lets you access the cert through PKCS11 from within an EC2 instance).

When I was trying to do something similar of getting Let's Encrypt certificates from Lambda, I ended up writing my own function using the ACME.js library. Feel free to look through what I did and use it as inspiration for your own implementation.

sagar89jadhav · May 14, 2021, 8:27am

Thanks @petercooperjr for sharing the detail. It will definitely help me to write some other function. I will first try to fix the existing code to use ACMEV02 url and see if new certs can be issued.

system · June 13, 2021, 8:28am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.