ZeroSSL portable 0.30 how to accept ToS

My domain is:
example.com

I ran this command:
le64.exe

My web server is (include version):
Apache 2.4

The operating system my web server runs on is (include version):
Windows Server 2016

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I followed the directions from here: https://zerossl.com/usage.html

Not sure if this is more of a ZeroSSL thing or an ACMEv2 thing, but I’m trying out ZeroSSL’s portable win64 client to generate a wildcard cert (v 0.30) and it keeps failing at ‘must agree to terms of service’. I can find no standard command to agree unattended, and there’s no popup or prompt. What am I missing?

This is an initial registration, so I’m including an email addr. Intent is to have ECC keys generated. All files (except the cert) generate fine. The following is the latest example (redacted):

le64.exe -key account.key -email "address@domain.com" -csr star.domain.com.csr -csr-key star.domain.com.key -crt star.domain.com.crt -domains "*.domain.com" -generate-missing -handle-as dns -api 2 -curve default -live

2018/03/16 11:26:23 [ ZeroSSL Crypt::LE client v0.30 started. ]
2018/03/16 11:26:23 Loading an account key from account.key
2018/03/16 11:26:23 Loading a CSR from star.domain.com.csr
2018/03/16 11:26:26 Registering the account key
2018/03/16 11:26:26 must agree to terms of service

Hello @lordcochise,

This is likely to happen only when a new account key gets created and only against the API v2. This is going to be fixed in version 0.31, which is already being tested and should be released either later today or tomorrow. Meanwhile, re-running the client might make that issue go away.

3 Likes

Use the above command but just change -api 2 to -api 1

le64.exe -key account.key -email "address@domain.com" -csr star.domain.com.csr -csr-key star.domain.com.key -crt star.domain.com.crt -domains "*.domain.com" -generate-missing -handle-as dns -api 1 -curve default -live

It will fail because api 1 doesn't support wildcards, but it will register your account and agree to the terms. Now just change -api 1 to -api 2 and try again:

le64.exe -key account.key -email "address@domain.com" -csr star.domain.com.csr -csr-key star.domain.com.key -crt star.domain.com.crt -domains "*.domain.com" -generate-missing -handle-as dns -api 2 -curve default -live

@leader, could you please take a look? It seems that using -api 2 doesn't agree to the terms of service.

Cheers,
sahsanu

2 Likes

I didn’t see your post before writing mine :wink:

1 Like

Thanks for your response - I went ahead and generated an account using ACME V1 for a different domain we own, and it allowed the key to be registered. Then I tried the above command again: key already registered, and it seems to go through with the *.domain.com request now. :smiley:

2 Likes

Great workaround suggested with flipping api to 1 and back btw :slight_smile: This should be fixed shortly. Previously in v1 new-reg would have successfully created an account without the terms agreed and then the next call would be to actually agree to TOS. In v2 newAccount errors back though if TOS is not accepted within that call, which basically makes agreeing to TOS as a separate step obsolete. Not entirely sure if that approach is better, but perhaps it allows avoiding having too many "incomplete" accounts...

3 Likes
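The v1/v2 difference described in the post above, as an added example that is not part of the original thread and is not Crypt::LE code: a toy in-memory CA (no network, no request signing) showing why a v2 `newAccount` without `termsOfServiceAgreed` is refused and why the v1-then-v2 workaround succeeds. `MockCA`, its status codes, the key ids and the `ca.example` URL are assumptions, as is the CA sharing accounts between both API versions.

```python
# Toy model of the account/ToS rules described in this thread (no network, no JWS).
TOS_URL = "https://ca.example/terms"        # constructed placeholder
CONTACT = ["mailto:admin@example.com"]      # constructed placeholder

class MockCA:
    """Hypothetical in-memory CA; status codes are illustrative."""
    def __init__(self):
        self.accounts = {}                  # account key id -> agreed (bool)

    def v1_new_reg(self, key_id, payload):
        # v1: the account is created even if no agreement is sent.
        self.accounts[key_id] = payload.get("agreement") == TOS_URL
        return 201, {"terms-of-service": TOS_URL}

    def v1_update_reg(self, key_id, payload):
        # v1: a second call on the registration records the agreement.
        if payload.get("agreement") == TOS_URL:
            self.accounts[key_id] = True
        return 202, {"agreed": self.accounts[key_id]}

    def v2_new_account(self, key_id, payload):
        # v2: a key that is already registered gets its account back
        # (simplification: the mock does not re-check the stored agreement).
        if key_id in self.accounts:
            return 200, {"status": "valid"}
        # v2: a new account is refused unless this same request agrees.
        if payload.get("termsOfServiceAgreed") is not True:
            return 400, {"detail": "must agree to terms of service"}
        self.accounts[key_id] = True
        return 201, {"status": "valid"}

def v2_payload(agree):
    """newAccount payload; termsOfServiceAgreed is the ACME v2 field name."""
    body = {"contact": CONTACT}
    if agree:
        body["termsOfServiceAgreed"] = True
    return body

def v1_then_v2(ca, key_id):
    """The workaround from the thread: register and agree via v1, then use v2."""
    ca.v1_new_reg(key_id, {"resource": "new-reg", "contact": CONTACT})
    ca.v1_update_reg(key_id, {"resource": "reg", "agreement": TOS_URL})
    return ca.v2_new_account(key_id, v2_payload(agree=False))

if __name__ == "__main__":
    ca = MockCA()
    print(ca.v2_new_account("key-A", v2_payload(agree=False)))  # refused
    print(ca.v2_new_account("key-B", v2_payload(agree=True)))   # created
    print(v1_then_v2(ca, "key-C"))                              # existing account
```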

The release page for ZeroSSL Windows binaries has now been updated with v0.31.

2 Likes
