Quoting Jonas Smedegaard (2020-12-08 13:25:28)
> Quoting Guilhem Moulin (2020-12-08 12:04:15)
> > Could you suggest a better error message here?
>
> Generally, I think it might help if it informed who says what. I.e. when
> passing on an error message either received from Letsencrypt or captured
> from stderr or spawned webserver, then a) mention the origin and b)
> indent the forwarded message to tie it to the previous local message:
>
>   [jawa.homebase.dk] Valid until 2021-01-21 06:36:57 UTC, skipping
>   [mail.homebase.dk] request failed: rejected by Letsencrypt:
>     Error: Invalid order DNS:mail.homebase.dk, DNS:www.mail.homebase.dk
>   [mail.homebase.dk] Error: Couldn't issue X.509 certificate!
>   [internal error] spurious message from internal webserver:
>     accept: Invalid argument at /usr/libexec/lacme/webserver line 80.
>   [internal error] spurious message from internal webserver:
>     Connection to jawa.homebase.dk closed.
>
> You might consider using Log::Any - unless it is deliberate (for
> security reasons?) to limit use of shared modules.
>
> More specifically, it might help if lacme could correlate the various
> parts that I as an operator might not be aware of. One of the errors I
> made was failing to enable the apache2 snippet for the vhost, which means
> requests initiated from Letsencrypt didn't get received by lacme. I
> imagine that when lacme sends a request out and waits for a response,
> then it could mention that no response was received at all.
>
> If lacme already does this, but only when debugging is enabled, then I
> suggest to simply raise verbosity on failure.
I had another failure today (again probably my fault, concretely), where I
had a closer look at the debug output.

Here is the output from a normal run:

  jonas@auryn:~$ mylacme-jawa newOrder jawa.homebase.dk
  [email protected]'s password:
  [email protected]'s password:
  Error: Invalid order DNS:jawa.homebase.dk, DNS:www.jawa.homebase.dk, DNS:lists.homebase.dk, DNS:www.lists.homebase.dk, DNS:list.homebase.dk, DNS:mail.homebase.dk
  [jawa.homebase.dk] Error: Couldn't issue X.509 certificate!
  accept: Invalid argument at /usr/libexec/lacme/webserver line 80.
  Connection to jawa.homebase.dk closed.

I know that I edited the config to add the hosts lists.homebase.dk,
www.lists.homebase.dk, and list.homebase.dk - but even then the above is
not really helpful in guiding me towards which of them failed. And if
this was an even bigger setup and/or I did not have a prior success to
compare against, it would be even harder.

I suggest emitting summary info from each response from Letsencrypt in a
new --verbose mode - e.g. like this:

  jonas@auryn:~$ mylacme-jawa newOrder jawa.homebase.dk
  [[issuer]] Info: valid entry DNS:jawa.homebase.dk
  [[issuer]] Info: valid entry DNS:list.homebase.dk
  [[issuer]] Info: valid entry DNS:lists.homebase.dk
  [[issuer]] Info: valid entry DNS:mail.homebase.dk
  [[issuer]] Info: valid entry DNS:www.lists.homebase.dk
  [[issuer]] Info: pending entry DNS:www.jawa.homebase.dk
  [[issuer]] Error: Invalid order DNS:jawa.homebase.dk, DNS:www.jawa.homebase.dk, DNS:lists.homebase.dk, DNS:www.lists.homebase.dk, DNS:list.homebase.dk, DNS:mail.homebase.dk
  [mail.homebase.dk] Error: Couldn't issue X.509 certificate!
  [[internal]] Warning: accept: Invalid argument at /usr/libexec/lacme/webserver line 80.
  [[internal]] Warning: Connection to jawa.homebase.dk closed.

An output like the above would help clue me in on which of the vhosts I
might have configured wrongly, causing the whole request to get rejected.
While at it, I notice that for certs with many hosts attached it takes a
while to complete a request, and (in non-verbose mode) it is not possible
to know whether connections are hanging or things are going smoothly. It
would be nice if, in non-verbose mode executed from a real terminal, a dot
was emitted for each response from Letsencrypt.

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
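As an added example (not lacme's code, and written in Python rather than lacme's Perl): the per-identifier summary proposed in the message above can be derived from the ACME order and authorization objects a CA returns, because in the RFC 8555 object shapes each authorization carries its own status and a failed challenge carries a problem document with a "detail" field. The order, authorization URLs, hostnames and the "Connection refused" detail below are constructed sample data, not a capture from Let's Encrypt; the `summarize_order` function, its `(lines, failed)` return value and the `[[issuer]]` tag are assumptions that follow the proposed output format.

```python
import json

# Constructed sample objects in the shapes RFC 8555 (ACME) defines; not captured
# from a real CA.  The order names three identifiers and points at three
# authorization URLs; one authorization failed its http-01 challenge.
ORDER = json.loads("""{
  "status": "invalid",
  "identifiers": [
    {"type": "dns", "value": "jawa.homebase.dk"},
    {"type": "dns", "value": "www.jawa.homebase.dk"},
    {"type": "dns", "value": "lists.homebase.dk"}
  ],
  "authorizations": [
    "https://acme.example/authz/1",
    "https://acme.example/authz/2",
    "https://acme.example/authz/3"
  ]
}""")

AUTHZ_BY_URL = {  # what fetching each authorization URL would return (constructed)
    "https://acme.example/authz/1": {
        "identifier": {"type": "dns", "value": "jawa.homebase.dk"},
        "status": "valid",
        "challenges": [{"type": "http-01", "status": "valid"}]},
    "https://acme.example/authz/2": {
        "identifier": {"type": "dns", "value": "www.jawa.homebase.dk"},
        "status": "invalid",
        "challenges": [{"type": "http-01", "status": "invalid",
                        "error": {"type": "urn:ietf:params:acme:error:connection",
                                  "detail": "Connection refused"}}]},
    "https://acme.example/authz/3": {
        "identifier": {"type": "dns", "value": "lists.homebase.dk"},
        "status": "pending",
        "challenges": [{"type": "http-01", "status": "pending"}]},
}

# Authorization statuses that are not a failure, with their display order;
# anything else (invalid, expired, revoked, deactivated, ...) is an Error.
OK_STATUS = {"valid": 0, "pending": 1, "processing": 1}


def label(identifier):
    # "DNS:name" mirrors how the order error quoted above names SAN entries
    return "%s:%s" % (identifier["type"].upper(), identifier["value"])


def challenge_error(authz):
    """Problem 'detail' of the first challenge carrying an error, or None."""
    for chal in authz.get("challenges", []):
        err = chal.get("error")
        if err:
            return "%s: %s" % (chal.get("type", "?"),
                               err.get("detail", err.get("type", "no detail")))
    return None


def summarize_order(order, authz_by_url, tag="[[issuer]]"):
    """Build the per-identifier lines proposed above.

    Returns (lines, failed): the lines to print and the labels of the
    identifiers whose authorization is not valid/pending, i.e. the ones
    the operator should look at first.  An authorization the client never
    managed to fetch is reported as an Error rather than silently skipped.
    """
    rows = []
    for url in order.get("authorizations", []):
        authz = authz_by_url.get(url)
        if authz is None:
            rows.append((2, url, "Error", "unfetched authorization %s" % url, None))
            continue
        status = authz.get("status", "unknown")
        rank = OK_STATUS.get(status, 2)
        name = label(authz["identifier"])
        rows.append((rank, name, "Info" if rank < 2 else "Error",
                     "%s entry %s" % (status, name), challenge_error(authz)))
    rows.sort(key=lambda r: (r[0], r[1]))  # valid first, then pending, then failures

    lines, failed = [], []
    for rank, name, level, text, detail in rows:
        lines.append("%s %s: %s%s" % (tag, level, text,
                                      " (%s)" % detail if detail else ""))
        if rank == 2:
            failed.append(name)
    if order.get("status") == "invalid":
        lines.append("%s Error: Invalid order %s" % (
            tag, ", ".join(label(i) for i in order.get("identifiers", []))))
    return lines, failed


if __name__ == "__main__":
    for line in summarize_order(ORDER, AUTHZ_BY_URL)[0]:
        print(line)
```

Run stand-alone it prints one Info line for the valid and pending names, one Error line naming www.jawa.homebase.dk together with the failed challenge's detail, and then the overall "Invalid order" line, so the failing vhost is visible before the order-level error that currently is all the operator sees.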