On Thu, Sep 12, 2019 at 9:00 AM Florian Obser <[email protected]> wrote:
> On Thu, Sep 12, 2019 at 12:42:58PM +0200, Henry Jensen wrote:
> > Greetings,
> >
> > A tweet[0] from @romanzolotarev confused some people, including me.
> >
> > Basically he says, that if you wish to continue to use acme-client you
> > have to upgrade to -current, because of the switch to ACME v02 API and
> > the deprecation of v01.
>
> [citation needed]
> I guess they ran out of space in their twitters.
>
> https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430
>
> >
> > That would mean, that acme-client on -stable can no longer be used.
> >
> > Is that true, and if so, it is planned to publish a patch for stable?
>
> mostly not true and it is not planned to publish a patch for stable.
>
> No new accounts starting November 2019 and no new domains starting
> June 2020. So existing domains can be renewed while 6.5 still receives
> patches.
>
> Changing the api endpoint from 01 to 02 in 6.5 will not work.
>
> >
> > [0] https://twitter.com/romanzolotarev/status/1172009006078074886
> >
>
> --
> I'm not entirely sure you are real.
>

I upgraded to snapshot a device and was eager to use acme-client instead of certbot and the zillion of python dependencies. I removed the strip 2 and tested with ftp if the challenge path was accessible, because the server is nginx (I PUT file and I also use some auto retry in proxy mode). This device was previously using certbot and I created a new domain name to avoid overlapping.

So far my attempts at creating the certificate failed :-(

- CONF -

#
# $OpenBSD: acme-client.conf,v 1.7 2018/04/13 08:24:38 ajacoutot Exp $
#
authority letsencrypt {
        api url "https://acme-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
        api url "https://acme-staging-v02.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain siot.XXXXXXXXXX.com {
        domain key "/etc/ssl/private/siot.XXXXXXXXXX.com.key"
        domain certificate "/etc/ssl/siot.XXXXXXXXXX.com.crt"
        domain full chain certificate "/etc/ssl/siot.XXXXXXXXXX.com.fullchain.pem"
        challengedir "/var/www/acme/.well-known/acme-challenge"
        sign with letsencrypt
}

- NGINX serving -

server {
        listen 80;
        server_name siot.XXXXXXXXXX.com;
        root /var/www/acme;

        location ~ /.well-known/acme-challenge/(.*) {
                try_files $uri =404;
        }
}

and access :

current# curl --fail http://siot.XXXXXXXXXX.com/.well-known/acme-challenge/foobar
lol
current# cat /var/www/acme/.well-known/acme-challenge/foobar
lol

- acme OUTPUT -

acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{
  "identifier": {
    "type": "dns",
    "value": " siot.XXXXXXXXXX.com"
  },
  "status": "pending",
  "expires": "2019-10-16T12:35:23Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": " https://acme-v02.api.letsencrypt.org/acme/chall-v3/701076860/ZeqP3g",
      "token": "Iu3ZGDaCNUZOXnHqCra6sHAsJL4qdqwRKXgMszZJCJA"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": " https://acme-v02.api.letsencrypt.org/acme/chall-v3/701076860/K4SYKQ",
      "token": "Iu3ZGDaCNUZOXnHqCra6sHAsJL4qdqwRKXgMszZJCJA"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": " https://acme-v02.api.letsencrypt.org/acme/chall-v3/701076860/iqKsWA",
      "token": "Iu3ZGDaCNUZOXnHqCra6sHAsJL4qdqwRKXgMszZJCJA"
    }
  ]
}] (797 bytes)
acme-client: challenge, token: Iu3ZGDaCNUZOXnHqCra6sHAsJL4qdqwRKXgMszZJCJA, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/701076860/ZeqP3g, status: 0
acme-client: /var/www/acme/.well-known/acme-challenge/Iu3ZGDaCNUZOXnHqCra6sHAsJL4qdqwRKXgMszZJCJA: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/701076860/ZeqP3g: challenge
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/701076860/ZeqP3g",
  "token": "Iu3ZGDaCNUZOXnHqCra6sHAsJL4qdqwRKXgMszZJCJA"
}] (184 bytes)
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{
  "status": "pending",
  "expires": "2019-10-16T12:35:23Z",
  "identifiers": [
    {
      "type": "dns",
      "value": " siot.XXXXXXXXXX.com"
    }
  ],
  "authorizations": [
    " https://acme-v02.api.letsencrypt.org/acme/authz-v3/701076860"
  ],
  "finalize": " https://acme-v02.api.letsencrypt.org/acme/finalize/68764372/1250153505"
}] (341 bytes)
acme-client: order.status 0
acme-client: dochngreq: https://acme-v02.api.letsencrypt.org/acme/authz-v3/701076860
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{
  "identifier": {
    "type": "dns",
    "value": " siot.XXXXXXXXXX.com"
  },
  "status": "invalid",
  "expires": "2019-10-16T12:35:23Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://siot.XXXXXXXXXX.com/.well-known/acme-challenge/Iu3ZGDaCNUZOXnHqCra6sHAsJL4qdqwRKXgMszZJCJA: Connection refused",
        "status": 400
      },
      "url": " https://acme-v02.api.letsencrypt.org/acme/chall-v3/701076860/ZeqP3g",
      "token": "Iu3ZGDaCNUZOXnHqCra6sHAsJL4qdqwRKXgMszZJCJA",
      "validationRecord": [
        {
          "url": " http://siot.XXXXXXXXXX.com/.well-known/acme-challenge/Iu3ZGDaCNUZOXnHqCra6sHAsJL4qdqwRKXgMszZJCJA",
          "hostname": "siot.XXXXXXXXXX.com",
          "port": "80",
          "addressesResolved": [
            "137.74.163.78"
          ],
          "addressUsed": "137.74.163.78"
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "invalid",
      "url": " https://acme-v02.api.letsencrypt.org/acme/chall-v3/701076860/K4SYKQ",
      "token": "Iu3ZGDaCNUZOXnHqCra6sHAsJL4qdqwRKXgMszZJCJA"
    },
    {
      "type": "tls-alpn-01",
      "status": "invalid",
      "url": " https://acme-v02.api.letsencrypt.org/acme/chall-v3/701076860/iqKsWA",
      "token": "Iu3ZGDaCNUZOXnHqCra6sHAsJL4qdqwRKXgMszZJCJA"
    }
  ]
}] (1418 bytes)
acme-client: challenge, token: Iu3ZGDaCNUZOXnHqCra6sHAsJL4qdqwRKXgMszZJCJA, uri: https://acme-v02.api.letsencrypt.org/acme/chall-v3/701076860/ZeqP3g, status: -1
acme-client: /var/www/acme/.well-known/acme-challenge/Iu3ZGDaCNUZOXnHqCra6sHAsJL4qdqwRKXgMszZJCJA: created
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/701076860/ZeqP3g: challenge
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: https://acme-v02.api.letsencrypt.org/acme/chall-v3/701076860/ZeqP3g: bad HTTP: 400
acme-client: transfer buffer: [{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}] (144 bytes)
acme-client: bad exit: netproc(45009): 1

or

[ same ]
acme-client: transfer buffer: [{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/701182904/XC4VHQ",
  "token": "FR6EfGGwgoAk0fzc6pm-h_tkQBwXRhBUk0rfGcfryeQ"
}] (184 bytes)
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: acme-v02.api.letsencrypt.org: cached
acme-client: 172.65.32.248: tls_close: EOF without close notify
acme-client: transfer buffer: [{
  "status": "invalid",
  "expires": "2019-10-16T12:46:26Z",
  "identifiers": [
    {
      "type": "dns",
      "value": " siot.XXXXXXXXXX.com"
    }
  ],
  "authorizations": [
    " https://acme-v02.api.letsencrypt.org/acme/authz-v3/701182904"
  ],
  "finalize": " https://acme-v02.api.letsencrypt.org/acme/finalize/68764372/1250201227"
}] (341 bytes)
acme-client: order.status -1
acme-client: bad exit: netproc(92213): 1

I am unsure of the kind I could have make but it feels the auth type is changing, or something not right in acme-client:

[{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}] (144 bytes)

I would really prefer using acme-client, I can compile path and test more.

--
Knowing is not enough; we must apply. Willing is not enough; we must do
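
Added example, not part of the original message and not acme-client code: a small reader for the authorization object printed in the "transfer buffer" output above, which pulls out the error type, the address the CA connected to, and whether the authorization can still take a challenge response. The sample input is constructed (host.example.com, 192.0.2.10 and TOKEN are placeholders), and the function name and hint wording are assumptions of this example.

```python
import json

# Constructed sample shaped like the "invalid" authorization in the output above;
# host name, address and token are placeholders, not values from the post.
SAMPLE_AUTHZ = json.loads("""
{"identifier": {"type": "dns", "value": "host.example.com"},
 "status": "invalid",
 "challenges": [
  {"type": "http-01", "status": "invalid", "token": "TOKEN",
   "error": {"type": "urn:ietf:params:acme:error:connection",
             "detail": "Fetching http://host.example.com/.well-known/acme-challenge/TOKEN: Connection refused",
             "status": 400},
   "validationRecord": [{"hostname": "host.example.com", "port": "80",
                         "addressesResolved": ["192.0.2.10"],
                         "addressUsed": "192.0.2.10"}]},
  {"type": "dns-01", "status": "invalid", "token": "TOKEN"}]}
""")

# What each RFC 8555 error type says about where validation failed.
HINTS = {
    "connection": "CA could not open a connection to the address it used",
    "dns": "CA could not resolve the identifier",
    "unauthorized": "CA reached the server but the response was not accepted",
    "incorrectResponse": "CA fetched a response that did not match the challenge",
}

def triage_authz(authz):
    """Summarise why an ACME authorization failed, from the CA's point of view."""
    findings = []
    for chall in authz.get("challenges", []):
        err = chall.get("error")
        if err is None:  # challenges without an error object carry no failure detail
            continue
        kind = err.get("type", "").rsplit(":", 1)[-1]
        for rec in chall.get("validationRecord") or [{}]:
            findings.append({
                "challenge": chall.get("type"), "error": kind,
                "hint": HINTS.get(kind, "see error detail"),
                "detail": err.get("detail", ""),
                "address_used": rec.get("addressUsed"), "port": rec.get("port"),
            })
    return {
        "identifier": authz.get("identifier", {}).get("value"),
        "status": authz.get("status"),
        # Only a pending authorization accepts a challenge response; responding
        # to any other state gets "authorization must be pending", as in the log.
        "accepts_challenge_response": authz.get("status") == "pending",
        "findings": findings,
    }

if __name__ == "__main__":
    print(json.dumps(triage_authz(SAMPLE_AUTHZ), indent=2))
```

The address_used and port fields are the CA's side of the connection, so they are the values to compare against the listener and firewall rules on the host.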
