Description of problem:
In some cases the authorize return from letsencrypt has not validated all challenges, and there is a need of polling the pending ones until they fail or succeed. I removed as well the useless need of perl(Data::Dumper) and added a nginx configuration template in this version.
Commits are here:
https://git.rapsys.eu/?p=acme;a=summary
https://git.rapsys.eu/?p=acme;a=commitdiff;h=2a10253aea57d1e25280392a4f9b4e9420ece1b8
https://git.rapsys.eu/?p=acme;a=commitdiff;h=d17b7963e424d3574a4673e26ebd9aab38b741e6
https://git.rapsys.eu/?p=acme;a=commitdiff;h=3a2fe09540218ac59a327071c04938d8ffe2282c

Version-Release number of selected component (if applicable):
acme-0.9-4

How reproducible:
Difficult, it happened here reliably only, and on my dedicated server only one time.

Steps to Reproduce:
1. acmeconf -r example.com
2. drop http traffic from outside with firewall
3. acmecert or acmecron to generate a certificate
4. The script will exit directly while silently failing instead of polling pending tests until they fail.
MGA6-32 on Asus A6000VM MATE
Installed acme-0.9-4 first to see whether I can run those commands. It is not clear from above whether these should be run as normal user or as root, but in either case I get an unexpected result.
at CLI:
# acmeconf -r example.com
{
   "thumbprint" : "/etc/acme/thumbprint",
   "term" : "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
   "pending" : "/tmp/acme.pending",
   "certificates" : [
      {
         "cert" : "/etc/pki/tls/certs/example.com.pem",
         "key" : "/etc/pki/tls/private/example.com.pem",
         "account" : "/etc/acme/account.pem",
         "mail" : "webmaster@example.com",
         "domain" : "example.com",
         "domains" : [],
         "prod" : 0
      }
   ]
}
then I launch a ping from another desktop, knowing it is rejected by this laptop, and then
# acmecert
Config file /etc/acme/config is not readable or invalid
Indeed, there is no such file. The acmeconf seems to have done nothing in the /etc/acme/ directory, the file /etc/acme/thumbprint is empty before and after the acmeconf.
CC: (none) => herman.viaene
Hi, sorry, you should do a:
acmeconf -r example.com > /etc/acme/config
I didn't want to write the config file with acmeconf to avoid trashing a working config in case of mistakes. (I will maybe add a renaming later)
If you have a fixed public IP, I may point a valid test subdomain on it for your tests (or do a CNAME on a dyndns-like domain).
Best regards
It was in the man page about acmeconf and in --help by the way :)
@Raphael
Admit to being puzzled by the 'steps to reproduce'. Can you do this on a stand-alone machine?
1. # acmeconf -r example.com > /etc/acme/config [OK]
2. drop http traffic from outside with firewall
   Do you mean block incoming HTTP requests in the firewall? Just that, even if there are none?
3. # acmecert or # acmecron to generate a certificate
   Just these raw commands?
4. The script will exit directly while silently failing instead of polling pending tests until they fail.
   What script? The commands above? Does the fact of exiting directly indicate success? What would you expect *before* the update?
CC: (none) => lewyssmith
OK I went:
# acmeconf -r example.com > /etc/acme/config
no feedback, config file created
launch ping command from other desktop
# acmecert
Email::Valid->address failed at /usr/lib/perl5/vendor_perl/5.22.3/Acme.pm line 135.
Acme::new("Acme", 0, HASH(0x9a94aa8), HASH(0x9a81a80)) called at /usr/bin/acmecert line 127
The script will generate /etc/pki/tls/certs/example.com.pem if it succeeds. There is no way to validate without a valid subdomain + email. My script validates there is a MX record for the configured email in /etc/acme/config.
By "drop http traffic from outside with firewall", I mean drop the incoming traffic on the configured apache (or nginx) from internet. So that the letsencrypt verification bot will fail after a tcp timeout and keep the challenge pending for a long time before failure.
Acmecert forces the generation of a certificate even if one exists. (see man)
Acmecron does that only if it doesn't exist and the certificate is older than 60 days. (see man)
If you want to validate, you need:
- a valid mail configured in /etc/acme/config on a domain with MX record (any @yopmail.com will work for example)
- a valid subdomain name which points on current public ip
- a configured apache+php (should be automagic) or nginx+php (no magic here, only sample config provided)
The goal of acme toolset is to generate valid https letsencrypt certificate. Sorry if it was not clear.
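The polling behaviour this thread is about, as an added example (Python, not the acme package's own Perl code): the pre-fix single check beside a loop that keeps asking while the authorization is still pending, run against a constructed stand-in for the Let's Encrypt authorization endpoint and a simulated clock. The status names are the RFC 8555 vocabulary, assumed here; the 60 s deadline and 5 s interval are arbitrary.

```python
import time

# ACME authorization statuses that never change again (RFC 8555 vocabulary,
# assumed here to be what the polling loop must recognise).
TERMINAL = frozenset({"valid", "invalid", "expired", "revoked", "deactivated"})


def single_check(fetch_status):
    """Pre-fix behaviour from the report: one look at the authorization,
    and anything but 'valid' is taken as failure."""
    return fetch_status() == "valid"


def poll_pending(fetch_status, deadline_s, interval_s,
                 sleep=time.sleep, now=time.monotonic):
    """Fixed behaviour: keep asking while the authorization is 'pending' or
    'processing'; stop on a terminal status or when the deadline passes.
    Returns the final status, or 'timeout' if it never left pending."""
    start = now()
    while True:
        status = fetch_status()
        if status in TERMINAL:
            return status
        if now() - start >= deadline_s:
            return "timeout"
        sleep(interval_s)


def fake_server(statuses):
    """Constructed stand-in for the Let's Encrypt authorization endpoint:
    answers with the given statuses in order, then repeats the last one."""
    remaining = list(statuses)
    return lambda: remaining.pop(0) if len(remaining) > 1 else remaining[0]


class FakeClock:
    """Simulated clock so the example runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds
```

With a host whose port 80 is firewalled the bot never gets through, so the stand-in keeps answering "pending" and only the polling version reports a clear "timeout" instead of failing silently on the first look.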
Trying M6/64 mainly for clean update
BEFORE: acme-0.9-4.mga6
# acmeconf -r localdomain > /etc/acme/config
# cat /etc/acme/config
{
   "thumbprint" : "/etc/acme/thumbprint",
   "term" : "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf",
   "pending" : "/tmp/acme.pending",
   "certificates" : [
      {
         "cert" : "/etc/pki/tls/certs/localdomain.pem",
         "key" : "/etc/pki/tls/private/localdomain.pem",
         "account" : "/etc/acme/account.pem",
         "mail" : "webmaster@localdomain",
         "domain" : "localdomain",
         "domains" : [],
         "prod" : 0
      }
   ]
}
# acmecron
Email::Valid->address failed at /usr/lib/perl5/vendor_perl/5.22.3/Acme.pm line 135.
Acme::new("Acme", 0, HASH(0x3197b18), HASH(0x1d76ad0)) called at /usr/bin/acmecron line 132
# acmecert
Email::Valid->address failed at /usr/lib/perl5/vendor_perl/5.22.3/Acme.pm line 135.
Acme::new("Acme", 0, HASH(0x29a3f90), HASH(0x299c3f0)) called at /usr/bin/acmecert line 127
Putting my own e-mail address in the config file yielded instead:
# acmecron
localdomain's tld extraction failed at /usr/lib/perl5/vendor_perl/5.22.3/Acme.pm line 149.
Acme::new("Acme", 0, HASH(0x63ead0), HASH(0x1a5fd50)) called at /usr/bin/acmecron line 132
# acmecert
localdomain's tld extraction failed at /usr/lib/perl5/vendor_perl/5.22.3/Acme.pm line 149.
Acme::new("Acme", 0, HASH(0x23e5b90), HASH(0x3807498)) called at /usr/bin/acmecert line 127
AFTER uneventful update: acme-1.1-1.mga6.noarch
*** is this version number what is wanted? ***
and repeating all the previous steps gave identical output, even though that was probably meaningless.
@Raphael
Accepting that I have put my proper e-mail address in the config file, if there is anything else I can change in it for a single system with Ethernet gateway to Internet, I shall be happy to try. If you can point me what else to change, please do.
FWIW I have the following IP address: 192.168.0.10 (gateway 254). I should have an external one via the DSL box - if I can find it.
In consultation with QA team leaders, this is being validated as-is. Not up to our normal standards; just a clean update. Advisory devised from Description & bug RPM link.
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
Advisory:
type: bugfix
subject: Updated acme package fixes race condition while polling letsencrypt check
src:
  6:
    core:
      - acme-1.1-1.mga6
description:
  Acmecron and acmecert were sometimes broken while polling the letsencrypt check if it wasn't validated right away by their bot. The updated package fixes this bug, removes a useless dependency on perl(Data::Dumper) and adds a nginx configuration template.
references:
  - https://bugs.mageia.org/show_bug.cgi?id=21742
ID: MGASA-2017-0369
Closing as Mageia robot failed to do so due to lack of permissions, which has now been fixed.
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGAA-2017-0095.html