Open lazerhawk opened 5 years ago
:wave: Leaving this note for any maintainers that might be interested in fixing this problem before it breaks new deployments of Streisand with the Let's Encrypt feature on Oct 31st. The ACME client (acmetool) used by Streisand needs to be updated to a version that supports RFC 8555 / ACME v2. There's a beta release available as of 5 days ago. One note of warning:
You will need to build this yourself as release automation is being renovated.
There's a choice here between:
Edit: There's also a first-party ACME plugin for Ansible: https://docs.ansible.com/ansible/latest/modules/acme_certificate_module.html
Uh, so it's November now...
Looks like this is fixed in #1668, it just needs to be merged.
Is there a way around this? As a user, it appears this has kept Streisand from working at all in getting a server up and running since Oct, and it's unclear when the PR will be merged, so just wondering if there's any workaround.
+1 this is causing a hard fail for me today. It crashes out of Ansible without having generated docs or leaving a progress report.
TASK [lets-encrypt : Perform initial configuration of acmetool] **********************************************
fatal: [***.***.***.***]: FAILED! => {"changed": true, "cmd": ["acmetool", "quickstart"], "delta": "0:00:00.386317", "end": "2019-12-01 02:29:36.462673", "msg": "non-zero return code", "rc": 1, "start": "2019-12-01 02:29:36.076356", "stderr": "20191201022936 [CRITICAL] acmetool: fatal: couldn't complete registration: HTTP error: 403 Forbidden\nmap[Server:[nginx] Date:[Sun, 01 Dec 2019 02:29:36 GMT] Content-Type:[application/problem+json] Content-Length:[280] Cache-Control:[public, max-age=0, no-cache] Replay-Nonce:[0101CYoodg8966r1Zz12KiN4jZ89Q-HYqu60MFKXA01GwYU]]\n{\n \"type\": \"urn:acme:error:unauthorized\",\n \"detail\": \"Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.\",\n \"status\": 403\n}", "stderr_lines": ["20191201022936 [CRITICAL] acmetool: fatal: couldn't complete registration: HTTP error: 403 Forbidden", "map[Server:[nginx] Date:[Sun, 01 Dec 2019 02:29:36 GMT] Content-Type:[application/problem+json] Content-Length:[280] Cache-Control:[public, max-age=0, no-cache] Replay-Nonce:[0101CYoodg8966r1Zz12KiN4jZ89Q-HYqu60MFKXA01GwYU]]", "{", " \"type\": \"urn:acme:error:unauthorized\",", " \"detail\": \"Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.\",", " \"status\": 403", "}"], "stdout": "\r 0 / 100 0.00%\r 0.00% ", "stdout_lines": ["", " 0 / 100 0.00%", " 0.00% "]}
This is a blocking hard error. It should be patched ASAP. Please merge it if it's appropriate. @jlund
I have the same issue for a fresh installation of streisand:
streisand Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2
Since #1668 got merged for initial ACME v2 support for initial setup, this has mostly been solved. Though please note users might want to wait for additional cleanup work still to be done to finish Let's Encrypt renewals correctly/completely (see #1688 awaiting merge, and there may be additional tinkering in #1668 ).
Many thanks to @nickgnazzo for getting us out of this pinch, and @nopdotcom for approving the merge.
Is there a canonical way to upgrade acmetool or (better) move to letsencrypt on an existing streisand machine? I got my cert originally with acmetool, but just got an email from letsencrypt that includes
Beginning June 1, 2020, we will stop allowing new domains to validate using the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before then, or certificate issuance will fail.
Or is it preferable to spin up a new streisand instance that includes #1668?
Expected behavior:
Let's Encrypt cert is issued and installed during general install
Actual Behavior:
cert issuance fails due to using outdated ACME protocol version (ACMEv1)
Ansible task error
TASK [lets-encrypt : Perform initial configuration of acmetool] *** fatal: [162.209.11.147]: FAILED! => {"changed": true, "cmd": ["acmetool", "quickstart"], "delta": "0:00:01.010463", "end": "2019-10-18 02:20:29.377881", "msg": "non-zero return code", "rc": 1, "start": "2019-10-18 02:20:28.367418", "stderr": "20191018022029 [CRITICAL] acmetool: fatal: couldn't complete registration: HTTP error: 403 Forbidden\nmap[Content-Type:[application/problem+json] Content-Length:[280] Cache-Control:[public, max-age=0, no-cache] Replay-Nonce:[0102GOuWlT6DOzzt5ByE5HcUsIScmrRPoCqAnEwLMpXhZ3Q] Server:[nginx] Date:[Fri, 18 Oct 2019 02:20:29 GMT]]\n{\n \"type\": \"urn:acme:error:unauthorized\",\n \"detail\": \"Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.\",\n \"status\": 403\n}", "stderr_lines": ["20191018022029 [CRITICAL] acmetool: fatal: couldn't complete registration: HTTP error: 403 Forbidden", "map[Content-Type:[application/problem+json] Content-Length:[280] Cache-Control:[public, max-age=0, no-cache] Replay-Nonce:[0102GOuWlT6DOzzt5ByE5HcUsIScmrRPoCqAnEwLMpXhZ3Q] Server:[nginx] Date:[Fri, 18 Oct 2019 02:20:29 GMT]]", "{", " \"type\": \"urn:acme:error:unauthorized\",", " \"detail\": \"Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.\",", " \"status\": 403", "}"], "stdout": "\r 0 / 100 0.00%\r 0.00% \r 0.00% \r 0.00% \r 0.00% ", "stdout_lines": ["", " 0 / 100 0.00%", " 0.00% ", " 0.00% ", " 0.00% ", " 0.00% "]}
Let's Encrypt announcement
https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430
New account creation for new cert issuance under ACMEv1 stops October 1 2019, which is where we error out. Even if you already had a Let's Encrypt "account" (registered email address), the window is closing for issuance via ACMEv1.
I think this also interfered with the rest of the install, as the listening https port returns a broken cert.
Steps to Reproduce:
Ansible Information
Streisand Information
Enabled Roles
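The failures pasted in this thread all have the same shape: acmetool logs a "couldn't complete registration" line, then dumps the server's application/problem+json document, whose "type" is in the pre-RFC "urn:acme:error:" namespace (RFC 8555 servers use "urn:ietf:params:acme:error:"). The following is an added example, not code from the Streisand project or from anyone in this thread: it pulls that problem document out of an Ansible task result, tells apart the ACMEv1 end-of-life refusal from other ACME errors, and maps a Let's Encrypt v1 directory URL to its v2 counterpart. The task result is a constructed sample modelled on the stderr above; the directory URLs and URN prefixes are the public Let's Encrypt / RFC 8555 values.

```python
"""Classify an acmetool registration failure from an Ansible task result."""
import json
from typing import Optional

# Public Let's Encrypt directory URLs: v1 endpoint -> its ACMEv2 replacement.
LE_V1_TO_V2_DIRECTORIES = {
    "https://acme-v01.api.letsencrypt.org/directory":
        "https://acme-v02.api.letsencrypt.org/directory",
    "https://acme-staging.api.letsencrypt.org/directory":
        "https://acme-staging-v02.api.letsencrypt.org/directory",
}

# RFC 8555 error types use the IETF URN; the pre-RFC protocol that Let's
# Encrypt called "ACMEv1" used the shorter "urn:acme:error:" prefix.
V2_ERROR_PREFIX = "urn:ietf:params:acme:error:"
V1_ERROR_PREFIX = "urn:acme:error:"

# Constructed sample (not a real capture), modelled on the stderr in the thread:
# one acmetool log line, a Go-formatted header map, then the problem document.
SAMPLE_STDERR = (
    "20191201022936 [CRITICAL] acmetool: fatal: couldn't complete registration: "
    "HTTP error: 403 Forbidden\n"
    "map[Server:[nginx] Content-Type:[application/problem+json]]\n"
    '{\n "type": "urn:acme:error:unauthorized",\n'
    ' "detail": "Account creation on ACMEv1 is disabled. Please upgrade your ACME '
    'client to a version that supports ACMEv2 / RFC 8555.",\n'
    ' "status": 403\n}'
)
SAMPLE_TASK_RESULT = {
    "cmd": ["acmetool", "quickstart"],
    "rc": 1,
    "msg": "non-zero return code",
    "stderr": SAMPLE_STDERR,
}


def extract_problem_document(stderr: str) -> Optional[dict]:
    """Return the RFC 7807 problem document embedded in acmetool's stderr, or None.

    acmetool prints the raw response body after its log line, so the first '{'
    marks the start of the JSON; anything that does not parse is ignored.
    """
    start = stderr.find("{")
    if start < 0:
        return None
    try:
        doc = json.loads(stderr[start:])
    except json.JSONDecodeError:
        return None
    return doc if isinstance(doc, dict) and "type" in doc else None


def classify_acme_failure(task_result: dict) -> dict:
    """Explain why an acmetool task failed, based on the server's problem document."""
    problem = extract_problem_document(task_result.get("stderr", ""))
    if problem is None:
        return {"kind": "unknown", "server_protocol": None,
                "action": "no problem document found; inspect stderr manually"}

    err_type = problem.get("type", "")
    if err_type.startswith(V1_ERROR_PREFIX):
        server_protocol = "ACMEv1"
    elif err_type.startswith(V2_ERROR_PREFIX):
        server_protocol = "ACMEv2"
    else:
        server_protocol = None

    detail = problem.get("detail", "")
    # The EOL refusal is a 403 from the v1 endpoint whose detail names ACMEv1.
    if server_protocol == "ACMEv1" and problem.get("status") == 403 and "ACMEv1" in detail:
        return {"kind": "acmev1_eol", "server_protocol": server_protocol,
                "action": "upgrade the client to an RFC 8555 release and point it "
                          "at the v02 directory"}
    return {"kind": err_type.rsplit(":", 1)[-1] or "unknown",
            "server_protocol": server_protocol,
            "action": "see detail: " + detail}


def upgraded_directory(url: str) -> str:
    """Map a Let's Encrypt v1 directory URL to its v2 equivalent; others pass through."""
    return LE_V1_TO_V2_DIRECTORIES.get(url.rstrip("/"), url)


if __name__ == "__main__":
    print(json.dumps(classify_acme_failure(SAMPLE_TASK_RESULT), indent=1))
    print(upgraded_directory("https://acme-v01.api.letsencrypt.org/directory"))
```

The protocol is inferred from the error URN rather than from the detail text, so a server that still answers in the old namespace is flagged as ACMEv1 even when its message changes; the "ACMEv1" substring check only narrows the 403 down to the end-of-life refusal.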