acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0
39.35k stars 4.97k forks

acme.sh doesn't detect the mydomain.com_ecc dir, installs old cert from mydomain.com dir #4793

Closed upr-kmd closed 1 year ago

upr-kmd commented 1 year ago

Steps to reproduce

1) Have some old certs in the .acme.sh dir without ecc (mydomain.com) together with the mydomain.com_ecc dir.
2) Try to issue the cert and then install it.
3) The --install command doesn't detect the _ecc dir and instead uses the old mydomain.com dir with an old cert.

The commands I'm using are a part of a script to automatically issue and update a cert in an OpenShift (Kubernetes distribution) cluster.

```bash
# available providers: letsencrypt, zerossl
export PROVIDER=zerossl

export LE_API=$(oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././')
export LE_WILDCARD=$(oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath='{.status.domain}')

# the wildcard is quoted so the shell does not glob-expand the "*"
${HOME}/.acme.sh/acme.sh --issue -d ${LE_API} -d "*.${LE_WILDCARD}" --dns dns_azure --server ${PROVIDER} --force
echo "ACME cert issue error code: ${?}"

export CERTDIR=$HOME/certificates
mkdir -p ${CERTDIR}

${HOME}/.acme.sh/acme.sh --install-cert -d ${LE_API} -d "*.${LE_WILDCARD}" \
  --cert-file ${CERTDIR}/cert.pem \
  --key-file ${CERTDIR}/key.pem \
  --fullchain-file ${CERTDIR}/fullchain.pem \
  --ca-file ${CERTDIR}/ca.cer
```

The script used to work fine many times, and I have switched the free cert providers often for performance reasons (long times to verify that the domain is owned).

Debug log

```
acme.sh  --issue .....   --debug 2
```

Old cert, issued 2 months earlier with letsencrypt:

```
[Mon Jun 12 20:02:13 CEST 2023] Running cmd: issue
[Mon Jun 12 20:02:13 CEST 2023] _main_domain='api.subdomain.mydomain.com'
[Mon Jun 12 20:02:13 CEST 2023] _alt_domains='*.apps.subdomain.mydomain.com'
[Mon Jun 12 20:02:13 CEST 2023] Using config home:/home/pk/.acme.sh
[Mon Jun 12 20:02:13 CEST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mon Jun 12 20:02:13 CEST 2023] DOMAIN_PATH='/home/pk/.acme.sh/api.subdomain.mydomain.com'
[Mon Jun 12 20:02:13 CEST 2023] Le_NextRenewTime='1689634787'
[Mon Jun 12 20:02:13 CEST 2023] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Mon Jun 12 20:02:13 CEST 2023] _init api for server: https://acme-v02.api.letsencrypt.org/directory
(...)
[Mon Jun 12 20:02:19 CEST 2023] Your cert is in: /home/pk/.acme.sh/api.subdomain.mydomain.com/api.subdomain.mydomain.com.cer
[Mon Jun 12 20:02:19 CEST 2023] Your cert key is in: /home/pk/.acme.sh/api.subdomain.mydomain.com/api.subdomain.mydomain.com.key
[Mon Jun 12 20:02:19 CEST 2023] The intermediate CA cert is in: /home/pk/.acme.sh/api.subdomain.mydomain.com/ca.cer
[Mon Jun 12 20:02:19 CEST 2023] And the full chain certs is there: /home/pk/.acme.sh/api.subdomain.mydomain.com/fullchain.cer
[Mon Jun 12 20:02:19 CEST 2023] _on_issue_success
[Mon Jun 12 20:02:19 CEST 2023] Running cmd: installcert
[Mon Jun 12 20:02:19 CEST 2023] Using config home:/home/pk/.acme.sh
[Mon Jun 12 20:02:19 CEST 2023] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Mon Jun 12 20:02:19 CEST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mon Jun 12 20:02:19 CEST 2023] DOMAIN_PATH='/home/pk/.acme.sh/api.subdomain.mydomain.com'
[Mon Jun 12 20:02:19 CEST 2023] Installing cert to: /home/pk/certificates/cert.pem
[Mon Jun 12 20:02:19 CEST 2023] Installing CA to: /home/pk/certificates/ca.cer
[Mon Jun 12 20:02:19 CEST 2023] Installing key to: /home/pk/certificates/key.pem
[Mon Jun 12 20:02:19 CEST 2023] Installing full chain to: /home/pk/certificates/fullchain.pem
```

Issuing the cert (now):

```
[Tue Sep 12 09:44:51 CEST 2023] Running cmd: issue
[Tue Sep 12 09:44:51 CEST 2023] _main_domain='api.subdomain.mydomain.com'
[Tue Sep 12 09:44:51 CEST 2023] _alt_domains='*.apps.subdomain.mydomain.com'
[Tue Sep 12 09:44:51 CEST 2023] Using config home:/home/pk/.acme.sh
[Tue Sep 12 09:44:51 CEST 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Tue Sep 12 09:44:51 CEST 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Tue Sep 12 09:44:51 CEST 2023] _ACME_SERVER_PATH='v2/DV90'
[Tue Sep 12 09:44:51 CEST 2023] DOMAIN_PATH='/home/pk/.acme.sh/api.subdomain.mydomain.com_ecc'
[Tue Sep 12 09:44:51 CEST 2023] 'dns_azure' does not contain 'dns'
[Tue Sep 12 09:44:51 CEST 2023] Le_NextRenewTime='1699528665'
[Tue Sep 12 09:44:51 CEST 2023] Using ACME_DIRECTORY: https://acme.zerossl.com/v2/DV90
[Tue Sep 12 09:44:51 CEST 2023] _init api for server: https://acme.zerossl.com/v2/DV90
(...)
[Tue Sep 12 09:46:21 CEST 2023] Found cert chain
[Tue Sep 12 09:46:21 CEST 2023] _end_n='25'
[Tue Sep 12 09:46:21 CEST 2023] Le_LinkCert='https://acme.zerossl.com/v2/DV90/cert/KQf7CzjA690ZLtNnrkxHPg'
[Tue Sep 12 09:46:21 CEST 2023] Cert success.
[Tue Sep 12 09:46:21 CEST 2023] Your cert is in: /home/pk/.acme.sh/api.subdomain.mydomain.com_ecc/api.subdomain.mydomain.com.cer
[Tue Sep 12 09:46:21 CEST 2023] Your cert key is in: /home/pk/.acme.sh/api.subdomain.mydomain.com_ecc/api.subdomain.mydomain.com.key
[Tue Sep 12 09:46:21 CEST 2023] The intermediate CA cert is in: /home/pk/.acme.sh/api.subdomain.mydomain.com_ecc/ca.cer
[Tue Sep 12 09:46:21 CEST 2023] And the full chain certs is there: /home/pk/.acme.sh/api.subdomain.mydomain.com_ecc/fullchain.cer
[Tue Sep 12 09:46:21 CEST 2023] _on_issue_success
[Tue Sep 12 09:46:21 CEST 2023] '' does not contain 'dns'
[Tue Sep 12 09:46:21 CEST 2023] LE_WORKING_DIR='/home/pk/.acme.sh'
```

Cert installation:

```
[Tue Sep 12 09:46:21 CEST 2023] Running cmd: installcert
[Tue Sep 12 09:46:21 CEST 2023] Using config home:/home/pk/.acme.sh
[Tue Sep 12 09:46:21 CEST 2023] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Tue Sep 12 09:46:21 CEST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue Sep 12 09:46:21 CEST 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Tue Sep 12 09:46:21 CEST 2023] _ACME_SERVER_PATH='directory'
[Tue Sep 12 09:46:21 CEST 2023] DOMAIN_PATH='/home/pk/.acme.sh/api.subdomain.mydomain.com'
[Tue Sep 12 09:46:21 CEST 2023] Installing cert to: /home/pk/certificates/cert.pem
[Tue Sep 12 09:46:21 CEST 2023] Installing CA to: /home/pk/certificates/ca.cer
[Tue Sep 12 09:46:21 CEST 2023] Installing key to: /home/pk/certificates/key.pem
[Tue Sep 12 09:46:21 CEST 2023] Installing full chain to: /home/pk/certificates/fullchain.pem
[Tue Sep 12 10:19:37 CEST 2023] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Tue Sep 12 10:19:37 CEST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue Sep 12 10:19:37 CEST 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Tue Sep 12 10:19:37 CEST 2023] _ACME_SERVER_PATH='directory'
```

Running the same commands on a different host with a clean .acme.sh dir:

```
[Tue Sep 12 08:07:35 UTC 2023] Running cmd: issue
[Tue Sep 12 08:07:35 UTC 2023] _main_domain='api.subdomain.mydomain.com'
[Tue Sep 12 08:07:35 UTC 2023] _alt_domains='*.apps.subdomain.mydomain.com'
[Tue Sep 12 08:07:35 UTC 2023] Using config home:/home/pwk/.acme.sh
[Tue Sep 12 08:07:35 UTC 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Tue Sep 12 08:07:35 UTC 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Tue Sep 12 08:07:35 UTC 2023] _ACME_SERVER_PATH='v2/DV90'
[Tue Sep 12 08:07:35 UTC 2023] DOMAIN_PATH='/home/pwk/.acme.sh/api.subdomain.mydomain.com_ecc'
(...)
[Tue Sep 12 08:08:45 UTC 2023] Your cert is in: /home/pwk/.acme.sh/api.subdomain.mydomain.com_ecc/api.subdomain.mydomain.com.cer
[Tue Sep 12 08:08:45 UTC 2023] Your cert key is in: /home/pwk/.acme.sh/api.subdomain.mydomain.com_ecc/api.subdomain.mydomain.com.key
[Tue Sep 12 08:08:45 UTC 2023] The intermediate CA cert is in: /home/pwk/.acme.sh/api.subdomain.mydomain.com_ecc/ca.cer
[Tue Sep 12 08:08:45 UTC 2023] And the full chain certs is there: /home/pwk/.acme.sh/api.subdomain.mydomain.com_ecc/fullchain.cer
[Tue Sep 12 08:08:45 UTC 2023] _on_issue_success
[Tue Sep 12 08:08:45 UTC 2023] '' does not contain 'dns'
[Tue Sep 12 08:08:45 UTC 2023] LE_WORKING_DIR='/home/pwk/.acme.sh'
[Tue Sep 12 08:08:45 UTC 2023] Running cmd: installcert
[Tue Sep 12 08:08:45 UTC 2023] Using config home:/home/pwk/.acme.sh
[Tue Sep 12 08:08:45 UTC 2023] default_acme_server
[Tue Sep 12 08:08:45 UTC 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Tue Sep 12 08:08:45 UTC 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Tue Sep 12 08:08:45 UTC 2023] _ACME_SERVER_PATH='v2/DV90'
[Tue Sep 12 08:08:45 UTC 2023] The domain 'api.subdomain.mydomain.com' seems to have a ECC cert already, lets use ecc cert.
[Tue Sep 12 08:08:45 UTC 2023] DOMAIN_PATH='/home/pwk/.acme.sh/api.subdomain.mydomain.com_ecc'
[Tue Sep 12 08:08:45 UTC 2023] Installing cert to: /home/pwk/certificates/cert.pem
[Tue Sep 12 08:08:45 UTC 2023] Installing CA to: /home/pwk/certificates/ca.cer
[Tue Sep 12 08:08:45 UTC 2023] Installing key to: /home/pwk/certificates/key.pem
[Tue Sep 12 08:08:45 UTC 2023] Installing full chain to: /home/pwk/certificates/fullchain.pem
```

host1 with old and new cert dirs:

```
drwxr-xr-x 3 pk pk 4096 Nov  2  2022 api.subdomain.mydomain.com
drwxr-xr-x 2 pk pk 4096 Sep 11 09:56 api.subdomain.mydomain.com_ecc
```

host2 had no api.subdomain.mydomain.com nor api.subdomain.mydomain.com_ecc dirs.

github-actions[bot] commented 1 year ago

Please upgrade to the latest code and try again first. Maybe it's already fixed. `acme.sh --upgrade` If it's still not working, please provide the log with `--debug 2`, otherwise, nobody can help you.

upr-kmd commented 1 year ago

I did use the latest version of acme.sh, I've upgraded the script today.

Neilpang commented 1 year ago

```
${HOME}/.acme.sh/acme.sh --install-cert   --ecc   ...........
```

upr-kmd commented 1 year ago

But how do I know if the cert is generated as ECC or not? The `--issue` option has no suboptions for that.

Neilpang commented 1 year ago

https://github.com/acmesh-official/acme.sh#10-issue-ecc-certificates

```
acme.sh --issue -k ec-256
```
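Added example; this is not acme.sh's own code and not from anyone in this thread. The two install logs above show the mechanism: on host2 acme.sh only switches to the `_ecc` directory on its own when the plain `api.subdomain.mydomain.com` directory does not exist ("seems to have a ECC cert already, lets use ecc cert"), while on host1 the stale 2022 Let's Encrypt directory shadowed the fresh `_ecc` one, so `--install-cert` ran with that directory's old `ACME_DIRECTORY` and copied the old cert into `$CERTDIR` without any error. The POSIX sh below picks whichever of the two directories holds the newest `fullchain.cer`, derives the `--ecc` flag from that, and after installing compares the installed fullchain byte for byte with the source so a silently reinstalled stale cert fails the script instead of being served. Assumptions not taken from the issue: `ACME_HOME` as the config home, file mtime as the "newest cert" signal, and PEM header sniffing for the key type (only legacy OpenSSL headers name the algorithm; for a PKCS#8 `BEGIN PRIVATE KEY` file fall back to `openssl pkey -in KEY -noout -text`, or read the KeyLength column of `acme.sh --list`).

```shell
#!/bin/sh
# Added example (not acme.sh's own code): choose between <domain> and
# <domain>_ecc before calling `acme.sh --install-cert`, and verify the result.
# Assumption: ACME_HOME is the acme.sh config home (default ~/.acme.sh).
ACME_HOME="${ACME_HOME:-$HOME/.acme.sh}"

# newest_cert_dir DOMAIN -> prints the directory whose fullchain.cer is newest.
# Returns 1 when neither directory holds a cert.
newest_cert_dir() {
  d="$1"; best=""
  for dir in "$ACME_HOME/$d" "$ACME_HOME/${d}_ecc"; do
    [ -f "$dir/fullchain.cer" ] || continue
    # -nt: left file has a newer mtime than the right one
    if [ -z "$best" ] || [ "$dir/fullchain.cer" -nt "$best/fullchain.cer" ]; then
      best="$dir"
    fi
  done
  [ -n "$best" ] || return 1
  printf '%s\n' "$best"
}

# ecc_flag DOMAIN -> prints "--ecc" when the newest cert lives in the _ecc
# directory, an empty line otherwise; exit status as newest_cert_dir.
ecc_flag() {
  dir=$(newest_cert_dir "$1") || return 1
  case "$dir" in
    *_ecc) printf -- '--ecc\n' ;;
    *)     printf '\n' ;;
  esac
}

# key_algo KEYFILE -> "ec", "rsa" or "unknown" from the PEM header line.
# Legacy OpenSSL PEM names the algorithm; PKCS#8 "BEGIN PRIVATE KEY" does not.
key_algo() {
  case "$(head -n 1 "$1" 2>/dev/null)" in
    *"BEGIN EC PRIVATE KEY"*)  echo ec ;;
    *"BEGIN RSA PRIVATE KEY"*) echo rsa ;;
    *)                         echo unknown ;;
  esac
}

# install_from_newest DOMAIN CERTDIR -> runs acme.sh --install-cert with the
# matching --ecc flag, then checks that the installed fullchain is the one
# from the directory we meant to install (catches the stale-cert case).
install_from_newest() {
  d="$1"; out="$2"
  src=$(newest_cert_dir "$d") || { echo "no cert found for $d" >&2; return 1; }
  flag=$(ecc_flag "$d")
  echo "installing from $src (key: $(key_algo "$src/$d.key"))"
  mkdir -p "$out"
  # shellcheck disable=SC2086  # $flag is intentionally empty or --ecc
  "$ACME_HOME/acme.sh" --install-cert -d "$d" $flag \
    --cert-file "$out/cert.pem" --key-file "$out/key.pem" \
    --fullchain-file "$out/fullchain.pem" --ca-file "$out/ca.cer" || return 1
  cmp -s "$src/fullchain.cer" "$out/fullchain.pem" || {
    echo "installed fullchain differs from $src/fullchain.cer" >&2
    return 1
  }
}

# usage: sh install-newest.sh run api.subdomain.mydomain.com "$HOME/certificates"
if [ "${1:-}" = "run" ]; then
  install_from_newest "$2" "$3"
fi
```

The mtime rule is deliberately dumb: it answers "which directory did acme.sh write most recently", which is exactly the question the logs show `--install-cert` getting wrong when both directories exist. The `cmp` after the install is the check that would have turned the silent wrong install on host1 into a failed pipeline step.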

upr-kmd commented 1 year ago

Thanks