alxwolf / ubios-cert

Manage SSL / TLS certificates with acme.sh (Let's Encrypt, ZeroSSL) for Ubiquiti UbiOS firmwares
MIT License

DEFAULT_CA settings may need to be specified before renewals #18

Closed tackynugget closed 2 years ago

tackynugget commented 2 years ago

Hi,

2022-05-01 was the last time my UDMPro was able to auto-renew its SSL certificate. I just found that it hasn't been updating my certificate automatically since.

It turns out that even though my /mnt/data/ubios-cert/ubios-cert.env file was configured for DEFAULT_CA="letsencrypt" when /mnt/data/ubios-cert/ubios-cert.sh renew ran, it tried to use ZeroSSL and errored out like this:

Please specify at least one validation method: '--webroot', '--standalone', '--apache', '--nginx' or '--dns' etc

Even if I run /mnt/data/ubios-cert/ubios-cert setdefaultca before running either the renew or forcerenew parameters, it still tries to use ZeroSSL and errors out like this:

Attempting certificate renewal
Removed old logfile
[Wed Aug 17 03:56:17 UTC 2022] Renew: 'domain.tld'
[Wed Aug 17 03:56:25 UTC 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Wed Aug 17 03:56:25 UTC 2022] No EAB credentials found for ZeroSSL, let's get one
[Wed Aug 17 03:56:25 UTC 2022] acme.sh is using ZeroSSL as default CA now.
[Wed Aug 17 03:56:25 UTC 2022] Please update your account with an email address first.
[Wed Aug 17 03:56:25 UTC 2022] acme.sh --register-account -m my@example.com
[Wed Aug 17 03:56:25 UTC 2022] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
[Wed Aug 17 03:56:25 UTC 2022] Please check log file for more details: /acme.sh/acme.sh.log

I was able to re-initialize my cert and isolate the issue to the need to update the defaultCA by running

sh /mnt/data/ubios-cert/ubios-cert.sh setdefaultca
sh /mnt/data/ubios-cert/ubios-cert.sh initial

After this worked, I was able to force a renewal by adding --set-default-ca --server ${DEFAULT_CA} from the setdefaultca) section to the forcerenew) section (sorry, I don't know the right terminology), so line 135 became:

${PODMAN_CMD} --renew ${PODMAN_DOMAINS} --force --dns ${DNS_API_PROVIDER} --keylength 2048 ${PODMAN_LOG} --set-default-ca --server ${DEFAULT_CA} && deploy_cert

I was going to fork this and submit a pull request, but I wasn't sure if this is the most elegant way to fix this or whether there was a deeper root cause that needed to be addressed.

alxwolf commented 2 years ago

Thanks for making the effort to document this.

I've looked into it and here are my thoughts:

My first reaction was to add the --set-default-ca --server ${DEFAULT_CA} to each call of renew or forcerenew. But doing this could lead to a situation where someone who issues multiple certificates (some from LE, others from ZeroSSL) is forcing only one issuer on all certs - that would not work, either, as it would try renewing a ZeroSSL certificate with a fall to LetsEncrypt, for example.

Usually, I'd expect acme.sh to pull the right issuer for an existing certificate from the <certname>/<certname>.conf file, using the Le_API='https://acme-v02.api.letsencrypt.org/directory' variable.

In your case, it seems(!) like the original certificate was issued using ZeroSSL; in that case "defaultca" is not applied, but the "initially used" one is being applied.

That's my best guess for now, therefore I suggest to not change anything right now but rather have a look in about 9 weeks if your cert "auto-updates" OK or not.

But, during today's research I noticed that it should be wise to pull the latest image for acme.sh before running it, so I will implement that separately.

tackynugget commented 2 years ago

Thanks.

I didn't know about the <certname>/<certname>.conf file. Interestingly, mine starts with an undocumented e_API variable:

e_API='https://acme-v02.api.letsencrypt.org/directory'
Le_API='https://acme-v02.api.letsencrypt.org/directory'

The /mnt/data/ubios-cert/acme.sh/account.conf also has

DEFAULT_ACME_SERVER='https://acme-v02.api.letsencrypt.org/directory'

I have never used ZeroSSL and there were no references to ZeroSSL in any of the above 3 files.

I'm wondering if an update to acme.sh is causing it to default to ZeroSSL and something is interfering with its ability to fallback to Let's Encrypt.

Your suggestion to wait 9 weeks makes sense. And I can appreciate the caution in not wanting to force the DEFAULT_CA variable from the ubios-cert.env file over a renewal.

alxwolf commented 2 years ago

The "e_API" seems to be some kind of "mistake" with the "L" being cut off... it should be safe to just delete that line.

acme.sh switched to ZeroSSL as default CA in August 2021, anything issued after that date, using acme.sh V3.0, and without having set a default CA, got issued by ZeroSSL. So that may have been the case, in your case, but we'll probably never know as the old certificate will be gone by now.

DEFAULT_ACME_SERVER is set by --set-default-ca, and Le_API is set by either that DEFAULT_ACME_SERVER or a dedicated --server argument, to be chosen from this list.
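A quick check of the relationship described in this thread (added example, not part of ubios-cert or acme.sh): for each certificate under an acme.sh home directory it reads Le_API from <certname>/<certname>.conf, compares it with DEFAULT_ACME_SERVER from account.conf, and flags a truncated e_API line. The directory layout and values below are constructed to mirror the conf files quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from ubios-cert or acme.sh.
# Reports, per certificate, which ACME directory (Le_API) a renewal will
# use, whether that matches the account-wide DEFAULT_ACME_SERVER, and
# whether a stray "e_API" line (the cut-off "Le_API" seen above) exists.

# conf_get FILE KEY: print the single-quoted value of KEY from an acme.sh conf.
conf_get() {
    sed -n "s/^$2='\(.*\)'$/\1/p" "$1" | head -n 1
}

# cert_ca_report ACME_HOME: one line per cert,
# "<name> <Le_API> <match|MISMATCH> <clean|stray_e_API>"
cert_ca_report() {
    home=$1
    default=$(conf_get "$home/account.conf" DEFAULT_ACME_SERVER)
    for dir in "$home"/*/; do
        name=$(basename "$dir")
        conf="$dir$name.conf"
        [ -f "$conf" ] || continue            # skip dirs that are not certs
        api=$(conf_get "$conf" Le_API)
        if [ "$api" = "$default" ]; then state=match; else state=MISMATCH; fi
        if grep -q '^e_API=' "$conf"; then stray=stray_e_API; else stray=clean; fi
        echo "$name $api $state $stray"
    done
}

# Constructed sample acme.sh home (not real data), removed on exit.
demo_home=$(mktemp -d)
trap 'rm -rf "$demo_home"' EXIT
mkdir -p "$demo_home/domain.tld" "$demo_home/other.tld"
cat > "$demo_home/account.conf" <<'EOF'
DEFAULT_ACME_SERVER='https://acme-v02.api.letsencrypt.org/directory'
EOF
cat > "$demo_home/domain.tld/domain.tld.conf" <<'EOF'
e_API='https://acme-v02.api.letsencrypt.org/directory'
Le_API='https://acme-v02.api.letsencrypt.org/directory'
EOF
cat > "$demo_home/other.tld/other.tld.conf" <<'EOF'
Le_API='https://acme.zerossl.com/v2/DV90'
EOF

cert_ca_report "$demo_home"
```

A MISMATCH line is expected and harmless when a cert was deliberately issued by a different CA; the stray_e_API flag is the line the thread suggests deleting.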