It seems like lua-resty-auto-ssl uses an outdated version of dehydrated. This causes issues with proper decoding of JSON responses, which in turn fails the ACME request:
web_1 | 2021/03/17 06:29:52 [error] 19#19: *3 [lua] lets_encrypt.lua:40: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=.... HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain example.com --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
web_1 | startup_hook
web_1 | Processing example.com
web_1 | + Signing domains...
web_1 | + Generating private key...
web_1 | + Generating signing request...
web_1 | + Requesting new certificate order from CA...
web_1 | err: + ERROR: An error occurred while sending post-request to https://ca:9000/acme/acme/new-order (Status 400)
web_1 |
web_1 | Details:
web_1 | HTTP/2 400
web_1 | cache-control: no-store
web_1 | content-type: application/problem+json
web_1 | link: <https://ca:9000/acme/acme/directory>;rel="index"
web_1 | replay-nonce: ...
web_1 | content-length: 186
web_1 | date: Wed, 17 Mar 2021 06:29:52 GMT
web_1 |
web_1 | {"type":"urn:ietf:params:acme:error:malformed","detail":"kid does not have required prefix; expected https://ca:9000/acme/acme/account/, but got https://ca:9000/acme/acme/new-account/"}
web_1 |
web_1 |
web_1 | , context: ssl_certificate_by_lua*, client: 172.20.0.1, server: 0.0.0.0:443
web_1 | 2021/03/17 06:29:52 [error] 19#19: *3 [lua] ssl_certificate.lua:97: issue_cert(): auto-ssl: issuing new certificate failed: dehydrated failure, context: ssl_certificate_by_lua*, client: 172.20.0.1, server: 0.0.0.0:443
web_1 | 2021/03/17 06:29:52 [error] 19#19: *3 [lua] ssl_certificate.lua:291: auto-ssl: could not get certificate for example.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 172.20.0.1, server: 0.0.0.0:443
I traced this to https://github.com/dehydrated-io/dehydrated/issues/689, which pointed me to https://github.com/dehydrated-io/dehydrated/issues/731. Indeed, using a new version of dehydrated by replacing /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated in the container (tested with #0094147) fixes the problem.

I believe dehydrated needs to be updated. WDYT?
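The `malformed` problem document in the log above is the CA rejecting the JWS `kid` header: per RFC 8555 a `kid` must be the account URL the server returned in the `Location` header of the `newAccount` response, and here the client sent the `newAccount` endpoint itself. The following is an added diagnostic example, not code from lua-resty-auto-ssl or dehydrated. It parses the `application/problem+json` body (embedded below as a constructed sample copied from the log), implements the prefix rule the error message states, and classifies the failure so a log line like this one can be triaged without reading the ACME client source. The function names and the classification labels are this example's own.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample: the problem+json body exactly as it appears in the log above.
SAMPLE_PROBLEM = (
    '{"type":"urn:ietf:params:acme:error:malformed",'
    '"detail":"kid does not have required prefix; '
    'expected https://ca:9000/acme/acme/account/, '
    'but got https://ca:9000/acme/acme/new-account/"}'
)


def parse_acme_problem(body: str) -> dict:
    """Parse an RFC 7807 problem document from an ACME server and, for the
    'kid does not have required prefix' error, extract the expected account
    prefix and the kid the client actually sent."""
    problem = json.loads(body)
    result = {"type": problem.get("type"), "detail": problem.get("detail", "")}
    m = re.search(r"expected (\S+), but got (\S+)", result["detail"])
    if m:
        result["expected_prefix"] = m.group(1)
        result["got_kid"] = m.group(2)
    return result


def kid_has_account_prefix(kid: str, account_prefix: str) -> bool:
    """The server-side rule the error describes: a kid must be an account URL,
    i.e. the account prefix followed by a non-empty, single-segment account id."""
    if not kid.startswith(account_prefix):
        return False
    rest = kid[len(account_prefix):]
    return bool(rest) and "/" not in rest


def diagnose(body: str) -> str:
    """Classify an ACME error body for log triage (labels are this example's own)."""
    p = parse_acme_problem(body)
    if p["type"] != "urn:ietf:params:acme:error:malformed" or "got_kid" not in p:
        return "other"
    if kid_has_account_prefix(p["got_kid"], p["expected_prefix"]):
        return "kid-ok"
    # A kid that is the newAccount endpoint means the client signed requests
    # with the registration URL instead of the account URL that RFC 8555 says
    # the server returns in the newAccount Location header.
    path = urlsplit(p["got_kid"]).path.rstrip("/")
    if path.endswith("/new-account"):
        return "client-used-new-account-url-as-kid"
    return "kid-prefix-mismatch"


if __name__ == "__main__":
    print(parse_acme_problem(SAMPLE_PROBLEM))
    print(diagnose(SAMPLE_PROBLEM))
```

Run against the sample body, `diagnose` returns `client-used-new-account-url-as-kid`, which is the signature of an ACME client that never picked up its account URL after registration; a body with any other error type falls through to `other` so the function can be applied to every `problem+json` line in a log without special-casing.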