Certificates issue - Githubissues

glani commented 1 year ago

I tried to issue letsencrypt certificates. I spawned a dedicated temporary instance:

[root@test-sslip-ip tls]# docker run -it --rm --name wildcard \
 -p 53:53/udp                       \
 -p 80:80                           \
 cunnie/wildcard-dns-http-server &
dig +short TXT does.not.matter.example.com @localhost
[3] 293031
"Set this TXT record: curl -X POST http://localhost/update -d  '{\"txt\":\"Certificate Authority validation token\"}'"

[root@test-sslip-ip tls]#  echo $FQDN
128-140-87-116.sslip.io
[root@test-sslip-ip tls]# echo $ACMEDNS_UPDATE_URL
http://localhost/update

But when I run:

docker run --rm -it \
  -v $PWD/tls:/acme.sh \
  -e ACMEDNS_UPDATE_URL \
  --net=host \
  neilpang/acme.sh \
    --issue \
    --debug \
    -d $FQDN \
    -d *.$FQDN \
    --dns dns_acmedns

I got:

[Sun Sep 17 05:48:24 UTC 2023] _is_idn_d='128-140-87-116.sslip.io'
[Sun Sep 17 05:48:24 UTC 2023] _idn_temp
[Sun Sep 17 05:48:24 UTC 2023] _is_idn_d='*.128-140-87-116.sslip.io'
[Sun Sep 17 05:48:24 UTC 2023] _idn_temp
[Sun Sep 17 05:48:24 UTC 2023] Lets find script dir.
[Sun Sep 17 05:48:24 UTC 2023] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sun Sep 17 05:48:24 UTC 2023] _script='/root/.acme.sh/acme.sh'
[Sun Sep 17 05:48:24 UTC 2023] _script_home='/root/.acme.sh'
[Sun Sep 17 05:48:24 UTC 2023] Using default home:/root/.acme.sh
[Sun Sep 17 05:48:24 UTC 2023] Using config home:/acme.sh
[Sun Sep 17 05:48:24 UTC 2023] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.7
[Sun Sep 17 05:48:24 UTC 2023] Running cmd: issue
[Sun Sep 17 05:48:24 UTC 2023] _main_domain='128-140-87-116.sslip.io'
[Sun Sep 17 05:48:24 UTC 2023] _alt_domains='*.128-140-87-116.sslip.io'
[Sun Sep 17 05:48:24 UTC 2023] Using config home:/acme.sh
[Sun Sep 17 05:48:25 UTC 2023] default_acme_server
[Sun Sep 17 05:48:25 UTC 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sun Sep 17 05:48:25 UTC 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Sun Sep 17 05:48:25 UTC 2023] _ACME_SERVER_PATH='v2/DV90'
[Sun Sep 17 05:48:25 UTC 2023] DOMAIN_PATH='/acme.sh/128-140-87-116.sslip.io_ecc'
[Sun Sep 17 05:48:25 UTC 2023] 'dns_acmedns' does not contain 'dns'
[Sun Sep 17 05:48:25 UTC 2023] Using ACME_DIRECTORY: https://acme.zerossl.com/v2/DV90
[Sun Sep 17 05:48:25 UTC 2023] _init api for server: https://acme.zerossl.com/v2/DV90
[Sun Sep 17 05:48:25 UTC 2023] GET
[Sun Sep 17 05:48:25 UTC 2023] url='https://acme.zerossl.com/v2/DV90'
[Sun Sep 17 05:48:25 UTC 2023] timeout=
[Sun Sep 17 05:48:25 UTC 2023] _CURL='curl --silent --dump-header /acme.sh/http.header  -L  --trace-ascii /tmp/tmp.GvlWFGPylL  -g '
[Sun Sep 17 05:48:25 UTC 2023] ret='0'
[Sun Sep 17 05:48:25 UTC 2023] response='{
  "newNonce": "https://acme.zerossl.com/v2/DV90/newNonce",
  "newAccount": "https://acme.zerossl.com/v2/DV90/newAccount",
  "newOrder": "https://acme.zerossl.com/v2/DV90/newOrder",
  "revokeCert": "https://acme.zerossl.com/v2/DV90/revokeCert",
  "keyChange": "https://acme.zerossl.com/v2/DV90/keyChange",
  "meta": {
    "termsOfService": "https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf",
    "website": "https://zerossl.com",
    "caaIdentities": ["sectigo.com", "trust-provider.com", "usertrust.com", "comodoca.com", "comodo.com"],
    "externalAccountRequired": true
  }
}'
[Sun Sep 17 05:48:25 UTC 2023] ACME_KEY_CHANGE='https://acme.zerossl.com/v2/DV90/keyChange'
[Sun Sep 17 05:48:25 UTC 2023] ACME_NEW_AUTHZ
[Sun Sep 17 05:48:25 UTC 2023] ACME_NEW_ORDER='https://acme.zerossl.com/v2/DV90/newOrder'
[Sun Sep 17 05:48:25 UTC 2023] ACME_NEW_ACCOUNT='https://acme.zerossl.com/v2/DV90/newAccount'
[Sun Sep 17 05:48:25 UTC 2023] ACME_REVOKE_CERT='https://acme.zerossl.com/v2/DV90/revokeCert'
[Sun Sep 17 05:48:25 UTC 2023] ACME_AGREEMENT='https://secure.trust-provider.com/repository/docs/Legacy/20230516_Certificate_Subscriber_Agreement_v_2_6_click.pdf'
[Sun Sep 17 05:48:25 UTC 2023] ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce'
[Sun Sep 17 05:48:25 UTC 2023] Using CA: https://acme.zerossl.com/v2/DV90
[Sun Sep 17 05:48:25 UTC 2023] _on_before_issue
[Sun Sep 17 05:48:25 UTC 2023] _chk_main_domain='128-140-87-116.sslip.io'
[Sun Sep 17 05:48:25 UTC 2023] _chk_alt_domains='*.128-140-87-116.sslip.io'
[Sun Sep 17 05:48:25 UTC 2023] 'dns_acmedns' does not contain 'no'
[Sun Sep 17 05:48:25 UTC 2023] Le_LocalAddress
[Sun Sep 17 05:48:25 UTC 2023] d='128-140-87-116.sslip.io'
[Sun Sep 17 05:48:25 UTC 2023] Check for domain='128-140-87-116.sslip.io'
[Sun Sep 17 05:48:25 UTC 2023] _currentRoot='dns_acmedns'
[Sun Sep 17 05:48:25 UTC 2023] d='*.128-140-87-116.sslip.io'
[Sun Sep 17 05:48:25 UTC 2023] Check for domain='*.128-140-87-116.sslip.io'
[Sun Sep 17 05:48:25 UTC 2023] _currentRoot='dns_acmedns'
[Sun Sep 17 05:48:25 UTC 2023] d
[Sun Sep 17 05:48:25 UTC 2023] 'dns_acmedns' does not contain 'apache'
[Sun Sep 17 05:48:25 UTC 2023] config file is empty, can not read CA_KEY_HASH
[Sun Sep 17 05:48:25 UTC 2023] _saved_account_key_hash
[Sun Sep 17 05:48:25 UTC 2023] Using config home:/acme.sh
[Sun Sep 17 05:48:25 UTC 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sun Sep 17 05:48:25 UTC 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Sun Sep 17 05:48:25 UTC 2023] _ACME_SERVER_PATH='v2/DV90'
[Sun Sep 17 05:48:25 UTC 2023] _init api for server: https://acme.zerossl.com/v2/DV90
[Sun Sep 17 05:48:25 UTC 2023] length='ec-256'
[Sun Sep 17 05:48:25 UTC 2023] Using config home:/acme.sh
[Sun Sep 17 05:48:25 UTC 2023] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Sun Sep 17 05:48:25 UTC 2023] _ACME_SERVER_HOST='acme.zerossl.com'
[Sun Sep 17 05:48:25 UTC 2023] _ACME_SERVER_PATH='v2/DV90'
[Sun Sep 17 05:48:26 UTC 2023] _createkey for file:/acme.sh/ca/acme.zerossl.com/v2/DV90/account.key
[Sun Sep 17 05:48:26 UTC 2023] Use length 256
[Sun Sep 17 05:48:26 UTC 2023] Using ec name: prime256v1
[Sun Sep 17 05:48:26 UTC 2023] Create account key ok.
[Sun Sep 17 05:48:26 UTC 2023] EC key
[Sun Sep 17 05:48:26 UTC 2023] config file is empty, can not read CA_EAB_KEY_ID
[Sun Sep 17 05:48:26 UTC 2023] config file is empty, can not read CA_EAB_HMAC_KEY
[Sun Sep 17 05:48:26 UTC 2023] config file is empty, can not read CA_EMAIL
[Sun Sep 17 05:48:26 UTC 2023] No EAB credentials found for ZeroSSL, let's get one
[Sun Sep 17 05:48:26 UTC 2023] acme.sh is using ZeroSSL as default CA now.
[Sun Sep 17 05:48:26 UTC 2023] Please update your account with an email address first.
[Sun Sep 17 05:48:26 UTC 2023] acme.sh --register-account -m my@example.com
[Sun Sep 17 05:48:26 UTC 2023] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
[Sun Sep 17 05:48:26 UTC 2023] _on_issue_err
[Sun Sep 17 05:48:26 UTC 2023] Please add '--debug' or '--log' to check more details.
[Sun Sep 17 05:48:26 UTC 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Sun Sep 17 05:48:26 UTC 2023] _chk_vlist
[Sun Sep 17 05:48:26 UTC 2023] Diagnosis versions:
openssl:openssl
OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.4.4 on 31 Oct 2022 04:42:14
   running on Linux version #1 SMP PREEMPT_DYNAMIC Thu Aug 10 21:06:12 UTC 2023, release 5.14.0-354.el9.x86_64, machine x86_64
features:
  #define WITH_STDIO 1
  #define WITH_FDNUM 1
  #define WITH_FILE 1
  #define WITH_CREAT 1
  #define WITH_GOPEN 1
  #define WITH_TERMIOS 1
  #define WITH_PIPE 1
  #define WITH_UNIX 1
  #define WITH_ABSTRACT_UNIXSOCKET 1
  #define WITH_IP4 1
  #define WITH_IP6 1
  #define WITH_RAWIP 1
  #define WITH_GENERICSOCKET 1
  #define WITH_INTERFACE 1
  #define WITH_TCP 1
  #define WITH_UDP 1
  #define WITH_SCTP 1
  #define WITH_LISTEN 1
  #define WITH_SOCKS4 1
  #define WITH_SOCKS4A 1
  #define WITH_VSOCK 1
  #define WITH_PROXY 1
  #define WITH_SYSTEM 1
  #define WITH_EXEC 1
  #define WITH_READLINE 1
  #define WITH_TUN 1
  #define WITH_PTY 1
  #define WITH_OPENSSL 1
  #undef WITH_FIPS
  #undef WITH_LIBWRAP
  #define WITH_SYCLS 1
  #define WITH_FILAN 1
  #define WITH_RETRY 1
  #define WITH_MSGLEVEL 0 /*debug*/

What can be the issue ? Thank you in advance.

cunnie commented 1 year ago

What can be the issue ?

Hi @glani : I suspect it might be the following lines:

[Sun Sep 17 05:48:26 UTC 2023] Please update your account with an email address first.
[Sun Sep 17 05:48:26 UTC 2023] acme.sh --register-account -m my@example.com
[Sun Sep 17 05:48:26 UTC 2023] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA

It appears that my instructions are stale. If you could submit a pull request to fix the documentation after you figure out how to make it work, I'd be most grateful.

cunnie commented 4 months ago

@glani — I'm closing this ticket because I haven't heard back from you, so I assume everything is going well.

cunnie / sslip.io

Certificates issue #32