debops / ansible-pki

Bootstrap and manage internal PKI, Certificate Authorities and OpenSSL/GnuTLS certificates
GNU General Public License v3.0

Errors during creation of new LetsEncrypt account via acme. #124

Closed Polichronucci closed 6 years ago

Polichronucci commented 6 years ago

This is the actual error:

$ cat /etc/pki/realms/REALM/acme/error.log
Parsing account key...
Parsing CSR...
Found domains: domain.ex
Getting directory...
Directory found!
Registering account...
Traceback (most recent call last):
  File "/usr/local/lib/pki/acme-tiny", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/local/lib/pki/acme-tiny", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/local/lib/pki/acme-tiny", line 111, in get_crt
    account, code, acct_headers = _send_signed_request(directory['newAccount'], reg_payload, "Error registering")
KeyError: 'newAccount'

@egon0 found that this is an issue with the actual tiny-acme code. Telling the debops.pki role to use the tiny-acme version "4ed13950c0" fixes this issue.

pki_acme_tiny_version: '4ed13950c0'

isaiaholoyede commented 6 years ago

I have the same issue. How can I fix this?

drybjed commented 6 years ago

You could remove the installed acme-tiny script and git repository, and set the above variable in the Ansible inventory. The next time you run debops.pki on a host, Ansible will download an older acme-tiny release which should work for now.

drybjed commented 6 years ago

This issue should now be fixed in the DebOps monorepo via https://github.com/debops/debops/pull/250.

isaiaholoyede commented 6 years ago

@drybjed I got a different error after I tried again...

$ cat /etc/pki/realms/realms//acme/error.log

Parsing account key...
Parsing CSR...
Found domains: rccgoha.org, www.rccgoha.org
Getting directory...
Directory found!
Registering account...
Traceback (most recent call last):
  File "/usr/local/lib/pki/acme-tiny", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/local/lib/pki/acme-tiny", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/local/lib/pki/acme-tiny", line 111, in get_crt
    account, code, acct_headers = _send_signed_request(directory['newAccount'], reg_payload, "Error registering")
TypeError: string indices must be integers

drybjed commented 6 years ago

@isaiaho Did you remove the existing PKI realm directory entirely? Can you show the contents of /etc/pki/realms/rccgoha.org/config/realm.conf?

isaiaholoyede commented 6 years ago

@drybjed This is now fixed. I deleted /etc/pki/realms/ and redeployed. Thank you very much.
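
Both tracebacks in this thread fail on the same expression, `directory['newAccount']`, once with a KeyError and once with a TypeError. The following is an added example, not part of the thread and not acme-tiny or DebOps code: it validates a fetched ACME directory body before it is indexed, so either condition is reported as a readable diagnosis. The function name, the sample bodies and the `acme.example` URLs are constructed for illustration; the required field names are those of an RFC 8555 directory object.

```python
import json

# Resource names an ACME v2 (RFC 8555) directory object advertises.
REQUIRED = ("newNonce", "newAccount", "newOrder")

def check_acme_directory(raw):
    """Return (ok, reason) for a raw directory response body (bytes or str)."""
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8", errors="replace")
    try:
        directory = json.loads(raw)
    except ValueError as exc:
        return False, "directory response is not JSON: %s" % exc
    # Indexing a str by key is what raises
    # "TypeError: string indices must be integers".
    if not isinstance(directory, dict):
        return False, "directory is a %s, expected a JSON object" % type(directory).__name__
    missing = [k for k in REQUIRED if k not in directory]
    if missing:
        # A missing key is what surfaces as "KeyError: 'newAccount'".
        return False, "directory lacks %s; it offers: %s" % (
            ", ".join(missing), ", ".join(sorted(directory)) or "nothing")
    bad = [k for k in REQUIRED
           if not (isinstance(directory[k], str) and directory[k].startswith("https://"))]
    if bad:
        return False, "non-HTTPS or non-string URL for: %s" % ", ".join(bad)
    return True, "directory looks like ACME v2"

# Constructed sample bodies (not captured from any real CA).
SAMPLES = {
    "v2": '{"newNonce": "https://acme.example/nonce",'
          ' "newAccount": "https://acme.example/acct",'
          ' "newOrder": "https://acme.example/order"}',
    "other_layout": '{"new-reg": "https://acme.example/new-reg",'
                    ' "new-authz": "https://acme.example/new-authz"}',
    "string": '"https://acme.example/directory"',
    "html": "<html>502 Bad Gateway</html>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, check_acme_directory(body))
```
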