do-know / Crypt-LE

Crypt::LE - Let's Encrypt / Buypass / ZeroSSL and other ACME-servers client and library in Perl for obtaining free SSL certificates (inc. generating RSA/ECC keys and CSRs). HTTP/DNS verification is supported out of the box, EAB (External Account Binding) supported, easily extended with plugins, easily dockerized.
https://Do-Know.com
Artistic License 2.0

Failed to receive the challenge. Invalid nonce (Custom server) #53

Closed oregano87 closed 4 years ago

oregano87 commented 4 years ago

I am trying to use Crypt-LE with my on-prem CA, but it does not work, as you can see in the attached log. Crypt-LE is running on Windows 2016 with Strawberry Perl 5.30.1.1.

C:\tmp>le.bat -server "https://pgwy.company.test/acme" --key account.key --email "admin-lecrypt@company.test" --csr domain.csr --csr-key domain.key --crt domain.crt --domains  "win.company.test" --generate-missing --log-config logfile.conf --debug
2020/03/18 10:03:31 [INFO] [ ZeroSSL Crypt::LE client v0.35 started. ]
2020/03/18 10:03:31 [INFO] Custom server URL 'https://pgwy.company.test/acme' is used.
2020/03/18 10:03:31 [INFO] Generating a new account key
2020/03/18 10:03:34 [DEBUG] Account key generated.
2020/03/18 10:03:34 [INFO] Saving generated account key into account.key
2020/03/18 10:03:34 [INFO] Generating a new CSR for domains win.company.test
2020/03/18 10:03:34 [INFO] New CSR will be based on a generated key
2020/03/18 10:03:35 [DEBUG] CSR generated.
2020/03/18 10:03:35 [INFO] Saving a new CSR into domain.csr
2020/03/18 10:03:35 [INFO] Saving a new CSR key into domain.key
2020/03/18 10:03:35 [DEBUG] Account email has been set to 'admin-lecrypt@company.test'
2020/03/18 10:03:35 [DEBUG] API version is set to 2.
2020/03/18 10:03:35 [DEBUG] Directory loaded successfully.
2020/03/18 10:03:35 [INFO] Registering the account key
Use of uninitialized value in concatenation (.) or string at C:/acme-clients/strawberry-perl-5.30.1.1-64bit-portable/perl/site/lib/Crypt/LE.pm line 763.
2020/03/18 10:03:35 [DEBUG] New key is now registered, reg path: https://pgwy.company.test/acme/directory/account/H0k7HAXolCN3vQzmhL0anw. You need to accept TOS at
Use of uninitialized value in concatenation (.) or string at C:/acme-clients/strawberry-perl-5.30.1.1-64bit-portable/perl/site/lib/Crypt/LE.pm line 777.
2020/03/18 10:03:35 [DEBUG] Registration success: TOS change status - , new registration flag - 1.
2020/03/18 10:03:35 [INFO] The key has been successfully registered. ID: unknown
2020/03/18 10:03:35 [DEBUG] TOS has NOT been changed, no need to accept again.
2020/03/18 10:03:36 [DEBUG] Could not finalize an order.
2020/03/18 10:03:36 [DEBUG] Requesting challenge.
2020/03/18 10:03:36 [DEBUG] Failed to receive the challenge. Invalid nonce
2020/03/18 10:03:36 [ERROR] Failed to receive the challenge. Invalid nonce
do-know commented 4 years ago

This is interesting. I can see one issue that certainly needs to be fixed (pulling an account ID, which is not numerical in this case). To better understand what is happening with the nonce, could you tell me what kind of server you are running the client against? I suspect what might be happening there is that the server does not support the "shortcut" to try and immediately finalize an order based on the previously cached validation (that works for LE). If you could provide the log showing the responses received, which can be done if you use the debug option twice (--debug --debug), that would help, I believe. Thanks.

oregano87 commented 4 years ago

The client is running against the CA of Nexus.

Here is the more detailed output:

C:\tmp>le.bat -server "https://pgwy.company.test/acme" --key account.key --email "admin-lecrypt@company.test" --csr domain.csr --csr-key domain.key --crt domain.crt --domains  "win.company.test" --generate-missing --log-config logfile.conf --debug --debug
2020/03/18 14:55:32 [INFO] [ ZeroSSL Crypt::LE client v0.35 started. ]
2020/03/18 14:55:32 [INFO] Custom server URL 'https://pgwy.company.test/acme' is used.
2020/03/18 14:55:32 [INFO] Generating a new account key
2020/03/18 14:55:32 [DEBUG] Account key generated.
2020/03/18 14:55:32 [INFO] Saving generated account key into account.key
2020/03/18 14:55:32 [INFO] Generating a new CSR for domains win.company.test
2020/03/18 14:55:32 [INFO] New CSR will be based on a generated key
2020/03/18 14:55:32 [DEBUG] CSR generated.
2020/03/18 14:55:32 [INFO] Saving a new CSR into domain.csr
2020/03/18 14:55:32 [INFO] Saving a new CSR key into domain.key
2020/03/18 14:55:32 [DEBUG] Account email has been set to 'admin-lecrypt@company.test'
2020/03/18 14:55:34 [DEBUG] $VAR1 = {
          'status' => '200',
          'reason' => 'OK',
          'url' => 'https://pgwy.company.test/acme/directory',
          'protocol' => 'HTTP/1.1',
          'content' => '{"newNonce":"https://pgwy.company.test/acme/directory/new-nonce","newAccount":"https://pgwy.company.test/acme/directory/new-account","newOrder":"https://pgwy.company.test/acme/directory/new-order","revokeCert":"https://pgwy.company.test/acme/directory/revoke-cert","keyChange":"https://pgwy.company.test/acme/directory/key-change","meta":{"externalAccountRequired":false}}',
          'success' => 1,
          'headers' => {
                         'server' => 'Apache-Coyote/1.1',
                         'content-type' => 'application/json',
                         'date' => 'Wed, 18 Mar 2020 13:55:34 GMT',
                         'content-length' => '347',
                         'link' => '<https://pgwy.company.test/acme/directory>;rel="index"',
                         'replay-nonce' => 'RFVtselPMqnAI8ppSvSDhQ'
                       }
        };
2020/03/18 14:55:34 [DEBUG] API version is set to 2.
2020/03/18 14:55:34 [DEBUG] Directory loaded successfully.
2020/03/18 14:55:34 [INFO] Registering the account key
2020/03/18 14:55:35 [DEBUG] $VAR1 = {
          'headers' => {
                         'content-length' => '72',
                         'location' => 'https://pgwy.company.test/acme/directory/account/RDBuv60f6V529GlF9OHiNw',
                         'replay-nonce' => 'Zy103iOb-mM6sKsF-WPlMQ',
                         'link' => '<https://pgwy.company.test/acme/directory>;rel="index"',
                         'server' => 'Apache-Coyote/1.1',
                         'content-type' => 'application/json',
                         'date' => 'Wed, 18 Mar 2020 13:55:35 GMT'
                       },
          'success' => 1,
          'content' => '{"status":"valid","orders":"https://pgwy.company.test/acme/directory/orders"}',
          'url' => 'https://pgwy.company.test/acme/directory/new-account',
          'protocol' => 'HTTP/1.1',
          'reason' => 'Created',
          'status' => '201'
        };
Use of uninitialized value in concatenation (.) or string at C:/acme-clients/strawberry-perl-5.30.1.1-64bit-portable/perl/site/lib/Crypt/LE.pm line 763.
2020/03/18 14:55:35 [DEBUG] New key is now registered, reg path: https://pgwy.company.test/acme/directory/account/RDBuv60f6V529GlF9OHiNw. You need to accept TOS at
Use of uninitialized value in concatenation (.) or string at C:/acme-clients/strawberry-perl-5.30.1.1-64bit-portable/perl/site/lib/Crypt/LE.pm line 777.
2020/03/18 14:55:35 [DEBUG] Registration success: TOS change status - , new registration flag - 1.
2020/03/18 14:55:35 [INFO] The key has been successfully registered. ID: unknown
2020/03/18 14:55:35 [DEBUG] TOS has NOT been changed, no need to accept again.
2020/03/18 14:55:35 [DEBUG] $VAR1 = {
          'content' => '{"status":"pending","expires":"2020-03-18T14:05:35.569444800Z","identifiers":[{"type":"dns","value":"win.company.test"}],"authorizations":["https://pgwy.company.test/acme/directory/orders/PeItssZXuU2zhDLFxGXAUw/authz/BoYOQUbXaypz_TZkFjLSrA"],"finalize":"https://pgwy.company.test/acme/directory/orders/PeItssZXuU2zhDLFxGXAUw/finalize"}',
          'status' => '201',
          'reason' => 'Created',
          'protocol' => 'HTTP/1.1',
          'url' => 'https://pgwy.company.test/acme/directory/new-order',
          'headers' => {
                         'replay-nonce' => 'lr60OQwXFIaKx8URMMj93Q',
                         'location' => 'https://pgwy.company.test/acme/directory/orders/PeItssZXuU2zhDLFxGXAUw',
                         'link' => '<https://pgwy.company.test/acme/directory>;rel="index"',
                         'content-length' => '320',
                         'date' => 'Wed, 18 Mar 2020 13:55:35 GMT',
                         'server' => 'Apache-Coyote/1.1',
                         'content-type' => 'application/json'
                       },
          'success' => 1
        };
2020/03/18 14:55:36 [DEBUG] $VAR1 = {
          'protocol' => 'HTTP/1.1',
          'url' => 'https://pgwy.company.test/acme/directory/orders/PeItssZXuU2zhDLFxGXAUw/finalize',
          'reason' => 'Forbidden',
          'status' => '403',
          'content' => '{"type":"urn:ietf:params:acme:error:orderNotReady","detail":"Order is in unexpected state: PENDING"}',
          'success' => '',
          'headers' => {
                         'link' => '<https://pgwy.company.test/acme/directory>;rel="index"',
                         'content-length' => '100',
                         'date' => 'Wed, 18 Mar 2020 13:55:35 GMT',
                         'content-type' => 'application/problem+json',
                         'server' => 'Apache-Coyote/1.1'
                       }
        };
2020/03/18 14:55:36 [DEBUG] Could not finalize an order.
2020/03/18 14:55:36 [DEBUG] Requesting challenge.
2020/03/18 14:55:36 [DEBUG] $VAR1 = {
          'success' => '',
          'headers' => {
                         'link' => '<https://pgwy.company.test/acme/directory>;rel="index"',
                         'content-length' => '71',
                         'date' => 'Wed, 18 Mar 2020 13:55:35 GMT',
                         'content-type' => 'application/problem+json',
                         'server' => 'Apache-Coyote/1.1'
                       },
          'protocol' => 'HTTP/1.1',
          'url' => 'https://pgwy.company.test/acme/directory/orders/PeItssZXuU2zhDLFxGXAUw/authz/BoYOQUbXaypz_TZkFjLSrA',
          'reason' => 'Unauthorized',
          'status' => '401',
          'content' => '{"type":"urn:ietf:params:acme:error:badNonce","detail":"Invalid nonce"}'
        };
2020/03/18 14:55:36 [DEBUG] Failed to receive the challenge. Invalid nonce
2020/03/18 14:55:36 [ERROR] Failed to receive the challenge. Invalid nonce
do-know commented 4 years ago

I have disabled the LE specific shortcut and fixed the issue with pulling the id in beta version - https://github.com/do-know/Crypt-LE/tree/v36_beta

Could you check if it works for you? You just need to put le.pl and LE.pm on top of your currently installed ones.

oregano87 commented 4 years ago

Not working, sorry. Now: Challenge for domain crypt-le-acme.company.test does not contain required fields.

I think the issue in this case is in the Nexus CA. I have the same trouble with another ACME client. --> https://github.com/rmbolger/Posh-ACME/issues/227

The problem is that status is a required field for challenge objects. But certbot is working even without this field, and in a special draft version of RFC 8555 this field was marked as optional. I already have the commitment of Nexus that they will fix it.

But until I get a new release of Nexus, I cannot continue testing the client here.

2020/03/23 16:54:40 [INFO] [ ZeroSSL Crypt::LE client v0.36 started. ]
2020/03/23 16:54:40 [INFO] Custom server URL 'https://pgwy.company.test/acme' is used.
2020/03/23 16:54:40 [INFO] Loading an account key from C:\tmp\account.key
2020/03/23 16:54:40 [DEBUG] Account key loaded.
2020/03/23 16:54:40 [INFO] Loading a CSR from C:\tmp\domain.csr
2020/03/23 16:54:40 [DEBUG] Loaded domain names from CSR: crypt-le-acme.company.test
2020/03/23 16:54:40 [DEBUG] CSR loaded.
2020/03/23 16:54:40 [DEBUG] CSR key loaded
2020/03/23 16:54:40 [DEBUG] Account email has been set to 'cryptle@company.test'
2020/03/23 16:54:41 [DEBUG] $VAR1 = {
          'url' => 'https://pgwy.company.test/acme/directory',
          'success' => 1,
          'protocol' => 'HTTP/1.1',
          'status' => '200',
          'headers' => {
                         'server' => 'Apache-Coyote/1.1',
                         'content-type' => 'application/json',
                         'link' => '<https://pgwy.company.test/acme/directory>;rel="index"',
                         'replay-nonce' => 'JbXXKnjASSdmFrTuhRG5Qg',
                         'content-length' => '347',
                         'date' => 'Mon, 23 Mar 2020 15:54:41 GMT'
                       },
          'reason' => 'OK',
          'content' => '{"newNonce":"https://pgwy.company.test/acme/directory/new-nonce","newAccount":"https://pgwy.company.test/acme/directory/new-account","newOrder":"https://pgwy.company.test/acme/directory/new-order","revokeCert":"https://pgwy.company.test/acme/directory/revoke-cert","keyChange":"https://pgwy.company.test/acme/directory/key-change","meta":{"externalAccountRequired":false}}'
        };
2020/03/23 16:54:41 [DEBUG] API version is set to 2.
2020/03/23 16:54:41 [DEBUG] Directory loaded successfully.
2020/03/23 16:54:41 [INFO] Registering the account key
2020/03/23 16:54:41 [DEBUG] $VAR1 = {
          'protocol' => 'HTTP/1.1',
          'success' => 1,
          'url' => 'https://pgwy.company.test/acme/directory/new-account',
          'content' => '{"status":"valid","orders":"https://pgwy.company.test/acme/directory/orders"}',
          'reason' => 'OK',
          'status' => '200',
          'headers' => {
                         'date' => 'Mon, 23 Mar 2020 15:54:41 GMT',
                         'content-length' => '72',
                         'replay-nonce' => 'D2AQNWQIT2rljQct6ZuA-g',
                         'location' => 'https://pgwy.company.test/acme/directory/account/mUcyowpZhbXmz3SOk4Y-zA',
                         'link' => '<https://pgwy.company.test/acme/directory>;rel="index"',
                         'content-type' => 'application/json',
                         'server' => 'Apache-Coyote/1.1'
                       }
        };
2020/03/23 16:54:41 [DEBUG] Key is already registered, reg path: https://pgwy.company.test/acme/directory/account/mUcyowpZhbXmz3SOk4Y-zA.
2020/03/23 16:54:41 [DEBUG] $VAR1 = {
          'success' => 1,
          'url' => 'https://pgwy.company.test/acme/directory/account/mUcyowpZhbXmz3SOk4Y-zA',
          'protocol' => 'HTTP/1.1',
          'reason' => 'OK',
          'status' => '200',
          'headers' => {
                         'date' => 'Mon, 23 Mar 2020 15:54:41 GMT',
                         'content-length' => '72',
                         'content-type' => 'application/json',
                         'link' => '<https://pgwy.company.test/acme/directory>;rel="index"',
                         'server' => 'Apache-Coyote/1.1',
                         'replay-nonce' => 'otqvpAwWOVerQm5ezRglTg',
                         'location' => 'https://pgwy.company.test/acme/directory/account/mUcyowpZhbXmz3SOk4Y-zA'
                       },
          'content' => '{"status":"valid","orders":"https://pgwy.company.test/acme/directory/orders"}'
        };
2020/03/23 16:54:41 [DEBUG] Registration success: TOS change status - 0, new registration flag - 0.
2020/03/23 16:54:41 [INFO] The key is already registered. ID: unknown
2020/03/23 16:54:41 [DEBUG] TOS has NOT been changed, no need to accept again.
2020/03/23 16:54:41 [DEBUG] $VAR1 = {
          'reason' => 'Created',
          'headers' => {
                         'content-length' => '330',
                         'date' => 'Mon, 23 Mar 2020 15:54:41 GMT',
                         'location' => 'https://pgwy.company.test/acme/directory/orders/Nzypy9BCwUm-gR0trmGR8Q',
                         'replay-nonce' => 'Fr2ImOL4rjr4vwRlHbS50g',
                         'server' => 'Apache-Coyote/1.1',
                         'link' => '<https://pgwy.company.test/acme/directory>;rel="index"',
                         'content-type' => 'application/json'
                       },
          'status' => '201',
          'content' => '{"status":"pending","expires":"2020-03-23T16:04:41.498636100Z","identifiers":[{"type":"dns","value":"crypt-le-acme.company.test"}],"authorizations":["https://pgwy.company.test/acme/directory/orders/Nzypy9BCwUm-gR0trmGR8Q/authz/FLC5UxVfhjYBARahL7CtDw"],"finalize":"https://pgwy.company.test/acme/directory/orders/Nzypy9BCwUm-gR0trmGR8Q/finalize"}',
          'success' => 1,
          'url' => 'https://pgwy.company.test/acme/directory/new-order',
          'protocol' => 'HTTP/1.1'
        };
2020/03/23 16:54:41 [DEBUG] Requesting challenge.
2020/03/23 16:54:41 [DEBUG] $VAR1 = {
          'reason' => 'OK',
          'status' => '200',
          'headers' => {
                         'content-length' => '462',
                         'date' => 'Mon, 23 Mar 2020 15:54:41 GMT',
                         'replay-nonce' => 'vpdaNEWsI9doQ44HhXmxDQ',
                         'server' => 'Apache-Coyote/1.1',
                         'link' => '<https://pgwy.company.test/acme/directory>;rel="index"',
                         'content-type' => 'application/json'
                       },
          'content' => '{"status":"pending","expires":"2020-03-23T16:04:41.498636100Z","identifier":{"type":"dns","value":"crypt-le-acme.company.test"},"challenges":[{"type":"dns-01","url":"https://pgwy.company.test/acme/directory/orders/Nzypy9BCwUm-gR0trmGR8Q/authz/FLC5UxVfhjYBARahL7CtDw/dns-01","token":"33ryTGMXAlCkSTU_vexN5g"},{"type":"http-01","url":"https://pgwy.company.test/acme/directory/orders/Nzypy9BCwUm-gR0trmGR8Q/authz/FLC5UxVfhjYBARahL7CtDw/http-01","token":"33ryTGMXAlCkSTU_vexN5g"}]}',
          'success' => 1,
          'url' => 'https://pgwy.company.test/acme/directory/orders/Nzypy9BCwUm-gR0trmGR8Q/authz/FLC5UxVfhjYBARahL7CtDw',
          'protocol' => 'HTTP/1.1'
        };
2020/03/23 16:54:41 [DEBUG] Challenge for domain crypt-le-acme.company.test does not contain required fields.
2020/03/23 16:54:41 [DEBUG] Challenge for domain crypt-le-acme.company.test does not contain required fields.
2020/03/23 16:54:41 [DEBUG] Received no valid challenges for crypt-le-acme.company.test.
2020/03/23 16:54:41 [DEBUG] All domains failed
crypt-le-acme.company.test: No valid challenges
2020/03/23 16:54:41 [ERROR] All domains failed
crypt-le-acme.company.test: No valid challenges
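Two protocol details stand out in the logs above: the 403 orderNotReady reply carries no replay-nonce header (RFC 8555 only says the server SHOULD include one in error responses), and the Nexus challenge objects omit "status". The block below is an added illustration of how a client can cope with both, written for this thread and not taken from Crypt::LE; the authorization body is constructed from the third log, and the newNonce fetcher is a stand-in for a real HEAD request.

```python
import json

# RFC 8555 section 8 gives http-01/dns-01 challenge objects "type", "url", "status"
# and "token"; the Nexus authorization in the log above omits "status".
REQUIRED = ("type", "url", "token")
# Constructed from the authorization body in the third log, not captured live.
AUTHZ_URL = ("https://pgwy.company.test/acme/directory/orders/"
             "Nzypy9BCwUm-gR0trmGR8Q/authz/FLC5UxVfhjYBARahL7CtDw")
NEXUS_AUTHZ = json.dumps({"status": "pending",
    "identifier": {"type": "dns", "value": "crypt-le-acme.company.test"},
    "challenges": [{"type": t, "url": f"{AUTHZ_URL}/{t}", "token": "33ryTGMXAlCkSTU_vexN5g"}
                   for t in ("dns-01", "http-01")]})

def missing_fields(challenge, require_status=True):
    """Members a challenge object lacks; an empty list means well-formed."""
    missing = [f for f in REQUIRED if not challenge.get(f)]
    if require_status and "status" not in challenge:
        missing.append("status")
    return missing

def usable_challenge_types(authz_json, require_status=True):
    """Types of the challenges a client may act on, in server order."""
    return [c["type"] for c in json.loads(authz_json).get("challenges", [])
            if not missing_fields(c, require_status)]

class NonceTracker:
    """Tracks Replay-Nonce across every reply, error replies included: the 403
    orderNotReady reply in the log carries no replay-nonce header, so a client
    that harvests nonces only from successful replies re-sends a spent one."""
    def __init__(self, fetch_new_nonce):
        self._nonce = None
        self._fetch = fetch_new_nonce  # e.g. HEAD against the directory's newNonce URL
        self.refetches = 0
    def absorb(self, headers):
        """Record the nonce from a reply; returns it, or None if the reply had none."""
        nonce = {k.lower(): v for k, v in headers.items()}.get("replay-nonce")
        if nonce:
            self._nonce = nonce
        return nonce
    def take(self):
        """Nonce for the next POST; each one is handed out exactly once."""
        if self._nonce is None:
            self.refetches += 1
            self._nonce = self._fetch()
        nonce, self._nonce = self._nonce, None
        return nonce

def replay_log_sequence():
    """new-order reply -> finalize POST -> 403 without nonce -> next POST."""
    tracker = NonceTracker(lambda: "FRESH-NONCE-FROM-new-nonce")  # constructed value
    tracker.absorb({"replay-nonce": "lr60OQwXFIaKx8URMMj93Q"})   # new-order reply
    first = tracker.take()                                        # spent on finalize
    tracker.absorb({"content-type": "application/problem+json"})  # 403 reply: no nonce
    second = tracker.take()                                       # fresh one, not `first`
    return first, second, tracker.refetches
```

With `require_status=True` the Nexus authorization yields no usable challenge, which is the "does not contain required fields" outcome; relaxing it admits both challenges, which is the certbot behaviour described above.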
do-know commented 4 years ago

Could you give it another go with v36b? I've been adding some changes recently and Nexus CM behaviour might now be covered as part of those. https://raw.githubusercontent.com/do-know/Crypt-LE/v36_beta/lib/Crypt/LE.pm

do-know commented 4 years ago

Presumably this has been solved (and it works in my tests), so closing.