j-c-m / ubnt-letsencrypt

Let's Encrypt setup instructions for Ubiquiti EdgeRouter

Router firmware update breaks cert setup #46

Closed sonnyb9 closed 2 years ago

sonnyb9 commented 2 years ago

How does one restore the working setup after a firmware upgrade? I installed EdgeRouter X v2.0.9-hotfix.4. Afterwards I began getting browser 404 errors when accessing the FQDN. The GUI is still accessible with the local IP, after the inevitable browser cert error complaining the cert was issued for the FQDN, not the IP.

sonnyb9 commented 2 years ago

Here's my debug output (substituted my.fqdn for the real domain and xxxx out anything that looked sensitive):

```
sudo /config/scripts/renew.acme.sh -d my.fqdn --debug
[Wed Jul 20 10:55:04 EDT 2022] Stopping GUI service.
[Wed Jul 20 10:55:05 EDT 2022] Starting temporary ACME challenge service.
[Wed Jul 20 10:55:05 EDT 2022] Selected server: https://acme-v02.api.letsencrypt.org/directory
[Wed Jul 20 10:55:05 EDT 2022] Lets find script dir.
[Wed Jul 20 10:55:05 EDT 2022] SCRIPT='/config/.acme.sh/acme.sh'
[Wed Jul 20 10:55:05 EDT 2022] _script='/config/.acme.sh/acme.sh'
[Wed Jul 20 10:55:05 EDT 2022] _script_home='/config/.acme.sh'
[Wed Jul 20 10:55:05 EDT 2022] Using config home:/config/.acme.sh
https://github.com/acmesh-official/acme.sh
v3.0.5
[Wed Jul 20 10:55:05 EDT 2022] Using server: https://acme-v02.api.letsencrypt.org/directory
[Wed Jul 20 10:55:05 EDT 2022] Running cmd: issue
[Wed Jul 20 10:55:05 EDT 2022] _main_domain='my.fqdn'
[Wed Jul 20 10:55:05 EDT 2022] _alt_domains='no'
[Wed Jul 20 10:55:05 EDT 2022] Using config home:/config/.acme.sh
[Wed Jul 20 10:55:05 EDT 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed Jul 20 10:55:05 EDT 2022] DOMAIN_PATH='/config/.acme.sh/my.fqdn'
[Wed Jul 20 10:55:05 EDT 2022] Le_NextRenewTime='1653019214'
[Wed Jul 20 10:55:05 EDT 2022] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Wed Jul 20 10:55:05 EDT 2022] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Wed Jul 20 10:55:05 EDT 2022] GET
[Wed Jul 20 10:55:05 EDT 2022] url='https://acme-v02.api.letsencrypt.org/directory'
[Wed Jul 20 10:55:05 EDT 2022] timeout=
[Wed Jul 20 10:55:05 EDT 2022] _CURL='curl --silent --dump-header /config/.acme.sh/http.header -L -g '
[Wed Jul 20 10:55:06 EDT 2022] ret='0'
[Wed Jul 20 10:55:06 EDT 2022] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Wed Jul 20 10:55:06 EDT 2022] ACME_NEW_AUTHZ
[Wed Jul 20 10:55:06 EDT 2022] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Jul 20 10:55:06 EDT 2022] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Wed Jul 20 10:55:06 EDT 2022] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Wed Jul 20 10:55:06 EDT 2022] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Wed Jul 20 10:55:06 EDT 2022] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Jul 20 10:55:07 EDT 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Wed Jul 20 10:55:07 EDT 2022] _on_before_issue
[Wed Jul 20 10:55:07 EDT 2022] _chk_main_domain='my.fqdn'
[Wed Jul 20 10:55:07 EDT 2022] _chk_alt_domains
[Wed Jul 20 10:55:07 EDT 2022] Le_LocalAddress
[Wed Jul 20 10:55:07 EDT 2022] d='my.fqdn'
[Wed Jul 20 10:55:07 EDT 2022] Check for domain='my.fqdn'
[Wed Jul 20 10:55:07 EDT 2022] _currentRoot='/config/.acme.sh/webroot'
[Wed Jul 20 10:55:07 EDT 2022] d
[Wed Jul 20 10:55:07 EDT 2022] _saved_account_key_hash is not changed, skip register account.
[Wed Jul 20 10:55:07 EDT 2022] Read key length:2048
[Wed Jul 20 10:55:07 EDT 2022] _createcsr
[Wed Jul 20 10:55:07 EDT 2022] Single domain='my.fqdn'
[Wed Jul 20 10:55:07 EDT 2022] Getting domain auth token for each domain
[Wed Jul 20 10:55:07 EDT 2022] d
[Wed Jul 20 10:55:07 EDT 2022] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Jul 20 10:55:07 EDT 2022] payload='{"identifiers": [{"type":"dns","value":"my.fqdn"}]}'
[Wed Jul 20 10:55:07 EDT 2022] RSA key
[Wed Jul 20 10:55:08 EDT 2022] HEAD
[Wed Jul 20 10:55:08 EDT 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Wed Jul 20 10:55:08 EDT 2022] _CURL='curl --silent --dump-header /config/.acme.sh/http.header -L -g -I '
[Wed Jul 20 10:55:08 EDT 2022] _ret='0'
[Wed Jul 20 10:55:09 EDT 2022] POST
[Wed Jul 20 10:55:09 EDT 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Wed Jul 20 10:55:09 EDT 2022] _CURL='curl --silent --dump-header /config/.acme.sh/http.header -L -g '
[Wed Jul 20 10:55:10 EDT 2022] _ret='0'
[Wed Jul 20 10:55:10 EDT 2022] code='201'
[Wed Jul 20 10:55:10 EDT 2022] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/462127990/108518900746'
[Wed Jul 20 10:55:10 EDT 2022] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/462127990/108518900746'
[Wed Jul 20 10:55:10 EDT 2022] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/132723596516'
[Wed Jul 20 10:55:10 EDT 2022] payload
[Wed Jul 20 10:55:11 EDT 2022] POST
[Wed Jul 20 10:55:11 EDT 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/132723596516'
[Wed Jul 20 10:55:11 EDT 2022] _CURL='curl --silent --dump-header /config/.acme.sh/http.header -L -g '
[Wed Jul 20 10:55:11 EDT 2022] _ret='0'
[Wed Jul 20 10:55:11 EDT 2022] code='200'
[Wed Jul 20 10:55:11 EDT 2022] d='my.fqdn'
[Wed Jul 20 10:55:11 EDT 2022] Getting webroot for domain='my.fqdn'
[Wed Jul 20 10:55:11 EDT 2022] _w='/config/.acme.sh/webroot'
[Wed Jul 20 10:55:11 EDT 2022] _currentRoot='/config/.acme.sh/webroot'
[Wed Jul 20 10:55:12 EDT 2022] entry='"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/132723596516/bTT9Mw","token":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"'
[Wed Jul 20 10:55:12 EDT 2022] token='CzPQBPmKQfn-AqNyOGWHL4MgRJGVNT-oQBKWrebnM9s'
[Wed Jul 20 10:55:12 EDT 2022] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/132723596516/bTT9Mw'
[Wed Jul 20 10:55:12 EDT 2022] keyauthorization='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Wed Jul 20 10:55:12 EDT 2022] dvlist='my.fqdn#xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx#https://acme-v02.api.letsencrypt.org/acme/chall-v3/132723596516/bTT9Mw#http-01#/config/.acme.sh/webroot'
[Wed Jul 20 10:55:12 EDT 2022] d
[Wed Jul 20 10:55:12 EDT 2022] vlist='my.fqdn#CzPQBPmKQfn-AqNyOGWHL4MgRJGVNT-oQBKWrebnM9s.5sIxldPjpBqDVnPkCgahpAeogGhL1WleBtD1T0gMhzM#https://acme-v02.api.letsencrypt.org/acme/chall-v3/132723596516/bTT9Mw#http-01#/config/.acme.sh/webroot,'
[Wed Jul 20 10:55:12 EDT 2022] d='my.fqdn'
[Wed Jul 20 10:55:12 EDT 2022] ok, let's start to verify
[Wed Jul 20 10:55:12 EDT 2022] Verifying: my.fqdn
[Wed Jul 20 10:55:12 EDT 2022] d='my.fqdn'
[Wed Jul 20 10:55:12 EDT 2022] keyauthorization='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Wed Jul 20 10:55:12 EDT 2022] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/132723596516/bTT9Mw'
[Wed Jul 20 10:55:12 EDT 2022] _currentRoot='/config/.acme.sh/webroot'
[Wed Jul 20 10:55:12 EDT 2022] wellknown_path='/config/.acme.sh/webroot/.well-known/acme-challenge'
[Wed Jul 20 10:55:12 EDT 2022] writing token:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx to /config/.acme.sh/webroot/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[Wed Jul 20 10:55:12 EDT 2022] Changing owner/group of .well-known to root:vyattacfg
[Wed Jul 20 10:55:12 EDT 2022] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/132723596516/bTT9Mw'
[Wed Jul 20 10:55:12 EDT 2022] payload='{}'
[Wed Jul 20 10:55:12 EDT 2022] POST
[Wed Jul 20 10:55:12 EDT 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/132723596516/bTT9Mw'
[Wed Jul 20 10:55:12 EDT 2022] _CURL='curl --silent --dump-header /config/.acme.sh/http.header -L -g '
[Wed Jul 20 10:55:13 EDT 2022] _ret='0'
[Wed Jul 20 10:55:13 EDT 2022] code='200'
[Wed Jul 20 10:55:13 EDT 2022] trigger validation code: 200
[Wed Jul 20 10:55:13 EDT 2022] Pending, The CA is processing your order, please just wait. (1/30)
[Wed Jul 20 10:55:13 EDT 2022] sleep 2 secs to verify again
[Wed Jul 20 10:55:16 EDT 2022] checking
[Wed Jul 20 10:55:16 EDT 2022] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/132723596516/bTT9Mw'
[Wed Jul 20 10:55:16 EDT 2022] payload
[Wed Jul 20 10:55:16 EDT 2022] POST
[Wed Jul 20 10:55:16 EDT 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/132723596516/bTT9Mw'
[Wed Jul 20 10:55:16 EDT 2022] _CURL='curl --silent --dump-header /config/.acme.sh/http.header -L -g '
[Wed Jul 20 10:55:17 EDT 2022] _ret='0'
[Wed Jul 20 10:55:17 EDT 2022] code='200'
[Wed Jul 20 10:55:17 EDT 2022] my.fqdn:Verify error:2606:4700:3030::6815:cbb: Invalid response from https://my.fqdn/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: 404
[Wed Jul 20 10:55:17 EDT 2022] Debug: get token url.
[Wed Jul 20 10:55:17 EDT 2022] GET
[Wed Jul 20 10:55:17 EDT 2022] url='http://my.fqdn/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
[Wed Jul 20 10:55:17 EDT 2022] timeout=1
[Wed Jul 20 10:55:17 EDT 2022] _CURL='curl --silent --dump-header /config/.acme.sh/http.header -L -g --connect-timeout 1'
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[Wed Jul 20 10:55:18 EDT 2022] ret='0'
[Wed Jul 20 10:55:18 EDT 2022] Debugging, skip removing: /config/.acme.sh/webroot/.well-known
[Wed Jul 20 10:55:18 EDT 2022] pid
[Wed Jul 20 10:55:18 EDT 2022] No need to restore nginx, skip.
[Wed Jul 20 10:55:18 EDT 2022] _clearupdns
[Wed Jul 20 10:55:18 EDT 2022] dns_entries
[Wed Jul 20 10:55:18 EDT 2022] skip dns.
[Wed Jul 20 10:55:18 EDT 2022] _on_issue_err
[Wed Jul 20 10:55:18 EDT 2022] Please add '--debug' or '--log' to check more details.
[Wed Jul 20 10:55:18 EDT 2022] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Wed Jul 20 10:55:18 EDT 2022] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/132723596516/bTT9Mw'
[Wed Jul 20 10:55:18 EDT 2022] payload='{}'
[Wed Jul 20 10:55:18 EDT 2022] POST
[Wed Jul 20 10:55:18 EDT 2022] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/132723596516/bTT9Mw'
[Wed Jul 20 10:55:18 EDT 2022] _CURL='curl --silent --dump-header /config/.acme.sh/http.header -L -g '
[Wed Jul 20 10:55:19 EDT 2022] _ret='0'
[Wed Jul 20 10:55:19 EDT 2022] code='400'
[Wed Jul 20 10:55:19 EDT 2022] socat doesn't exist.
[Wed Jul 20 10:55:19 EDT 2022] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.0l 10 Sep 2019
apache:
apache doesn't exist.
nginx:
nginx doesn't exist.
socat:
[Wed Jul 20 10:55:19 EDT 2022] Stopping temporary ACME challenge service.
[Wed Jul 20 10:55:20 EDT 2022] Starting GUI service.
```

sonnyb9 commented 2 years ago

I tried --force with the same resulting 404 error seen above.

sonnyb9 commented 2 years ago

I was able to get it to renew by going to my domain registrar Cloudflare and turning off the proxy setting for my.fqdn. I'd really prefer not to expose the real IP. But, at least the cert files are updated to today's date:

```
ls -l /config/ssl/server.pem
-rw-r--r-- 1 root vyattacf 3529 Jul 20 11:33 /config/ssl/server.pem
arnoldo@ER-X:~$ ls -l /config/ssl/ca.pem
-rw-r--r-- 1 root vyattacf 3751 Jul 20 11:33 /config/ssl/ca.pem
```

Unfortunately, I was still getting a 404 when trying to open my.fqdn in a browser. That was cleared by flushing DNS cache.
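A small triage helper, added here as an example and not code from this repository or from anyone in the thread: it reads acme.sh `--debug` output for the `Verify error` line quoted above and reports whether the address the CA validated against belongs to Cloudflare (a Cloudflare-proxied DNS record means Let's Encrypt reached the proxy edge, never the router's temporary challenge service, hence the 404). The Cloudflare prefixes are hard-coded from Cloudflare's published list and are an assumption that is not exhaustive; the sample log line is constructed to match the shape of the one in this issue.

```python
import ipaddress
import re

# Subset of Cloudflare's published ranges (https://www.cloudflare.com/ips/).
# Hard-coded for an offline check; treat the list as illustrative, not complete.
CLOUDFLARE_PREFIXES = [ipaddress.ip_network(p) for p in (
    "2606:4700::/32", "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
)]

# acme.sh --debug prints "<domain>:Verify error:<address the CA reached>: <CA message>"
VERIFY_ERROR = re.compile(
    r"(?P<domain>[^\s:]+):Verify error:(?P<addr>[0-9a-fA-F.:]+): "
    r"Invalid response from (?P<url>\S+): (?P<status>\d{3})"
)


def is_cloudflare(addr):
    """True if addr falls inside one of the listed Cloudflare prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_PREFIXES)


def diagnose(log_text):
    """Return (domain, addr, status, verdict) for every HTTP-01 verify error.

    addr is the host the CA actually connected to: a Cloudflare edge means the
    proxy answered instead of the router; the router itself plus a 404 means
    the webroot/.well-known path is not being served.
    """
    findings = []
    for m in VERIFY_ERROR.finditer(log_text):
        addr, status = m["addr"], int(m["status"])
        if is_cloudflare(addr):
            verdict = "cloudflare-proxy"
        elif status == 404:
            verdict = "webroot-missing"
        else:
            verdict = "other"
        findings.append((m["domain"], addr, status, verdict))
    return findings


# Constructed sample in the shape of the output quoted in this issue (token masked).
SAMPLE_LOG = (
    "[Wed Jul 20 10:55:17 EDT 2022] code='200' "
    "[Wed Jul 20 10:55:17 EDT 2022] my.fqdn:Verify error:2606:4700:3030::6815:cbb: "
    "Invalid response from https://my.fqdn/.well-known/acme-challenge/TOKEN: 404 "
)

if __name__ == "__main__":
    for domain, addr, status, verdict in diagnose(SAMPLE_LOG):
        print(f"{domain}: validator reached {addr}, got {status} -> {verdict}")
```

Run it against a saved `renew.acme.sh --debug` transcript before toggling anything at the registrar; a `cloudflare-proxy` verdict means the fix is at Cloudflare (turn off proxying for the record during issuance, or switch to a DNS-01 challenge), not on the router.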

j-c-m commented 2 years ago

Cloudflare configuration issue, closing.