j-c-m / ubnt-letsencrypt

Let's Encrypt setup instructions for Ubiquiti EdgeRouter

`_ecc` suffix in the certificate leads to failure of reload command #47

Closed shimikano closed 1 year ago

shimikano commented 1 year ago

Hi and thank you for this script!

Plainly following the instructions, I ran into "No such file or directory" errors in the context of the reload cmd, since the certificate files ended up being stored at /config/.acme.sh/subdomain.example.com_ecc (note the _ecc suffix) instead of the expected /config/.acme.sh/subdomain.example.com.

Here's the complete output:

$ sudo /config/scripts/renew.acme.sh -d subdomain.example.com
[...]
[Sun Feb  5 18:53:19 CET 2023] Your cert is in: /config/.acme.sh/subdomain.example.com_ecc/subdomain.example.com.cer
[Sun Feb  5 18:53:19 CET 2023] Your cert key is in: /config/.acme.sh/subdomain.example.com_ecc/subdomain.example.com.key
[Sun Feb  5 18:53:19 CET 2023] The intermediate CA cert is in: /config/.acme.sh/subdomain.example.com_ecc/ca.cer
[Sun Feb  5 18:53:19 CET 2023] And the full chain certs is there: /config/.acme.sh/subdomain.example.com_ecc/fullchain.cer
[Sun Feb  5 18:53:20 CET 2023] Run reload cmd: cat /config/.acme.sh/subdomain.example.com/subdomain.example.com.cer /config/.acme.sh/subdomain.example.com/subdomain.example.com.key > /config/ssl/server.pem; cp /config/.acme.sh/subdomain.example.com/ca.cer /config/ssl/ca.pem
cat: can't open '/config/.acme.sh/subdomain.example.com/subdomain.example.com.cer': No such file or directory
cat: can't open '/config/.acme.sh/subdomain.example.com/subdomain.example.com.key': No such file or directory
cp: can't stat '/config/.acme.sh/subdomain.example.com/ca.cer': No such file or directory
[Sun Feb  5 18:53:20 CET 2023] Reload error for :
[Sun Feb  5 18:53:20 CET 2023] Stopping temporary ACME challenge service.
[Sun Feb  5 18:53:21 CET 2023] Starting GUI service.

I temporarily worked around this by symlinking subdomain.example.com to subdomain.example.com_ecc, but of course, this is not a stable solution.

What would you propose to do?

Thank you.

j-c-m commented 1 year ago

It shouldn't be requesting an ecc certificate by default.

Try updating the acme.sh script

curl -o /config/.acme.sh/acme.sh https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh

Remove the /config/.acme.sh/domain.com and /config/.acme.sh/domain.com_ecc and try again.

This might fix it. I'll look at updating the script, as ecc certs were just recently added to the acme.sh client.

j-c-m commented 1 year ago

It looks like it now defaults to ec-256 (ecc) for new certs. I will need to update the script.

j-c-m commented 1 year ago

https://github.com/acmesh-official/acme.sh/issues/4416

j-c-m commented 1 year ago

For now I have forced RSA-2048 keys, re-run the install to fetch the newest script.

shimikano commented 1 year ago

I can confirm that commit 9689bb6 (using variables in the reload command) solves the issue.

Thank you.
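The failure in this thread is a reload command with a hard-coded directory: acme.sh writes EC certificates to `<domain>_ecc` and RSA certificates to `<domain>`, so a reload step that spells out `/config/.acme.sh/subdomain.example.com/...` breaks as soon as the key type changes. The script below is an added example (not code from j-c-m/ubnt-letsencrypt or from acme.sh) of a reload step that does not depend on that directory name. The `/config/.acme.sh/<domain>` layout, the `_ecc` suffix and the `server.pem` / `ca.pem` targets come from the output above; `CERT_PATH`, `CERT_KEY_PATH` and `CA_CERT_PATH` are the variables acme.sh exports into the environment of its `--reloadcmd`; the function names and the constructed sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from j-c-m/ubnt-letsencrypt or from acme.sh.
# Resolves the issued-certificate directory instead of hard-coding
# /config/.acme.sh/<domain>, so a switch between RSA (<domain>) and EC
# (<domain>_ecc) key types does not break the reload step.

# Print the acme.sh directory that actually holds DOMAIN's cert and key.
# Checks the RSA layout first, then the _ecc layout.  Usage:
#   resolve_cert_dir BASE DOMAIN
resolve_cert_dir() {
    base=$1
    domain=$2
    for d in "$base/$domain" "$base/${domain}_ecc"; do
        if [ -f "$d/$domain.cer" ] && [ -f "$d/$domain.key" ] && [ -f "$d/ca.cer" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    printf 'no certificate directory for %s under %s\n' "$domain" "$base" >&2
    return 1
}

# Write OUTDIR/server.pem (cert + key, the layout the router's reload
# command produces) and OUTDIR/ca.pem (intermediate).  Prefers CERT_PATH /
# CERT_KEY_PATH / CA_CERT_PATH, which acme.sh exports into the environment
# of --reloadcmd; falls back to resolve_cert_dir when run outside acme.sh.
# Usage:
#   install_router_cert BASE DOMAIN OUTDIR
install_router_cert() {
    base=$1
    domain=$2
    out=$3
    if [ -n "$CERT_PATH" ] && [ -n "$CERT_KEY_PATH" ] && [ -n "$CA_CERT_PATH" ]; then
        cer=$CERT_PATH
        key=$CERT_KEY_PATH
        ca=$CA_CERT_PATH
    else
        dir=$(resolve_cert_dir "$base" "$domain") || return 1
        cer=$dir/$domain.cer
        key=$dir/$domain.key
        ca=$dir/ca.cer
    fi
    mkdir -p "$out" || return 1
    # Build server.pem in a temp file and rename it so the service never
    # sees a half-written file; mode 0600 because it holds the private key
    # (assumption: the GUI service reads it as root, as it does on EdgeOS).
    cat "$cer" "$key" > "$out/server.pem.tmp" \
        && chmod 600 "$out/server.pem.tmp" \
        && mv "$out/server.pem.tmp" "$out/server.pem" \
        && cp "$ca" "$out/ca.pem"
}

# Demo on a constructed tree mirroring the failure in this issue: acme.sh
# wrote to <domain>_ecc and nothing exists at <domain>.  The files are
# placeholders, not real PEM material.
demo() {
    t=$(mktemp -d)
    d="$t/acme/subdomain.example.com_ecc"
    mkdir -p "$d"
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n' > "$d/subdomain.example.com.cer"
    printf -- '-----BEGIN EC PRIVATE KEY-----\nconstructed\n-----END EC PRIVATE KEY-----\n' > "$d/subdomain.example.com.key"
    printf -- '-----BEGIN CERTIFICATE-----\nconstructed-ca\n-----END CERTIFICATE-----\n' > "$d/ca.cer"
    install_router_cert "$t/acme" subdomain.example.com "$t/ssl" \
        && printf 'installed from %s\n' "$(resolve_cert_dir "$t/acme" subdomain.example.com)"
    rm -rf "$t"
}

demo
```

Two related points for anyone maintaining such a script: forcing RSA, as the maintainer did, is acme.sh's `--keylength 2048`; and once a certificate lives under `<domain>_ecc`, later acme.sh invocations for that domain (`--renew`, `--installcert`, `--remove`) need the `--ecc` flag, or they will look in the RSA directory and fail in the same way as the reload command above.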