Closed danrossi closed 7 years ago
I have the SOHO firewall config configured ("WAN_IN", "WAN_LOCAL"). Is there a way to do the firewall part manually?
Post full log and commands run.
I customised the acme script to add my email, and customised yours to add the debug flag. This is the output:
admin@ubnt:~$ sudo /config/scripts/renew.acme.sh -d host -i eth2
[Thu Aug 10 03:32:13 AEST 2017] Stopping gui service.
[Thu Aug 10 03:32:14 AEST 2017] Starting temporary acme challenge service.
[Thu Aug 10 03:32:15 AEST 2017] Lets find script dir.
[Thu Aug 10 03:32:15 AEST 2017] _SCRIPT_='/config/.acme.sh/acme.sh'
[Thu Aug 10 03:32:15 AEST 2017] _script='/config/.acme.sh/acme.sh'
[Thu Aug 10 03:32:15 AEST 2017] _script_home='/config/.acme.sh'
[Thu Aug 10 03:32:15 AEST 2017] Using config home:/config/.acme.sh
https://github.com/Neilpang/acme.sh
v2.7.3
[Thu Aug 10 03:32:15 AEST 2017] Using config home:/config/.acme.sh
[Thu Aug 10 03:32:15 AEST 2017] DOMAIN_PATH='/config/.acme.sh/host'
[Thu Aug 10 03:32:15 AEST 2017] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Thu Aug 10 03:32:15 AEST 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Thu Aug 10 03:32:15 AEST 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Thu Aug 10 03:32:15 AEST 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Thu Aug 10 03:32:15 AEST 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Thu Aug 10 03:32:15 AEST 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Thu Aug 10 03:32:15 AEST 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Thu Aug 10 03:32:15 AEST 2017] Le_NextRenewTime
[Thu Aug 10 03:32:16 AEST 2017] _on_before_issue
[Thu Aug 10 03:32:16 AEST 2017] Le_LocalAddress='publicip,'
[Thu Aug 10 03:32:16 AEST 2017] Check for domain='host'
[Thu Aug 10 03:32:16 AEST 2017] _currentRoot='/config/.acme.sh/webroot'
[Thu Aug 10 03:32:16 AEST 2017] _saved_account_key_hash is not changed, skip register account.
[Thu Aug 10 03:32:16 AEST 2017] Read key length:
[Thu Aug 10 03:32:16 AEST 2017] _createcsr
[Thu Aug 10 03:32:16 AEST 2017] Single domain='host'
[Thu Aug 10 03:32:17 AEST 2017] Getting domain auth token for each domain
[Thu Aug 10 03:32:17 AEST 2017] Getting webroot for domain='host'
[Thu Aug 10 03:32:17 AEST 2017] _w='/config/.acme.sh/webroot'
[Thu Aug 10 03:32:17 AEST 2017] _currentRoot='/config/.acme.sh/webroot'
[Thu Aug 10 03:32:17 AEST 2017] Getting new-authz for domain='host'
[Thu Aug 10 03:32:17 AEST 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Thu Aug 10 03:32:17 AEST 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Thu Aug 10 03:32:17 AEST 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Thu Aug 10 03:32:17 AEST 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Thu Aug 10 03:32:17 AEST 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Thu Aug 10 03:32:17 AEST 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Thu Aug 10 03:32:17 AEST 2017] Try new-authz for the 0 time.
[Thu Aug 10 03:32:17 AEST 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Thu Aug 10 03:32:17 AEST 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "host"}}'
[Thu Aug 10 03:32:17 AEST 2017] RSA key
[Thu Aug 10 03:32:18 AEST 2017] GET
[Thu Aug 10 03:32:18 AEST 2017] url='https://acme-v01.api.letsencrypt.org/directory'
[Thu Aug 10 03:32:18 AEST 2017] timeout
[Thu Aug 10 03:32:18 AEST 2017] _CURL='curl -L --silent --dump-header /config/.acme.sh/http.header '
[Thu Aug 10 03:32:18 AEST 2017] ret='0'
[Thu Aug 10 03:32:19 AEST 2017] POST
[Thu Aug 10 03:32:19 AEST 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Thu Aug 10 03:32:19 AEST 2017] _CURL='curl -L --silent --dump-header /config/.acme.sh/http.header '
[Thu Aug 10 03:32:21 AEST 2017] _ret='0'
[Thu Aug 10 03:32:21 AEST 2017] code='201'
[Thu Aug 10 03:32:21 AEST 2017] The new-authz request is ok.
[Thu Aug 10 03:32:21 AEST 2017] entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/hash/1717262100","token":"token"'
[Thu Aug 10 03:32:22 AEST 2017] token='token'
[Thu Aug 10 03:32:22 AEST 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/hash/1717262100'
[Thu Aug 10 03:32:22 AEST 2017] keyauthorization='key'
[Thu Aug 10 03:32:22 AEST 2017] dvlist='host#hash#https://acme-v01.api.letsencrypt.org/acme/challenge/hash/1717262100#http-01#/config/.acme.sh/webroot'
[Thu Aug 10 03:32:22 AEST 2017] vlist='host#hash#https://acme-v01.api.letsencrypt.org/acme/challenge/hash/1717262100#http-01#/config/.acme.sh/webroot,'
[Thu Aug 10 03:32:22 AEST 2017] ok, let's start to verify
[Thu Aug 10 03:32:22 AEST 2017] Verifying:host
[Thu Aug 10 03:32:22 AEST 2017] d='host'
[Thu Aug 10 03:32:22 AEST 2017] keyauthorization='key'
[Thu Aug 10 03:32:22 AEST 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/hashs/1717262100'
[Thu Aug 10 03:32:22 AEST 2017] _currentRoot='/config/.acme.sh/webroot'
[Thu Aug 10 03:32:22 AEST 2017] wellknown_path='/config/.acme.sh/webroot/.well-known/acme-challenge'
[Thu Aug 10 03:32:22 AEST 2017] writing token:token to /config/.acme.sh/webroot/.well-known/acme-challenge/tmUmKCiZHlcdxi40WH3hczbjKlWRdnAfiCl6zTtpBl4
[Thu Aug 10 03:32:22 AEST 2017] Changing owner/group of .well-known to root:root
[Thu Aug 10 03:32:22 AEST 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hash/1717262100'
[Thu Aug 10 03:32:22 AEST 2017] payload='{"resource": "challenge", "keyAuthorization": "token"}'
[Thu Aug 10 03:32:23 AEST 2017] POST
[Thu Aug 10 03:32:23 AEST 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hash/1717262100'
[Thu Aug 10 03:32:23 AEST 2017] _CURL='curl -L --silent --dump-header /config/.acme.sh/http.header '
[Thu Aug 10 03:32:24 AEST 2017] _ret='0'
[Thu Aug 10 03:32:25 AEST 2017] code='202'
[Thu Aug 10 03:32:25 AEST 2017] sleep 2 secs to verify
[Thu Aug 10 03:32:27 AEST 2017] checking
[Thu Aug 10 03:32:27 AEST 2017] GET
[Thu Aug 10 03:32:27 AEST 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hash/1717262100'
[Thu Aug 10 03:32:27 AEST 2017] timeout
[Thu Aug 10 03:32:27 AEST 2017] _CURL='curl -L --silent --dump-header /config/.acme.sh/http.header '
[Thu Aug 10 03:32:28 AEST 2017] ret='0'
[Thu Aug 10 03:32:28 AEST 2017] Pending
[Thu Aug 10 03:32:28 AEST 2017] sleep 2 secs to verify
[Thu Aug 10 03:32:30 AEST 2017] checking
[Thu Aug 10 03:32:30 AEST 2017] GET
[Thu Aug 10 03:32:30 AEST 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hash/1717262100'
[Thu Aug 10 03:32:30 AEST 2017] timeout
[Thu Aug 10 03:32:30 AEST 2017] _CURL='curl -L --silent --dump-header /config/.acme.sh/http.header '
[Thu Aug 10 03:32:30 AEST 2017] ret='0'
[Thu Aug 10 03:32:31 AEST 2017] host:Verify error:Fetching http://host/.well-known/acme-challenge/hash: Timeout
[Thu Aug 10 03:32:31 AEST 2017] Debug: get token url.
[Thu Aug 10 03:32:31 AEST 2017] GET
[Thu Aug 10 03:32:31 AEST 2017] url='http://host/.well-known/acme-challenge/hash'
[Thu Aug 10 03:32:31 AEST 2017] timeout='1'
[Thu Aug 10 03:32:31 AEST 2017] _CURL='curl -L --silent --dump-header /config/.acme.sh/http.header --connect-timeout 1'
[Thu Aug 10 03:32:31 AEST 2017] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7
[Thu Aug 10 03:32:31 AEST 2017] ret='7'
[Thu Aug 10 03:32:31 AEST 2017] Debugging, skip removing: /config/.acme.sh/webroot/.well-known/acme-challenge/hash
[Thu Aug 10 03:32:31 AEST 2017] pid
[Thu Aug 10 03:32:31 AEST 2017] No need to restore nginx, skip.
[Thu Aug 10 03:32:31 AEST 2017] _clearupdns
[Thu Aug 10 03:32:31 AEST 2017] skip dns.
[Thu Aug 10 03:32:31 AEST 2017] _on_issue_err
[Thu Aug 10 03:32:31 AEST 2017] Please add '--debug' or '--log' to check more details.
[Thu Aug 10 03:32:31 AEST 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Thu Aug 10 03:32:31 AEST 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hash/1717262100'
[Thu Aug 10 03:32:31 AEST 2017] payload='{"resource": "challenge", "keyAuthorization": "token"}'
[Thu Aug 10 03:32:32 AEST 2017] POST
[Thu Aug 10 03:32:32 AEST 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hash/1717262100'
[Thu Aug 10 03:32:32 AEST 2017] _CURL='curl -L --silent --dump-header /config/.acme.sh/http.header '
[Thu Aug 10 03:32:33 AEST 2017] _ret='0'
[Thu Aug 10 03:32:34 AEST 2017] code='400'
[Thu Aug 10 03:32:34 AEST 2017] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.1e 11 Feb 2013
apache:
apache doesn't exists.
nginx:
nginx doesn't exists.
nc:
nc: invalid option -- 'h'
BusyBox v1.19.0 (2017-08-03 01:19:05 PDT) multi-call binary.
Usage: nc [-iN] [-wN] [-l] [-p PORT] [-f FILE|IPADDR PORT] [-e PROG]
Open a pipe to IP:PORT or FILE
-e PROG Run PROG after connect
-l Listen mode, for inbound connects
(use -l twice with -e for persistent server)
-p PORT Local port
-w SEC Timeout for connect
-i SEC Delay interval for lines sent
Did you sanitize your actual host to -d host?
Sorry, yes I did. I can email the full log. There are private keys and stuff in there, I think.
???
Need full logs and router config to look further.
Oh sorry, you never asked for that. That is not something that should go on here, I think, especially when it might be exposing my personal Let's Encrypt account details. I can email them when I have another try. I just upgraded to the Gen 2 ERL3.
Just let me know how to do that. Sorry about that.
(nearly 4 years later, sorry)
Did you ever figure out the Firewall issue?
There was never enough information on this issue to determine anything. The firewall and web challenge have significantly changed since this issue was filed; I would expect everything to work fine.
The script gets as far as this. I also had to edit the acme script to include my email address.
[Wed Aug 9 18:49:18 AEST 2017] host:Verify error:Fetching http://host/.well-known/acme-challenge/S9_83SABeIYOQaHZ6xHo4L3BGkfoMgcLffgjm_Cc22o: Timeout
[Wed Aug 9 18:49:18 AEST 2017] Debug: get token url.
[Wed Aug 9 18:49:18 AEST 2017] GET
[Wed Aug 9 18:49:18 AEST 2017] url='http://host/.well-known/acme-challenge/S9_83SABeIYOQaHZ6xHo4L3BGkfoMgcLffgjm_Cc22o'
[Wed Aug 9 18:49:18 AEST 2017] timeout='1'
[Wed Aug 9 18:49:18 AEST 2017] _CURL='curl -L --silent --dump-header /config/.acme.sh/http.header --connect-timeout 1'
[Wed Aug 9 18:49:18 AEST 2017] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7
[Wed Aug 9 18:49:18 AEST 2017] ret='7'
[Wed Aug 9 18:49:18 AEST 2017] Debugging, skip removing: /config/.acme.sh/webroot/.well-known
[Wed Aug 9 18:49:18 AEST 2017] pid
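Both debug logs in this thread end the same way: the CA reports a Timeout fetching the challenge URL, and acme.sh's own follow-up fetch of that URL from the router exits with curl code 7, meaning nothing answered on tcp/80 at all. The following diagnostic reads that tail of an acme.sh --debug log and turns the pair of symptoms into one pointer (WAN_LOCAL rule vs. DNS vs. upstream filtering). This is added example code, not part of this issue or of the project's renew script; the sample log is constructed from the format shown above, and the exit-code interpretations are assumptions based on libcurl's documented error codes.

```shell
#!/bin/sh
# Constructed sample of acme.sh --debug output, modelled on the tail of the
# log in this issue (placeholder hostname and token, not real values).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
[Thu Aug 10 03:32:31 AEST 2017] host:Verify error:Fetching http://host/.well-known/acme-challenge/hash: Timeout
[Thu Aug 10 03:32:31 AEST 2017] Debug: get token url.
[Thu Aug 10 03:32:31 AEST 2017] GET
[Thu Aug 10 03:32:31 AEST 2017] url='http://host/.well-known/acme-challenge/hash'
[Thu Aug 10 03:32:31 AEST 2017] _CURL='curl -L --silent --dump-header /config/.acme.sh/http.header --connect-timeout 1'
[Thu Aug 10 03:32:31 AEST 2017] ret='7'
EOF

# Map the curl exit code of acme.sh's own self-fetch of the challenge URL to
# the layer most likely at fault (codes as documented in libcurl-errors.html).
explain_curl_rc() {
  case "$1" in
    0)  echo "self-fetch OK: the router reaches its own webroot, so the block is upstream (NAT/ISP)" ;;
    6)  echo "could not resolve host: the -d name does not resolve from the router" ;;
    7)  echo "could not connect: nothing reachable on tcp/80 (WAN_LOCAL rule or challenge service)" ;;
    28) echo "connect timeout: packets to tcp/80 are silently dropped (drop rule or upstream filter)" ;;
    *)  echo "curl exit $1: see https://curl.haxx.se/libcurl/c/libcurl-errors.html" ;;
  esac
}

# Extract the exit code logged as ret='N' after the "Debug: get token url." step
# (the leading space keeps the earlier _ret='0' lines from the POST from matching).
self_fetch_rc() {
  sed -n '/Debug: get token url/,$p' "$1" | sed -n "s/.* ret='\([0-9]*\)'.*/\1/p" | head -n 1
}

# Print one diagnosis line combining the CA's verdict with the local self-fetch result.
diagnose_acme_log() {
  verify_err="$(grep 'Verify error:' "$1" | head -n 1)"
  if [ -z "$verify_err" ]; then
    echo "no HTTP-01 verify error found in $1"
    return 0
  fi
  rc="$(self_fetch_rc "$1")"
  echo "CA reported: ${verify_err#*Verify error:}; local self-fetch: $(explain_curl_rc "${rc:-unknown}")"
}

diagnose_acme_log "$SAMPLE_LOG"
```

Run it against a real acme.sh debug log by replacing SAMPLE_LOG with the file produced by `--log`; a 0 from the self-fetch alongside a CA-side timeout shifts suspicion from the router's own firewall to the path in front of it.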