kristapsdz / acme-client-portable

portable version of acme-client, a secure ACME client
https://kristaps.bsd.lv/acme-client
ISC License

Broken ipv6 #10

Closed Prototik closed 7 years ago

Prototik commented 7 years ago

Trying to get a cert on an ipv6-connected machine:

Started Check and renew ACME TLS certificates.
acme-client: /var/lib/acme/certs/DOMAIN/privkey.pem: domain key exists (not creating)
acme-client: /var/lib/acme/accounts/letsencrypt.pem: account key exists (not creating)
acme-client: https://acme-v01.api.letsencrypt.org/directory: directories
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:2d:480::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 2a02:26f0:2d:487::3d5
acme-client: acme-v01.api.letsencrypt.org: DNS: 23.206.21.80
acme-client: 2a02:26f0:2d:480::3d5: tls_connect_socket: acme-v01.api.letsencrypt.org, ssl verify setup failure
acme-client: https://acme-v01.api.letsencrypt.org/directory: bad comm
acme-client: bad exit: netproc(1745): 1
acme@DOMAIN.service: Main process exited, code=exited, status=1/FAILURE

Although ipv6 works like a charm:

$ curl -v https://acme-v01.api.letsencrypt.org/
*   Trying 2a02:26f0:2d:480::3d5...
* Connected to acme-v01.api.letsencrypt.org (2a02:26f0:2d:480::3d5) port 443 (#0)
...
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
...
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: acme-v01.api.letsencrypt.org
...
> 
< HTTP/1.1 200 OK
...
kristapsdz commented 7 years ago

I'm now seeing this also with old versions of libtls. The explanation is that old versions of libtls would lazy-load the default certificate after the chroot() (or pledge). Newer versions do this properly. I'll add some more compatibility bits in the next few checkins.

repsac-by commented 7 years ago

I see that @Prototik uses my package from Arch Linux AUR. It uses libressl version 2.4.3, but with acme-client 0.1.11 it worked perfectly. Now I tried to compile with libressl 2.5.0, and it seems that the error no longer exists.

By the way, the problem is not only with ipv6.

kristapsdz commented 7 years ago

Yes, it's a libtls problem. I'm adding some compatibility glue right now. The issue is that the new version of acme-client is doing strong validation, which requires the root ca to be loaded. Only recently did libtls fix the lazy-loading problem, so I'm working around it in http.c.

kristapsdz commented 7 years ago

Can you please check the current version of the GitHub source for whether this is fixed? On older versions of libtls, I now load the certificate directly into memory instead of relying on the broken ca_file function. Note: I use the CA file in /etc/ssl/cert.pem by default. On my Mac, it's in /usr/local/etc/libressl/cert.pem. This works on my Alpine linux, old OpenBSD, Mac, and FreeBSD systems.
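
The in-memory CA loading described above, as an added example that is not the project's own code: the bundle is read before the process enters its sandbox and would then be handed to tls_config_set_ca_mem(); the libtls, chroot() and pledge() calls are left as comments so the file builds with libc alone, and the PEM text is a constructed placeholder, not a real certificate.

```c
/* Added example, not acme-client's own code: read the CA bundle into memory
 * before chroot()/pledge() and hand it to tls_config_set_ca_mem(), so an old
 * libtls cannot fail while lazily opening /etc/ssl/cert.pem at connect time
 * from inside the sandbox.  libtls calls are shown as comments only. */
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Whole-file read into a NUL-terminated heap buffer; NULL on error/empty. */
char *read_ca_bundle(const char *path, size_t *len)
{
	struct stat st;
	char *buf = NULL;
	FILE *f;
	*len = 0;
	if ((f = fopen(path, "r")) == NULL)
		return NULL;
	if (fstat(fileno(f), &st) == 0 && st.st_size > 0 &&
	    (buf = malloc((size_t)st.st_size + 1)) != NULL) {
		*len = fread(buf, 1, (size_t)st.st_size, f);
		buf[*len] = '\0';
		/* short read: treat as an error rather than use a truncated bundle */
		if (*len != (size_t)st.st_size) { free(buf); buf = NULL; *len = 0; }
	}
	fclose(f);
	return buf;
}

/* Constructed self-test: a fake (not real) bundle in a temp file is read
 * back at the point where the real client would do it.  Returns 1 on success. */
int selftest(void)
{
	static const char fake[] = "-----BEGIN CERTIFICATE-----\nFAKE\n-----END CERTIFICATE-----\n";
	char path[] = "/tmp/cabundleXXXXXX";
	char *ca; size_t len; int fd, ok;
	if ((fd = mkstemp(path)) == -1)
		return 0;
	ok = write(fd, fake, sizeof(fake) - 1) == (ssize_t)(sizeof(fake) - 1);
	close(fd);
	ca = ok ? read_ca_bundle(path, &len) : NULL;	/* 1. still outside the sandbox */
	/* 2. tls_config_set_ca_mem(cfg, (uint8_t *)ca, len);  3. chroot(); pledge() */
	ok = ca != NULL && len == sizeof(fake) - 1 && strcmp(ca, fake) == 0;
	free(ca);
	unlink(path);
	return ok;
}
```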

repsac-by commented 7 years ago

Yes, now all is well with libressl 2.4.3.

Thank you for the best acme client.

kristapsdz commented 7 years ago

Fixed in 0.1.14, which has these changes. Thank you for checking and reporting!

Prototik commented 7 years ago

@repsac-by probably you need to use an aur/libressl package instead of building your own version.

But anyway thanks everyone for the help, works nicely.

repsac-by commented 7 years ago

Sorry for going off topic.

@Prototik, the libressl from AUR is marked EXPERIMENTAL ONLY and completely replaces the system openssl; that is not a solution at all. I simply didn't want to rush the move to libressl 2.5.0; at least I didn't expect it to have any new functions that might be needed here so soon.

Prototik commented 7 years ago

@repsac-by hm, then maybe it's worth creating a libressl package that doesn't replace the system openssl. In any case, thanks for the package.