leafac / kill-the-newsletter

Convert email newsletters into Atom feeds
https://kill-the-newsletter.com
MIT License
2.31k stars 113 forks

Reverse Proxy Error - Auto-Encrypt - AcmeRequest Fails #72

Closed ajatoledo closed 3 weeks ago

ajatoledo commented 1 year ago

First, been using kill-the-newsletter for over a year now, and I love it; thanks for the great work!

Unable to Get Cert

Today I was attempting to spin up a new instance of kill-the-newsletter, and it appears the Auto-Encrypt included in the compiled version for 1.0.1 is using an outdated algorithm for CSR signing and, as a result, fails to get a cert.

Below is the error I receive. Note: I removed my domain from the output below and replaced it with [kill-the-newsletter-server], so that is why it may look odd.

Email server started
   📕    ❨auto-encrypt❩ Directory is using endpoint https://acme-v02.api.letsencrypt.org/directory
   👤    ❨auto-encrypt❩ Creating identity (/home/[kill-the-newsletter-server]/kill-the-newsletter/data/keys/tls/production/account-identity.pem)
   🤖    ❨auto-encrypt❩ Provisioning Let’s Encrypt certificates for [kill-the-newsletter-server].example-services.com.
   📈    ❨auto-encrypt❩ Number of authorisations to validate: 1
   💗    ❨auto-encrypt❩ Authorisation was previously validated and is still valid.
   📝    ❨auto-encrypt❩ An authorisation was validated for the order! (1/1)
   🎊    ❨auto-encrypt❩ All authorisations validated.
   🔒    ❨auto-encrypt❩ HTTP server is now forwarding HTTP requests to HTTPS (302).
   💃    ❨auto-encrypt❩ Finalising order…
   👤    ❨auto-encrypt❩ Creating identity (/home/[kill-the-newsletter-server]/kill-the-newsletter/data/keys/tls/production/[kill-the-newsletter-server].com/certificate-identity.pem)
/tmp/caxa/kill-the-newsletter/dxvoiiwdvh/node_modules/@small-tech/auto-encrypt/lib/Order.js:178
        throw new Error(error)
              ^

Error: AcmeRequest.requestError: (400 urn:ietf:params:acme:error:badCSR Error finalizing order :: signature algorithm not supported)
    at Order.init (/tmp/caxa/kill-the-newsletter/dxvoiiwdvh/node_modules/@small-tech/auto-encrypt/lib/Order.js:178:15)
    at processTicksAndRejections (node:internal/process/task_queues:94:5)
    at async Function.getInstanceAsync (/tmp/caxa/kill-the-newsletter/dxvoiiwdvh/node_modules/@small-tech/auto-encrypt/lib/Order.js:47:5)
    at async Certificate.provisionCertificate (/tmp/caxa/kill-the-newsletter/dxvoiiwdvh/node_modules/@small-tech/auto-encrypt/lib/Certificate.js:248:19)
    at async Certificate.createSecureContext (/tmp/caxa/kill-the-newsletter/dxvoiiwdvh/node_modules/@small-tech/auto-encrypt/lib/Certificate.js:220:7)
    at async Certificate.getSecureContext (/tmp/caxa/kill-the-newsletter/dxvoiiwdvh/node_modules/@small-tech/auto-encrypt/lib/Certificate.js:47:7)
    at async TLSSocket.options.SNICallback [as _SNICallback] (/tmp/caxa/kill-the-newsletter/dxvoiiwdvh/node_modules/@small-tech/auto-encrypt/index.js:162:31)

I can run the kill-the-newsletter service without the proxy, so it looks like it's an issue with the reverse proxy.
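The failure above comes from the ACME finalize step: the CA parses the CSR, and if its signature algorithm is not on the CA's allow-list it answers 400 badCSR "signature algorithm not supported" before looking at anything else. The following is an added example, not code from kill-the-newsletter or from @small-tech/auto-encrypt, of the preflight a client can run on a CSR before sending it. It is written in Go because Go's standard crypto/x509 can create and parse CSRs while Node's standard crypto cannot; the allow-list (SHA-256/384/512 with RSA or ECDSA) is an assumption modelled on what Let's Encrypt's CA is understood to accept, and the hostname is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// allowedCSRSigAlgs is the set of CSR signature algorithms this preflight
// accepts. Assumption: modelled on what Let's Encrypt's CA accepts; anything
// not listed (SHA-1 or MD5 based signatures in particular) is treated as badCSR.
var allowedCSRSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA:   true,
	x509.SHA384WithRSA:   true,
	x509.SHA512WithRSA:   true,
	x509.ECDSAWithSHA256: true,
	x509.ECDSAWithSHA384: true,
	x509.ECDSAWithSHA512: true,
}

var errBadSigAlg = errors.New("badCSR: signature algorithm not supported")

// SignatureAlgorithmAllowed is the allow-list check on its own, so it can be
// exercised without having to produce a legacy-signed CSR.
func SignatureAlgorithmAllowed(alg x509.SignatureAlgorithm) bool {
	return allowedCSRSigAlgs[alg]
}

// PreflightCSR parses a DER-encoded CSR and applies the checks a client should
// run before the ACME finalize call: signature algorithm on the allow-list,
// self-signature verifies, and at least one DNS name is being requested.
// It returns the parsed CSR on success or an error naming the first failure.
func PreflightCSR(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, fmt.Errorf("badCSR: %w", err)
	}
	if !SignatureAlgorithmAllowed(csr.SignatureAlgorithm) {
		return nil, fmt.Errorf("%w (%s)", errBadSigAlg, csr.SignatureAlgorithm)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("badCSR: self-signature invalid: %w", err)
	}
	if len(csr.DNSNames) == 0 {
		return nil, errors.New("badCSR: no DNS names in subjectAltName")
	}
	return csr, nil
}

// NewECDSACSR builds the kind of CSR an ACME client should send today:
// a fresh P-256 key, ECDSA-with-SHA256 signature, hostnames in the SAN
// extension. The hostnames are supplied by the caller.
func NewECDSACSR(hostnames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:            pkix.Name{CommonName: hostnames[0]},
		DNSNames:           hostnames,
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

func main() {
	// Constructed hostname; stands in for the redacted one in the log above.
	der, err := NewECDSACSR([]string{"kill-the-newsletter.example.com"})
	if err != nil {
		panic(err)
	}
	csr, err := PreflightCSR(der)
	if err != nil {
		fmt.Println("would be rejected at finalize:", err)
		return
	}
	fmt.Printf("CSR ok: %s for %v\n", csr.SignatureAlgorithm, csr.DNSNames)
	// A legacy SHA-1 signature is exactly what the allow-list exists to catch.
	fmt.Println("SHA1WithRSA allowed?", SignatureAlgorithmAllowed(x509.SHA1WithRSA))
}
```

Running the preflight locally turns the opaque server-side badCSR into a client-side error that names the offending algorithm, which is the first thing to look at when an ACME client that used to work starts failing at finalize after a CA tightens its CSR policy.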

leafac commented 1 year ago

Thanks for the report. I’ll investigate…

zhaonc commented 1 year ago

Hi just to report in case it helps: I had the same issue, and it appears upgrading @small-tech/auto-encrypt to v2.3.0 would fix this issue.

leafac commented 1 year ago

Thanks @zhaonc for the information.

As a quick fix, I updated @small-tech/auto-encrypt as you mentioned.

But a more proper solution is on the way. You may follow along in my livecoding sessions at https://youtube.com/@leafac.

utack commented 1 year ago

Is there a new tag somewhere so I can update the binary on my server?
That would be really neat, my site is down for now without certificate

samirsheldenkar commented 1 year ago

Hi just adding a +1 to this! Just installed on my server but have run into the same problem, please can you update with a new tag if the problem is fixed. Thanks

leafac commented 1 year ago

The solution I’m using for the time being is a hack that I explain at the beginning of this coding session: https://www.youtube.com/watch?v=F5raHCLIgTY

I’m working on the proper solution and it will come out soon…

teslweb commented 9 months ago

Hi, Is the self hosted option still possible?

Running a wget for 2.3.0 and extracting as per the video doesn't seem to work… I'd prefer to self host if there's a reasonably straightforward solution, but if not I'll find another solution.

TIA

teslweb commented 8 months ago

Worked it out in the end.

Removed Auto-Encrypt and the reverse proxy using this: https://github.com/leafac/kill-the-newsletter/issues/53, and popped it behind an Nginx reverse proxy with certbot for Let's Encrypt certs.

leafac commented 3 weeks ago

Hello again, y’all,

Starting with version 2.0.1, Kill the Newsletter! uses Caddy as a reverse proxy, which provisions TLS certificates automatically. Update following the instructions in the changelog.

Best.