natemcmaster / LettuceEncrypt

Free, automatic HTTPS certificate generation for ASP.NET Core web apps
https://nuget.org/packages/LettuceEncrypt
Apache License 2.0

Creating ALPN self-signed cert infinite loop & "This CA Root certificate is not trusted" #203

Closed blaze6950 closed 3 years ago

blaze6950 commented 3 years ago

I configured LettuceEncrypt in my ASP.NET Core (.NET 5) app using this line in Startup.cs:

...
services.AddLettuceEncrypt();
...

Also, I have such a configuration in the appsettings.json:

...
"LettuceEncrypt": {
    // Set this to automatically accept the terms of service of your certificate authority.
    // If you don't set this in config, you will need to press "y" whenever the application starts
    "AcceptTermsOfService": true,

    // You must specify at least one domain name
    "DomainNames": [ "cashbutton.cc" ],

    // You must specify an email address to register with the certificate authority
    "EmailAddress": "cashbutton.cc@gmail.com"
}
...

I run my app in the Docker container, so I use this command for starting a container:

sudo docker run -p 80:80 -p 443:443 -e ASPNETCORE_URLS="https://+;http://+" -v ~/x509stos/:/root/.dotnet/corefx/cryptography/x509stores/ -v /app/certs/:/app/accounts/acme-v02.api.letsencrypt.org/directory/ docker.pkg.github.com/cashbutton/backend/cashbutton:latest

Also, I've turned on the Trace log level, and during the initialization, I have such logs:

trce: LettuceEncrypt.Internal.AcmeCertificateLoader[0]
      ACME state transition: moving to ServerStartupState
trce: LettuceEncrypt.Internal.AcmeCertificateLoader[0]
      ACME state transition: moving to BeginCertificateCreationState
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Looking for account information in /app/accounts/acme-v02.api.letsencrypt.org/directory
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Parsing /app/accounts/acme-v02.api.letsencrypt.org/directory/129870925.json for account info
dbug: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Loaded account information from /app/accounts/acme-v02.api.letsencrypt.org/directory
info: LettuceEncrypt.Internal.AcmeClient[0]
      Using certificate authority https://acme-v02.api.letsencrypt.org/directory
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchAccount
crit: cashbutton.Startup[1]
      The backend was started. Run Id #285
info: Microsoft.Hosting.Lifetime[0]
      Now listening on: https://[::]:443
info: Microsoft.Hosting.Lifetime[0]
      Now listening on: http://[::]:80
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Production
info: Microsoft.Hosting.Lifetime[0]
      Content root path: /app
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchAccountDetails, https://acme-v02.api.letsencrypt.org/acme/acct/129870905
info: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Using existing account for mailto:cashbutton.cc@gmail.com
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchTOS
trce: LettuceEncrypt.Internal.TermsOfServiceChecker[0]
      Terms of service has been accepted per configuration options
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: UpdateTOS
info: LettuceEncrypt.Internal.AcmeStates.ServerStartupState[0]
      Using account 129870905
info: LettuceEncrypt.Internal.AcmeStates.ServerStartupState[0]
      Creating certificate for cashbutton.cc
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchOrderList
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchOrderDetails, (null)
dbug: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Creating new order for a certificate
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: NewOrder
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchAuthorizations, https://acme-v02.api.letsencrypt.org/acme/order/129870905/10942180805
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: FetchAuthorizationDetails, https://acme-v02.api.letsencrypt.org/acme/authz-v3/14650435502
dbug: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Requesting authorization to create certificate for cashbutton.cc
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: CreateChallenge, https://acme-v02.api.letsencrypt.org/acme/authz-v3/14650435502
trce: LettuceEncrypt.Internal.TlsAlpnChallengeResponder[0]
      Creating ALPN self-signed cert for cashbutton.cc and key authz PCm1C6TcVuWhdw8az2-_hso79ZOnVmM3wc0s6PvDeM4.DgyBWn_9J4fByiIApqUYIbwvhoeBR2y_qf6U6eic9hA
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Waiting for server to start accepting HTTP requests
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Requesting server to validate TLS/ALPN challenge
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: ValidateChallenge, https://acme-v02.api.letsencrypt.org/acme/chall-v3/14650435502/v-A-7Q
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: CreateChallenge, https://acme-v02.api.letsencrypt.org/acme/authz-v3/14650435502
trce: LettuceEncrypt.Internal.TlsAlpnChallengeResponder[0]
      Creating ALPN self-signed cert for cashbutton.cc and key authz PCm1C6TcVuWhdw8az2-_hso79ZOnVmM3wc0s6PvDeM4.DgyBWn_9J4fByiIApqUYIbwvhoeBR2y_qf6U6eic9hA
trce: LettuceEncrypt.Internal.CertificateSelector[0]
      Using ALPN challenge cert for cashbutton.cc
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Waiting for server to start accepting HTTP requests
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Requesting server to validate TLS/ALPN challenge
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: ValidateChallenge, https://acme-v02.api.letsencrypt.org/acme/chall-v3/14650435502/v-A-7Q
trce: LettuceEncrypt.Internal.CertificateSelector[0]
      Using ALPN challenge cert for cashbutton.cc
trce: LettuceEncrypt.Internal.CertificateSelector[0]
      Using ALPN challenge cert for cashbutton.cc
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: CreateChallenge, https://acme-v02.api.letsencrypt.org/acme/authz-v3/14650435502
trce: LettuceEncrypt.Internal.CertificateSelector[0]
      Using ALPN challenge cert for cashbutton.cc
trce: LettuceEncrypt.Internal.TlsAlpnChallengeResponder[0]
      Creating ALPN self-signed cert for cashbutton.cc and key authz PCm1C6TcVuWhdw8az2-_hso79ZOnVmM3wc0s6PvDeM4.DgyBWn_9J4fByiIApqUYIbwvhoeBR2y_qf6U6eic9hA
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Waiting for server to start accepting HTTP requests
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Requesting server to validate TLS/ALPN challenge
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: ValidateChallenge, https://acme-v02.api.letsencrypt.org/acme/chall-v3/14650435502/v-A-7Q
trce: LettuceEncrypt.Internal.CertificateSelector[0]
      Using ALPN challenge cert for cashbutton.cc
trce: LettuceEncrypt.Internal.CertificateSelector[0]
      Using ALPN challenge cert for cashbutton.cc
trce: LettuceEncrypt.Internal.CertificateSelector[0]
      Using ALPN challenge cert for cashbutton.cc
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: CreateChallenge, https://acme-v02.api.letsencrypt.org/acme/authz-v3/14650435502
trce: LettuceEncrypt.Internal.CertificateSelector[0]
      Using ALPN challenge cert for cashbutton.cc
trce: LettuceEncrypt.Internal.TlsAlpnChallengeResponder[0]
      Creating ALPN self-signed cert for cashbutton.cc and key authz PCm1C6TcVuWhdw8az2-_hso79ZOnVmM3wc0s6PvDeM4.DgyBWn_9J4fByiIApqUYIbwvhoeBR2y_qf6U6eic9hA
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Waiting for server to start accepting HTTP requests
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Requesting server to validate TLS/ALPN challenge
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: ValidateChallenge, https://acme-v02.api.letsencrypt.org/acme/chall-v3/14650435502/v-A-7Q
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: CreateChallenge, https://acme-v02.api.letsencrypt.org/acme/authz-v3/14650435502
trce: LettuceEncrypt.Internal.TlsAlpnChallengeResponder[0]
      Creating ALPN self-signed cert for cashbutton.cc and key authz PCm1C6TcVuWhdw8az2-_hso79ZOnVmM3wc0s6PvDeM4.DgyBWn_9J4fByiIApqUYIbwvhoeBR2y_qf6U6eic9hA
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Waiting for server to start accepting HTTP requests
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Requesting server to validate TLS/ALPN challenge
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: ValidateChallenge, https://acme-v02.api.letsencrypt.org/acme/chall-v3/14650435502/v-A-7Q
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: CreateChallenge, https://acme-v02.api.letsencrypt.org/acme/authz-v3/14650435502
trce: LettuceEncrypt.Internal.TlsAlpnChallengeResponder[0]
      Creating ALPN self-signed cert for cashbutton.cc and key authz PCm1C6TcVuWhdw8az2-_hso79ZOnVmM3wc0s6PvDeM4.DgyBWn_9J4fByiIApqUYIbwvhoeBR2y_qf6U6eic9hA
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Waiting for server to start accepting HTTP requests
trce: LettuceEncrypt.Internal.AcmeCertificateFactory[0]
      Requesting server to validate TLS/ALPN challenge
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: ValidateChallenge, https://acme-v02.api.letsencrypt.org/acme/chall-v3/14650435502/v-A-7Q
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: CreateChallenge, https://acme-v02.api.letsencrypt.org/acme/authz-v3/14650435502
trce: LettuceEncrypt.Internal.TlsAlpnChallengeResponder[0]
      Creating ALPN self-signed cert for cashbutton.cc and key authz PCm1C6TcVuWhdw8az2-_hso79ZOnVmM3wc0s6PvDeM4.DgyBWn_9J4fByiIApqUYIbwvhoeBR2y_qf6U6eic9hA
...

I guess something is going wrong, because when I try to open my site in a browser, Chrome doesn't load it due to an invalid certificate (NET::ERR_CERT_INVALID):

Subject: cashbutton.cc

Issuer: cashbutton.cc

Expires on: Jul 10, 2021

Current date: Jul 9, 2021

PEM encoded chain:

Could anyone help me with this issue, please?

P.S. Excuse me for possible mistakes and wrong formatting
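As an added example, not from this issue or from LettuceEncrypt itself: a small Python checker that reads trace output in the two-line shape shown above and flags an authorization that keeps re-entering CreateChallenge without the ACME state machine moving on, which is the loop visible in the log. The host, URLs and key authorization in the sample are constructed placeholders, not values from the report.

```python
import re
from collections import Counter

HEADER = re.compile(r"^(\w{4}): (\S+)\[(\d+)\]\s*$")      # "trce: LettuceEncrypt.Internal.AcmeClient[0]"
ACTION = re.compile(r"ACMEv2 action: (\w+)(?:, (\S+))?")  # "ACMEv2 action: CreateChallenge, <authz url>"

# Constructed sample in the trace format above (header line, then indented message); placeholder values.
SAMPLE_LOG = """\
trce: LettuceEncrypt.Internal.AcmeCertificateLoader[0]
      ACME state transition: moving to BeginCertificateCreationState
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: CreateChallenge, https://acme.example/acme/authz-v3/1
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: ValidateChallenge, https://acme.example/acme/chall-v3/1/abc
trce: LettuceEncrypt.Internal.CertificateSelector[0]
      Using ALPN challenge cert for example.test
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: CreateChallenge, https://acme.example/acme/authz-v3/1
trce: LettuceEncrypt.Internal.CertificateSelector[0]
      Using ALPN challenge cert for example.test
trce: LettuceEncrypt.Internal.AcmeClient[0]
      ACMEv2 action: CreateChallenge, https://acme.example/acme/authz-v3/1
"""

def parse_records(log_text):
    # Pair each "level: category[id]" header with the indented message line that follows it.
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if m and i + 1 < len(lines):
            yield m.group(1), m.group(2), lines[i + 1].strip()
            i += 2
        else:
            i += 1

def diagnose(log_text, max_rounds=2):
    # Count CreateChallenge attempts per authorization URL, note whether the state machine ever
    # moved on after the last attempt, and count how often the ALPN challenge cert was selected.
    rounds, served = Counter(), 0
    last_create = last_transition = -1
    for idx, (_level, _category, msg) in enumerate(parse_records(log_text)):
        act = ACTION.search(msg)
        if act and act.group(1) == "CreateChallenge":
            rounds[act.group(2)] += 1
            last_create = idx
        elif "ACME state transition" in msg:
            last_transition = idx
        elif "Using ALPN challenge cert" in msg:
            served += 1
    looping = last_create > last_transition
    stuck = sorted(u for u, n in rounds.items() if n > max_rounds) if looping else []
    return {"rounds": dict(rounds), "stuck_authz": stuck, "challenge_cert_served": served}
```

A non-empty `stuck_authz` together with a growing `challenge_cert_served` count is the signature to alert on: the validation never completes and the self-signed challenge certificate is what handshakes keep receiving.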

natemcmaster commented 3 years ago

Thanks for reporting. I was able to reproduce this bug and have patched it. Can you try the 1.1.1 release? https://github.com/natemcmaster/LettuceEncrypt/releases/tag/v1.1.1

blaze6950 commented 3 years ago

Thank you for the fast response! The 1.1.1 release works well!