rofl0r / proxychains-ng

proxychains ng (new generation) - a preloader which hooks calls to sockets in dynamically linked programs and redirects it through one or more socks/http proxies. continuation of the unmaintained proxychains project. the sf.net page is currently not updated, use releases from github release page instead.
http://sourceforge.net/projects/proxychains-ng/files
GNU General Public License v2.0

proxychains4 throws error where proxychains3 works without issue (related to dehydrated) #311

Open dmilojevic opened 4 years ago

dmilojevic commented 4 years ago

Hello everybody.

I tried to find some more issues about this online but failed. Sorry if it has been addressed already.

I found out about proxychains4 a few days ago. So far I've been using the default proxychains deployment from Raspbian (Debian for Raspberry Pi) Buster, which is 3.1-8.1. I started working on some scripts in which I wanted to parse the responses from the proxified and direct connections in the same way, so I realized that only proxychains4 actually has a -q switch to help me achieve that easily. I am currently running proxychains4 version 4.13-4.

Anyway, everything else works fine except one (important) thing. Since this is running on Raspberry Pi constantly connected to the internet via VPN, I am using proxychains to renew my letsencrypt certificate via public IP assigned to me by my ISP (I am running SSH server on another device in my home network through which proxychains tunnels the request outside). I use dehydrated (https://github.com/lukas2511/dehydrated) for letsencrypt renewal and it worked fine for more than a year via proxychains3 but when I try to use it via proxychains4 there is an error message.

root@raspberrypi:/opt/dehydrated # proxychains /opt/dehydrated/dehydrated -c
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/arm-linux-gnueabihf/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
INFO: Using main config file /opt/dehydrated/config
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] DLL init: proxychains-ng 4.13
[proxychains] Strict chain ... 127.0.0.1:7072 ... acme-staging-v02.api.letsencrypt.org:443 ... OK
[proxychains] DLL init: proxychains-ng 4.13
bash: src/allocator_thread.c:235: getmessage: Assertion `hdr->datalen <= MSG_LEN_MAX' failed.
Aborted
[proxychains] DLL init: proxychains-ng 4.13

When I rerun dehydrated with proxychains3 or without proxychains, it works fully without any issues.

root@raspberrypi:/opt/dehydrated # /opt/dehydrated/dehydrated -c
INFO: Using main config file /opt/dehydrated/config
Unknown hook this_hookscript_is_brokendehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
Processing mydomain.com with alternative names: myotherdomain.com
Unknown hook this_hookscript_is_brokendehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script

  • Checking domain name(s) of existing cert... unchanged.
  • Checking expire date of existing cert...
  • Valid till Feb 16 04:41:41 2020 GMT Certificate will not expire (Longer than 30 days). Skipping renew!

I would greatly appreciate it if someone could help with this.

Thanks in advance!

rofl0r commented 4 years ago

you could run the dehydrated script with proxychains4 bash -x /path/to/dehydrated so we can see which exact command is failing.

also please use latest git of proxychains, some issues have been fixed. that means you gotta compile it yourself.

dmilojevic commented 4 years ago

Hi. Thanks for the reply. I can't build proxychains on this installation from source at this moment, but will do soon on another one.

In the meantime, the following is the output of the command you suggested.

root@raspberrypi:/opt/dehydrated # proxychains4 bash -x /opt/dehydrated/dehydrated -c
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/arm-linux-gnueabihf/libproxychains.so.4
+ set -e
+ set -u
+ set -o pipefail
+ [[ -n '' ]]
+ [[ -z '' ]]
+ shopt -s nullglob
+ set -f
+ umask 077
+ exec
+ exec
+ VERSION=0.6.5
+ SOURCE=/opt/dehydrated/dehydrated
+ '[' -h /opt/dehydrated/dehydrated ']'
+++ dirname /opt/dehydrated/dehydrated
++ cd -P /opt/dehydrated
++ pwd
+ SCRIPTDIR=/opt/dehydrated
+ BASEDIR=/opt/dehydrated
+ ORIGARGS=-c
++ uname
+ OSTYPE=Linux
+ [[ ! '' = \N\O\O\P ]]
+ main -c
+ COMMAND=
+ [[ -z -c ]]
+ ((  1  ))
+ case "${1}" in
+ set_command sign_domains
+ [[ -z '' ]]
+ COMMAND=sign_domains
+ shift 1
+ ((  0  ))
+ case "${COMMAND}" in
+ command_sign_domains
+ init_system
+ load_config
+ [[ -z '' ]]
+ for check_config in "/etc/dehydrated" "/usr/local/etc/dehydrated" "${PWD}" "${SCRIPTDIR}"
+ [[ -f /etc/dehydrated/config ]]
+ for check_config in "/etc/dehydrated" "/usr/local/etc/dehydrated" "${PWD}" "${SCRIPTDIR}"
+ [[ -f /usr/local/etc/dehydrated/config ]]
+ for check_config in "/etc/dehydrated" "/usr/local/etc/dehydrated" "${PWD}" "${SCRIPTDIR}"
+ [[ -f /opt/dehydrated/config ]]
+ BASEDIR=/opt/dehydrated
+ CONFIG=/opt/dehydrated/config
+ break
+ CA=https://acme-v02.api.letsencrypt.org/directory
+ OLDCA=
+ CERTDIR=
+ ALPNCERTDIR=
+ ACCOUNTDIR=
+ CHALLENGETYPE=http-01
+ CONFIG_D=
+ CURL_OPTS=
+ DOMAINS_D=
+ DOMAINS_TXT=
+ HOOK=
+ HOOK_CHAIN=no
+ RENEW_DAYS=30
+ KEYSIZE=4096
+ WELLKNOWN=
+ PRIVATE_KEY_RENEW=yes
+ PRIVATE_KEY_ROLLOVER=no
+ KEY_ALGO=rsa
+ OPENSSL=openssl
+ OPENSSL_CNF=
+ CONTACT_EMAIL=
+ LOCKFILE=
+ OCSP_MUST_STAPLE=no
+ OCSP_FETCH=no
+ OCSP_DAYS=5
+ IP_VERSION=
+ CHAINCACHE=
+ AUTO_CLEANUP=no
+ DEHYDRATED_USER=
+ DEHYDRATED_GROUP=
+ API=auto
+ [[ -z /opt/dehydrated/config ]]
+ [[ -f /opt/dehydrated/config ]]
+ echo '# INFO: Using main config file /opt/dehydrated/config'
# INFO: Using main config file /opt/dehydrated/config
++ dirname /opt/dehydrated/config
+ BASEDIR=/opt/dehydrated
+ . /opt/dehydrated/config
++ CHALLENGETYPE=dns-01
++ HOOK=/opt/dehydrated/hook.sh
++ CA=https://acme-staging-v02.api.letsencrypt.org/directory
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ check_dependencies
+ openssl version
+ _sed ''
+ command -v grep
+ command -v mktemp
+ command -v diff
+ set +e
++ curl -V
++ head -n1
++ awk '{print $2}'
+ CURL_VERSION=7.64.0
+ retcode=0
+ set -e
+ [[ ! 0 = \0 ]]
+ [[ /opt/dehydrated != \/ ]]
+ BASEDIR=/opt/dehydrated
+ [[ -d /opt/dehydrated ]]
+ [[ -z '' ]]
+ [[ https://acme-staging-v02.api.letsencrypt.org/directory = \h\t\t\p\s\:\/\/\a\c\m\e\-\v\0\2\.\a\p\i\.\l\e\t\s\e\n\c\r\y\p\t\.\o\r\g\/\d\i\r\e\c\t\o\r\y ]]
++ echo https://acme-staging-v02.api.letsencrypt.org/directory
++ urlbase64
++ openssl base64 -e
++ tr -d '\n\r'
++ _sed -e 's:=*$::g' -e y:+/:-_:
++ [[ Linux = \L\i\n\u\x ]]
++ sed -r -e 's:=*$::g' -e y:+/:-_:
+ CAHASH=Hma4mHa4Lm4hm41maXmamampmmama4AmL4mwm3am3amaZamam8awmCa4macmZ2ma3ma0m6m5mg
+ [[ -z '' ]]
+ ACCOUNTDIR=/opt/dehydrated/accounts
+ [[ ! -e /opt/dehydrated/accounts/Hma4mHa4Lm4hm41maXmamampmmama4AmL4mwm3am3amaZamam8awmCa4macmZ2ma3ma0m6m5mg ]]
+ [[ -f /opt/dehydrated/accounts/Hma4mHa4Lm4hm41maXmamampmmama4AmL4mwm3am3amaZamam8awmCa4macmZ2ma3ma0m6m5mg/config ]]
+ ACCOUNT_KEY=/opt/dehydrated/accounts/Hma4mHa4Lm4hm41maXmamampmmama4AmL4mwm3am3amaZamam8awmCa4macmZ2ma3ma0m6m5mg/account_key.pem
+ ACCOUNT_KEY_JSON=/opt/dehydrated/accounts/Hma4mHa4Lm4hm41maXmamampmmama4AmL4mwm3am3amaZamam8awmCa4macmZ2ma3ma0m6m5mg/registration_info.json
+ ACCOUNT_ID_JSON=/opt/dehydrated/accounts/Hma4mHa4Lm4hm41maXmamampmmama4AmL4mwm3am3amaZamam8awmCa4macmZ2ma3ma0m6m5mg/account_id.json
+ [[ -f /opt/dehydrated/private_key.pem ]]
+ [[ -f /opt/dehydrated/private_key.json ]]
+ [[ -z '' ]]
+ CERTDIR=/opt/dehydrated/certs
+ [[ -z '' ]]
+ ALPNCERTDIR=/opt/dehydrated/alpn-certs
+ [[ -z '' ]]
+ CHAINCACHE=/opt/dehydrated/chains
+ [[ -z '' ]]
+ DOMAINS_TXT=/opt/dehydrated/domains.txt
+ [[ -z '' ]]
+ WELLKNOWN=/var/www/dehydrated
+ [[ -z '' ]]
+ LOCKFILE=/opt/dehydrated/lock
+ [[ -z '' ]]
++ openssl version -d
++ cut '-d"' -f2
+ OPENSSL_CNF=/usr/lib/ssl/openssl.cnf
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ [[ -n '' ]]
+ '[' '!' '' = noverify ']'
+ verify_config
+ [[ dns-01 == \h\t\t\p\-\0\1 ]]
+ [[ dns-01 == \d\n\s\-\0\1 ]]
+ [[ dns-01 = \d\n\s\-\0\1 ]]
+ [[ -z /opt/dehydrated/hook.sh ]]
+ [[ dns-01 = \h\t\t\p\-\0\1 ]]
+ [[ rsa == \r\s\a ]]
+ [[ -n '' ]]
+ [[ auto == \a\u\t\o ]]
+ [[ 5 =~ ^[0-9]+$ ]]
+ store_configvars
+ __KEY_ALGO=rsa
+ __OCSP_MUST_STAPLE=no
+ __PRIVATE_KEY_RENEW=yes
+ __KEYSIZE=4096
+ __CHALLENGETYPE=dns-01
+ __HOOK=/opt/dehydrated/hook.sh
+ __WELLKNOWN=/var/www/dehydrated
+ __HOOK_CHAIN=no
+ __OPENSSL_CNF=/usr/lib/ssl/openssl.cnf
+ __RENEW_DAYS=30
+ __IP_VERSION=
+ [[ -n /opt/dehydrated/lock ]]
++ dirname /opt/dehydrated/lock
+ LOCKDIR=/opt/dehydrated
+ [[ -w /opt/dehydrated ]]
+ trap remove_lock EXIT
++ http_request get https://acme-staging-v02.api.letsencrypt.org/directory
+++ _mktemp
+++ mktemp /tmp/dehydrated-XXXXXX
++ tempcont=/tmp/dehydrated-VgGoAi
+++ _mktemp
+++ mktemp /tmp/dehydrated-XXXXXX
++ tempheaders=/tmp/dehydrated-5qE9da
++ [[ -n '' ]]
++ set +e
++ [[ get = \h\e\a\d ]]
++ [[ get = \g\e\t ]]
+++ curl -A 'dehydrated/0.6.5 curl/7.64.0' -L -s -w '%{http_code}' -o /tmp/dehydrated-VgGoAi -D /tmp/dehydrated-5qE9da https://acme-staging-v02.api.letsencrypt.org/directory
++ statuscode=200
++ curlret=0
++ set -e
++ [[ ! 0 = \0 ]]
++ [[ ! 2 = \2 ]]
++ cat /tmp/dehydrated-5qE9da
bash: src/allocator_thread.c:235: getmessage: Assertion `hdr->datalen <= MSG_LEN_MAX' failed.
Aborted
root@raspberrypi:/opt/dehydrated # ++ cat /tmp/dehydrated-VgGoAi

Please note that the cat of the second tmp file remains on the command line when the app crashes.

The contents of the 2 temporary files mentioned are as follows.

/tmp/dehydrated-VgGoAi

{
  "BSaGI17Bhr6": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/17162",
  "keyChange": "https://acme-staging-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org/docs/staging-environment/"
  },
  "newAccount": "https://acme-staging-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-staging-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-staging-v02.api.letsencrypt.org/acme/revoke-cert"
}

/tmp/dehydrated-5qE9da

HTTP/2 200
server: nginx
date: Fri, 22 Nov 2019 07:16:23 GMT
content-type: application/json
content-length: 724
cache-control: public, max-age=0, no-cache
x-frame-options: DENY
strict-transport-security: max-age=604800

rofl0r commented 4 years ago

thanks, the isolated curl command seems to work fine here on both debian and sabotage linux hosts, with latest git and both socks5/http proxies.

the issue you're facing could be either due to a bug fixed since, or some platform-specific issue (for example, on arm, abi for "char" is "unsigned char" unlike on other archs, which breaks some things - if that's the reason you could compile proxychains like CFLAGS=-fsigned-char ./configure ... etc...), or maybe it's due to all the other stuff the script does. in the latter case, if you try the curl command manually, it would work.
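
Added example, not part of the thread and not proxychains-ng code: a small C program showing how the default signedness of plain `char` (signed on x86, unsigned on ARM Linux, switchable with `-fsigned-char` / `-funsigned-char`) changes the result of decoding a length byte and therefore the outcome of an upper-bound check. `DEMO_LEN_MAX`, `demo_msg` and all function names are hypothetical; the program illustrates the ABI difference mentioned above and does not claim to reproduce the cause of this report.

```c
/* Added illustration; not proxychains-ng code. All names are hypothetical. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define DEMO_LEN_MAX 256   /* hypothetical upper bound for a payload length */

/* Constructed sample message: one length byte (0xC8 = 200), then payload. */
static const unsigned char demo_msg[] = { 0xC8, 'x' };

/* 1 if plain char is signed in this build (x86 default or -fsigned-char),
 * 0 if it is unsigned (ARM Linux default or -funsigned-char). */
int plain_char_is_signed(void) { return CHAR_MIN < 0; }

/* Behaviour where char is signed: the byte is sign-extended when widened. */
size_t len_via_signed_char(const unsigned char *buf)
{
    signed char c = (signed char)buf[0];   /* 0xC8 becomes -56 */
    return (size_t)c;                      /* -56 becomes a huge size_t */
}

/* Behaviour where char is unsigned, and the portable way to write it. */
size_t len_via_unsigned_char(const unsigned char *buf)
{
    unsigned char c = buf[0];              /* 0xC8 stays 200 */
    return (size_t)c;
}

/* The ABI-dependent form: same source, different result per platform. */
size_t len_via_plain_char(const unsigned char *buf)
{
    char c = (char)buf[0];
    return (size_t)c;
}

/* Upper-bound check on a decoded length. */
int length_ok(size_t len) { return len <= DEMO_LEN_MAX; }

int main(void)
{
    size_t s = len_via_signed_char(demo_msg);
    size_t u = len_via_unsigned_char(demo_msg);
    size_t p = len_via_plain_char(demo_msg);

    printf("plain char is %s in this build\n",
           plain_char_is_signed() ? "signed" : "unsigned");
    printf("signed char:   len=%zu ok=%d\n", s, length_ok(s));
    printf("unsigned char: len=%zu ok=%d\n", u, length_ok(u));
    printf("plain char:    len=%zu ok=%d\n", p, length_ok(p));
    return 0;
}
```

Building it once with `-fsigned-char` and once with `-funsigned-char` on the same machine shows the "plain char" line switching between the two behaviours.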