win-acme / win-acme

A simple ACME client for Windows (for use with Let's Encrypt et al.)
https://www.win-acme.com/
Apache License 2.0

Selfhosting throws HttpListenerException (The handle is invalid) #1533

Closed Gachapen closed 4 years ago

Gachapen commented 4 years ago

Describe the bug

When running wacs with selfhosting validation, it is unable to activate the HttpListener because of the exception: System.Net.HttpListenerException (6): The handle is invalid

To Reproduce

  1. Run with command line wacs --target manual --host "example.com" --validation selfhosting 8080 --test --verbose
  2. See error

Expected behavior

The command should complete without error, or stop to ask for additional options.

Log

 [VERB] Verbose mode logging enabled
 [VERB] Looking for settings.json in C:\win-acme
 [VERB] Copying settings_default.json to settings.json
 [DBUG] Config folder: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org
 [DBUG] Log path: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Log
 [DBUG] Cache path: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Certificates
 [VERB] Arguments: --target manual --host example.com --validation selfhosting 8080 --test --verbose
 [DBUG] Renewal period: 55 days

 [INFO] A simple Windows ACMEv2 client (WACS)
 [INFO] Software version 2.1.7.807 (RELEASE, TRIMMED)
 [INFO] ACME server https://acme-staging-v02.api.letsencrypt.org/
 [VERB] SecurityProtocol setting: SystemDefault
 [DBUG] Connection OK!
 [INFO] IIS not detected
 [INFO] Running with administrator credentials
 [WARN] Scheduled task not configured yet
 [INFO] Please report issues at https://github.com/win-acme/win-acme
 [VERB] Test for international support: 語言 язык لغة
 [INFO] Running in mode: Unattended, Test
 [VERB] Adding 8.8.8.8 as DNS server
 [VERB] Adding 1.1.1.1 as DNS server
 [VERB] Adding 8.8.4.4 as DNS server
 [INFO] Target generated using plugin Manual: example.com
 [VERB] Targeted convert into 1 order(s)
 [VERB] Checking [Manual] example.com
 [VERB] Handle order 1/1: Main
 [VERB] Creating order for hosts: ["example.com"]
 [VERB] Loading ACME account signer...
 [DBUG] Loading signer from C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Signer_v2
 [VERB] Constructing ACME protocol client...
 [DBUG] Send GET request to https://acme-staging-v02.api.letsencrypt.org/directory
 [VERB] Request completed with status OK
 [DBUG] Send HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
 [VERB] Request completed with status OK
 [DBUG] Loading account information from C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Registration_v2
 [DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order
 [VERB] Request completed with status Created
 [VERB] Order https://acme-staging-v02.api.letsencrypt.org/acme/order/13668293/92349288 created
 [VERB] Handle authorization 1/1
 [DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/56553613
 [VERB] Request completed with status OK
 [INFO] Authorize identifier example.com
 [VERB] Initial authorization status: pending
 [VERB] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
 [VERB] Initial challenge status: pending
 [INFO] Authorizing example.com using http-01 validation (SelfHosting)
 [EROR] Unable to activate HttpListener, this may be because of insufficient rights or a non-Microsoft webserver using port 80
 [EROR] Error preparing for challenge answer
System.Net.HttpListenerException (6): The handle is invalid.
   at System.Net.HttpListener.SetupV2Config()
   at System.Net.HttpListener.Start()
   at PKISharp.WACS.Plugins.ValidationPlugins.Http.SelfHosting.PrepareChallenge()
   at PKISharp.WACS.Plugins.ValidationPlugins.Validation`1.PrepareChallenge(IChallengeValidationDetails challenge)
   at PKISharp.WACS.RenewalExecutor.HandleChallenge(ExecutionContext context, TargetPart targetPart, Authorization authorization)
 [VERB] Starting post-validation cleanup
 [VERB] Post-validation cleanup was succesful
 [EROR] Create certificate failed: Error preparing for challenge answer

Platform:

Additional context

Same problem appears running in Windows PowerShell, PowerShell Core 6 and cmd.

WouterTinus commented 4 years ago

There is a bug here but it's that the command line parser is not letting you know that your arguments are invalid. Try "wacs --target manual --host "example.com" --validation selfhosting --validationport 8080 --test --verbose"

Gachapen commented 4 years ago

Oh, sorry, my example command was wrong, but this was not actually the issue. I still get the same error:

 [VERB] Verbose mode logging enabled
 [VERB] Looking for settings.json in C:\win-acme
 [DBUG] Config folder: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org
 [DBUG] Log path: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Log
 [DBUG] Cache path: C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Certificates
 [VERB] Arguments: --target manual --host example.com --validation selfhosting --validationport 8080 --test --verbose
 [DBUG] Renewal period: 55 days

 [INFO] A simple Windows ACMEv2 client (WACS)
 [INFO] Software version 2.1.7.807 (RELEASE, TRIMMED)
 [INFO] ACME server https://acme-staging-v02.api.letsencrypt.org/
 [VERB] SecurityProtocol setting: SystemDefault
 [DBUG] Connection OK!
 [INFO] IIS not detected
 [INFO] Running with administrator credentials
 [WARN] Scheduled task not configured yet
 [INFO] Please report issues at https://github.com/win-acme/win-acme
 [VERB] Test for international support: 語言 язык لغة
 [INFO] Running in mode: Unattended, Test
 [VERB] Adding 8.8.8.8 as DNS server
 [VERB] Adding 1.1.1.1 as DNS server
 [VERB] Adding 8.8.4.4 as DNS server
 [INFO] Target generated using plugin Manual: example.com
 [VERB] Targeted convert into 1 order(s)
 [VERB] Checking [Manual] example.com
 [VERB] Handle order 1/1: Main
 [DBUG] Refreshing order...
 [VERB] Loading ACME account signer...
 [DBUG] Loading signer from C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Signer_v2
 [VERB] Constructing ACME protocol client...
 [DBUG] Send GET request to https://acme-staging-v02.api.letsencrypt.org/directory
 [VERB] Request completed with status OK
 [DBUG] Send HEAD request to https://acme-staging-v02.api.letsencrypt.org/acme/new-nonce
 [VERB] Request completed with status OK
 [DBUG] Loading account information from C:\ProgramData\win-acme\acme-staging-v02.api.letsencrypt.org\Registration_v2
 [DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/order/13668293/92349288
 [VERB] Request completed with status OK
 [DBUG] Cached order has status pending, discarding
 [VERB] Creating order for hosts: ["example.com"]
 [DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/new-order
 [VERB] Request completed with status Created
 [VERB] Order https://acme-staging-v02.api.letsencrypt.org/acme/order/13668293/92635657 created
 [VERB] Handle authorization 1/1
 [DBUG] Send POST request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/56553613
 [VERB] Request completed with status OK
 [INFO] Authorize identifier example.com
 [VERB] Initial authorization status: pending
 [VERB] Challenge types available: ["http-01", "dns-01", "tls-alpn-01"]
 [VERB] Initial challenge status: pending
 [INFO] Authorizing example.com using http-01 validation (SelfHosting)
 [EROR] Unable to activate HttpListener, this may be because of insufficient rights or a non-Microsoft webserver using port 80
 [EROR] Error preparing for challenge answer
System.Net.HttpListenerException (6): The handle is invalid.
   at System.Net.HttpListener.SetupV2Config()
   at System.Net.HttpListener.Start()
   at PKISharp.WACS.Plugins.ValidationPlugins.Http.SelfHosting.PrepareChallenge()
   at PKISharp.WACS.Plugins.ValidationPlugins.Validation`1.PrepareChallenge(IChallengeValidationDetails challenge)
   at PKISharp.WACS.RenewalExecutor.HandleChallenge(ExecutionContext context, TargetPart targetPart, Authorization authorization)
 [VERB] Starting post-validation cleanup
 [VERB] Post-validation cleanup was succesful
 [EROR] Create certificate failed: Error preparing for challenge answer

WouterTinus commented 4 years ago

Yes that looks strange, I've not seen that error before. Is there any chance that some other piece of software is using that port?

Gachapen commented 4 years ago

Indeed very strange. I did check the ports with both Get-Process -Id (Get-NetTCPConnection -LocalPort 8080).OwningProcess and netstat -a -b, and I found no processes using that port. I also tried random other ports to be sure.

I also checked the source for HttpListener. It does throw from SetupV2Config in two locations, but I did not find any clues as to why it would fail with ERROR_INVALID_HANDLE. https://github.com/microsoft/referencesource/blob/master/System/net/System/Net/HttpListener.cs

Maybe there is something wrong with the runtime on this system. Any idea on how to debug this?

webprofusion-chrisc commented 4 years ago

Perhaps check to see if a UrlAcl needs to be set to allow a listener on port 8080 (https://docs.microsoft.com/en-us/windows/win32/http/add-urlacl), if the machine is not new perhaps something else previously used port 8080 and adjusted the settings. Might not make a difference but might be worth a try.

WouterTinus commented 4 years ago

Going to write some documentation on how to diagnose http listener issues using this thread and #1418 as references.

mtnhomes commented 4 years ago

Going to write some documentation on how to diagnose http listener issues using this thread and #1418 as references.

We are very much looking forward to this! Our certificates are all in expired mode as we have not been able to get past the http listener issue!

WouterTinus commented 4 years ago

Documentation updated at https://www.win-acme.com/reference/plugins/validation/http/selfhosting and related bug #1621 fixed in 2.1.10.

Gachapen commented 4 years ago

@WouterTinus

Great, but I am still experiencing the same issue. I am starting to think that this is a bug / configuration error on my system, because even netsh gives me the same error:

C:\>netsh http show urlacl

URL Reservations:
-----------------

The handle is invalid.

I've tried googling around, but can't seem to find anything useful regarding this. Note that this is running in a VM in Azure, and that nginx is running without issues. ~Also note that this is an attempt to upgrade from an older version (letsencrypt 1912.2.6907.35819) which worked just fine~ (we didn't use selfhosted mode in this version).
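The checks discussed in this thread (who owns the port, what netsh reports for URL reservations and SSL bindings, and whether a bare HttpListener can start on the same port at all) bundled into one script, so the failure can be isolated from wacs. This is an added example, not win-acme's own code; it assumes Windows PowerShell 5.1 run as administrator, and the acme-challenge prefix path is an assumption, not taken from the wacs source.

```powershell
# Diagnostic script (added example, not part of win-acme). Run elevated in
# Windows PowerShell 5.1 so [System.Net.HttpListener] goes through HTTP.sys.
# $Port matches the --validationport value used in this thread.
param([int]$Port = 8080)

Write-Host "== HTTP.sys kernel driver state =="
# HttpListener cannot bind if the HTTP driver is stopped; sc.exe shows drivers
# that Get-Service does not list.
sc.exe query HTTP

Write-Host "== Processes listening on port $Port =="
# Same check the reporter ran; no output means nothing owns the port.
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Process -Id $_.OwningProcess | Select-Object Id, ProcessName }

Write-Host "== URL reservations and SSL bindings (netsh) =="
# On the reporter's machine 'show urlacl' itself fails with 'The handle is
# invalid', which points at HTTP.sys configuration rather than at wacs.
netsh http show urlacl | Select-String -Pattern "http://\+:$Port/", "handle is invalid"
netsh http show sslcert | Select-String -Pattern "handle is invalid", "IP:port"

Write-Host "== Minimal HttpListener.Start on port $Port =="
# Reproduces the Start() call from SelfHosting.PrepareChallenge in isolation.
# Prefix path is an assumption; any path under the port exercises the same code.
$listener = New-Object System.Net.HttpListener
$listener.Prefixes.Add("http://+:$Port/.well-known/acme-challenge/")
try {
    $listener.Start()
    Write-Host "HttpListener started OK: the failure is specific to wacs, not to HTTP.sys."
    $listener.Stop()
} catch {
    # Unwrap to the innermost exception; for this issue it is
    # System.Net.HttpListenerException with Win32 error 6 (ERROR_INVALID_HANDLE).
    $e = $_.Exception
    while ($e.InnerException) { $e = $e.InnerException }
    Write-Host ("HttpListener.Start failed: {0}: {1}" -f $e.GetType().FullName, $e.Message)
    if ($e -is [System.Net.HttpListenerException]) {
        Write-Host ("Win32 error code: {0}" -f $e.ErrorCode)
    }
}
```

If the bare listener fails with the same error code while sc.exe reports the HTTP driver running, the problem is in the machine's HTTP.sys configuration, not in wacs or the .NET runtime.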

webprofusion-chrisc commented 4 years ago

Hi, check for invalid or duplicate ssl bindings:

https://forums.iis.net/t/1233877.aspx

Gachapen commented 4 years ago

@webprofusion-chrisc Thanks, but that registry folder is empty.