Author Topic: Let's Encrypt certificate reissue error - outdated ACME  (Read 4558 times)

comozoi

Let's Encrypt certificate reissue error - outdated ACME
« on: January 08, 2018, 09:06:23 pm »
Hello everyone,
Having a problem with Let's Encrypt - we cannot renew certificates with Let's Encrypt client due to the following error:

"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]    does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",

response='{"type":"urn:acme:error:malformed","detail":"Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]","status": 400}'



Found this notice: https://github.com/Neilpang/acme.sh/issues/1112

Any help appreciated.
« Last Edit: January 08, 2018, 09:07:55 pm by comozoi »

franco

Re: Let's Encrypt certificate reissue error - outdated ACME
« Reply #1 on: January 08, 2018, 09:55:34 pm »
Hi there,

Yes, we have a ticket.

https://github.com/opnsense/plugins/issues/470

You could try updating acme.sh manually and report back:

# opnsense-code tools ports
# cd /usr/ports/security/acme.sh
# make
# make deinstall
# make install


Cheers,
Franco

comozoi

Re: Let's Encrypt certificate reissue error - outdated ACME
« Reply #2 on: January 08, 2018, 11:49:07 pm »
Thank you, I followed the steps, but same error appears.
In Firmware Acme client 1.12, Acme sh 2.7.4_1

[Tue Jan 9 00:37:08 EET 2018]    Diagnosis versions:
[Tue Jan 9 00:37:08 EET 2018]    socat doesn't exists.
[Tue Jan 9 00:37:08 EET 2018]    _chk_vlist
[Tue Jan 9 00:37:08 EET 2018]    Please check log file for more details: /var/log/acme.sh.log
[Tue Jan 9 00:37:08 EET 2018]    _on_issue_err
[Tue Jan 9 00:37:08 EET 2018]    Update account error.
[Tue Jan 9 00:37:08 EET 2018]    code='400'
[Tue Jan 9 00:37:08 EET 2018]    response='{"type":"urn:acme:error:malformed","detail":"Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]","status": 400}'
Date: Mon, 08 Jan 2018 22:37:07    GMT
Expires: Mon, 08 Jan 2018 22:37:07    GMT
Expires: Mon, 08 Jan 2018 22:37:07    GMT
[Tue Jan 9 00:37:08 EET 2018]    responseHeaders='HTTP/1.1 100 Continue
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]    does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
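
The 400 response in the log above names both URLs: the agreement the client submitted and the one the server currently requires. As an added example (not part of any post in this thread, and not code from acme.sh or OPNsense), this script extracts the two from acme.sh log output; the function names are hypothetical and the sample lines are copied from the log in the post above.

```shell
#!/bin/sh
# Added example: report which subscriber agreement URL the ACME client sent
# and which one the CA expects, from acme.sh log output.

# Sample input: three lines copied from the log quoted in this thread.
sample_log() {
cat <<'EOF'
[Tue Jan 9 00:37:08 EET 2018]    Update account error.
[Tue Jan 9 00:37:08 EET 2018]    code='400'
[Tue Jan 9 00:37:08 EET 2018]    response='{"type":"urn:acme:error:malformed","detail":"Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]","status": 400}'
EOF
}

# Print "provided current" (space-separated) for each distinct mismatch on stdin.
# " *" after the first "]" tolerates the extra spaces seen in some log views.
agreement_mismatch() {
    sed -n 's/.*Provided agreement URL \[\([^]]*\)\] *does not match current agreement URL \[\([^]]*\)\].*/\1 \2/p' | sort -u
}

# Summarise the first mismatch; return 1 when the input contains none.
check_log() {
    pair=$(agreement_mismatch | head -n 1)
    if [ -z "$pair" ]; then
        echo "no agreement URL mismatch in input"
        return 1
    fi
    echo "client sent:    ${pair%% *}"
    echo "server expects: ${pair##* }"
}

# On the firewall itself: check_log < /var/log/acme.sh.log
sample_log | check_log
```
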


franco

Re: Let's Encrypt certificate reissue error - outdated ACME
« Reply #3 on: January 08, 2018, 11:50:47 pm »
Sorry I am an idiot. I never merged these changes... let me create a branch in a second....

franco

Re: Let's Encrypt certificate reissue error - outdated ACME
« Reply #4 on: January 08, 2018, 11:53:25 pm »
Let's try this again 8)

# opnsense-code tools ports
# cd /usr/ports/security/acme.sh
# git checkout acme_sh
# make
# make deinstall
# make install


Cheers,
Franco

comozoi

Re: Let's Encrypt certificate reissue error - outdated ACME
« Reply #5 on: January 09, 2018, 01:10:18 pm »
Thank you.
Tried with 2.7.5_1
Same error.

Date    Message
[Tue Jan 9 14:14:58 EET 2018]    Diagnosis versions:
[Tue Jan 9 14:14:58 EET 2018]    socat doesn't exists.
[Tue Jan 9 14:14:58 EET 2018]    _chk_vlist
[Tue Jan 9 14:14:58 EET 2018]    Please check log file for more details: /var/log/acme.sh.log
[Tue Jan 9 14:14:58 EET 2018]    _on_issue_err
[Tue Jan 9 14:14:58 EET 2018]    Update account error.
[Tue Jan 9 14:14:58 EET 2018]    code='400'
[Tue Jan 9 14:14:58 EET 2018]    response='{"type":"urn:acme:error:malformed","detail":"Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]","status": 400}'
Date: Tue, 09 Jan 2018 12:14:58    GMT
Expires: Tue, 09 Jan 2018 12:14:58    GMT
Expires: Tue, 09 Jan 2018 12:14:58    GMT
[Tue Jan 9 14:14:58 EET 2018]    responseHeaders='HTTP/1.1 100 Continue
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]    does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
[Tue Jan 9 14:14:58 EET 2018]    original='{
[Tue Jan 9 14:14:58 EET 2018]    _ret='0'
[Tue Jan 9 14:14:57 EET 2018]    _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
« Last Edit: January 09, 2018, 01:16:27 pm by comozoi »

franco

Re: Let's Encrypt certificate reissue error - outdated ACME
« Reply #6 on: January 10, 2018, 08:40:11 am »
I'll try to get hold of the maintainer to fix this for 17.7.12 / 18.1.


Thank you for testing,
Franco

bahansen.us

Re: Let's Encrypt certificate reissue error - outdated ACME
« Reply #7 on: January 20, 2018, 11:53:29 pm »
Hello,

I'm a new user to OPNsense. I'm trying to set up Let's Encrypt and followed the directions to use the staging environment. I seem to be having the same issue where the Let's Encrypt servers are stuck on api.acme*. I found this thread and confirmed I'm using the 17.7.12 (installed) version.

Thank You