18.1.1 & acme client

[elektroinside]

Think this was fixed, was it a patch that fixed it?

[Fri Feb  2 14:10:45 EET 2018] original='{
  "type": "urn:acme:error:malformed",
  "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
  "status": 400
}'

[franco]

Still not quite, have to ask Frank on the status... acme.sh was updated, but did not fix this (expectations that it would were not clear anyway at least that is what one user reported testing it).


Cheers,
Franco

[elektroinside]

Okay Franco,

Thank you!

[bigops]

I have always found the ACME client to be a pain to use especially when you have to renew a certificate and you are using the DNS validation.  ZeroSSL is much more easier to use and then to import the certificate. 

[fraenki]

Think this was fixed, was it a patch that fixed it?

[Fri Feb  2 14:10:45 EET 2018] original='{
  "type": "urn:acme:error:malformed",
  "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
  "status": 400
}'

I've been pretty sure that acme.sh 2.7.5 would fix this error:
https://github.com/opnsense/plugins/issues/470

Apparently I was wrong. It will not be fixed until acme.sh 2.7.6 is released. I'll reopen this issue.


Regards
- Frank

[elektroinside]

No worries

Thank you.

[eshield]

Hello,

Some additional info to 400 tos error:

PHP Warning:  cert_action_validator(): Node no longer exists in
/usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122
PHP Warning:  cert_action_validator(): Node no longer exists in /usr/local/opnsense/scripts/OPNsense/AcmeClient/certhelper.php on line 122

Crash always happens after cert issue attempt.

[franco]

It's a cosmetic PHP issue since 7.0, ticket here....

https://github.com/opnsense/plugins/issues/333


Cheers,
Franco

[elektroinside]

I had enough of that agreement error so I "hacked" acme.sh to take the correct one.
I also needed to comment a validation because of a freak error, but it worked... got a new cert.

[eshield]

acme.sh 2.7.6 has been released 3 days ago, any ETA on LE package update?

Thanks.

[franco]

As soon as it hits FreeBSD as it is tested as it is shipped in OPNsense.


Cheers,
Franco

[eshield]

ouch! well, updated acme.sh by myself and everything works fine 

[franco]

Nice!  Will you share your solution with everyone?

[eshield]

Nice!  Will you share your solution with everyone?

There is no special magic involved. I just replaced /usr/local/sbin/acme.sh with a new one and set permissions to 0555 using WinSCP 

[elektroinside]

Confirming it works (replacing with the new one)
No other hacks, just chmod 0555

FYI, without 0555, it will fail to validate this:

Code: [Select]

    if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ] || [ "$Le_ForceNewDomainKey" = "1" ]; then
      if ! createDomainKey "$_main_domain" "$_key_length"; then
        _err "Create domain key error."
        _clearup
        _on_issue_err "$_post_hook"
        return 1
      fi
    fi