OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: Edtech on June 15, 2019, 08:26:23 am
-
Since version 19.1.x (since the April or May version), the account creation fails in the acme-client plugin.
Certification is blocked upon receipt of the account footprint. If you then try to restart the renewal or creation of a certificate, it fails with an error 400 "KeyID header contained an invalid account URL".
[Sat Jun 15 08:10:46 CEST 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Jun 15 08:10:46 CEST 2019] Use length 4096
[Sat Jun 15 08:10:46 CEST 2019] Using RSA: 4096
[Sat Jun 15 08:10:50 CEST 2019] Create account key ok.
[Sat Jun 15 08:10:50 CEST 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Jun 15 08:10:50 CEST 2019] Using config home:/var/etc/acme-client/home
[Sat Jun 15 08:10:50 CEST 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Jun 15 08:10:50 CEST 2019] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Sat Jun 15 08:10:50 CEST 2019] GET
[Sat Jun 15 08:10:50 CEST 2019] url='https://acme-v02.api.letsencrypt.org/directory'
[Sat Jun 15 08:10:50 CEST 2019] timeout=
[Sat Jun 15 08:10:50 CEST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Sat Jun 15 08:10:51 CEST 2019] ret='0'
[Sat Jun 15 08:10:51 CEST 2019] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Sat Jun 15 08:10:51 CEST 2019] ACME_NEW_AUTHZ
[Sat Jun 15 08:10:51 CEST 2019] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sat Jun 15 08:10:51 CEST 2019] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sat Jun 15 08:10:51 CEST 2019] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Sat Jun 15 08:10:51 CEST 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Sat Jun 15 08:10:51 CEST 2019] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sat Jun 15 08:10:51 CEST 2019] ACME_VERSION='2'
[Sat Jun 15 08:10:51 CEST 2019] RSA key
[Sat Jun 15 08:10:54 CEST 2019] Registering account
[Sat Jun 15 08:10:54 CEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sat Jun 15 08:10:54 CEST 2019] payload='{"contact": ["mailto: --------------"], "termsOfServiceAgreed": true}'
[Sat Jun 15 08:10:54 CEST 2019] HEAD
[Sat Jun 15 08:10:54 CEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sat Jun 15 08:10:54 CEST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Sat Jun 15 08:10:55 CEST 2019] _ret='0'
[Sat Jun 15 08:10:55 CEST 2019] POST
[Sat Jun 15 08:10:55 CEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sat Jun 15 08:10:55 CEST 2019] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Sat Jun 15 08:10:56 CEST 2019] _ret='0'
[Sat Jun 15 08:10:56 CEST 2019] code='201'
[Sat Jun 15 08:10:56 CEST 2019] Registered
[Sat Jun 15 08:10:56 CEST 2019] _accUri='https://acme-v02.api.letsencrypt.org/acme/acct/59288491'
[Sat Jun 15 08:10:56 CEST 2019] Calc CA_KEY_HASH='--------------------------------------------'
[Sat Jun 15 08:10:56 CEST 2019] ACCOUNT_THUMBPRINT='--------------------------------------------'
[Sat Jun 15 08:14:03 CEST 2019] Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:malformed",
"detail": "KeyID header contained an invalid account URL: \"https://acme-v02.api.letsencrypt.org/acme/acct/59288491\"",
"status": 400
}
-
I seem to have the same issue on 19.7, fake certs are fine, but prod certs fail with error 400 as you pointed out.
Have you found a solution to your problem?
-
I too am facing this. Perhaps could have something to do with sending the wrong (or not at all) "kid" header:
https://community.letsencrypt.org/t/acme-v2-strict-jws-kid-header-processing/63321
-
I've found a workaround by using a second account. After changing the account for a certificate entry, the issue process stopped with 'register account'-messages. The second try succeeded.
After switching from staging to production, I had to switch again: 1st try with account 2: 'invalid account URL'-error, 2nd try with account 1: 'register account'-stop, 3rd try with account 1: success.
OPNsense 20.1.a_75-amd64
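The two posts above point at the ACME "kid" header: after registration, every request except newAccount must carry, as kid, the account URL that this same directory returned, and the server answers "KeyID header contained an invalid account URL" when it does not recognise the value it was given. The following added example (not code from the OPNsense plugin or from acme.sh) builds the RFC 8555 protected header and refuses an account URL issued by another directory, one reproducible way to provoke that error when moving between staging and production; it assumes, as with Let's Encrypt, that account and endpoint URLs share the directory's origin, and the directory and account URLs in it are constructed samples.

```python
"""Build the protected header of an ACME v2 (RFC 8555) JWS request and
refuse a stored account URL (kid) that was not issued by the target CA."""
import base64
import json
from urllib.parse import urlsplit

# Constructed sample values modelled on the log lines in this thread.
STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
PROD = "https://acme-v02.api.letsencrypt.org/directory"
NEW_ACCT_PATH = "/acme/new-acct"


def same_origin(url_a, url_b):
    """True when scheme and host match. An account URL handed out by one
    CA environment (e.g. staging) means nothing to another (production),
    which is what the 'invalid account URL' response reports."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def protected_header(url, nonce, jwk, kid=None):
    """RFC 8555 section 6.2: newAccount carries the public key as 'jwk';
    every later request carries 'kid', the account URL returned by the
    Location header of the 201 response to newAccount at this directory."""
    header = {"alg": "RS256", "nonce": nonce, "url": url}
    if urlsplit(url).path == NEW_ACCT_PATH:
        header["jwk"] = jwk
        return header
    if kid is None:
        raise ValueError("no account URL stored yet; register the account first")
    if not same_origin(url, kid):
        raise ValueError("account URL %s was issued by a different directory" % kid)
    header["kid"] = kid
    return header


def b64url(data):
    """base64url without '=' padding, the encoding JWS mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_protected(header):
    """Serialise the header compactly and base64url-encode it for the JWS."""
    return b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
```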
-
Looks like I also encountered this. I successfully set up HAProxy with Let's Encrypt against the staging environment. But when I switched to the production environment I got this response as well. No amount of switching accounts or retrying has solved this so far. Even switching back to staging results in errors. Due to the various things I changed to understand what is happening I am no longer sure my setup is correct, but I would have expected to be able to switch to production after I got things stable against the staging environment.
Any suggestions about that? (not about my current issue, I might have changed too many things now and have to start from scratch)
Addition: I just realise this is in the Legacy forum, but I am running the current version (19.7.2) with up-to-date plugins.
-
To all the users that arrive here after googling:
Please open a bug report here...
https://github.com/opnsense/plugins/issues
...and provide as many details as possible, especially all steps required to reliably reproduce this issue.
Here you'll find a guideline on what information should be included in every report:
https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
Thanks.
- Frank