OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: comozoi on January 08, 2018, 09:06:23 pm

Title: Let's Encrypt certificate reissue error - outdated ACME
Post by: comozoi on January 08, 2018, 09:06:23 pm
Hello everyone,
Having a problem with Let's Encrypt - we cannot renew certificates with the Let's Encrypt client due to the following error:

"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]    does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",

response='{"type":"urn:acme:error:malformed","detail":"Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]","status": 400}'



Found this notice: https://github.com/Neilpang/acme.sh/issues/1112

Any help appreciated.
Title: Re: Let's Encrypt certificate reissue error - outdated ACME
Post by: franco on January 08, 2018, 09:55:34 pm
Hi there,

Yes, we have a ticket.

https://github.com/opnsense/plugins/issues/470

You could try updating acme.sh manually and report back:

# opnsense-code tools ports
# cd /usr/ports/security/acme.sh
# make
# make deinstall
# make install


Cheers,
Franco
Title: Re: Let's Encrypt certificate reissue error - outdated ACME
Post by: comozoi on January 08, 2018, 11:49:07 pm
Thank you, I followed the steps, but the same error appears.
In Firmware Acme client 1.12, Acme sh 2.7.4_1

[Tue Jan 9 00:37:08 EET 2018]    Diagnosis versions:
[Tue Jan 9 00:37:08 EET 2018]    socat doesn't exists.
[Tue Jan 9 00:37:08 EET 2018]    _chk_vlist
[Tue Jan 9 00:37:08 EET 2018]    Please check log file for more details: /var/log/acme.sh.log
[Tue Jan 9 00:37:08 EET 2018]    _on_issue_err
[Tue Jan 9 00:37:08 EET 2018]    Update account error.
[Tue Jan 9 00:37:08 EET 2018]    code='400'
[Tue Jan 9 00:37:08 EET 2018]    response='{"type":"urn:acme:error:malformed","detail":"Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]","status": 400}'
Date: Mon, 08 Jan 2018 22:37:07    GMT
Expires: Mon, 08 Jan 2018 22:37:07    GMT
Expires: Mon, 08 Jan 2018 22:37:07    GMT
[Tue Jan 9 00:37:08 EET 2018]    responseHeaders='HTTP/1.1 100 Continue
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]    does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",

Title: Re: Let's Encrypt certificate reissue error - outdated ACME
Post by: franco on January 08, 2018, 11:50:47 pm
Sorry I am an idiot. I never merged these changes... let me create a branch in a second....
Title: Re: Let's Encrypt certificate reissue error - outdated ACME
Post by: franco on January 08, 2018, 11:53:25 pm
Let's try this again 8)

# opnsense-code tools ports
# cd /usr/ports/security/acme.sh
# git checkout acme_sh
# make
# make deinstall
# make install


Cheers,
Franco
Title: Re: Let's Encrypt certificate reissue error - outdated ACME
Post by: comozoi on January 09, 2018, 01:10:18 pm
Thank you.
Tried with 2.7.5_1
Same error.

Date    Message
[Tue Jan 9 14:14:58 EET 2018]    Diagnosis versions:
[Tue Jan 9 14:14:58 EET 2018]    socat doesn't exists.
[Tue Jan 9 14:14:58 EET 2018]    _chk_vlist
[Tue Jan 9 14:14:58 EET 2018]    Please check log file for more details: /var/log/acme.sh.log
[Tue Jan 9 14:14:58 EET 2018]    _on_issue_err
[Tue Jan 9 14:14:58 EET 2018]    Update account error.
[Tue Jan 9 14:14:58 EET 2018]    code='400'
[Tue Jan 9 14:14:58 EET 2018]    response='{"type":"urn:acme:error:malformed","detail":"Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]","status": 400}'
Date: Tue, 09 Jan 2018 12:14:58    GMT
Expires: Tue, 09 Jan 2018 12:14:58    GMT
Expires: Tue, 09 Jan 2018 12:14:58    GMT
[Tue Jan 9 14:14:58 EET 2018]    responseHeaders='HTTP/1.1 100 Continue
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]    does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
[Tue Jan 9 14:14:58 EET 2018]    original='{
[Tue Jan 9 14:14:58 EET 2018]    _ret='0'
[Tue Jan 9 14:14:57 EET 2018]    _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header '
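
Added example, not part of the original thread and not OPNsense or acme.sh code: a small parser that scans acme.sh log text for the agreement-URL rejection shown above and reports which subscriber-agreement URL the client sent and which one the CA expects. The function name and the sample log (constructed in the shape of the lines posted above, plus one constructed badNonce line) are assumptions.

```python
import json
import re

# Detail string of the ACME v1 agreement mismatch, as quoted in the thread.
MISMATCH_RE = re.compile(
    r"Provided agreement URL \[(?P<provided>[^\]]+)\]\s+"
    r"does not match current agreement URL \[(?P<current>[^\]]+)\]"
)
# acme.sh log lines have the form: [timestamp]<spaces>text or key='value'
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<body>.*)$")
RESPONSE_RE = re.compile(r"^response='(?P<json>\{.*\})'$")

# Constructed sample: three lines shaped like the posted log, one unrelated error.
SAMPLE_LOG = """\
[Tue Jan 9 14:14:58 EET 2018]    Update account error.
[Tue Jan 9 14:14:58 EET 2018]    code='400'
[Tue Jan 9 14:14:58 EET 2018]    response='{"type":"urn:acme:error:malformed","detail":"Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]","status": 400}'
[Tue Jan 9 14:15:02 EET 2018]    response='{"type":"urn:acme:error:badNonce","detail":"JWS has invalid anti-replay nonce","status": 400}'
"""


def find_agreement_mismatches(log_text):
    """Return one finding per logged ACME response that rejects a stale agreement URL."""
    findings = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue
        resp = RESPONSE_RE.match(line["body"])
        if not resp:
            continue
        try:
            doc = json.loads(resp["json"])
        except json.JSONDecodeError:
            continue  # truncated or multi-line response: skip rather than guess
        m = MISMATCH_RE.search(str(doc.get("detail", "")))
        if doc.get("type") == "urn:acme:error:malformed" and m:
            findings.append({
                "timestamp": line["ts"],
                "status": doc.get("status"),
                "provided": m["provided"],
                "current": m["current"],
            })
    return findings


if __name__ == "__main__":
    for f in find_agreement_mismatches(SAMPLE_LOG):
        print(f"{f['timestamp']}: client sent {f['provided']}, CA expects {f['current']}")
```
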
Title: Re: Let's Encrypt certificate reissue error - outdated ACME
Post by: franco on January 10, 2018, 08:40:11 am
I'll try to get hold of the maintainer to fix this for 17.7.12 / 18.1.


Thank you for testing,
Franco
Title: Re: Let's Encrypt certificate reissue error - outdated ACME
Post by: bahansen.us on January 20, 2018, 11:53:29 pm
Hello,

I'm a new user to OPNsense. I'm trying to set up Let's Encrypt and followed the directions to use the staging environment. I seem to be having the same issue where the Let's Encrypt servers are stuck on api.acme*. I found this thread and confirmed I'm using the 17.7.12 (installed) version.

Thank You