Error while registering account with ACME server #104

Closed
sahildeliwala opened this issue Nov 16, 2017 · 16 comments
@sahildeliwala

sahildeliwala commented Nov 16, 2017

I'm getting errors for domains, as it is not able to generate new certificates and thus ends up loading fallback certificates. Do we need to upgrade anything?

Below are my logs for the errors.

2017/11/16 08:53:15 [error] 3256#0: 9 [lua] ssl_certificate.lua:92: issue_cert(): auto-ssl: issuing new certificate failed: dehydrated failure, context: ssl_certificate_by_lua, client: 188.166.65.148, server: 0.0.0.0:443
2017/11/16 08:53:15 [error] 3256#0: 9 [lua] ssl_certificate.lua:256: auto-ssl: could not get certificate for domain.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua, client: 188.166.65.148, server: 0.0.0.0:443
2017/11/16 08:54:14 [error] 3610#0: *5 [lua] lets_encrypt.lua:40: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=8c95ffa6d282a47d7e65e2c94c66c21b9a89a257c6f2e92bbdba648e09e7fd3d HOOK_SERVER_PORT=8999 /usr/local/bin/resty-auto-ssl/dehydrated --cron --no-lock --domain wagikdev.tk --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config

  • Generating account key...
  • Registering account key with ACME server...

Error registering account key. See message above for more information.
err: # !! WARNING !! Extra configuration directory /etc/resty-auto-ssl/letsencrypt/conf.d exists, but no configuration found in it.

Details:
{
"type": "urn:acme:error:malformed",
"detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
"status": 400
}

rm: cannot remove '/etc/resty-auto-ssl/letsencrypt/domains.txt': No such file or directory
, context: ssl_certificate_by_lua*, client: 188.166.65.148, server: 0.0.0.0:443

@fjros

fjros commented Nov 16, 2017

Hi @sahildeliwala!

@GUI said he'll fix the issue this week.

If you need a temporary workaround, add the following line in /etc/resty-auto-ssl/letsencrypt/config:

LICENSE="https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"

(Don't leave such config in a production env for too long, or it'll fail if Let's Encrypt terms of service ever change again)

@brianlund
Contributor

brianlund commented Nov 16, 2017

Wouldn't it be better to use:
LICENSE="https://acme-v01.api.letsencrypt.org/terms" or
LICENSE="https://acme-staging.api.letsencrypt.org/terms" which seems to redirect to the current terms?

(and isn't the variable called CA_TERMS?)

@sahildeliwala
Author

@fjros @brianlund Thanks for the prompt response.
I've tried this, but the certificate still has an issue. It displays "Fake LE Intermediate X1" as the certificate issuer and shows a privacy error in the browser.

@brianlund
Contributor

brianlund commented Nov 16, 2017

@sahildeliwala From your original message, it seems you are running against the staging endpoint, so you'll always get the "Fake LE Intermediate X1" certificate.

@sahildeliwala
Author

sahildeliwala commented Nov 16, 2017

@brianlund How can we change this to request a proper certificate? Do we need to set up a server variable in the config as well? Or any flags?

@brianlund
Contributor

@sahildeliwala if you don't explicitly point to the staging endpoint, it should default to production. Do you have any configuration mentioning staging under /etc/resty-auto-ssl/ ? Has this setup been working before?

@sahildeliwala
Author

sahildeliwala commented Nov 16, 2017

@brianlund "staging" is mentioned nowhere.

This is the 3rd time I'm setting this up now. Never faced this issue before.

contents of /etc/resty-auto-ssl/letsencrypt/config

#This file will be overwritten by resty-auto-ssl.
# Place any customizations in /etc/resty-auto-ssl/letsencrypt/conf.d

CONFIG_D="/etc/resty-auto-ssl/letsencrypt/conf.d"
LOCKFILE="/etc/resty-auto-ssl/letsencrypt/locks/lock"
WELLKNOWN="/etc/resty-auto-ssl/letsencrypt/.acme-challenges"

Contents of /etc/resty-auto-ssl/letsencrypt/config.d/config (File I created now)
LICENSE="https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"

@brianlund
Contributor

What about in /etc/resty-auto-ssl/letsencrypt/conf.d ?

@sahildeliwala
Author

sahildeliwala commented Nov 16, 2017

Contents of /etc/resty-auto-ssl/letsencrypt/conf.d/config (File I created now)
LICENSE="https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"

@brianlund
Contributor

config.d or conf.d?

@sahildeliwala
Author

Yeah, sorry, it's conf.d/config

@brianlund
Contributor

Ok. First thing is that I believe for settings to be picked up from conf.d/, the file probably needs to be named config.sh (or something else with the suffix .sh); try that first.

Also could you answer if this setup used to work?

@sahildeliwala
Author

I've never had to set up any additional configs before. It would work smoothly before. This is just because I think the URL for accepting terms has changed. I've changed that, but it still has an issue.

@brianlund
Contributor

Try renaming the file to config.sh - then check the debug output to see if you're still getting the same error message.

@sahildeliwala
Author

@brianlund Renaming it to .sh worked!
Thank you very much for your help.
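
The check that resolved this thread, as an added example that is not part of the original discussion or the project's own code: it lists override files in conf.d that get skipped and prints the LICENSE value actually in effect. It assumes, as the thread found, that only files ending in .sh under conf.d are loaded; the function names and the temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a dehydrated conf.d directory the way this thread debugged it.
# Assumption (matches the fix found in the thread): only files named *.sh are loaded.

# Print every regular file in conf.d that lacks the .sh suffix and is therefore ignored.
ignored_overrides() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.sh) ;;                      # loaded
            *) printf '%s\n' "$f" ;;      # silently skipped
        esac
    done
}

# Print the LICENSE value that results from sourcing conf.d/*.sh in glob order.
# Runs in a subshell so the caller's environment is left untouched.
effective_license() {
    dir=$1
    (
        unset LICENSE
        for f in "$dir"/*.sh; do
            [ -r "$f" ] || continue
            . "$f"
        done
        printf '%s\n' "${LICENSE-}"
    )
}

# Constructed demo: reproduce the thread's state (override saved as "config"),
# then apply the fix (rename to "config.sh").
demo_dir=$(mktemp -d)
printf 'LICENSE="https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"\n' > "$demo_dir/config"
echo "ignored before rename: $(ignored_overrides "$demo_dir")"
echo "LICENSE before rename: '$(effective_license "$demo_dir")'"
mv "$demo_dir/config" "$demo_dir/config.sh"
echo "LICENSE after rename:  '$(effective_license "$demo_dir")'"
rm -rf "$demo_dir"
```

Only run `effective_license` against a conf.d directory you trust, since it sources the files it finds there.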

@GUI
Collaborator

GUI commented Nov 17, 2017

This should be fixed in lua-resty-auto-ssl v0.11.1 that's now available on luarocks. Thanks for reporting the issue!

More details over in #13 (comment).

@GUI GUI closed this as completed Nov 17, 2017
parisk added a commit to withlogicco/ceryx that referenced this issue Jan 4, 2018
This saves us from cases where Ceryx cannot issue a certificate because of difference in the agreement document of client / server:

  - auto-ssl/lua-resty-auto-ssl#104
  - auto-ssl/lua-resty-auto-ssl#13 (comment)