
Issue with --tls --test on "asuswrt stock firmware" #1266

Closed
stevebovy opened this issue Feb 15, 2018 · 20 comments

Comments

@stevebovy

Steps to reproduce

./acme.sh --issue -d home.miscbitbag.org --test --tls --pre-hook "service stop_webdav" --home /jffs/acme.sh --debug --log


Debug log

admin-280@RT-AC66U_B1:/jffs/acme.sh# ./acme.sh --issue -d home.miscbitbag.org --test --tls --pre-hook "service stop_webdav" --home
/jffs/acme.sh --debug --log
[Wed Feb 14 22:18:07 PST 2018] Lets find script dir.
[Wed Feb 14 22:18:07 PST 2018] SCRIPT='./acme.sh'
[Wed Feb 14 22:18:07 PST 2018] _script='/jffs/acme.sh/acme.sh'
[Wed Feb 14 22:18:07 PST 2018] _script_home='/jffs/acme.sh'
[Wed Feb 14 22:18:07 PST 2018] Using config home:/jffs/acme.sh
https://github.com/Neilpang/acme.sh
v2.7.7
[Wed Feb 14 22:18:07 PST 2018] Using config home:/jffs/acme.sh
[Wed Feb 14 22:18:07 PST 2018] Using stage ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Wed Feb 14 22:18:07 PST 2018] DOMAIN_PATH='/jffs/acme.sh/home.miscbitbag.org'
[Wed Feb 14 22:18:08 PST 2018] Using ACME_DIRECTORY: https://acme-staging.api.letsencrypt.org/directory
[Wed Feb 14 22:18:08 PST 2018] _init api for server: https://acme-staging.api.letsencrypt.org/directory
[Wed Feb 14 22:18:08 PST 2018] GET
[Wed Feb 14 22:18:08 PST 2018] url='https://acme-staging.api.letsencrypt.org/directory'
[Wed Feb 14 22:18:08 PST 2018] timeout=
[Wed Feb 14 22:18:08 PST 2018] _CURL='curl -L --silent --dump-header /jffs/acme.sh/http.header -g '
[Wed Feb 14 22:18:08 PST 2018] ret='0'
[Wed Feb 14 22:18:08 PST 2018] ACME_KEY_CHANGE='https://acme-staging.api.letsencrypt.org/acme/key-change'
[Wed Feb 14 22:18:08 PST 2018] ACME_NEW_AUTHZ='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Wed Feb 14 22:18:08 PST 2018] ACME_NEW_ORDER='https://acme-staging.api.letsencrypt.org/acme/new-cert'
[Wed Feb 14 22:18:08 PST 2018] ACME_NEW_ACCOUNT='https://acme-staging.api.letsencrypt.org/acme/new-reg'
[Wed Feb 14 22:18:08 PST 2018] ACME_REVOKE_CERT='https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
[Wed Feb 14 22:18:08 PST 2018] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Wed Feb 14 22:18:08 PST 2018] ACME_NEW_NONCE
[Wed Feb 14 22:18:08 PST 2018] ACME_VERSION
[Wed Feb 14 22:18:08 PST 2018] Le_NextRenewTime
[Wed Feb 14 22:18:09 PST 2018] _on_before_issue
[Wed Feb 14 22:18:09 PST 2018] Run pre hook:'service stop_webdav'

Done.
[Wed Feb 14 22:18:09 PST 2018] Le_LocalAddress
[Wed Feb 14 22:18:09 PST 2018] Check for domain='home.miscbitbag.org'
[Wed Feb 14 22:18:09 PST 2018] _currentRoot='tls'
[Wed Feb 14 22:18:10 PST 2018] Standalone tls mode.
[Wed Feb 14 22:18:10 PST 2018] _checkport='443'
[Wed Feb 14 22:18:10 PST 2018] _checkaddr
[Wed Feb 14 22:18:10 PST 2018] Using: netstat
[Wed Feb 14 22:18:10 PST 2018] _saved_account_key_hash is not changed, skip register account.
[Wed Feb 14 22:18:11 PST 2018] Read key length:
[Wed Feb 14 22:18:11 PST 2018] _createcsr
[Wed Feb 14 22:18:11 PST 2018] Single domain='home.miscbitbag.org'
[Wed Feb 14 22:18:11 PST 2018] Getting domain auth token for each domain
[Wed Feb 14 22:18:11 PST 2018] Getting webroot for domain='home.miscbitbag.org'
[Wed Feb 14 22:18:11 PST 2018] _w='tls'
[Wed Feb 14 22:18:11 PST 2018] _currentRoot='tls'
[Wed Feb 14 22:18:11 PST 2018] Getting new-authz for domain='home.miscbitbag.org'
[Wed Feb 14 22:18:11 PST 2018] _init api for server: https://acme-staging.api.letsencrypt.org/directory
[Wed Feb 14 22:18:11 PST 2018] Try new-authz for the 0 time.
[Wed Feb 14 22:18:11 PST 2018] url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Wed Feb 14 22:18:11 PST 2018] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "home.miscbitbag.org"}}'
[Wed Feb 14 22:18:11 PST 2018] RSA key
[Wed Feb 14 22:18:11 PST 2018] GET
[Wed Feb 14 22:18:11 PST 2018] url='https://acme-staging.api.letsencrypt.org/directory'
[Wed Feb 14 22:18:11 PST 2018] timeout=
[Wed Feb 14 22:18:12 PST 2018] _CURL='curl -L --silent --dump-header /jffs/acme.sh/http.header -g '
[Wed Feb 14 22:18:12 PST 2018] ret='0'
[Wed Feb 14 22:18:12 PST 2018] POST
[Wed Feb 14 22:18:12 PST 2018] _post_url='https://acme-staging.api.letsencrypt.org/acme/new-authz'
[Wed Feb 14 22:18:12 PST 2018] _CURL='curl -L --silent --dump-header /jffs/acme.sh/http.header -g '
[Wed Feb 14 22:18:13 PST 2018] _ret='0'
[Wed Feb 14 22:18:13 PST 2018] code='201'
[Wed Feb 14 22:18:13 PST 2018] The new-authz request is ok.
[Wed Feb 14 22:18:13 PST 2018] entry
[Wed Feb 14 22:18:13 PST 2018] Error, can not get domain token entry home.miscbitbag.org
[Wed Feb 14 22:18:13 PST 2018] pid
[Wed Feb 14 22:18:13 PST 2018] No need to restore nginx, skip.
[Wed Feb 14 22:18:13 PST 2018] _clearupdns
[Wed Feb 14 22:18:13 PST 2018] skip dns.
[Wed Feb 14 22:18:13 PST 2018] _on_issue_err
[Wed Feb 14 22:18:13 PST 2018] Please check log file for more details: /jffs/acme.sh/acme.sh.log
[Wed Feb 14 22:18:14 PST 2018] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2j 26 Sep 2016
apache:
apache doesn't exists.
nginx:
nginx doesn't exists.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
Usage:
socat [options]
options:
-V print version and feature information to stdout, and exit
-h|-? print a help text describing command line options and addresses
-hh like -h, plus a list of all common address option names
-hhh like -hh, plus a list of all available address option names
-d increase verbosity (use up to 4 times; 2 are recommended)
-D analyze file descriptors before loop
-ly[facility] log to syslog, using facility (default is daemon)
-lf log to file
-ls log to stderr (default if no other log)
-lm[facility] mixed log mode (stderr during initialization, then syslog)
-lp set the program name used for logging
-lu use microseconds for logging timestamps
-lh add hostname to log messages
-v verbose data traffic, text
-x verbose data traffic, hexadecimal
-b<size_t> set data buffer size (8192)
-s sloppy (continue on error)
-t wait seconds before closing second channel
-T total inactivity timeout in seconds
-u unidirectional mode (left to right)
-U unidirectional mode (right to left)
-g do not check option groups
-L try to obtain lock, or fail
-W try to obtain lock, or wait
-4 prefer IPv4 if version is not explicitly specified
-6 prefer IPv6 if version is not explicitly specified
bi-address:
pipe[,] groups=FD,FIFO
!!

single-address:
[,]
address-head:
abstract-client: groups=FD,SOCKET,RETRY,UNIX
abstract-connect: groups=FD,SOCKET,RETRY,UNIX
abstract-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,UNIX
abstract-recv: groups=FD,SOCKET,RETRY,UNIX
abstract-recvfrom: groups=FD,SOCKET,CHILD,RETRY,UNIX
abstract-sendto: groups=FD,SOCKET,RETRY,UNIX
create: groups=FD,REG,NAMED
exec: groups=FD,FIFO,SOCKET,EXEC,FORK,TERMIOS,PTY,PARENT,UNIX
fd: groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
gopen: groups=FD,FIFO,CHR,BLK,REG,SOCKET,NAMED,OPEN,TERMIOS,UNIX
interface: groups=FD,SOCKET
ip-datagram:: groups=FD,SOCKET,RANGE,IP4,IP6
ip-recv: groups=FD,SOCKET,RANGE,IP4,IP6
ip-recvfrom: groups=FD,SOCKET,CHILD,RANGE,IP4,IP6
ip-sendto:: groups=FD,SOCKET,IP4,IP6
ip4-datagram:: groups=FD,SOCKET,RANGE,IP4
ip4-recv: groups=FD,SOCKET,RANGE,IP4
ip4-recvfrom: groups=FD,SOCKET,CHILD,RANGE,IP4
ip4-sendto:: groups=FD,SOCKET,IP4
ip6-datagram:: groups=FD,SOCKET,RANGE,IP6
ip6-recv: groups=FD,SOCKET,RANGE,IP6
ip6-recvfrom: groups=FD,SOCKET,CHILD,RANGE,IP6
ip6-sendto:: groups=FD,SOCKET,IP6
open: groups=FD,FIFO,CHR,BLK,REG,NAMED,OPEN,TERMIOS
openssl:: groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,OPENSSL
openssl-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,TCP,OPENSSL
pipe: groups=FD,FIFO,NAMED,OPEN
proxy::: groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,HTTP
pty groups=FD,NAMED,TERMIOS,PTY
sctp-connect:: groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,SCTP
sctp-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,SCTP
sctp4-connect:: groups=FD,SOCKET,CHILD,RETRY,IP4,SCTP
sctp4-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,SCTP
sctp6-connect:: groups=FD,SOCKET,CHILD,RETRY,IP6,SCTP
sctp6-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP6,SCTP
socket-connect::: groups=FD,SOCKET,CHILD,RETRY
socket-datagram:::: groups=FD,SOCKET,RANGE
socket-listen::: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE
socket-recv:::: groups=FD,SOCKET,RANGE
socket-recvfrom:::: groups=FD,SOCKET,CHILD,RANGE
socket-sendto:::: groups=FD,SOCKET
socks4::: groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,SOCKS4
socks4a::: groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,SOCKS4
stderr groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
stdin groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
stdio groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
stdout groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
system: groups=FD,FIFO,SOCKET,EXEC,FORK,TERMIOS,PTY,PARENT,UNIX
tcp-connect:: groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP
tcp-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,TCP
tcp4-connect:: groups=FD,SOCKET,CHILD,RETRY,IP4,TCP
tcp4-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,TCP
tcp6-connect:: groups=FD,SOCKET,CHILD,RETRY,IP6,TCP
tcp6-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP6,TCP
tun[:/] groups=FD,CHR,NAMED,OPEN,INTERFACE
udp-connect:: groups=FD,SOCKET,IP4,IP6,UDP
udp-datagram:: groups=FD,SOCKET,RANGE,IP4,IP6,UDP
udp-listen: groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP4,IP6,UDP
udp-recv: groups=FD,SOCKET,RANGE,IP4,IP6,UDP
udp-recvfrom: groups=FD,SOCKET,CHILD,RANGE,IP4,IP6,UDP
udp-sendto:: groups=FD,SOCKET,IP4,IP6,UDP
udp4-connect:: groups=FD,SOCKET,IP4,UDP
udp4-datagram:: groups=FD,SOCKET,RANGE,IP4,UDP
udp4-listen: groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP4,UDP
udp4-recv: groups=FD,SOCKET,RANGE,IP4,UDP
udp4-recvfrom:: groups=FD,SOCKET,CHILD,RANGE,IP4,UDP
udp4-sendto:: groups=FD,SOCKET,IP4,UDP
udp6-connect:: groups=FD,SOCKET,IP6,UDP
udp6-datagram:: groups=FD,SOCKET,RANGE,IP6,UDP
udp6-listen: groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP6,UDP
udp6-recv: groups=FD,SOCKET,RANGE,IP6,UDP
udp6-recvfrom: groups=FD,SOCKET,CHILD,RANGE,IP6,UDP
udp6-sendto:: groups=FD,SOCKET,IP6,UDP
unix-client: groups=FD,SOCKET,NAMED,RETRY,UNIX
unix-connect: groups=FD,SOCKET,NAMED,RETRY,UNIX
unix-listen: groups=FD,SOCKET,NAMED,LISTEN,CHILD,RETRY,UNIX
unix-recv: groups=FD,SOCKET,NAMED,RETRY,UNIX
unix-recvfrom: groups=FD,SOCKET,NAMED,CHILD,RETRY,UNIX
unix-sendto: groups=FD,SOCKET,NAMED,RETRY,UNIX
admin-280@RT-AC66U_B1:/jffs/acme.sh#

acme.sh  --issue .....   --debug 2
@FernandoMiguel

FernandoMiguel commented Feb 15, 2018 via email

@stevebovy
Author

stevebovy commented Feb 15, 2018 via email

@FernandoMiguel

FernandoMiguel commented Feb 15, 2018 via email

@stevebovy
Author

stevebovy commented Feb 15, 2018 via email

@FernandoMiguel

FernandoMiguel commented Feb 15, 2018 via email

@stevebovy
Author

stevebovy commented Feb 15, 2018 via email

@FernandoMiguel

FernandoMiguel commented Feb 15, 2018 via email

@stevebovy
Author

stevebovy commented Feb 15, 2018 via email

@stevebovy
Author

stevebovy commented Feb 15, 2018 via email

@FernandoMiguel

this doesn't seem to load
http://home.miscbitbag.org/.well-known/acme-challenge/7SzHcIaRIkaLD6rdPjS-5QMp-_uwwfTxQFkUhN7VKuE

ps: please use code to make comments more readable

@Neilpang
Member

#1251

@Neilpang
Member

@stevebovy
Author

stevebovy commented Feb 15, 2018 via email

@stevebovy
Author

this doesn't seem to load
http://home.miscbitbag.org/.well-known/acme-challenge/7SzHcIaRIkaLD6rdPjS-5QMp-_uwwfTxQFkUhN7VKuE

That's because it does not exist!!! When the cert was created it was not saved in the stand-alone web root; therefore the verification process fails.

In Stand-Alone Mode, where is the web-root?????

When the cert is issued it should be saved somewhere (I hope)???

In stand-alone mode, where is it saved???

@stevebovy
Author

Note: I do not see anything in my firewall iptables that would block port 80:

admin-280@RT-AC66U_B1:/tmp/home/root# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere state INVALID
PTCSRVWAN all -- anywhere anywhere
PTCSRVLAN all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
DROP tcp -- anywhere anywhere tcp dpt:8082
ACCEPT tcp -- anywhere anywhere tcp dpt:https
INPUT_ICMP icmp -- anywhere anywhere
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate DNAT

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain ACCESS_RESTRICTION (0 references)
target prot opt source destination

Chain FUPNP (0 references)
target prot opt source destination

Chain INPUT_ICMP (1 references)
target prot opt source destination
RETURN icmp -- anywhere anywhere icmp echo-request
RETURN icmp -- anywhere anywhere icmp timestamp-request
ACCEPT icmp -- anywhere anywhere

Chain PControls (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain PTCSRVLAN (1 references)
target prot opt source destination

Chain PTCSRVWAN (1 references)
target prot opt source destination

Chain SECURITY (0 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/SYN
RETURN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,ACK/RST
RETURN icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5
DROP icmp -- anywhere anywhere icmp echo-request
RETURN all -- anywhere anywhere

Chain default_block (0 references)
target prot opt source destination

Chain logaccept (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "ACCEPT "
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere state NEW LOG level warning tcp-sequence tcp-options ip-options prefix "DROP "
DROP all -- anywhere anywhere

@stevebovy
Author

Your SOCAT server command is not compatible with my ROUTER OS

#todo listen address
$_NC TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK; echo ; echo $content; echo;" &
serverproc="$!"

Most ROUTERS use busybox

admin-280@RT-AC66U_B1:/tmp/home/root# sleep 0.5
sleep: invalid number '0.5'
admin-280@RT-AC66U_B1:/tmp/home/root#

admin-280@RT-AC66U_B1:/tmp/home/root# sleep
BusyBox v1.17.4 (2018-01-31 17:28:03 CST) multi-call binary.

Usage: sleep [N]...

Pause for a time equal to the total of the args given, where each arg can
have an optional suffix of (s)econds, (m)inutes, (h)ours, or (d)ays
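The fix the thread converges on is to stop hard-coding `sleep 0.5` inside the socat SYSTEM: responder, since BusyBox `sleep` only takes whole seconds. The following is an added example, not acme.sh's own code: it probes the local `sleep` once, falls back to `1` when fractional seconds are rejected, and builds the same TCP-LISTEN command line from the comment above with that delay. `busybox_like_sleep` is a constructed stand-in for the router's BusyBox sleep, and the key-authorization body is a placeholder.

```shell
#!/bin/sh
# Added example (not acme.sh code): choose a sleep delay the local `sleep`
# accepts, then build the standalone HTTP-01 responder command with it.

# Probe whether a sleep implementation accepts fractional seconds.
# $1 = sleep command to probe (defaults to the system `sleep`).
# Prints "0.5" when fractional sleep works, "1" as the BusyBox fallback.
pick_http_delay() {
  _sleep_cmd="${1:-sleep}"
  if "$_sleep_cmd" 0.5 2>/dev/null; then
    echo "0.5"
  else
    echo "1"
  fi
}

# Build the socat listener command as a string, mirroring the acme.sh line
# quoted in the issue: listen on $2, answer 200 OK with $3 as the body.
# $1 = sleep delay, $2 = TCP port, $3 = key authorization content.
build_listener_cmd() {
  _delay="$1"; _port="$2"; _content="$3"
  printf 'socat TCP-LISTEN:%s,crlf,reuseaddr,fork SYSTEM:"sleep %s; echo HTTP/1.1 200 OK; echo ; echo %s; echo;"\n' \
    "$_port" "$_delay" "$_content"
}

# Constructed stand-in for BusyBox sleep: rejects a fractional argument
# exactly the way the router output in the issue shows.
busybox_like_sleep() {
  case "$1" in
    *.*) echo "sleep: invalid number '$1'" >&2; return 1 ;;
    *) sleep "$1" ;;
  esac
}

# Usage: probe once, then reuse the delay in the listener command.
delay=$(pick_http_delay busybox_like_sleep)
build_listener_cmd "$delay" 80 "KEYAUTH_PLACEHOLDER"
```

On the router above `pick_http_delay` would return `1`, which is the value the maintainer settled on; on a coreutils host it keeps the original `0.5`.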

@Neilpang
Member

@stevebovy how about sleep 1 ?

@stevebovy
Author

stevebovy commented Feb 17, 2018 via email

@Neilpang
Member

sleep 1, fixed.

@stevebovy
Author

stevebovy commented Feb 21, 2018 via email
