
ZeroSSL no longer issuing/renewing certificates properly? #4046

Closed
LoganDark opened this issue Apr 21, 2022 · 16 comments

Comments

@LoganDark

LoganDark commented Apr 21, 2022

Steps to reproduce

Try to renew an existing ZeroSSL certificate that has successfully renewed before. I am using an EC-384 certificate.

Debug log

I cannot provide full information due to its sensitive nature, but I can provide a censored version.

[<censored>] checking
[<censored>] url='https://acme.zerossl.com/v2/DV90/chall/<censored>'
[<censored>] payload
[<censored>] Use cached jwk for file: /<censored>/.acme.sh/ca/acme.zerossl.com/v2/DV90/account.key
[<censored>] Use _CACHED_NONCE='<censored>'
[<censored>] nonce='<censored>'
[<censored>] POST
[<censored>] _post_url='https://acme.zerossl.com/v2/DV90/chall/<censored>'
[<censored>] body='{"protected": "<censored>", "payload": "", "signature": "<censored>"}'
[<censored>] _postContentType='application/jose+json'
[<censored>] Http already initialized.
[<censored>] _CURL='curl --silent --dump-header /<censored>/.acme.sh/http.header  -L  -g '
[<censored>] _ret='0'
[<censored>] responseHeaders='HTTP/2 200
server: nginx
date: <censored>
content-type: application/json
content-length: 164
replay-nonce: <censored>
cache-control: max-age=-1
access-control-allow-origin: *
link: <https://acme.zerossl.com/v2/DV90>;rel="index"
link: <https://acme.zerossl.com/v2/DV90/authz/<censored>>;rel="up"
retry-after: 10
strict-transport-security: max-age=15552000
'
[<censored>] code='200'
[<censored>] original='{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/<censored>","status":"processing","token":"<censored>"}'
[<censored>] response='{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/<censored>","status":"processing","token":"<censored>"}'
[<censored>] original='{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/<censored>","status":"processing","token":"<censored>"}'
[<censored>] response='{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/<censored>","status":"processing","token":"<censored>"}'
[<censored>] status='processing'
[<censored>] Processing, The CA is processing your order, please just wait. (42/600)

acme.sh seems to be functioning perfectly and ZeroSSL is simply taking absolutely forever to process the certificate.

Will likely switch to a different CA over this, please let me know if you know one that will sign EC-521 certificates.

Edit: Timed out after 600 checks

@Neilpang
Member

Please try ec-521 with every CA here: https://github.com/acmesh-official/acme.sh/wiki/Server

And then let me know the result.

Thanks

@LoganDark
Author

LoganDark commented Apr 21, 2022

> Please try ec-521 with every CA here: https://github.com/acmesh-official/acme.sh/wiki/Server
>
> And then let me know the result.
>
> Thanks

Won't that require a bunch of new accounts?

Also, can I change CA with renew or do I have to completely delete the folder and start over?

@LoganDark
Author

LoganDark commented Apr 21, 2022

Whatever;

1. Can't register for buypass. The request must include a value for the "externalAccountBinding" field.
   acme.sh --server https://api.buypass.com/acme/directory --register-account --accountemail <email> gives the exact same error.

   Registering account: https://api.buypass.com/acme/directory
   url='https://acme.zerossl.com/v2/DV90/newAccount'
   payload='{"contact": ["mailto:<censored>"], "termsOfServiceAgreed": true}'

   Providing the -m parameter to the --issue command still gives the same error.

2. Can't register for sslcom. Same error as above.

3. Can't register for google either. Same error as above.

@LoganDark
Author

LoganDark commented Apr 22, 2022

@Neilpang do you have any solution for the above issue? ZeroSSL is still timing out and I can't try any other servers :/

ZeroSSL has a service notifications page here; they say they've resolved all issues, but it seems they still haven't.

@MindTooth

Solution:

--server letsencrypt

LE just works, while ZeroSSL doesn't and gives no useful error. Even the status page is green, yet it doesn't work...

@Neilpang
Member

Sometimes ZeroSSL fails with errors, but it just retries until timeout.
There is no error message returned from the CA.

You can use this website to check if there is any configuration error on your end:

https://letsdebug.net/
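The behaviour described here, a client that keeps polling a challenge stuck in "processing" until it gives up, is easier to reason about with a small model. The poller below is an added example, not acme.sh's code or anything from ZeroSSL: it honours the Retry-After header seen in the log above, caps the number of checks, and returns the CA's error object when the challenge turns "invalid" instead of only reporting a timeout. The response bodies, hostnames and tokens are constructed placeholders.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# One poll of the challenge URL as acme.sh logs it: (HTTP code, headers, body).
Response = Tuple[int, Dict[str, str], str]

@dataclass
class PollResult:
    status: str                    # final challenge status, "http_error" or "timeout"
    checks: int                    # polls made
    waited: int                    # seconds the caller was told to sleep in total
    error: Optional[dict] = None   # RFC 8555 problem document when the CA gave one

def poll_challenge(fetch: Callable[[], Response], max_checks: int = 600,
                   default_wait: int = 1) -> PollResult:
    """Poll until valid/invalid or max_checks; sleeps are summed, not slept, so it runs offline."""
    waited = 0
    for checks in range(1, max_checks + 1):
        code, headers, body = fetch()
        if code != 200:
            # A non-200 from the CA is itself the answer: report it instead of spinning.
            return PollResult("http_error", checks, waited, {"httpStatus": code, "body": body})
        chall = json.loads(body)
        status = chall.get("status")
        if status == "valid":
            return PollResult(status, checks, waited)
        if status == "invalid":
            # The reason lives in the challenge's "error" member (RFC 8555 section 7.1.5).
            return PollResult(status, checks, waited, chall.get("error"))
        # pending/processing: honour Retry-After (seconds) when the CA sends one.
        try:
            wait = int(headers.get("retry-after", default_wait))
        except ValueError:
            wait = default_wait
        waited += wait
    return PollResult("timeout", max_checks, waited)

def scripted(responses: List[Response]) -> Callable[[], Response]:
    """Constructed stand-in for the network: replays the list, then repeats its last item."""
    queue = list(responses)
    def fetch() -> Response:
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return fetch

# Constructed sample responses shaped like the log above (hosts and tokens are placeholders).
PROCESSING: Response = (200, {"retry-after": "10"},
    '{"type":"http-01","url":"https://acme.example/chall/x","status":"processing","token":"tok"}')
INVALID: Response = (200, {},
    '{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized",'
    '"detail":"Invalid response from http://example.test/.well-known/acme-challenge/tok: 403"}}')
```

With `scripted([PROCESSING])` the loop runs to `max_checks` and reports a timeout, which is the ZeroSSL case in this thread; with an eventual `INVALID` it returns the CA's reason after three checks.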

@Neilpang
Member

The letsencrypt CA can always return a useful error message to us.
You can try with letsencrypt first, and check the CAA record of your domain.

@LoganDark
Author

LoganDark commented Apr 25, 2022

> Sometimes ZeroSSL fails with errors, but it just retries until timeout. There is no error message returned from the CA.
>
> You can use this website to check if there is any configuration error on your end:
>
> https://letsdebug.net/

What would cause ZeroSSL to start returning errors when nothing has changed since the last time I successfully renewed a ZeroSSL certificate?

I contacted ZeroSSL and they just told me that they've been having issues with their CA provider.

> The letsencrypt CA can always return a useful error message to us.
> You can try with letsencrypt first, and check the CAA record of your domain.

Can't sign up for letsencrypt because of the externalAccountBinding error lmao

@MindTooth

> Sometimes ZeroSSL fails with errors, but it just retries until timeout. There is no error message returned from the CA.
>
> You can use this website to check if there is any configuration error on your end:
>
> https://letsdebug.net/

Is there a way for me to pause acme.sh or stop it from removing the DNS entries for me to use the site?

@Neilpang
Member

> removing the DNS entries

What entries do you mean?

@LoganDark
Author

> removing the DNS entries
>
> What entries do you mean?

The TXT records used by DNS validation.

@Neilpang
Member

There is no way to stop it yet.
But why do you need to keep it?

@LoganDark
Author

I'd recommend opening another issue for that unrelated problem @MindTooth

@ShanQincheng

> Solution:
>
> --server letsencrypt
>
> LE just works, while ZeroSSL doesn't and gives no useful error. Even the status page is green, yet it doesn't work...

This answer solved my problem.
Besides, I found that ZeroSSL only went wrong when applying for more than one domain at a time.

@LoganDark
Author

LoganDark commented Apr 30, 2022

Would be nice if I could renew my certificate before it expires. I can't seem to renew ZeroSSL and I can't switch to any other server. What should I do?

@LoganDark
Author

I just tried switching to letsencrypt_test and it worked this time. Let's Encrypt told me that my server was returning 403 for the acme challenge. Just checked and it was my anti-bot protection.

So it seems you were correct that ZeroSSL just spins forever and never returns any error if anything goes wrong. That is incredibly annoying. Maybe you should add a troubleshooting guide.
