
Confconsole Let's Encrypt - badNonce - JWS has no anti-replay nonce #1359

Open
JedMeister opened this issue Sep 27, 2019 · 14 comments

Comments

@JedMeister
Member

commented Sep 27, 2019

A recent update to Let's Encrypt has caused issues with older versions of Dehydrated (the Let's Encrypt client we use with Confconsole). And soon after, the v1 API was deprecated and only users with existing certificates can access the v1 API endpoint.

So there are a number of issues that have all occurred within a brief period of time. This post has got a bit messy, so I've completely rewritten it [Oct 18th 2019].


Setting up. These instructions should be run in a single shell session. If you run the separate steps at separate times or in separate shells, then you will need to re-run this first setup bit:

```sh
# set vars to use
DEHYD_ETC=/etc/dehydrated
SHARE=/usr/share/confconsole/letsencrypt
CONFIG="$DEHYD_ETC/confconsole.config"
GH_URL=https://raw.githubusercontent.com/turnkeylinux/confconsole/master
GH_HOOK=share/letsencrypt/dehydrated-confconsole.hook.sh
CC_HOOK="$DEHYD_ETC/confconsole.hook.sh"
SH_HOOK=$SHARE/dehydrated-confconsole.hook.sh
```

Now the actual steps to fix the issues:

1. Update Dehydrated:

   ```sh
   # add stretch-backports repo and updated dehydrated:
   echo "deb http://http.debian.net/debian stretch-backports main" > /etc/apt/sources.list.d/backports.list
   apt update
   apt install -t stretch-backports dehydrated
   ```

2. Download the updated TurnKey hook script:

   ```sh
   wget $GH_URL/$GH_HOOK -O $SH_HOOK
   cp $SH_HOOK $CC_HOOK
   ```

3. Update the config to use the v2 API end point:

   ```sh
   echo 'CA="https://acme-v02.api.letsencrypt.org/directory"' >> $CONFIG
   ```

4. Manually run the new Dehydrated to accept the terms of service for Let's Encrypt:

   ```sh
   /usr/bin/dehydrated --register --accept-terms
   ```

5. Launch Confconsole and attempt to get a new certificate.

If you wish to just run the script directly (rather than via confconsole), this should do the trick:

```sh
/usr/lib/confconsole/plugins.d/Lets_Encrypt/dehydrated-wrapper
```

Hopefully you should now have a working certificate...! 😄 Don't forget to enable auto cert updates (via confconsole - if you haven't already).

Users with multiple domains should also be aware of #1360. It doesn't appear to cause problems when only one domain is used (and I've tested with 2 and it seemed ok). I plan to look into that a bit closer ASAP, but no ETA.


Users who have previously addressed this issue by updating Dehydrated via some other method can leave their system as is if they wish. Or alternatively, they can install the version from the stretch backports repo (as above; they should be roughly the same version). Note that if the package has been held, then the hold will need to be removed first. I.e.:

```sh
apt-mark unhold dehydrated
```

[Previous ramblings removed for clarity]
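Step 3 above appends a `CA=` line with `>>`, so re-running the procedure leaves several `CA=` lines in the config (dehydrated sources the file, so the last one wins, but the stale v1 line above it is easy to misread when checking a box). The following is an added example, not code from JedMeister's post or the confconsole project: it sets the CA in place idempotently and reports whether a config still points at the deprecated v1 endpoint. The config path and the v2 directory URL are the ones used in the post; `set_dehydrated_ca`, `current_ca` and `uses_v1_api` are names invented here.

```shell
#!/bin/sh
# Added example: idempotent replacement for "echo 'CA=...' >> $CONFIG".
# Assumed: the dehydrated config is a shell-style KEY=value file, as in
# /etc/dehydrated/confconsole.config from the issue.
LE_V2='https://acme-v02.api.letsencrypt.org/directory'

# set_dehydrated_ca CONFIG_FILE [URL]
# Rewrites every existing CA= line to URL, or appends one if none exists,
# so the function can be run repeatedly without growing the file.
set_dehydrated_ca() {
    cfg=$1
    url=${2:-$LE_V2}
    [ -f "$cfg" ] || : > "$cfg"            # create an empty config if missing
    if grep -q '^CA=' "$cfg"; then
        # '|' as the sed delimiter because the URL contains '/'
        sed -i "s|^CA=.*|CA=\"$url\"|" "$cfg"
    else
        printf 'CA="%s"\n' "$url" >> "$cfg"
    fi
}

# current_ca CONFIG_FILE
# Prints the CA URL dehydrated will actually use (last CA= assignment wins).
current_ca() {
    grep '^CA=' "$1" | tail -n 1 | sed 's/^CA=//; s/^"//; s/"$//'
}

# uses_v1_api CONFIG_FILE
# Exit 0 if the effective CA is still the deprecated acme-v01 endpoint.
uses_v1_api() {
    case "$(current_ca "$1")" in
        *acme-v01*) return 0 ;;
        *)          return 1 ;;
    esac
}
```

Run `uses_v1_api /etc/dehydrated/confconsole.config && set_dehydrated_ca /etc/dehydrated/confconsole.config` to migrate only boxes that still point at v1.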

@JedMeister

Member Author

commented Sep 28, 2019

I just updated the OP to fix up some mistakes.

Also @thmai11 thanks for your post on the forums. Deepest apologies that I accidentally deleted your website user account 😭 (I was intending to add you to the "contributor" group so future posts will avoid the spam filters - but on auto pilot I accidentally clicked 'cancel' instead of 'save'.)

@kalian


commented Oct 1, 2019

```
/etc/dehydrated/confconsole.hook.sh : line 54
this_hookscript_is_broken__dehydrated_is_working_fine___please_ignore_unknown_hooks_in_your_script: command not found
```

(((((((

@thmai11


commented Oct 1, 2019

@kalian Looks like you did not update the hook script "/etc/dehydrated/confconsole.hook.sh"

@kalian


commented Oct 1, 2019

My bad... I missed this ))))))

@JedMeister

Member Author

commented Oct 1, 2019

FWIW, I've just updated the OP with details of the related Debian bug report. If you follow the link, editing the Dehydrated script itself is an alternative option for resolving this issue.

The fix I'd already documented is still an option.

@spyrule


commented Oct 2, 2019

Typo error in your instructions:

```sh
# assuming same shell session as above codeblock
cp /usr/share/$FILE /etc/dehydrated/confconsole.hook.sh
```

should read:

```sh
# assuming same shell session as above codeblock
cp /usr/share/confconsole/$FILE /etc/dehydrated/confconsole.hook.sh
```

@JedMeister

Member Author

commented Oct 3, 2019

@spyrule - Oops! Thanks for the heads up. I've fixed it in the OP.

@deutrino


commented Oct 16, 2019

This definitely just bit me with the Gitea ISO image current as of yesterday.

@JedMeister

Member Author

commented Oct 16, 2019

@deutrino - Yes, I need to consolidate all this info into a simple step-by-step. In the meantime, please let me know if you have any issues applying the fix.

@timhibberd


commented Oct 17, 2019

@JedMeister you refer to updating the OP (Original Post??) what OP? Also...could you restate the solution...the trail above is a bit confusing as to how to patch LE or whether there is a safe patch. Cheers :-)

@JedMeister

Member Author

commented Oct 17, 2019

@timhibberd - Done. It was a mess, so I've given it a good tidy up... 😄

@timhibberd


commented Oct 17, 2019

Thanks for the update Jed...much appreciated :-)

For those who are reading this issue for the first time...the tidied up instructions are at the top of this issue. Ignore the reference to OP (Original Post).

@deutrino


commented Oct 18, 2019

I took the easy way out and just added '-i' to the script as was described in the (now-removed portion of the) original post.. I assume it's fine to go thru the now-edited procedure in the OP regardless?

@JedMeister

Member Author

commented Oct 19, 2019

Hey @deutrino - If that previous workaround works for you, it should continue to work until mid next year (when the v1 API is completely shut down). I removed it though because it will only work for users who already have a cert. For users who don't yet have a cert, the above needs to be followed.

However, if you want to get ahead of the switch to the v2 API, then you can follow the (now clarified and consolidated) steps in the top post. The change you made to the dehydrated script will be overwritten by the new version (from backports), but the new version includes that fix.
