certrequest is failing with api-v2 #332

Open
kaikrueger opened this issue Apr 8, 2020 · 7 comments

Comments

@kaikrueger

I have compiled the current version of acmetool on an Ubuntu 18.

acmetool quickstart works fine, but when I run acmetool want <domain>
I get the following error message:

20200408071127 [ERROR] acmetool.storageops: Target(<domain>;https://acme-v02.api.letsencrypt.org/directory;0): failed to request certificate: the following errors occurred:
exhausted all possible challenges in authorization "https://acme-v02.api.letsencrypt.org/acme/authz-v3/xxxxx" [due to inner error: the following errors occurred:
Get "http://<domain>/.well-known/acme-challenge/xxxxxxxxxxxxxx": dial tcp 1<ip>:80: connect: connection refused; 
could not install DNS challenge, no hooks succeeded; 
challenge type not supported]

In the tcpdump I can see that no one is trying to connect to my host on port 80.
From another host I can access http://<domain>/.well-known/acme-challenge/xxxxxxxxxxxxxx.

Has anybody an idea what's going wrong?
Thanks.

@Mrten

Mrten commented Apr 24, 2020

I used to run it like this:

acmetool  --xlog.severity=debug > dump 2>&1

I have always made my config by hand, so no detailed clues.

@kaikrueger
Author

Thanks, now I can figure out the cause of the problem:

20200427082524 [DEBUG] acmetool.reshttp: acquire port "[::]:80" "xxxxxxxxx"
20200427082524 [DEBUG] acmetool.reshttp: failed to listen on [::]:80: listen tcp 0.0.0.0:80: bind: address already in use
20200427082524 [DEBUG] acmetool.reshttp: acquire port ":80" "xxxxxxxxxx"
20200427082524 [DEBUG] acmetool.reshttp: failed to listen on :80: listen tcp :80: bind: address already in use

It seems that this version of acmetool must run as root, and the webserver must be stopped first.

So the rootless setup is not working anymore. Did I miss something, or is that intended?

@sbuller

sbuller commented May 2, 2020

I may be off base here, but binding to low ports is restricted.
https://unix.stackexchange.com/questions/10735/allowing-a-user-to-let-listen-to-a-port-below-1024

Good luck.

@kaikrueger
Author

I see that I should clarify:

Up to now it was possible to run acmetool reconcile as a cronjob without stopping the webserver (apache, nginx, ...).
This version of acmetool starts a webserver itself on port 80, and it seems that you are not even able to tell it to start on another port.

Maybe I'm wrong, but the only way to reconcile seems to be a script like this:

systemctl  stop nginx
/usr/bin/acmetool  reconcile 
systemctl  start nginx

@CL-Jeremy

I think the strategies have remained the same as before with v0.0.x. It also doesn't make sense to have acmetool listening on other ports (unless you are using DNS-01, for which custom hooks are needed, cf. Wiki).

The symptoms you describe here seem to suggest that you have chosen a different authentication method than intended. I have tested on my own computer (Mac) that selecting WEBROOT works as expected. Try running acmetool quickstart again to specify that. With WEBROOT nothing should be spawned by the tool.

Also, Ubuntu has imported the packaged version at https://launchpad.net/ubuntu/+source/acmetool/0.2.1-2, so systemd units should be working as expected.

@hailfinger

@CL-Jeremy Of course it makes sense to have acmetool listening on other ports. The documentation even mentions it.

@kaikrueger I had the same problem and fixed it.
Rootless operation is still possible, but you need to work around a few pitfalls. /var/run/acme needs to be owned by the user acme, and the builtin self-test will cause funny failures for non-root operation on nonstandard ports. I recommend tracing your nftables rules (if applicable) and checking whether /var/lib/acme/desired/myhostname-someid needs a few more lines similar to

request:
  challenge:
    http-ports:
      - 0.0.0.0:4402

Note that the self-tests do funny stuff like connecting to 127.0.1.1 (not 127.0.0.1), so make sure the self-tests can successfully connect to the builtin acmetool instance of a web server, and also check if you need to specify 0.0.0.0:4402 as http-ports instead of just 4402.
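Added example, not part of this thread or of the acmetool project: a small POSIX shell helper that checks two of the rootless pitfalls described above, whether the desired file's http-ports entries carry an explicit bind address (0.0.0.0:4402 rather than a bare 4402) and whether the runtime directory is owned by the acme user. The file layout it parses is the indented list shown in the comment; paths and the user name are assumptions passed as arguments.

```shell
#!/bin/sh
# Pre-flight checks for running acmetool rootless on a nonstandard
# HTTP-01 port. Assumed layout: /var/lib/acme/desired/<target> and
# /var/run/acme owned by user "acme" (both are passed in, not hard-coded).

# Print every entry under "http-ports:" in a desired file, one per line.
# Only the simple indented list form used in this thread is understood.
desired_http_ports() {
    awk '
        /^[[:space:]]*http-ports:[[:space:]]*$/ { inlist = 1; next }
        inlist && /^[[:space:]]*-[[:space:]]*/ {
            sub(/^[[:space:]]*-[[:space:]]*/, ""); print; next
        }
        inlist { inlist = 0 }
    ' "$1"
}

# Print entries that are a bare port number (e.g. "4402"); the thread
# notes that "0.0.0.0:4402" may be required instead.
bare_port_entries() {
    desired_http_ports "$1" | grep -E '^[0-9]+$' || true
}

# 0 if http-ports is present and every entry has an explicit bind address.
check_http_ports() {
    [ -n "$(desired_http_ports "$1")" ] || return 1   # no entries at all
    [ -z "$(bare_port_entries "$1")" ]
}

# 0 if directory $1 exists and is owned by user $2 (ls -ld is portable).
check_run_dir_owner() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | awk '{print $3}')" = "$2" ]
}

# Usage: sh acme-rootless-check.sh <desired-file> <run-dir> <acme-user>
if [ $# -eq 3 ]; then
    status=0
    check_http_ports "$1" || { echo "http-ports missing or bare port in $1"; status=1; }
    check_run_dir_owner "$2" "$3" || { echo "$2 is not owned by $3"; status=1; }
    exit $status
fi
```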

@backstube

Hi @kaikrueger, thanks for posting this issue. I have been using acmetool myself for several years; a few weeks/months back it stopped renewing certificates (unnoticed). My acmetool's error and debug log is nearly identical to the one you posted above.

I did the required upgrade to 0.2.1 because of Let's Encrypt APIv2. With that, not a single reconcile run was successful.

Did you manage to run it successfully? I'd be more than happy to hear how!
