Koozali.org: home of the SME Server

Obsolete Releases => SME 9.x Contribs => Topic started by: waldviertler on June 03, 2021, 11:36:55 AM

Title: Letsencrypt and dehydrated problem switching from API1 to API2
Post by: waldviertler on June 03, 2021, 11:36:55 AM
Hello

I used dehydrated for the last years without problems - and now I got the message that I have to switch to API2.

So I changed the config:
Code:
#!/bin/bash
#CA="https://acme-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=mail@adress.com
API="2"

PARAM_ACCEPT_TERMS="yes"


But it still gets the path to API1 with
Code:
[root@www ~]# dehydrated -e
# dehydrated configuration
# INFO: Using main config file /etc/dehydrated/config
declare -- CA="https://acme-v01.api.letsencrypt.org/directory"
declare -- LICENSE="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
declare -- CERTDIR="/etc/dehydrated/certs"
declare -- CHALLENGETYPE="http-01"
declare -- DOMAINS_D=""
declare -- DOMAINS_TXT="/etc/dehydrated/domains.txt"
declare -- HOOK="/usr/bin/hook-script.sh"
declare -- HOOK_CHAIN="no"
declare -- RENEW_DAYS="30"
declare -- ACCOUNT_KEY="/etc/dehydrated/accounts/long path/account_key.pem"
declare -- ACCOUNT_KEY_JSON="/etc/dehydrated/accounts/long path/registration_info.json"
declare -- KEYSIZE="4096"
declare -- WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
declare -- PRIVATE_KEY_RENEW="yes"
declare -- OPENSSL_CNF="/etc/pki/tls/openssl.cnf"
declare -- CONTACT_EMAIL="mail@address.com"
declare -- LOCKFILE="/etc/dehydrated/lock"

as you see at "declare -- CA="https://acme-v01.api.letsencrypt.org/directory""

When I uncomment in config
CA="https://acme-v02.api.letsencrypt.org/directory"

I get:

Code:
[root@www ~]# /usr/bin/dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Fetching missing account information from CA...
  + ERROR: An error occurred while sending post-request to https://acme-staging-v02.api.letsencrypt.org/acme/new-acct (Status 400)

Details:
HTTP/1.1 100 Continue

HTTP/1.1 400 Bad Request
Server: nginx
Date: Thu, 03 Jun 2021 09:11:34 GMT
Content-Type: application/problem+json
Content-Length: 134
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0004dgd0feS87q0sxTbrernNonJAt58Qc0qnGJOHdrymvqU

{
  "type": "urn:ietf:params:acme:error:accountDoesNotExist",
  "detail": "No account exists with the provided key",
  "status": 400
}


In sum:
When I add only
API="2"
to the config it will still point to https://acme-v01.api.letsencrypt.org/directory
When I add
CA="https://acme-v02.api.letsencrypt.org/directory" to the config I get an error.
("type": "urn:ietf:params:acme:error:accountDoesNotExist",
  "detail": "No account exists with the provided key")

My versions of letsencrypt and dehydrated are up-to-date:
letsencrypt-0.5-15
dehydrated-0.6.5-1


Till now I have tried this:
Code:
config delprop modSSL crt
config delprop modSSL key
config delprop modSSL CertificateChainFile

signal-event console-save
reboot

config setprop letsencrypt status test
signal-event console-save

dehydrated -c

and this:
https://forums.contribs.org/index.php/topic,54460.msg285207.html#msg285207


But it does not work.

Can somebody point me in the right direction?
Thank you for your help

Martin



Title: Re: Letsencrypt and dehydrated problem switching from API1 to API2
Post by: mmccarn on June 03, 2021, 11:52:15 AM
I found this post on the turnkey linux site saying you need to update the 'LICENSE' declaration in your configuration
https://www.turnkeylinux.org/forum/support/fri-20171124-1958/dehydrated-out-date

[caveat]
I have no idea if this is relevant or useful...
Title: Re: Letsencrypt and dehydrated problem switching from API1 to API2
Post by: mmccarn on June 03, 2021, 12:10:42 PM
I found the other post from last October in the Internet Archive Wayback Machine:
https://web.archive.org/web/20201019153926/https://forums.contribs.org/index.php/topic,54276.0.html

(again... I have no idea if this is useful...)

Quote from: Stefano
you just need to delete some props:

Code:
config delprop modSSL crt
config delprop modSSL key
config delprop modSSL CertificateChainFile


then a signal-event post upgrade, a reboot and you're done
Title: Re: Letsencrypt and dehydrated problem switching from API1 to API2
Post by: Jean-Philippe Pialasse on June 03, 2021, 02:44:08 PM
I see you play manually with the configuration file.
You really had better use the contrib and the key property to change that.

Normally the key registered for v1 will be automatically converted to v2, but you need to update to the last dehydrated version available for CentOS 6 / SME 9.

and ... you have to update to SME 10 ASAP.
Title: Re: Letsencrypt and dehydrated problem switching from API1 to API2
Post by: waldviertler on June 03, 2021, 03:59:17 PM
Thank you for your time.

I hope I have found the reason.
It looks like I have two versions of dehydrated on the server.
One in /usr/local/bin
and
one in
/usr/bin

and each time I called
Code:
dehydrated -c
the version from /usr/local/bin is used.
Also the cron.daily for dehydrated uses this path.

But I read here somewhere to call dehydrated only from the root folder with
Code:
cd
/usr/bin/dehydrated

And I think it is working now.
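
Added example, not part of any post in this thread: a shell check for the situation described above, where a second copy of a command earlier in PATH (here /usr/local/bin ahead of /usr/bin) silently shadows the packaged one and cron scripts hard-code one of the copies. The function names are illustrative assumptions; the paths in the usage line are the ones named in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Paths in the usage line are the ones
# named in the post; function names are illustrative.

# Print every executable NAME in search-path order (default: $PATH).
# The first line printed is the copy that a bare "NAME" runs.
path_copies() {
    name=$1
    rest=${2:-$PATH}:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        [ -n "$dir" ] || dir=.        # empty PATH entry = current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
}

# Print "script: path" for every absolute path to an executable NAME that a
# file in DIR (e.g. /etc/cron.daily) hard-codes, bypassing PATH lookup.
script_refs() {
    name=$1
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        grep -o "/[^[:space:]\"']*/$name" "$f" 2>/dev/null | sort -u |
            while IFS= read -r p; do
                if [ -f "$p" ] && [ -x "$p" ]; then printf '%s: %s\n' "$f" "$p"; fi
            done
    done
}

# Return 0 if NAME resolves to at most one copy; otherwise list all copies
# with checksums (to show whether they differ) and return 1.
check_shadowing() {
    copies=$(path_copies "$1" "${2:-$PATH}")
    count=$(printf '%s\n' "$copies" | grep -c . || true)
    [ "$count" -gt 1 ] || return 0
    echo "WARNING: $count copies of '$1'; the first one listed wins:"
    printf '%s\n' "$copies" | while IFS= read -r c; do
        printf '  %s  cksum=%s\n' "$c" "$(cksum < "$c" | cut -d' ' -f1)"
    done
    return 1
}

# Usage: check_shadowing dehydrated; script_refs dehydrated /etc/cron.daily
```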



Title: Re: Letsencrypt and dehydrated problem switching from API1 to API2
Post by: ReetP on June 03, 2021, 10:31:06 PM
Clean up your server.... !!
Title: Re: Letsencrypt and dehydrated problem switching from API1 to API2
Post by: Jean-Philippe Pialasse on June 04, 2021, 05:58:59 AM
Clean up your server.... !!
then migrate :)