I am trying to get a certificate from Pebble (Let's Encrypt test server) via acme.sh version v2.8.1. It seems that acme.sh doesn't get a 'nonce' from Pebble.
Log written by acme.sh:
...
[Sa 2 Feb 2019 09:48:21 CET] ACME_DIRECTORY='https://127.0.0.1:14000/dir'
[Sa 2 Feb 2019 09:48:21 CET] _init api for server: https://127.0.0.1:14000/dir
[Sa 2 Feb 2019 09:48:21 CET] RSA key
[Sa 2 Feb 2019 09:48:21 CET] Registering account
[Sa 2 Feb 2019 09:48:21 CET] url='https://127.0.0.1:14000/sign-me-up'
[Sa 2 Feb 2019 09:48:21 CET] payload='{"termsOfServiceAgreed": true}'
[Sa 2 Feb 2019 09:48:21 CET] HEAD
[Sa 2 Feb 2019 09:48:21 CET] _post_url='https://127.0.0.1:14000/nonce-plz'
[Sa 2 Feb 2019 09:48:21 CET] _CURL='curl -L --silent --dump-header /Users/klaustockloth/.acme.sh/http.header --cacert /Users/klaustockloth/Work/Pebble/test/certs/pebble.minica.pem -g '
[Sa 2 Feb 2019 09:48:21 CET] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 92
[Sa 2 Feb 2019 09:48:21 CET] _ret='92'
[Sa 2 Feb 2019 09:48:21 CET] GET
[Sa 2 Feb 2019 09:48:21 CET] url='https://127.0.0.1:14000/dir'
[Sa 2 Feb 2019 09:48:21 CET] timeout=
[Sa 2 Feb 2019 09:48:21 CET] _CURL='curl -L --silent --dump-header /Users/klaustockloth/.acme.sh/http.header --cacert /Users/klaustockloth/Work/Pebble/test/certs/pebble.minica.pem -g '
[Sa 2 Feb 2019 09:48:21 CET] ret='0'
[Sa 2 Feb 2019 09:48:21 CET] Could not get nonce, let's try again.
[Sa 2 Feb 2019 09:48:24 CET] HEAD
[Sa 2 Feb 2019 09:48:24 CET] _post_url='https://127.0.0.1:14000/nonce-plz'
[Sa 2 Feb 2019 09:48:24 CET] _CURL='curl -L --silent --dump-header /Users/klaustockloth/.acme.sh/http.header --cacert /Users/klaustockloth/Work/Pebble/test/certs/pebble.minica.pem -g '
[Sa 2 Feb 2019 09:48:24 CET] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 92
[Sa 2 Feb 2019 09:48:24 CET] _ret='92'
[Sa 2 Feb 2019 09:48:24 CET] GET
[Sa 2 Feb 2019 09:48:24 CET] url='https://127.0.0.1:14000/dir'
[Sa 2 Feb 2019 09:48:24 CET] timeout=
[Sa 2 Feb 2019 09:48:24 CET] _CURL='curl -L --silent --dump-header /Users/klaustockloth/.acme.sh/http.header --cacert /Users/klaustockloth/Work/Pebble/test/certs/pebble.minica.pem -g '
[Sa 2 Feb 2019 09:48:24 CET] ret='0'
[Sa 2 Feb 2019 09:48:24 CET] Could not get nonce, let's try again.
...
Communication seen by Pebble:
...
Pebble 2019/02/02 09:48:21.236816 wfe.go:249: "transaction=request"
client=127.0.0.1:59503
data=GET /dir HTTP/2.0
Host: 127.0.0.1:14000
Accept: */*
User-Agent: acme.sh/2.8.1 (https://github.com/Neilpang/acme.sh)
Pebble 2019/02/02 09:48:21.237211 wfe.go:301: "transaction=response"
client=127.0.0.1:59503
data=200 (OK)
Cache-Control [public, max-age=0, no-cache]
Content-Type [application/json; charset=utf-8]
{
"keyChange": "https://127.0.0.1:14000/rollover-account-key",
"meta": {
"termsOfService": "data:text/plain,Custom%20ACME%20Server%20for%20Internal%20Use%20Only"
},
"newAccount": "https://127.0.0.1:14000/sign-me-up",
"newNonce": "https://127.0.0.1:14000/nonce-plz",
"newOrder": "https://127.0.0.1:14000/order-plz",
"revokeCert": "https://127.0.0.1:14000/revoke-cert"
}
Pebble 2019/02/02 09:48:21.768417 wfe.go:249: "transaction=request"
client=127.0.0.1:59505
data=HEAD /dir HTTP/2.0
Host: 127.0.0.1:14000
Accept: */*
User-Agent: acme.sh/2.8.1 (https://github.com/Neilpang/acme.sh)
Pebble 2019/02/02 09:48:21.768544 wfe.go:301: "transaction=response"
client=127.0.0.1:59505
data=200 (OK)
Content-Type [application/json; charset=utf-8]
Cache-Control [public, max-age=0, no-cache]
{
"keyChange": "https://127.0.0.1:14000/rollover-account-key",
"meta": {
"termsOfService": "data:text/plain,Custom%20ACME%20Server%20for%20Internal%20Use%20Only"
},
"newAccount": "https://127.0.0.1:14000/sign-me-up",
"newNonce": "https://127.0.0.1:14000/nonce-plz",
"newOrder": "https://127.0.0.1:14000/order-plz",
"revokeCert": "https://127.0.0.1:14000/revoke-cert"
}
Pebble 2019/02/02 09:48:24.910389 wfe.go:249: "transaction=request"
client=127.0.0.1:59507
data=HEAD /dir HTTP/2.0
Host: 127.0.0.1:14000
Accept: */*
User-Agent: acme.sh/2.8.1 (https://github.com/Neilpang/acme.sh)
Pebble 2019/02/02 09:48:24.910499 wfe.go:301: "transaction=response"
client=127.0.0.1:59507
data=200 (OK)
Cache-Control [public, max-age=0, no-cache]
Content-Type [application/json; charset=utf-8]
{
"keyChange": "https://127.0.0.1:14000/rollover-account-key",
"meta": {
"termsOfService": "data:text/plain,Custom%20ACME%20Server%20for%20Internal%20Use%20Only"
},
"newAccount": "https://127.0.0.1:14000/sign-me-up",
"newNonce": "https://127.0.0.1:14000/nonce-plz",
"newOrder": "https://127.0.0.1:14000/order-plz",
"revokeCert": "https://127.0.0.1:14000/revoke-cert"
}
The acme.sh log suggests that acme.sh sends a HEAD request to 'https://127.0.0.1:14000/nonce-plz'.
But this does not seem to be true. Pebble always gets HEAD requests for '/dir', and this delivers no 'nonce' in the HTTP header.
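The observation in the report above, that a response from `/dir` carries no nonce, can be checked directly against the header file that curl writes with `--dump-header`. The following is an added example, not code from acme.sh or from this thread; the function names, the sample header dumps and the nonce value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not acme.sh code): read the Replay-Nonce header from a file
# written by `curl --dump-header`.

# extract_nonce FILE -> prints the nonce of the LAST response block in FILE.
# Returns 1 when that block has no Replay-Nonce header or the value is not
# base64url (RFC 8555 tells clients to ignore invalid Replay-Nonce values).
extract_nonce() {
  awk '
    { sub(/\r$/, "") }                    # curl keeps the CRLF line endings
    /^HTTP\// { nonce = ""; next }        # new response block (e.g. after -L)
    {
      i = index($0, ":")
      # header names are case-insensitive; HTTP/2 sends them in lower case
      if (i > 0 && tolower(substr($0, 1, i - 1)) == "replay-nonce") {
        nonce = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", nonce)
      }
    }
    END { if (nonce !~ /^[A-Za-z0-9_-]+$/) exit 1; print nonce }
  ' "$1"
}

# Constructed sample: headers of the /dir response as logged by Pebble above.
sample_dir_headers() {
  printf 'HTTP/2 200\r\ncache-control: public, max-age=0, no-cache\r\ncontent-type: application/json; charset=utf-8\r\n\r\n'
}

# Constructed sample: headers of a newNonce response (nonce value is made up).
sample_nonce_headers() {
  printf 'HTTP/2 200\r\ncache-control: public, max-age=0, no-store\r\nreplay-nonce: c2FtcGxlLW5vbmNlLTAwMQ\r\n\r\n'
}

demo() {
  tmp=$(mktemp -d) || return 1
  sample_dir_headers > "$tmp/dir.header"
  sample_nonce_headers > "$tmp/nonce.header"
  for f in dir nonce; do
    if n=$(extract_nonce "$tmp/$f.header"); then
      echo "$f: Replay-Nonce=$n"
    else
      echo "$f: no usable Replay-Nonce header"
    fi
  done
  rm -rf "$tmp"
}
demo
```

Pointing `extract_nonce` at the real `~/.acme.sh/http.header` after a failed run shows whether the last response the client received actually contained a nonce.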
Hi,
How is it going? Can you try again with the latest code?
Thanks.
I have updated to the latest code (which still is identified as v2.8.1). It shows the same problem:
[Fr 22 Feb 2019 18:27:45 CET] Standalone mode.
[Fr 22 Feb 2019 18:27:45 CET] Registering account
[Fr 22 Feb 2019 18:27:45 CET] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 92
[Fr 22 Feb 2019 18:27:45 CET] Could not get nonce, let's try again.
[Fr 22 Feb 2019 18:27:48 CET] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 92
[Fr 22 Feb 2019 18:27:48 CET] Could not get nonce, let's try again.
...
@Klaus-Tockloth
Please upgrade to the peb branch and try again.
acme.sh --upgrade -b peb
@Klaus-Tockloth
Please try again with the latest dev code.
acme.sh --upgrade -b dev
The latest dev version works for me now with Pebble in strict and nonstrict mode.
~/.acme.sh/acme.sh \
--no-color \
--log \
--server https://127.0.0.1:14000/dir \
--ca-bundle ./pebble.minica.pem \
--standalone \
--httpport 10080 \
--issue \
--domain gany-veggies.com
[Do 28 Feb 2019 08:51:36 CET] Standalone mode.
[Do 28 Feb 2019 08:51:36 CET] Creating domain key
[Do 28 Feb 2019 08:51:37 CET] The domain key is here: /Users/miller/.acme.sh/gany-veggies.com/gany-veggies.com.key
[Do 28 Feb 2019 08:51:37 CET] Single domain='gany-veggies.com'
[Do 28 Feb 2019 08:51:37 CET] Getting domain auth token for each domain
[Do 28 Feb 2019 08:51:37 CET] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 92
[Do 28 Feb 2019 08:51:38 CET] Getting webroot for domain='gany-veggies.com'
[Do 28 Feb 2019 08:51:38 CET] Verifying: gany-veggies.com
[Do 28 Feb 2019 08:51:38 CET] Standalone mode server
[Do 28 Feb 2019 08:51:41 CET] Success
[Do 28 Feb 2019 08:51:41 CET] Verify finished, start to sign.
[Do 28 Feb 2019 08:51:41 CET] Lets finalize the order, Le_OrderFinalize: https://127.0.0.1:14000/finalize-order/fqF9YehJmyiwzijekwyNUHLIp--Pb2JJ0O_j2fcKlkk
[Do 28 Feb 2019 08:51:41 CET] Order status is processing, lets sleep and retry.
[Do 28 Feb 2019 08:51:45 CET] Download cert, Le_LinkCert: https://127.0.0.1:14000/certZ/30e0549fc21065ee
[Do 28 Feb 2019 08:51:45 CET] Cert success.
I think that's a great improvement for 'acme.sh'.
@Neilpang
After upgrading to the latest version, this error is gone. I remember acme was able to auto-upgrade, but why not now? My website was down due to this issue. Should I manually upgrade acme on all my different servers?
Thanks
@yylzcom you need to enable the auto upgrade first:
acme.sh --upgrade --auto-upgrade
@Neilpang Thank you. It is best if this could be enabled by default.