Describe the bug
Let's Encrypt has stopped allowing new accounts to be registered using the ACMEv1 API. Since this month, trying to register a domain using NixOS results in:
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: HTTP 403
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: Server: nginx
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: Date: Sat, 02 Nov 2019 11:58:23 GMT
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: Content-Type: application/problem+json
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: Content-Length: 280
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: Connection: keep-alive
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: Cache-Control: public, max-age=0, no-cache
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: Replay-Nonce: 0002iSikgf1k2zL9PVwBmTxkZqdhHPkyLb0oo-VpKRSscfw
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: {
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: "type": "urn:acme:error:unauthorized",
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: "detail": "Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.",
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: "status": 403
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: }
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: ACME server returned an error: urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.
Also systemctl reports an error:
systemctl status acme-ldap.amessage.eu.service
● acme-ldap.amessage.eu.service - Renew ACME Certificate for ldap.amessage.eu
Loaded: loaded (/nix/store/i9l14fhlcf6nbjrvrjrrgyzi5mmg8w9f-unit-acme-ldap.amessage.eu.service/acme-ldap.amessage.eu.service; linked; vendor preset: enabled)
Active: failed (Result: exit-code) since Sat 2019-11-02 11:58:23 UTC; 5min ago
Process: 7167 ExecStart=/nix/store/5872m0531qdiz9zxf06q1l4i8l306hxw-simp_le-client-0.9.0/bin/simp_le -v -d ldap.amessage.eu --default_root /var/lib/acme/acme-challenge --valid_min 2592000 --email [email protected] -f fullchain>
Process: 7171 ExecStopPost=/nix/store/04yz46rd07klmxqx00bxbxn8dgs6ma2n-acme-post-stop (code=exited, status=0/SUCCESS)
Main PID: 7167 (code=exited, status=2)
IP: 6.1K in, 3.6K out
CPU: 2.502s
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: "type": "urn:acme:error:unauthorized",
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: "detail": "Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-pl>
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: "status": 403
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: }
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: ACME server returned an error: urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a v>
Nov 02 11:58:23 lech.amessage.eu simp_le[7167]: Debugging tips: -v improves output verbosity. Help is available under --help.
Nov 02 11:58:23 lech.amessage.eu systemd[1]: acme-ldap.amessage.eu.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Nov 02 11:58:23 lech.amessage.eu systemd[1]: acme-ldap.amessage.eu.service: Failed with result 'exit-code'.
Nov 02 11:58:23 lech.amessage.eu systemd[1]: Failed to start Renew ACME Certificate for ldap.amessage.eu.
Nov 02 11:58:23 lech.amessage.eu systemd[1]: acme-ldap.amessage.eu.service: Consumed 2.502s CPU time, received 6.1K IP traffic, sent 3.6K IP traffic.
See also: https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430
Note: actually it seems new domains should work, only new accounts should be disabled. Anyway, I have existing Let's Encrypt domains on this server already, but the NixOS machinery seems to try to use a new account for the new domain.
To Reproduce
Add a vhost to nginx for a domain that hasn't been used with Let's Encrypt before. Try to obtain a certificate for this domain.
Expected behavior
A new certificate should get issued and activated; instead the service fails and logs the above-mentioned message to the log.
Metadata
system: "x86_64-linux"
host os: Linux 4.19.80, NixOS, 19.09.941.27a5ddcf747 (Loris)
multi-user?: yes
sandbox: yes
version: nix-env (Nix) 2.3
channels(root): "nixos-18.03.133370.263f7b78d6f"
nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos
Maintainer information:
module: [ security.acme ]
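As an added example (not code from this issue or from nixpkgs): a small Python parser that reassembles the application/problem+json error body that simp_le logs line by line to journald and flags the ACMEv1 account-creation failure, so renewal monitoring can alert on it with an actionable reason. The sample journal lines are constructed, modelled on the excerpt above; the host and unit names are placeholders.

```python
import json
import re
from typing import Optional

# Constructed sample, modelled on the journal excerpt in this issue.
SAMPLE_JOURNAL = """\
Nov 02 11:58:23 host simp_le[7167]: HTTP 403
Nov 02 11:58:23 host simp_le[7167]: Content-Type: application/problem+json
Nov 02 11:58:23 host simp_le[7167]: Replay-Nonce: 0002iSikgf1k2zL9PVwBmTxkZqdhHPkyLb0oo-VpKRSscfw
Nov 02 11:58:23 host simp_le[7167]: {
Nov 02 11:58:23 host simp_le[7167]: "type": "urn:acme:error:unauthorized",
Nov 02 11:58:23 host simp_le[7167]: "detail": "Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555.",
Nov 02 11:58:23 host simp_le[7167]: "status": 403
Nov 02 11:58:23 host simp_le[7167]: }
Nov 02 11:58:23 host systemd[1]: acme-ldap.example.service: Failed with result 'exit-code'.
"""

# journald short-form prefix: "Mon DD HH:MM:SS host unit[pid]: message"
PREFIX = re.compile(
    r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ (?P<unit>[\w.-]+)\[\d+\]: (?P<msg>.*)$"
)


def acme_problem_from_journal(text: str) -> Optional[dict]:
    """Reassemble the problem+json body that simp_le logged one line at a
    time and return it as a dict, or None when no such body is present."""
    body, collecting = [], False
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m or m.group("unit") != "simp_le":
            continue  # ignore other units (systemd's own status lines etc.)
        msg = m.group("msg").strip()
        if msg == "{":
            collecting, body = True, ["{"]
            continue
        if collecting:
            body.append(msg)
            if msg == "}":
                return json.loads("".join(body))
    return None


def classify_acme_failure(problem: Optional[dict]) -> str:
    """Map the ACME problem document to an operator-facing action."""
    if problem is None:
        return "no-acme-error"
    if problem.get("status") == 403 and "ACMEv1" in problem.get("detail", ""):
        return "acmev1-eol: upgrade the ACME client to an ACMEv2 (RFC 8555) capable version"
    return f"other: {problem.get('type')}"
```

Feed it `journalctl -u acme-<domain>.service --no-pager` output to get the same classification for a real unit.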
According to https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430/7?u=mawis, this will fail on 2019-11-01 while working again for 6 days from 2019-11-02 to 2019-11-07 and then fail again starting at 2019-11-08. (I don't know which time zone applies.)
Okay … after nix-channel --update it works. It seems the update from simp_le 0.9.0 to 0.16.0 that was committed on 2019-10-17 fixes the problem.
@mawis you say nix-channel --update fixes it, but what are your channels?
@ocharles I'm on NixOS 19.09:
# nix-channel --list
nixos https://nixos.org/channels/nixos-19.09
Thanks, seems like 19.09 is needed for this fix. Ta!